The massive DDoS attack came blasting in from the Internet in the form of a flood of invalid VoIP registration requests. The attack resulted in widespread service disruptions for a number of days in late March and cost the company hundreds of thousands of dollars in customer credits. After the attack was over, the facilities-based services provider, based in California and Nevada, took steps to boost security measures to seek to prevent any similar occurrence again, said Don Poe, TelePacific’s vice-president of network engineering.
But Poe, who spoke out about the massive DDoS attack during a presentation he made at the fall 2011 Comptel Plus Conference here, said he was sharing details about the attack because the pace of many types of DDoS attacks appears to be growing and the telecommunications industry isn’t sharing information about them as well as they might for the common good.
TelePacific, he said, sees a multitude of daily scans against its network, and low-level attacks can occur about twice a day. But the services provider had never before seen what happened in the March period when the normal level of 34 million SIP traffic registration requests for VoIP connections suddenly shot up to 69 million and “flooded our systems,” he said. “There was no calling ability.”
Comptel, the industry trade group for competitive communications services providers and their suppliers, says it does believe its membership is seeing an uptick in DDoS attacks and that’s why it scheduled the session panel on the topic that included Poe; Stacy Arruda, a supervisory special agent and cybercrime supervisor at the FBI; and Patrick Gray, principal security strategist at Cisco Systems Inc. [Nasdaq: CSCO].
In recounting the DDoS event against his company’s VoIP service, Poe said he did contact the FBI to report the attack, but he found out that TelePacific simply did not have the necessary event-analysis information that the FBI needed to be able to successfully pursue a case. “We were not prepared,” he said. “We didn’t capture enough information.” That situation has been rectified with new data-capture systems, he adds.
Much of the DDoS attack streams did appear to be originating from China. But even if a botnet based on compromised Chinese computers was the source of the attack, that does not necessarily mean that someone in China is the culprit originating it, though that is a possibility. Poe said there was no extortion threat accompanying the DDoS flood, and he has no idea who or what would decide to launch such a massive crippling attack against TelePacific and its customers.
In the aftermath, TelePacific turned to a number of firms, including Acme Packet and Arbor Networks, for help in security and network analysis.
But even installing Arbor’s PeakFlow anti-DDoS equipment isn’t the complete answer to the problem because when DDoS attacks are strong enough, PeakFlow can’t necessarily stop the worst of them, Poe added. And TelePacific still fights against denial-of-service attacks, which often originate as traffic coming from China and Africa.
FBI agent Arruda said many cases of network attacks which the FBI works on do appear to involve a financial motive. There have been a few cases that involved instances where a “competitor DDoSed a competitor” to make the competitor look bad. But that’s unusual. More commonly, the goal for the attacker appears to be stealing information of value through the incident. She urged service providers to join the local chapter of InfraGard, the FBI’s information-sharing organization with the private sector. She said to get to know FBI people and to get their cell number to call them the minute something happens.
Poe said there doesn’t seem to be sufficient information-sharing among services providers themselves about these types of serious attacks. Others agree.
The IT community doesn’t talk among itself enough about the serious problems occurring in terms of DDoS and other security events, said Gray, the Cisco security strategist. In contrast, he added, “The hacking community talks to each other all day long.” He said the service providers need to understand they are a target and they need to have a plan in place for this kind of devastating event.
“DDoS attacks and SYN floods are extraordinarily common today,” said Stacy Griggs, senior director at Cbeyond Cloud Services, a division of Atlanta’s Cbeyond Communications, which was attending the Comptel conference.
He said telecom providers in general seem to be reluctant to talk about the problem. In a cynical sense, Griggs even thinks some telecom providers can be seen as sometimes deriving revenue from DDoS floods that hit customers.
Griggs said that his company, which is a hosting provider, sees constant attacks against customer servers in which an attacker gains access to them or will brute force a password. The monitoring at his company does both inbound and outbound seeks to detect this, while also fending off some types of attacks with intrusion-prevention systems.
But Griggs pointed out that his own general practice also involves communicating about serious events with about half a dozen colleagues at other firms, including Hosting.com. “If I have a problem coming out of Hosting.com, I’ll call them,” he said. “We know each other. We call each other.”
DDoS and server hacking aren’t the only problems service providers face. Hackers are also trying to break into the computer-based funds-transfer systems that service providers have to their banks.
One conference attendee told the story of how just a few weeks ago, the chief financial officer at an undisclosed services provider was authorizing a payment transfer of more than US$180,000 from his computer, when suddenly a spam explosion of pop-ups erupted on it, and a second unauthorized transfer for the same dollar amount was zapped off to a bank in Hong Kong. Fortunately, the CFO was quickly able to recover the full amount that was stolen — minus the small charge for a wire transfer — due to this direct attack on the CFO’s computer.
Speaking on security, Arruda said, “The targeted email attack is the easiest way for the bad guys to get into the network.” Since we live in a world where much information is readily available, attackers are using methods such as combing through public information, including social-networking sites, to find out what they can about corporate employees and their jobs.
