November 18, 2021

Ribbon Communications: Protecting Your VoIP Infrastructure From DDoS Attacks

Distributed denial of service (DDoS) attacks continue to be a major issue for communications service providers, putting critical systems at risk, undercutting service level agreements, and bringing unwanted headlines. The first half of 2021 alone saw 5.4 million of these attacks reported, an 11 % increase over 1H2020. Some common characteristics across these attacks included:

These aggressive DDoS attacks against service providers are bringing unwanted news headlines such as:

Recent DDoS Trends

While attacks have been around since the dawn of the Internet years, bad actors continue to refine their methods and evolve their execution capabilities. We’ve seen some of these “trends” in recent DDoS attacks:

Volumetric – Bad actors are increasingly spoofing the DDoS victim’s source addresses to send requests to a Server Host (i.e. Reflector), that generates a reply toward the DDoS victim which is several times larger than the request message, resulting in a high volume of traffic for the attack. Attackers will use protocols like DNS, CLDAP, and SNMP with their high amplification factor between requests and responses, making it difficult to pinpoint which attack is causing the most damage by using multiple reflectors simultaneously
Use of DDoS-for-hire services – making it easy for a bad actor to initiate multiple attacks, especially when coupled with volumetric techniques
Small packet size – Increasingly DDoS attacks are using small packet sizes which helps to avoid detection — in some the average packet size was under 100 bytes
Multi-layered – DDoS attacks are targeting Layer 3 and 4 plus Layer 7 (SIP signaling ports)
Adaptive – DDoS attacks are being modified in multi-stage attacks or in follow-on repeat attacks, for example launching a brute force traffic flooding, that evolves to become volumetric through reflection using botnets for UDP from spoofed legitimate sources, and then changed into targeted attempts to flood specific VoIP APIs
Coordinated – More than 50 local telecom providers in Brazil experienced attacks in a 1-3 minute window with the bulk of the attacks starting simultaneously, clearly indicating a coordinated attack

Recommendations for addressing DDoS attacks

Faced with these mounting threats, what are service providers to do? Here are four key recommendations for service providers to address potential DDoS attacks, followed by highlights of the capabilities that enable Ribbon’s session border controllers (SBCs) to provide DDoS mitigation

Strengthen interconnect security – Work with IP peers to strengthen security by migrating IP interconnections from UDP to TCP for SIP transport (UDP based attacks accounted for 44% of all attacks in 1H21.) In addition, implement encryption on IP interconnections using TLS for signaling and SRTP for media, as ismandated as part of Microsoft’s Teams Direct Routing and Operator Connect service offers
Pay attention to port scan alerts/alarms – DDoS attacks need an opening and port scans are key to find open ports, which should therefore be proactively monitored by an intrusion detection system to alert on significant changes in volume or unusual port scan sources.
Review and optimize DDoS solution – It’s critical to review your DDoS security procedures and processes currently in place and determine if/how they should be changed to optimize protection and mitigation
Review and, where needed, optimize SBC solution – DDoS mitigation solution providers typically bundle a Web Application Firewall (WAF) function for Layer 7 security, but VoIP is not a traditional web application. Therefore, it is also important to review the DDoS capabilities of the SBCs that are in place and determine that their configurations are up to date. For example, how recently were Access Control Lists updated and are unusual port scan source addresses populated in the ACLs?

Ribbon’s SBC DDoS Solutions

As a market leader in VoIP security, Ribbon’s SBC capabilities for DDoS detection and mitigation include:

ACL policing – apply access level control to allow traffic from trusted pre-configured IP addresses
IP address learning – when IP addresses used by valid peers/endpoints are not known a priori or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
Media packet policing – media packets are accepted only if they correspond to a session negotiated via SIP/SDP signaling
Media address learning – if a peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, it is possible to learn the peer media address to perform policing of subsequent packets
Priority aware packet policing – rate limit SIP signaling packets on a microflow basis + give higher priority to packets from authenticated sources than those from unknown sources, significantly increasing the likelihood that desired traffic gets let through while malicious traffic is stopped
Application-level CAC – provide call admission control (CAC) to rate limit traffic on a peer/IP trunk/IP trunk group level, and can also be provided to limit bandwidth usage

Today, identifying and stopping DDoS attacks has become a necessary part of every service provider’s business strategy. Ribbon is proud to partner with service providers around the world and offer them a suite of SBCs with a comprehensive set of security capabilities that enable our customers to detect and mitigate the effects of a DDoS attack on their critical VoIP services.

Sourced from: Ribbon Media Center. View the original article here.

Looking for new suppliers for your telecoms business?

Sign up as a reseller for Fibre and Wireless Connectivity, VoIP/UCaaS and more.

Our teams has access to an extensive supplier network that makes it easy for any telecoms company looking to tap into new markets or enter the telecoms industry. Take advantage of our expertise and contact us today to line you up with the best supplier partner for your business.

Harnessing Virtual Agent Technology to Transform Contact Center Operations: Insights from Cisco

Discover how virtual agent technology is reshaping contact center operations, enhancing efficiency and customer satisfaction. Learn about the benefits and capabilities of these innovative tools.

Update 5 BETA 2 Launch: Enhanced Fixes and Comprehensive DECT Support from 3CX

The recent release of Update 5 BETA 2 brings significant improvements and expanded support for DECT devices. This update addresses several crucial issues and enhances system functionality, making it a pivotal upgrade for users.

Sangoma GenAI Platform Revolutionizes Business Communication with Cutting-Edge AI Solutions

Sangoma Technologies has launched its innovative GenAI platform, setting new standards in business communication. With powerful AI-driven features, this platform enhances customer engagement and operational efficiency in various sectors, including healthcare and customer service.

Smarsh’s Strategic Acquisition of CallCabinet Enhances Voice Technology for Compliance Solutions

Smarsh has taken a significant step forward in the voice compliance sector by acquiring CallCabinet. This move aims to enhance their offerings with advanced technology, providing businesses across various sectors with improved operational efficiencies.

Webex Emerges as Leading Webinar Software of 2025: Recognition from G2 and TrustRadius

Webex Events and Webinars has been named the premier webinar software for 2025 by G2. Discover the features and awards that set Webex apart from competitors like Zoom and Livestorm.

Maximising Business Opportunities with Microsoft Teams Integration for IT Providers

Integrating with Microsoft Teams can unlock significant benefits for IT providers. Discover how to leverage Teams for growth and customer satisfaction.