In just two weeks, four leading global telecom providers found themselves at the receiving end of DDoS attacks that impacted their operations and caused outages and revenue losses. In early 2021, the telecom industry became the number one DDoS target, having jumped from sixth place in 2020. Though this industry is no stranger to DDoS attacks, the need for expert and purpose-built telecom security has never been more pressing.
Before we dive into the VoIP security measures you need to take to defend your company against DDoS attacks, let’s take a step back to understand what such an attack looks like in the context of telecom security.
The breakdown of a VoIP DDoS attack
A DDoS attack on a VoIP/UC system is when a large amount of traffic is directed at a particular SBC from single or multiple sources, causing a system overload that could result in the SBC restarting, showing performance issues, or even malfunctioning.
What is this traffic and how did it even reach the SBC? Shouldn’t your firewall be defending your SBC against this traffic?
Though SBCs are usually behind firewalls, a firewall blindly passes on the SIP traffic to the SBC simply because it doesn’t understand SIP. Additionally, a firewall’s traffic limits are much higher than what a SIP SBC can handle. So, even high volumes of SIP traffic from a specific IP address could end up going under the radar of the firewall’s traffic limits. This is an issue most current VoIP security models fail to account for.
As a result, it becomes solely the SBC’s responsibility to a) sieve the good traffic from the bad, and b) process the “good”.
The SBC’s role in protecting your SIP system from DDoS or TDoS attacks
To protect your telecommunication systems from bad traffic, the only thing the SBC has to do is ignore/block the bad packets that make up this traffic. Easy enough, right?
Not quite. There are multiple things an SBC needs to do. This includes:
- Limiting the SIP messages to be processed from an IP address to tackle single-source DoS attacks
- Limiting specific SIP messages to be processed from multiple IP addresses, based on the traffic
- Accepting packets from valid IPs (whitelisting) only
- Rejecting packets from known bad IPs (blacklisting)
- Accepting packets from endpoints with known certificates
- Blacklisting all the known malicious IP addresses
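The list above, combined into one SIP-aware admission check, as an added example (not code from any SBC product). The networks, limits and names such as `SipAdmission` are constructed for illustration. Unlike a firewall, the check keys its limit on the SIP method as well as the source IP:

```python
import ipaddress
from collections import defaultdict, deque

# Constructed policy values for illustration; real limits come from observed traffic.
DENY = [ipaddress.ip_network("203.0.113.0/24")]        # known bad sources (blacklist)
ALLOW = [ipaddress.ip_network("198.51.100.0/24")]      # valid peers (whitelist)
LIMITS = {"REGISTER": 5, "INVITE": 10, "OPTIONS": 20}  # per source, per window
WINDOW = 1.0                                           # sliding window in seconds

def sip_method(payload: bytes):
    """Return the method of a SIP request line, or None if it is not a request."""
    parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) == 3 and parts[2] == "SIP/2.0" and parts[0].isalpha():
        return parts[0].upper()
    return None

class SipAdmission:
    """Request admission only; responses are matched to transactions elsewhere."""
    def __init__(self):
        self.seen = defaultdict(deque)  # (source, method) -> recent arrival times

    def decide(self, src: str, payload: bytes, now: float) -> str:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in DENY):
            return "drop:blacklist"
        if not any(ip in net for net in ALLOW):
            return "drop:not-whitelisted"
        method = sip_method(payload)
        if method not in LIMITS:
            return "drop:unsupported-or-malformed"
        q = self.seen[(src, method)]
        while q and now - q[0] >= WINDOW:  # expire arrivals outside the window
            q.popleft()
        if len(q) >= LIMITS[method]:
            return "drop:rate-limit"
        q.append(now)
        return "accept"

def demo():
    """Constructed traffic: a REGISTER burst from one whitelisted source."""
    reg = b"REGISTER sip:pbx.example.test SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"
    adm = SipAdmission()
    burst = [adm.decide("198.51.100.7", reg, 0.05 * i) for i in range(8)]
    later = adm.decide("198.51.100.7", reg, 1.30)  # window has slid past the burst
    bad = adm.decide("203.0.113.9", reg, 1.30)
    junk = adm.decide("198.51.100.7", b"\x00\x01garbage", 1.30)
    return burst, later, bad, junk
```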
While the above are great security concepts, they have to be managed dynamically to be a valid defense. Given the dynamically evolving nature of the tactics and the tools attackers deploy, it is naive to believe that merely static methods will work.
So, what can you do to ensure your SBC is actually equipped to take attackers head-on and build a robust VoIP security strategy against DDoS attacks?
Your telecom security strategy needs a dedicated solution, not just for the tertiary security of your SBC, but to also ensure that your SBC’s traffic is analyzed in real-time, its configurations are dynamically modified and reconfigured, and that you have the latest, most reliable external threat intelligence to act on.
At Assertion, we’ve built the world’s first purpose-built SBC security solution in the market today. If you’re curious to learn how Assertion® SecureVoice™ handles the challenge of DDoS attacks, read on.
How Assertion® SecureVoice™ ensures comprehensive VoIP security for SBCs
Though DDoS attacks are just one of the different SBC attacks Assertion® SecureVoice™ handles, for now, let’s focus on DDoS.
Here’s what it does to protect you against DDoS attacks. The real deal, you’ll see, is in the details.
Its AI-powered engine:
- Analyzes your traffic on a time-of-the-day basis and determines the expected traffic to dynamically create a high water mark for the DoS thresholds
- Uses historical analysis to suggest DoS configuration changes based on the time of the year, taking into account the holiday, new year, festival, calendar, and more to pick up early signs of a DoS attack
- Looks at every packet that comes to the SBC in real-time to learn the source of the attacker. If it observes abnormal traffic from a particular source or if it finds that the SBC is rejecting too many packets from this source, the IP is graylisted for human review
- Learns the valid user ranges in your network and suggests ways to tighten up the URI filter, so you do not allow packets addressed to random extensions. This is a simple and effective way to save your SBC’s processing power.
- Learns the valid endpoint types / far-end devices that connect to your SBC and suggests the tightening of the UA filter, so you don’t allow unknown/unwanted devices to connect to your SBC.
- Blacklists IPs from the latest database of malicious or suspicious IPs.
- Detects if your certificate has been compromised – based on its usage, geo-location, the endpoint type, and the kind of traffic coming from its source.
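A sketch of the time-of-day high water mark and the graylist decision from the first and third items, as an added example that is not Assertion's code and makes no claim about how the product computes its thresholds. The mean-plus-k-standard-deviations rule, the ratios and all sample numbers are assumptions constructed for illustration:

```python
from collections import defaultdict
from statistics import mean, pstdev

def hourly_high_water_marks(history, k=3.0, floor=20):
    """history: (hour_of_day, messages_per_minute) samples from ordinary days.
    Returns {hour: threshold} with threshold = mean + k * stddev, at least `floor`."""
    by_hour = defaultdict(list)
    for hour, rate in history:
        by_hour[hour].append(rate)
    return {h: max(floor, round(mean(v) + k * pstdev(v))) for h, v in by_hour.items()}

def graylist(window, threshold, share=0.5, reject_ratio=0.8, min_msgs=10):
    """window: {source_ip: (messages_seen, messages_rejected)} for one minute.
    Returns sources to queue for human review; nothing is blocked here."""
    total = sum(seen for seen, _ in window.values())
    over = total > threshold
    flagged = {}
    for src, (seen, rejected) in window.items():
        if seen < min_msgs:            # too little traffic to judge
            continue
        if rejected / seen >= reject_ratio:
            flagged[src] = "mostly rejected by SBC"
        elif over and seen / total >= share:
            flagged[src] = "dominates traffic above high water mark"
    return flagged

def demo():
    # Constructed samples: (hour, SIP messages per minute) from ordinary days.
    quiet = [(3, r) for r in (12, 15, 10, 14, 11)]
    busy = [(10, r) for r in (400, 420, 380, 410, 390)]
    marks = hourly_high_water_marks(quiet + busy)
    # Constructed one-minute window: 300 messages in total from three sources.
    window = {"192.0.2.10": (260, 12), "192.0.2.20": (25, 24), "192.0.2.30": (15, 0)}
    return marks, graylist(window, marks[3]), graylist(window, marks[10])
```

The same 300 messages per minute stay under the 10:00 threshold but exceed the 03:00 one, so the dominant source is queued for review only at night, while the source whose packets the SBC mostly rejects is queued at either hour.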
Getting dynamic. To put it simply, that’s the reason why Assertion’s approach to VoIP security works where mere best practices and preventive steps fall short.
But most importantly, Assertion® SecureVoice™ is learning every minute — not just from your SBC but from every SBC that it studies. The power of this crowd-sourced threat intel ensures that you do not have to get impacted to become more secure. With every attack on every other SBC out there, your SBC becomes more robust.
It’s not just TDoS attacks that you need protection from; you need real-time threat protection against Toll Fraud, Telephony Denial of Service, Robocalls, Vishing, and Remote Worker Attacks. All this with complete visibility into attacks on your system as well as integration with your organization’s SOC practice and cybersecurity workflows.