
Wave of DDoS Ransom Attacks Target VoIP Services


Massive DDoS attacks have hobbled at least five VoIP (voice over internet protocol) providers in the UK, Canada, and the US in recent weeks, with significant consequences for their customers, including resellers as well as end-users.

The effects of the attacks have included outages or degradation of inbound and outbound voice calls and SMS services, portal and portal API timeouts and intermittent loss of Internet connectivity. In some cases, the impairments lasted for days as the victimized providers worked to deal with the attacks.

VoIP services are prime targets for DDoS attackers. They are easily accessible, as their traffic is routed over the Internet and their servers and endpoints must be publicly available. Because VoIP traffic is real-time, it is also highly sensitive to the degradation and latency that an attack causes.

Moreover, because a single VoIP attack can affect hundreds or thousands of enterprises, the resulting turmoil creates heightened urgency to stop the attack, making these services particularly attractive targets for cybercrooks demanding a ransom.

With DDoS extortion attacks on the increase generally, most experts believe the attacks are likely to continue, targeting additional providers in the coming weeks and months.

If your enterprise relies on VoIP, expect that your service could be disrupted by one of these attacks if it hasn’t been already. Unfortunately, because the outages occur at the provider level, there is little that you as a customer can do directly to prevent an attack from affecting your service.

However, you can ask your provider about the DDoS protections they have in place, and whether they have made specific preparations to deal with this current wave of DDoS ransom attacks and the particular methods the attackers have employed (see below).

In addition, since DDoS ransom attacks against all targets have increased dramatically in recent months, you should make sure your enterprise is prepared for the possibility of a direct attack on your assets. Our recent whitepaper, DDoS Disruption Impacts, describes in greater detail how the DDoS threat has evolved and outlines options for protecting your critical digital assets.

More on the attacks. The current wave of VoIP attacks began at the end of August 2021, and struck three providers in the UK including Voipfone, Voip Unlimited and a third, unnamed company. The attack on Voipfone was launched on an August 30 bank holiday. Customers were still dealing with outages four days later, after the company reported a second, additional attack.

Voip Unlimited was hit on August 31 by an “alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand,” according to a statement the company released. The statement also reported that the UK Comms Council, an industry organization, had informed the company that other UK SIP (session initiation protocol) providers had been affected.

On September 16, Canadian provider VoIP.ms was hit by a large attack that lasted a week and took down almost all service and portals, directly affecting voice calls for many of the company’s 80,000 customers in 125 countries. The attackers initially demanded one bitcoin (roughly US$42K), but dramatically raised their demand to 100 bitcoins (US$4.2M) in a profanity-laced communication issued two days into the attack.

The attack initially targeted the company’s infrastructure, including its DNS name servers. Customers were then advised to modify their HOSTS file to point directly at the IP address, bypassing DNS resolution. In an indication of the attackers’ sophistication, however, they responded by launching new attacks directly at the IP address.

Another attack was launched on September 25 against Bandwidth.com, a leading US provider for many prominent VoIP services. The company initially remained tight-lipped about the attack, finally issuing a statement on October 5 noting that its network had been largely stable since the evening of September 29, and operating at normal service levels.

Attackers and methods. In the first three attacks, the extortionists claimed to be REvil, an infamous ransomware operation that recently reappeared after vanishing in July 2021. However, since REvil is not known for either DDoS attacks or public ransom demands, most experts believe the current VoIP attackers are simply using their name to intimidate victims.

Neustar’s DDoS experts have noted that this wave of VoIP-specific DDoS attacks has frequently targeted SIP, specifically through SIP invite (request) floods or specially crafted and malformed SIP packets. However, VoIP providers are also vulnerable to broader DDoS techniques such as DNS amplification/reflection and other types of UDP floods.
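As an added illustration (not Neustar's code or any provider's tooling), the sketch below shows how a defender might flag the two SIP-specific patterns named above at a SIP edge: bursts of INVITE requests and bursts of malformed messages from one source. The thresholds, addresses and sample packets are constructed assumptions, and the validity check is a simplified reading of RFC 3261.

```python
import re
from collections import defaultdict, deque

# Simplified RFC 3261 checks: request-line shape plus the six mandatory request headers.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}  # compact header forms

def classify(payload: bytes) -> str:
    """Return the SIP method, 'response', or 'malformed' for one UDP payload."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8").split("\r\n")
    except UnicodeDecodeError:
        return "malformed"
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "response" if lines[0].startswith("SIP/2.0 ") else "malformed"
    names = {line.partition(":")[0].strip().lower() for line in lines[1:]}
    seen = {COMPACT.get(n, n) for n in names}
    return match.group(1) if REQUIRED <= seen else "malformed"

class SipFloodDetector:
    """Per-source sliding-window counters; the default thresholds are illustrative."""
    def __init__(self, window=1.0, max_invites=20, max_malformed=5):
        self.window, self.seen = window, defaultdict(deque)  # (src, kind) -> timestamps
        self.limits = {"INVITE": max_invites, "malformed": max_malformed}
    def observe(self, ts, src, payload):
        kind = classify(payload)
        if kind not in self.limits:
            return None
        q = self.seen[(src, kind)]
        q.append(ts)
        while ts - q[0] > self.window:   # drop timestamps older than the window
            q.popleft()
        return kind if len(q) > self.limits[kind] else None

def make_invite(n):  # constructed sample packet
    return (f"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK{n}\r\n"
            f"Max-Forwards: 70\r\nFrom: <sip:a@example.org>;tag={n}\r\nTo: <sip:bob@example.com>\r\n"
            f"Call-ID: {n}@example.org\r\nCSeq: 1 INVITE\r\n\r\n").encode()

def run_sample():
    det, alerts = SipFloodDetector(), set()
    traffic = [(i * 0.01, "203.0.113.9", make_invite(i)) for i in range(30)]   # INVITE burst
    traffic += [(i * 1.0, "192.0.2.10", make_invite(i)) for i in range(3)]     # normal caller
    traffic += [(i * 0.01, "203.0.113.50", b"INVITE sip:x SIP/9.9\r\n\r\n") for i in range(8)]
    for ts, src, payload in traffic:
        alerts.add((src, det.observe(ts, src, payload)))
    return sorted(a for a in alerts if a[1])
```

Because SIP commonly runs over UDP, source addresses can be spoofed, so per-source counters like these are one signal to combine with aggregate rate monitoring rather than a complete defence.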

Neustar’s DDoS solutions use SIP-specific countermeasures to mitigate the threat of SIP invite floods or malformed SIP packets, while also addressing the more common DDoS attack vectors. Our mitigation capacity totals 12.5 Tbps distributed across fourteen DDoS and application security nodes around the world.

If you’d like to discuss these attacks in more detail, or learn more about how Neustar can help protect your enterprise (or VoIP provider) against DDoS attacks, please email us.
