DDoS (Distributed Denial of Service) attacks on VoIP Carriers and UCaaS providers, attackers target the components of the VoIP systems causing intermittent service or complete outages. First, it is necessary to understand how VoIP connections are established and all the workings that go into these complex systems. The Open Systems Interconnection (OSI) model is always a good starting point for explaining modern networked systems and how they work— by separating modern networking into seven easy-to-understand segments from the application to the network to the physical layer. DDoS Attacks primarily happen in two of three categories Application Layer Attacks (ALA), and Network Layer Attacks (NLA), although Physical layer attacks are possible "War, Terrorism, Contractors with backhoes." An attacker may use any number of different attack vectors and cycle through them in response to countermeasures taken by the targeted systems to achieve their goals.
Layer 7 DDoS attacks, sometimes referred to as application-layer attacks (ALA), exhaust the target's resources to create a Denial of Service. The attacks on a VoIP carrier's web service, portals, media, and SIP require the systems to consume an abnormal level of resources leading to congestion inside these systems. Computationally inexpensive to execute on the client-side, it can be expensive for the target server to respond. ALA attacks are challenging to detect since it can be difficult to distinguish malicious traffic from legitimate traffic, HTTP Flood, Attacks, SIP Flood, and too many more to list. These types of attacks range from simple to complex.
Protocol attacks, also known as state exhaustion attacks, operate at the NLA. They cause a service interruption by consuming too many network resources, exploiting vulnerabilities refer to the OSI model's network layer (layer 3) and transport layer (layer 4). A network layer receives a request exceeding its ability or resource to handle it. As a result, it can no longer keep up with all the requests it receives, becomes overloaded, and requests go unanswered.
Volumetric attacks are also an NLA; this category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger internet. Large amounts of data are sent to a target using amplification or another means of creating massive traffic, such as requests from a botnet. NTP Amplification, DNS Amplification.
One way to describe a volumetric attack is TikTok Targeting Starbucks. TikTok operates like a modern botnet. TikTok users or "zombies" receive a command from their threat actor/source and start making very complex, expensive, and hard-to-make drinks through the Starbucks app. These actions led to longer lines and delays, which backed everything up, causing a complete shutdown of online orders. The ordering system itself had not failed; it could take more orders than the back end could produce, but the abnormal traffic and its complexity completely saturated the barista's bandwidth. The issue is that the zombies/TikTok users themselves are valid users and have ordered from Starbucks using the app before they joined the botnet. Protecting from this event is almost impossible. All kidding aside, volumetric attacks can cause upstream providers to shut off or blackhole networks and systems that are affected by these attacks to protect the greater network.
As DDoS becomes more sophisticated, we see a combination of NLA and ALA attacks that require more creative and complicated solutions. Mitigating these attacks require all of the above approach and many tools. We don't know what we don't know; in some cases, we need to go back to the beginning and start from scratch or hope that we are not the first and that someone else has already figured out what to do.