
Massive DDoS attacks a growing threat to VoIP services
When the massive distributed denial-of-service attack in March brought down the voice-over-IP call processing supplied by TelePacific Communications to thousands of its clients, it marked a turning point for the local-exchange services provider in its thinking about security.
The massive DDoS attack came blasting in from the Internet in the form of a flood of invalid VoIP (Voice over Internet Protocol) registration requests. The attack resulted in widespread service disruptions for a number of days in late March and cost the company hundreds of thousands of dollars in customer credits. After the attack was over, the facilities-based services provider, based in California and Nevada, took steps to boost security measures to try to prevent any similar occurrence, said Don Poe, vice president of network engineering at TelePacific Communications, which provides the VoIP "Smart Voice" service to thousands of clients.
But Poe, who spoke out about the massive DDoS attack during a presentation he made at the fall 2011 Comptel Plus Conference here, said he was sharing details about the attack because the pace of many types of DDoS attacks appears to be growing and the telecommunications industry isn't sharing information about them as much as it might for the common good.
TelePacific, he said, sees a multitude of daily scans against its network, and low-level attacks can occur about twice a day. But the services provider had never before seen what happened in the March period, when the normal level of 34 million SIP traffic registration requests for VoIP connections suddenly shot up to 69 million and "flooded our systems," he said. "There was no calling ability."
Comptel, the industry trade group for competitive communications services providers and their suppliers, says it believes its membership is seeing an uptick in DDoS attacks, which is why it scheduled the panel session on the topic that included Poe; Stacy Arruda, a supervisory special agent and cybercrime supervisor at the FBI; and Patrick Gray, principal security strategist at Cisco.
The DDoS event against his company's VoIP service
In recounting the DDoS event against his company's VoIP service, Poe said he did contact the FBI to report the attack, but he found out that TelePacific simply did not have the event-analysis information that the FBI needed to be able to successfully pursue a case. "We were not prepared," he said. "We didn't capture enough information." That situation has been rectified with new data-capture systems, he adds.
In the aftermath, TelePacific turned to a number of firms, including Acme Packet and Arbor Networks, for help in security and network analysis.
FBI agent Arruda said many cases of network attacks that the FBI works on do appear to involve a financial motive. There have been a few cases that involved instances where a "competitor DDoSed a competitor" to make the competitor look bad. But that's unusual. More commonly, the goal for the attacker appears to be stealing information of value through the incident. She urged service providers to join the local chapter of InfraGard, the FBI's information-sharing organization with the private sector. She said to get to know FBI people and to get their cell number to call them the minute something happens.
"DDoS attacks and SYN floods are extraordinarily common today," said Stacy Griggs, senior director at Cbeyond Cloud Services, a division of Cbeyond Communications, which was attending the Comptel conference.
The problem
He said telecom providers in general seem to be reluctant to talk about the problem. In a cynical sense, Griggs even thinks some telecom providers can be seen as at times deriving revenue from DDoS floods that hit clients.
Speaking on security, Arruda said, "The targeted email attack is the easiest way for the bad guys to get into the network." Since we live in a world where much information is readily available, attackers are using methods such as combing through public information, including social-networking sites, to find out what they can about corporate employees and their jobs.
