Protecting Your VoIP Infrastructure From DDoS Attacks

November 17th, 2021

Distributed denial of service (DDoS) attacks continue to be a major issue for communications service providers, putting critical systems at risk, undercutting service level agreements, and bringing unwanted headlines. The first half of 2021 alone saw 5.4 million of these attacks reported, an 11 % increase over 1H2020.  Some common characteristics across these attacks included:

These aggressive DDoS attacks against service providers are bringing unwanted news headlines such as:

Recent DDoS Trends

While attacks have been around since the dawn of the Internet years, bad actors continue to refine their methods and evolve their execution capabilities. We’ve seen some of these “trends” in recent DDoS attacks:

  • Volumetric – Bad actors are increasingly spoofing the DDoS victim’s source addresses to send requests to a Server Host (i.e. Reflector), that generates a reply toward the DDoS victim which is several times larger than the request message, resulting in a high volume of traffic for the attack. Attackers will use protocols like DNS, CLDAP, and SNMP with their high amplification factor between requests and responses, making it difficult to pinpoint which attack is causing the most damage by using multiple reflectors simultaneously
  • Use of DDoS-for-hire services – making it easy for a bad actor to initiate multiple attacks, especially when coupled with volumetric techniques
  • Small packet size – Increasingly DDoS attacks are using small packet sizes which helps to avoid detection -- in some the average packet size was under 100 bytes
  • Multi-layered – DDoS attacks are targeting Layer 3 and 4 plus Layer 7 (SIP signaling ports)
  • Adaptive – DDoS attacks are being modified in multi-stage attacks or in follow-on repeat attacks, for example launching a brute force traffic flooding, that evolves to become volumetric through reflection using botnets for UDP from spoofed legitimate sources, and then changed into targeted attempts to flood specific VoIP APIs
  • Coordinated – More than 50 local telecom providers in Brazil experienced attacks in a 1-3 minute window with the bulk of the attacks starting simultaneously, clearly indicating a coordinated attack

Recommendations for addressing DDoS attacks

Faced with these mounting threats, what are service providers to do? Here are four key recommendations for service providers to address potential DDoS attacks, followed by highlights of the capabilities that enable Ribbon’s session border controllers (SBCs) to provide DDoS mitigation

  • Strengthen interconnect security - Work with IP peers to strengthen security by migrating IP interconnections from UDP to TCP for SIP transport (UDP based attacks accounted for 44% of all attacks in 1H21.)  In addition, implement encryption on IP interconnections using TLS for signaling and SRTP for media, as ismandated as part of Microsoft’s Teams Direct Routing and Operator Connect service offers
  • Pay attention to port scan alerts/alarms - DDoS attacks need an opening and port scans are key to find open ports, which should therefore be proactively monitored by an intrusion detection system to alert on significant changes in volume or unusual port scan sources. 
  • Review and optimize DDoS solution – It’s critical to review your DDoS security procedures and processes currently in place and determine if/how they should be changed to optimize protection and mitigation
  • Review and, where needed, optimize SBC solution - DDoS mitigation solution providers typically bundle a Web Application Firewall (WAF) function for Layer 7 security, but VoIP is not a traditional web application.  Therefore, it is also important to review the DDoS capabilities of the SBCs that are in place and determine that their configurations are up to date.  For example, how recently were Access Control Lists updated and are unusual port scan source addresses populated in the ACLs?

 Ribbon's SBC DDoS Solutions

As a market leader in VoIP security, Ribbon’s SBC capabilities for DDoS detection and mitigation include:

  •  ACL policing - apply access level control to allow traffic from trusted pre-configured IP addresses
  • IP address learning - when IP addresses used by valid peers/endpoints are not known a priori or may change dynamically, peers are confirmed as trusted only after receipt of specific valid SIP requests
  • Media packet policing - media packets are accepted only if they correspond to a session negotiated via SIP/SDP signaling
  • Media address learning - if a peer media address advertised in SIP/SDP does not match the actual source address of the RTP packets, it is possible to learn the peer media address to perform policing of subsequent packets
  • Priority aware packet policing - rate limit SIP signaling packets on a microflow basis + give higher priority to packets from authenticated sources than those from unknown sources, significantly increasing the likelihood that desired traffic gets let through while malicious traffic is stopped
  • Application-level CAC – provide call admission control (CAC) to rate limit traffic on a peer/IP trunk/IP trunk group level, and can also be provided to limit bandwidth usage

Today, identifying and stopping DDoS attacks has become a necessary part of every service provider’s business strategy. Ribbon is proud to partner with service providers around the world and offer them a suite of SBCs with a comprehensive set of security capabilities that enable our customers to detect and mitigate the effects of a DDoS attack on their critical VoIP services.