It started last week. September 16, 2021. Our VOIP phones were cutting out. Then not working at all. We use a VOIP system called Wildix, which is resold by a local reseller of telephony solutions. It’s a pretty intense system, full of bells and whistles. For us, it does the job quite well, as our guys can log into the system from anywhere on the Internet, take calls, forward calls, do conference calling, forward their calls to their cells, etc. In other words, do pretty well anything and everything that you might want to do with a phone system. It’s pretty slick. When it works. Last Wednesday, it wasn’t.
A call to our provider came back with an answer to our plight I just wasn’t expecting.
“Our “SIP trunk” provider is being DDOS attacked. We’re waiting to hear back from them. As you might expect, they’re a little under pressure right now.”
DDOS is a Distributed Denial of Service attack. Imagine you have a store. You sell books. You have a set of doors through which 4 people can go in or come out at the same time. Even though you may have a hundred people inside, no more than 4 people can go in or leave at any given moment in time. If more people try, they start queueing at the door. There just isn’t enough room to let more people in or out at once.
Now imagine your competitor saw that you were doing really well. They wanted to disrupt your business. So they put out a fake news release saying that you are selling all your books for 1¢ each. You open your store, and within minutes you have 200 people in your shop. With a few hundred more waiting outside the door to get in. You can’t sell anything to a legitimate customer, because most of the people in your store are there to buy a 1¢ book, not a $5.99 book. But because there are so many of them, you have to go one by one to find out who is a real client and who is fake. Meaning that your real customers are being “denied their service.”
Same in the real world with Denial Of Service attacks. The bad actors out there have botnet zombie computers making requests to VOIP.MS. These zombie computers have been slowly cultivated by them, over time. They are computers that are owned by people like you and me, small businesses and even large ones. Computers that are infected with malware that just sits there and does NOTHING. Until the message comes in from the master, to attack. In this case, VOIP.MS.
This attack wasn’t by a few dozen computers spread around our fair city. This attack was being launched by someone who apparently had access to an army of botnet zombie computers, spread across the world. Soldiers waiting to do their master’s bidding. When called upon. The term botnet comes from the words “robot” and “network,” referring to a computer that is under the spell of a small program that carries out its task according to its master’s plan. When the attack is coming from multiple sources, we add the word “Distributed” to the term “Denial of Service.” Hence a DDOS attack.
And the attack itself? Very likely a super small packet of data, requesting a webpage to show up, or in VOIP.MS’s case, requesting the opening of a Voice Over IP (VOIP) channel to communicate with VOIP.MS’s SIP trunks (a place where VOIP phones ultimately connect with the “old world” phone system called PSTN – Public Switched Telephone Network). With bogus credentials, which wouldn’t allow the channel to be opened. But no matter. Their job was done. They slowed the system to a crawl. Which for us meant, our telephone calls weren’t getting through to our clients.
BleepingComputer did a great write-up about the event. And a gent by the name of Tom, from Lawrence Systems in Southgate, MI, USA, did a great video about it on YouTube. I was under the impression that VOIP.MS was the first VOIP provider that was hit by this type of DOS attack. Apparently not. Only a few weeks prior, a very similar attack, possibly by the same perpetrators, happened in the UK. Rob Thomas, a VOIP expert, wrote a fabulous piece on Reddit about what he believes may have transpired, in the wake of VOIP.MS’s incident.
Which is why I am writing this today.
What is stopping these people from targeting anything and everything web-based that we use today? Email, accounting, CRM systems that may or may not be ready for such an attack. Do you know if your web-based provider is ready for such an attack?
The best way currently for these web-based services to mitigate such an attack is to:
- Stay off the bad guy’s radar (which is more of a hope, than a strategy)
- Sign up with someone who has more “doors” and a reverse proxy system that only allows “good” people in those doors
#2 bears a little explanation. Remembering that analogy of VOIP.MS having a store with only 2 doors (or 100 or 1000 – whatever the number was, it wasn’t enough)? Rent a storefront that has a million doors. Or a storefront that handles initial data requests on behalf of the store, and only passes valid requests onto the store. Or a combination of the two.
Those types of “storefronts” are what folks like Datadome, Netscout, Cisco and Cloudflare specialize in. The latter company being the one that VOIP.MS finally turned to, to get help with this attack.
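To make the “bouncer at the door” idea concrete, here is a small added example (not code from the post, nor from VOIP.MS, Cloudflare or any other provider named above). It plays the role of a front door in front of a SIP backend: it keeps a sliding window per source address, stops forwarding requests from a source that has failed authentication too many times (the bogus-credentials flood described earlier), and also caps how many requests any one source may send in the window, so a legitimate phone keeps getting through while the flooders are turned away. The log format, addresses, thresholds and window length are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Tunable knobs (assumed values for the example, not a recommendation)
WINDOW_SECONDS = 10      # how far back the door looks for each source
MAX_FAILED_AUTH = 3      # failed logins per window before the source is cut off
MAX_REQUESTS = 8         # total forwarded requests per window, any outcome

# Constructed sample of what a SIP edge might log: time, source, method, status.
# 203.0.113.5 hammers REGISTER with bad credentials (401), 203.0.113.9 floods
# INVITEs for unknown users (404), 198.51.100.7 is a legitimate phone (200).
SAMPLE_LOG = """\
0 203.0.113.5 REGISTER 401
0 198.51.100.7 REGISTER 200
0 203.0.113.9 INVITE 404
1 203.0.113.5 REGISTER 401
1 203.0.113.9 INVITE 404
2 203.0.113.5 REGISTER 401
2 203.0.113.9 INVITE 404
3 203.0.113.5 REGISTER 401
3 203.0.113.9 INVITE 404
4 198.51.100.7 INVITE 200
4 203.0.113.5 REGISTER 401
4 203.0.113.9 INVITE 404
5 203.0.113.5 REGISTER 401
5 203.0.113.9 INVITE 404
6 203.0.113.9 INVITE 404
7 203.0.113.9 INVITE 404
8 203.0.113.9 INVITE 404
9 198.51.100.7 INVITE 200
9 203.0.113.9 INVITE 404
"""


class FrontDoor:
    """Reverse-proxy style gate: decides per request whether it reaches the backend."""

    def __init__(self):
        self.requests = defaultdict(deque)   # src -> timestamps of forwarded requests
        self.failures = defaultdict(deque)   # src -> timestamps of auth failures

    @staticmethod
    def _expire(queue, now):
        # Drop entries that have fallen out of the sliding window.
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()

    def admit(self, now, src):
        """Return True if the request from src should be forwarded right now."""
        self._expire(self.requests[src], now)
        self._expire(self.failures[src], now)
        if len(self.failures[src]) >= MAX_FAILED_AUTH:
            return False                     # too many bad logins: keep the door shut
        if len(self.requests[src]) >= MAX_REQUESTS:
            return False                     # plain volume cap per source
        self.requests[src].append(now)
        return True

    def record(self, now, src, status):
        """Feed the backend's answer back so repeated bad logins count against src."""
        if status == 401:
            self.failures[src].append(now)


def replay(log_text):
    """Run the gate over a log and report forwarded/dropped counts per source."""
    door = FrontDoor()
    stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for line in log_text.strip().splitlines():
        ts, src, _method, status = line.split()
        ts, status = int(ts), int(status)
        if door.admit(ts, src):
            stats[src]["forwarded"] += 1
            door.record(ts, src, status)     # only forwarded requests get an answer
        else:
            stats[src]["dropped"] += 1
    return dict(stats)


if __name__ == "__main__":
    for src, counts in replay(SAMPLE_LOG).items():
        print(f"{src:14} forwarded={counts['forwarded']:2} dropped={counts['dropped']:2}")
```

Running it shows the credential-guessing source being cut off after its third failure, the flooder capped at 8 requests in the window, and the legitimate phone passing through untouched. The real “storefronts” mentioned above do this at enormous scale and with far more signals than a per-address counter, but the principle is the same: absorb and judge the traffic before it reaches the doors of the shop.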
So do your web-based programs use a storefront with a million doors, coupled with a set of bouncers at each door tossing people that weren’t invited to the party?
Time to do some homework.