While cybercriminals will continue to try to stay ahead of the latest detection tools, service providers can take action in 2022 and beyond.
The last two years of the pandemic have brought dramatic changes to the way we live, work and spend our free time. The growth of remote work has been predicted for a long time, but the pandemic turned these predictions into reality much faster than expected, and in many cases before the networks were really ready for it.
As we learn to live with the effects of the COVID-19 pandemic and the so-called “new normal” becomes just the “normal”, I believe service providers will need to pay more attention to network security in 2022 to combat the growing number of attack vectors, which attackers can use to try to undermine and/or steal the data of organizations in all sectors of the economy in virtually every country.
Distributed denial-of-service (DDoS) attacks are one of the most common methods used to undermine companies, and their numbers are on the rise.
During a DDoS attack, cybercriminals overload the organization’s server with traffic in order to disrupt the normal processing of requests, thereby depriving users of access to connected online services and sites. Such attacks not only prevent legitimate users from interacting with an organization, but can also potentially disrupt a company’s entire IT infrastructure.
DDoS attacks are on the rise and need to be countered
In the first half of 2021, a massive 5.4 million DDoS attacks were recorded. That is 600,000 more than in the same period of 2020, or roughly 50,000 additional attacks per month. 85% of these attacks lasted less than ten minutes, which makes them harder to detect. All but a few were below 10 Gbps, meaning they were highly targeted, and almost one in three were repeated within seven days.
The main trends that can be noted in relation to DDoS attacks include:
Traffic volume. Increasingly, cybercriminals spoof the source address of their requests so that it appears to be the DDoS victim's, and send those requests to a host (the reflector) that generates a response several times the size of the request, producing a large volume of attack traffic. Attackers typically use protocols with a high amplification factor between request and response, such as DNS (Domain Name System), CLDAP (Connectionless Lightweight Directory Access Protocol) and SNMP (Simple Network Management Protocol), and use multiple reflectors at the same time, which makes it difficult to pinpoint which source of attack traffic does the most damage.
DDoS-for-hire services. These services make it easy for cybercriminals to launch multiple attacks, especially when combined with high-volume traffic methods.
Small packet size. Increasingly, DDoS attacks use small packets to avoid detection: some attacks have average packet sizes of less than 100 bytes.
Adaptability. DDoS attacks are becoming multi-stage or successive attacks. For example, an attack starts as a “brute force” traffic flood, then turns into a volumetric reflection attack in which botnets send UDP requests with spoofed source addresses of real hosts, and then turns into a targeted attempt to overload specific IP telephony service APIs with traffic.
Coordination. In Brazil, more than 50 local mobile operators were attacked within a 1-3 minute window, with most of the attacks starting at the same time, which clearly indicates coordinated work by the attackers.
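As an added illustration of the traffic patterns listed above (example code written for this page, not from the original article), the following Python classifies constructed flow records for reflection traffic arriving from DNS/CLDAP/SNMP reflector ports, for small-packet floods averaging under 100 bytes, and for targets that are hit again within seven days. The record layout, the 1 kB amplification threshold and the one-hour quiet gap between attack episodes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# UDP source ports of services commonly abused as reflectors (DNS, CLDAP, SNMP)
REFLECTOR_PORTS = {53: "DNS", 389: "CLDAP", 161: "SNMP"}
AMPLIFIED_BYTES = 1000        # assumed: reflected responses average well above 1 kB
SMALL_PACKET_BYTES = 100      # the article's threshold for a small-packet flood
REPEAT_WINDOW = timedelta(days=7)

# Constructed NetFlow-style records (not real data):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("2021-03-01T10:00:00", "198.51.100.7", 389, "203.0.113.10", 5060, "udp", 2000, 6_000_000),
    ("2021-03-01T10:00:01", "198.51.100.9", 53, "203.0.113.10", 5060, "udp", 1500, 4_500_000),
    ("2021-03-01T10:00:02", "192.0.2.44", 40000, "203.0.113.10", 5060, "udp", 50000, 3_200_000),
    ("2021-03-05T09:30:00", "198.51.100.7", 389, "203.0.113.10", 5060, "udp", 1800, 5_400_000),
    ("2021-03-01T10:00:03", "192.0.2.80", 44444, "203.0.113.20", 443, "tcp", 300, 120_000),
]

def classify_flow(flow):
    """Return the pattern labels a single flow matches (empty list if none)."""
    _, _, sport, _, _, proto, packets, nbytes = flow
    avg = nbytes / packets
    labels = []
    # Reflection: UDP from a reflector service port with a large average packet size
    if proto == "udp" and sport in REFLECTOR_PORTS and avg > AMPLIFIED_BYTES:
        labels.append("reflection:" + REFLECTOR_PORTS[sport])
    # Small-packet flood: many packets, each well below 100 bytes on average
    if avg < SMALL_PACKET_BYTES:
        labels.append("small-packet")
    return labels

def find_repeat_targets(flows, min_gap=timedelta(hours=1)):
    """Targets whose flagged traffic recurs after a quiet gap but within REPEAT_WINDOW."""
    first_seen = {}
    repeats = set()
    for flow in sorted(flows, key=lambda f: f[0]):
        if not classify_flow(flow):
            continue
        ts, target = datetime.fromisoformat(flow[0]), flow[3]
        start = first_seen.setdefault(target, ts)
        if min_gap < ts - start <= REPEAT_WINDOW:
            repeats.add(target)
    return repeats

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow[1], "->", flow[3], classify_flow(flow))
    print("repeat targets:", find_repeat_targets(FLOWS))
```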
Session Border Controllers Can Be a Powerful Security Tool
Any component of an organization’s IT infrastructure can become the target of a DDoS attack, including IP telephony (VoIP) servers and services. One important tool that can be used to counter DDoS attacks on VoIP servers is the Session Border Controller. Session Border Controllers (SBCs) have long been considered the backbone of IP telephony network security due to their ability to detect suspicious or anomalous network activity and take action in real time to minimize network exposure.
The function of the Session Border Controller is to manage the Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) that are used to exchange data for VoIP services, video calls, or instant messaging. It manages each communication session or connection between networks, ensures security and quality of service (QoS) within the session, and also provides additional interworking functions. Session Border Controllers provide enhanced protection against DDoS attacks and other security threats.
How to protect yourself from DDoS attacks?
So what steps should service providers take in the face of the growing threat that DDoS attacks pose to their networks, customers and reputations?
Here are four key recommendations for dealing with potential DDoS attacks in 2022 for service providers:
- Improve the security of your internet connections. Work with your IP peering partners to increase security by migrating IP interconnections for SIP telephony from UDP to TCP (UDP-based attacks accounted for 44% of all attacks in the first half of 2021). In addition, encrypt the IP interconnections: use the TLS protocol for signaling and the SRTP protocol for media transmission. Microsoft Teams Direct Routing and Operator Connect services, for example, require such encryption.
- Pay attention to port-scan alerts and alarms. A DDoS attack needs a weak point in the defenses, and scanning is a key method of finding open ports, so an intrusion detection system must actively monitor port status in order to warn of significant changes in traffic volume or anomalous sources of port scans.
- Test and optimize DDoS response solutions. It is critical to review and validate current DDoS protection procedures and methods to determine whether they need to be changed and, if so, what changes are required to optimize protection and minimize negative impact.
- Check and optimize session border controllers as needed. DDoS mitigation vendors typically include a Web Application Firewall (WAF) for Layer 7 security, but VoIP services are not traditional web applications and need Session Border Controllers to provide this functionality. It is therefore also important to check the functionality of existing SBCs and make sure their configurations are up to date: for example, when were the access control lists last updated, and do they include the addresses of anomalous port-scan sources?
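For the port-scan alerting and the ACL check in the recommendations above, here is an added Python example (not from the original article) that finds sources sweeping many ports in constructed firewall log lines and reports which of them the SBC's deny list does not yet cover. The log line format, the ten-ports-per-minute threshold and the CIDR representation of the ACL are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> DROP src=<ip> dst=<ip> proto=<udp|tcp> dport=<port>"
LOG_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ proto=(\w+) dport=(\d+)$")
SCAN_PORTS = 10                        # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)    # ... within this window count as a port scan

# Constructed log lines (not real data): one host sweeps 12 ports, another sends 2 packets
LOG_LINES = [
    "2021-06-01T08:00:%02d DROP src=192.0.2.5 dst=203.0.113.10 proto=udp dport=%d"
    % (i, 5060 + i) for i in range(12)
] + [
    "2021-06-01T08:05:00 DROP src=198.51.100.3 dst=203.0.113.10 proto=udp dport=5060",
    "2021-06-01T08:05:01 DROP src=198.51.100.3 dst=203.0.113.10 proto=tcp dport=5061",
]
# Constructed SBC deny list as CIDR prefixes (real ACL formats are vendor-specific)
ACL_DENY = ["203.0.113.200/32", "198.51.100.0/24"]

def parse(line):
    """Parse one log line into (timestamp, src, proto, dport); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, proto, dport = m.groups()
    return datetime.fromisoformat(ts), src, proto, int(dport)

def scan_sources(lines):
    """Sources that touch at least SCAN_PORTS distinct ports inside any SCAN_WINDOW."""
    events = defaultdict(list)
    for ts, src, _, dport in filter(None, map(parse, lines)):
        events[src].append((ts, dport))
    found = set()
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                found.add(src)
                break
    return found

def acl_gaps(sources, acl=ACL_DENY):
    """Scan sources that no deny entry covers: these show the ACL is out of date."""
    nets = [ipaddress.ip_network(n) for n in acl]
    return {s for s in sources if not any(ipaddress.ip_address(s) in n for n in nets)}
```

Running `acl_gaps(scan_sources(LOG_LINES))` over the constructed lines returns the sweeping host because the deny list does not cover its prefix, while the two-packet source is both below the scan threshold and already covered.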
These days, detecting and repelling DDoS attacks has become an integral part of every service provider’s business strategy. While cybercriminals will continue to try to stay ahead of the latest detection tools, service providers can take action in 2022 and beyond to protect not only their reputation and brand, but also their networks, intellectual property, their employees and their channels of interaction with customers and business partners.