Protecting Your VoIP Infrastructure From DDoS Attacks
Distributed denial of service (DDoS) attacks are an ongoing problem for communications service providers, putting critical systems at risk, undercutting service level agreements, and generating unwanted headlines. In the first half of 2022 alone, 6 million such attacks were reported.
Some metrics of DDoS attacks in 1H2022 compared to 2H2021:
- 75% increase in the total attack count
- 56% decrease in attack size, a shift toward smaller attacks that are harder to detect
- 68% of attacks were volumetric (direct flood) attacks
- 69% of attacks lasted less than 90 minutes
Recent DDoS Trends
While DDoS attacks have been around since the early days of the Internet, bad actors continue to refine their methods and evolve their execution capabilities. Some recent trends in DDoS attacks:
- Volumetric – Bad actors increasingly send requests whose source address is spoofed to be the victim's address to a server host (a reflector). The reflector's reply, several times larger than the request, goes to the victim, producing a high volume of attack traffic. Attackers favor protocols such as DNS, CLDAP, and SNMP for their high amplification factor between request and response, and by using several reflector types at once they make it difficult to pinpoint which vector is causing the most damage
- DDoS-for-hire services – these make it easy for a bad actor to launch multiple attacks, especially when coupled with volumetric techniques
- Small packet size – DDoS attacks increasingly use small packets, which helps them avoid detection; in some attacks the average packet size was under 100 bytes
- Multi-layered – DDoS attacks target Layers 3 and 4 as well as Layer 7 (the SIP signaling itself, reached through the SIP signaling ports)
- Adaptive – DDoS attacks are being modified into multi-stage attacks or repeated in follow-on waves. For example, a brute-force traffic flood can evolve into a volumetric reflection attack, with a botnet sending UDP requests that spoof legitimate source addresses, and then shift to targeted attempts to flood specific VoIP APIs
- Botnet proliferation – Bad actors are increasingly using direct-path attacks sourced from botnets to launch application-layer attacks. In the first half of 2022 there was an 11% increase in direct-path attacks over 2H2021, almost all of it attributable to botnet innovation.
Recommendations for addressing DDoS attacks
Faced with these mounting threats, what are service providers to do? Here are four key recommendations for service providers to address potential DDoS attacks, followed by highlights of the capabilities that enable Ribbon's session border controllers (SBCs) to provide DDoS mitigation.
- Strengthen interconnect security - Work with IP peers to migrate IP interconnections from UDP to TCP for SIP transport (UDP-based attacks accounted for 61% of all attacks in 1H2022). Because a TCP connection must complete a handshake before any SIP request is delivered, an attacker cannot inject requests from spoofed source addresses the way UDP allows; this removes the spoofed-source and reflection vectors from SIP signaling, although it does not by itself stop a flood that saturates the interconnect link. In addition, implement encryption on IP interconnections using TLS for signaling and SRTP for media. These protocols are mandated, for example, as part of Microsoft's Teams Direct Routing and Operator Connect service offers
- Pay attention to port scan alerts/alarms - A DDoS attack needs an opening, and port scans are how attackers find open ports. Scans should therefore be proactively monitored by an intrusion detection system that alerts on significant changes in scan volume or on unusual port scan sources
- Review and optimize the DDoS solution – It is critical to review the DDoS security procedures and processes currently in place and determine if and how they should be changed to optimize protection and mitigation
- Review and, where needed, optimize the SBC solution - DDoS mitigation providers typically bundle a Web Application Firewall (WAF) function for Layer 7 security, but VoIP is not a traditional web application, so a generic WAF does not inspect SIP. It is therefore also important to review the DDoS capabilities of the SBCs already in place and confirm that their configurations are up to date. For example, how recently were the access control lists (ACLs) updated, and have the source addresses of unusual port scans been added to them?
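As an added example (not from the original article and not part of any Ribbon product), the following Python script runs the two checks from the port scan recommendation above over constructed firewall deny-log lines: it flags any source that touches many distinct destination ports within a sliding window, marks whether that source is a known peer (an unknown scanner being the "unusual source" worth an alarm), and flags per-minute deny volume that spikes above a baseline. The log format, addresses, thresholds and baseline are assumptions chosen for the illustration.

```python
"""Port-scan source and volume-spike detection over firewall deny logs.

Added example: the log format below is an assumed syslog-like layout, and
every line in SAMPLE_LINES is constructed for illustration (not from any
real device).
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) deny proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: a scanner walking 12 ports in 12 seconds, a known peer
# retrying one port, and a slow probe of 3 ports that stays under the threshold.
SAMPLE_LINES = (
    [f"2022-06-01T10:00:{s:02d}Z deny proto=udp src=203.0.113.7 "
     f"dst=198.51.100.10 dport={5060 + s}" for s in range(12)]
    + [f"2022-06-01T10:00:{s:02d}Z deny proto=udp src=192.0.2.50 "
       f"dst=198.51.100.10 dport=5060" for s in range(0, 50, 10)]
    + [f"2022-06-01T10:01:{s:02d}Z deny proto=tcp src=198.18.0.5 "
       f"dst=198.51.100.10 dport={22 + s}" for s in (0, 20, 40)]
)


def parse_line(line):
    """Parse one deny record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_scans(lines, window_seconds=60, distinct_threshold=10,
                      known_peers=frozenset()):
    """Alert on sources that hit >= distinct_threshold distinct (dst, port)
    targets inside a sliding window. known_peers only annotates the alert: a
    peer that suddenly scans is still worth seeing, but an unknown scanner is
    the unusual source the recommendation asks operators to watch for."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) in window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], (e["dst"], e["dport"])))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= distinct_threshold:
            a = alerts.setdefault(e["src"], {"src": e["src"], "first_seen": q[0][0],
                                              "known_peer": e["src"] in known_peers})
            a["distinct_targets"] = len(targets)   # keeps growing as the scan continues
            a["last_seen"] = e["ts"]
    return list(alerts.values())


def volume_spikes(lines, baseline_per_minute, multiplier=3):
    """Return minute buckets whose deny count exceeds multiplier x baseline."""
    per_minute = Counter(e["ts"].strftime("%Y-%m-%dT%H:%M")
                         for e in map(parse_line, lines) if e)
    return sorted(k for k, n in per_minute.items() if n > baseline_per_minute * multiplier)


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LINES, known_peers={"192.0.2.50"}):
        print("port scan:", a)
    print("volume spikes:", volume_spikes(SAMPLE_LINES, baseline_per_minute=5))
```

On the constructed data only 203.0.113.7 trips the scan threshold, the known peer's repeated denies on port 5060 do not (one target, many retries), and the three-port probe stays below it; lowering distinct_threshold to 3 would catch the slow probe as well, which is the usual trade-off between sensitivity and noise when tuning this kind of rule. The source addresses a detector like this surfaces are the candidates for the ACL update mentioned in the last recommendation.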
Ribbon's SBC DDoS Solutions
As a market leader in VoIP security, Ribbon’s SBC capabilities for DDoS detection and mitigation include:
- ACL policing - apply access control lists so that traffic is accepted only from trusted, pre-configured IP addresses
- IP address learning - when IP addresses used by valid peers/endpoints are not known a priori or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
- Media packet policing - media packets are accepted only if they correspond to a session negotiated via SIP/SDP signaling
- Media address learning - if a peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, it is possible to learn the peer media address to perform policing of subsequent packets
- Priority-aware packet policing - rate limit SIP signaling packets on a microflow basis and give packets from authenticated sources higher priority than packets from unknown sources, significantly increasing the likelihood that legitimate traffic gets through while malicious traffic is stopped
- Application-level CAC – apply call admission control (CAC) to rate limit traffic per peer, IP trunk, or IP trunk group, and optionally to cap bandwidth usage as well
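The six capabilities above describe one coherent policing design, so here is a compact Python model of it, added to this page as an illustration. It is not Ribbon's code and makes no claim about how Ribbon's SBCs implement these functions: a static trusted-peer ACL, promotion of a source after an authenticated SIP request (the authentication itself is assumed to happen elsewhere), per-source token buckets with a shared pool that only unknown sources draw from, RTP accepted only for SDP-negotiated sessions with one-shot learning of the peer's real media address, and a per-trunk-group concurrent call limit. All rates, addresses, ports and trunk names are assumptions.

```python
"""Toy model of SBC-style signaling and media policing (added example, not Ribbon's code;
all rates, addresses, ports and trunk names below are assumptions)."""


class TokenBucket:
    """Token bucket: `rate` packets/second, at most `burst` saved up."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class SignalingPolicer:
    """ACL policing, IP address learning and priority-aware microflow policing."""
    def __init__(self, static_acl, trusted_rate=100, untrusted_rate=5, pool_rate=20):
        self.trusted = set(static_acl)      # ACL: pre-configured trusted peers
        self.rates = (trusted_rate, untrusted_rate)
        self.buckets = {}                   # one microflow bucket per source IP
        self.pool = TokenBucket(pool_rate, pool_rate)  # shared by all unknown sources
    def _bucket(self, src):
        if src not in self.buckets:
            rate = self.rates[0] if src in self.trusted else self.rates[1]
            self.buckets[src] = TokenBucket(rate, rate)
        return self.buckets[src]
    def learn_peer(self, src):
        """IP address learning: promote a source after a valid SIP request from it has been
        authenticated (that check is assumed to happen before this call)."""
        self.trusted.add(src)
        self.buckets.pop(src, None)         # re-provision at the trusted rate
    def admit_sip(self, src, now):
        """Trusted peers contend only with their own bucket; unknown sources must also win a
        token from the shared pool, so a flood from unknowns drains the pool, not trusted capacity."""
        if not self._bucket(src).allow(now):
            return False
        return src in self.trusted or self.pool.allow(now)


class MediaPolicer:
    """Accept RTP only for SDP-negotiated sessions; learn the real peer address once (NAT)."""
    def __init__(self):
        self.sessions = {}   # local RTP port -> {"peer": (ip, port), "seen": bool, "learn": bool}
    def negotiate(self, local_port, peer_ip, peer_port, learn=True):
        self.sessions[local_port] = {"peer": (peer_ip, peer_port), "seen": False, "learn": learn}
    def admit_rtp(self, src_ip, src_port, local_port):
        s = self.sessions.get(local_port)
        if s is None:
            return False                    # no negotiated session on this port
        if not s["seen"]:
            s["seen"] = True
            if s["learn"] and (src_ip, src_port) != s["peer"]:
                s["peer"] = (src_ip, src_port)   # learn once, from the first packet only
        return (src_ip, src_port) == s["peer"]


class CallAdmissionControl:
    """Per-trunk-group concurrent call limit (application-level CAC)."""
    def __init__(self, limits):
        self.limits, self.active = dict(limits), {}
    def admit(self, trunk_group, call_id):
        calls = self.active.setdefault(trunk_group, set())
        if len(calls) >= self.limits.get(trunk_group, 0):
            return False
        calls.add(call_id)
        return True
    def release(self, trunk_group, call_id):
        self.active.get(trunk_group, set()).discard(call_id)


def demo():
    """Constructed scenario: five unknown sources flood 50 SIP packets each at t=0 while a
    pre-configured peer sends 30; then a new peer is learned and media/CAC checks run."""
    pol = SignalingPolicer(static_acl={"192.0.2.10"})
    unknown_ok = sum(pol.admit_sip(f"203.0.113.{i}", 0.0) for i in range(1, 6) for _ in range(50))
    trusted_ok = sum(pol.admit_sip("192.0.2.10", 0.0) for _ in range(30))
    pol.learn_peer("198.51.100.20")
    learned_ok = sum(pol.admit_sip("198.51.100.20", 0.0) for _ in range(30))
    media = MediaPolicer()
    media.negotiate(20000, "198.51.100.20", 40000)
    rtp = [media.admit_rtp("198.51.100.20", 40000, 20000),   # matches the SDP address
           media.admit_rtp("203.0.113.9", 40000, 20000),     # wrong source for this session
           media.admit_rtp("198.51.100.20", 40000, 20002)]   # no session on that port
    media.negotiate(20004, "10.0.0.5", 40000)                # private address in SDP: peer behind NAT
    nat = [media.admit_rtp("198.51.100.20", 41000, 20004),   # first packet: learned as the real address
           media.admit_rtp("198.51.100.20", 41000, 20004),   # matches the learned address
           media.admit_rtp("10.0.0.5", 40000, 20004)]        # stale advertised address now rejected
    cac = CallAdmissionControl({"trunk-A": 2})
    calls = [cac.admit("trunk-A", c) for c in ("c1", "c2", "c3")]
    return {"unknown_ok": unknown_ok, "trusted_ok": trusted_ok, "learned_ok": learned_ok,
            "rtp": rtp, "nat": nat, "calls": calls}

if __name__ == "__main__":
    print(demo())
```

In the flood scenario the 250 packets from unknown sources yield only 20 accepted (the shared pool), while every packet from the pre-configured peer and from the newly learned peer is accepted, which is the priority effect the list describes. Two caveats a practitioner should carry over from the toy to a real deployment: learning a source as trusted must be tied to a genuinely authenticated SIP request, not merely a well-formed one, and media address learning from the first RTP packet is a race that an attacker who knows the negotiated port could win, so it should be enabled only for peers that need it (typically those behind NAT) and left off elsewhere.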
Today, identifying and stopping DDoS attacks has become a necessary part of every service provider’s business strategy. Ribbon is proud to partner with service providers around the world and offer them a suite of SBCs with a comprehensive set of security capabilities that enable our customers to detect and mitigate the effects of a DDoS attack on their critical VoIP services.