Attacks against VoIP services have been growing since 2013. In September 2021, DDoS attacks were launched against VoIPms, Bandwidth, Twilio, and Telnyx. A few months later, an attack was launched against UK-based VoIP service provider VoIP Unlimited. The attackers used the same malware in all these attacks. Threat actors' aim seems to be to extort money from companies. Attacks seem to be coordinated internationally.

VoIP service providers are being targeted by cybercriminals who use DDoS attacks to disrupt business by causing outages of the VoIP, Cloud, and IP Infrastructure. The signs that your Provider may be experiencing such an event; are failed calls, API and Portal latency/time-outs, and/or delayed messages until the attack stops. These attacks are more sophisticated than ever, using reflection/amplification, layering, and adaptation or "Volumetric Attack." Additionally, threat actors use of bot networks in conjunction with unsecured Services like DNS and spoofed IP addresses making the attack appear as if it came from many different locations and attack vectors. A truly global event.

A successful DDoS attack against a VoIP provider's services can significantly affect the ability to provide critical products and services, such as emergency response, medical care and other essential functions.

High-volume DDoS attacks can disrupt the entire network. Collateral damage includes shared resources such as servers, routers, switches, and other equipment. Compounding this is that many providers host their infrastructure with companies like Amazon AWS and Google GCP, which contracts allow them to blackhole the offending services and protect the network. We saw this with companies like VoIPms and Telnyx.

Attack Vectors

Mitigating DDoS attacks is not a simple accomplishment. Adding a simple filter or rate limit to your firewall won't cut it. SIP floods are usually the first attack vector used by attackers. SIP flood attacks are very effective because they overwhelm the target system without requiring much effort or money. Due to bottlenecks in databases, complex systems authentication mechanisms, media servers "running out of ports," CPUs and/or memory used to handle SIP sessions exceed available resources. Malformed SIP messages cause errors, filling up logs, or logging servers. SIP over TCP or SSL vulnerable file descriptor exhaustion attacks and rate limiting does not prevent these attacks. If you survive the SIP flood, there is a second vector. Volumetric Attacks are effective simply due to the nature of VoIP and its reliance on UDP. The Volumetric Attack reported by Bandwidth reported trillions of packets per second and bandwidth requirements above 200Gbps. Even if you can handle this, your edge upstream will have issues causing them to blackhole the destination network to protect the overall health of the upstream network.

Mitigation

The solution is simply Cloudflare, to be more specific, their Magic Transit product. Voxtelesys has no inside knowledge of what was done by the affected carriers; we can only surmise based on the effect and resolution. During the attacks in 2021, it started with VoIPms, which spoke about using an entirely cloud-based solution. We love the premise and commitment their development makes to the solution. Unfortunately, during the multiple weeks of that event, we saw epic trolling by competitors that were less than gracious to their toil. VoIPms was at a disadvantage for three reasons. First, every cloud hosting vendor has a clause that allows them to blackhole any traffic it deems destructive; unfortunately, that meant UDP. Second, any shared resource within a cloud solution is only profitable if its means of consumption can be leveraged, leaving little to no incentive for the cloud hosting provider to fix. Third, they may not have been the first, but they were the most public; carriers after them could learn from their success and failures. We then saw Bandwidth get hit. Bandwidth was the most successful mitigating out of the gate; they were prepared with DDoS Mitigation Multiple IP peerings. But in the end, they fell to the attack. The effect on Bandwidth was not a complete outage as in the case VoIPms the 200Gbps at the upstream IP peering took them down. A few weeks later, it was Telnyx's turn. Telnyx utilizes AWS anyCast network for its front-end services. As noted with VoIPms cloud provider will blackhole any traffic considered detrimental to the stability of the network. Cloudflare was the solution in all three cases; the issue lies in the vast amount of traffic sent and the saturation of their IP networks. Cloudflare mitigated the attack at the edge of their network, blocking traffic as close to the source as possible.

Conclusion

It is evident that during the attacks, carriers that relied heavily on 3rd party cloud hosting to deliver services and did not have DDOS mitigation through Cloudflare magic transit were at a disadvantage in resolving issues. It is fortunate that Bandwidth and VoIPms worked as diligently as they did to resolve the DDoS event. Due to their efforts, the rest of our industry saw our path forward. As a Carrier, we always fear the failure of our infrastructure. We never like to see others struggle, and when we see a large Carrier like Bandwidth go down, it affects more than Bandwidth customers; our customers cannot reach businesses that rely on Bandwidth. Voxtelesys never wants to earn a customer because of a DDoS attack; we want to earn a customer because we provide superior service and support.