In the afternoon on September 25th, when Bandwidth.com first began reporting cases of service failures, they were unaware of the attack’s scale. Once it became clear that these reports announced the first signs of a massive, orchestrated attack, it was understood: this was the latest in a string of distributed denial of service (DDoS) attacks pillaging supply chains and networks across the globe unchecked.
Our industry is no stranger to attacks. But this one was felt deeply across the VoIP world. Bandwidth.com’s status as a top telephony provider in the US leaves the industry reeling and many execs questioning the integrity of their own security systems.
DDoS attacks occur when assailants attempt to overwhelm a target by flooding it with traffic from multiple sources. These attacks are not new by any means, but in terms of attack duration and persistence, the attack against Bandwidth.com has no precedent. Five days passed before service levels were fully restored.
Several variations of DDoS attacks exist, each with its own characteristics. Some are capable of launching simultaneous attacks of varying intensities against a target, while others generate one type of attack at any given time. Presently, there exists equipment that enables users to manage botnets on an industrial scale. (In order to create truly massive DDoS attacks, malware can infect hundreds of thousands or even millions of devices.)
When DDoS attacks are combined with VoIP and video conferencing tools, the risks to both companies and consumers alike increase exponentially. The cyberattack/cybersecurity battle has always been a game of cat and mouse, but the Bandwidth.com attack is a grim reminder that, in a world that exists online, the battle to secure our networks affects all people.
This attack is particularly harrowing for VoIP providers, demonstrating how susceptible telephony systems are to massive waves of network traffic. When DDoS-for-hire services meet centralized data centers serving millions of users, the potential exists to create global blackouts.
The DDoS threat looming over VoIP providers has driven many companies to outsource their security or purchase specialized equipment designed specifically to counteract bandwidth-sapping cyberattack techniques. These measures, however, provide but a marginal boost to existing security systems, and are not immune to debilitating DDoS strikes.
It’s clear security is the aim — but this is not new. Why is it that advancements in security seem always to be one step behind cyberattack sophistication?
DDoS services are easily accessed, and the majority of attacks still go undetected. DDoS mitigation tools alone will not put a stop to the threat these attacks present.
Purchasing the newest iterations of equipment seems an equally ineffective approach: they do nothing more than fortify existing systems. New equipment grants systems bulk, not brains, beefing up a system instead of teaching it a new way to approach a problem it has yet to solve. We may be able to withstand Bandwidth’s DDoS attack today, but tomorrow will bring an entirely new level of cyberattack sophistication, likely delivered by means still unknown (maybe IoT botnets?).
If we want to address the problem as an industry, the effort will have to be exhaustive. It’s time to rethink our entire network infrastructure: start at routing protocols and run all the way up through service delivery models.
The system is insufficient. Let’s develop a better system.
The Bandwidth.com attack highlights the inherent vulnerabilities in VoIP technology and public telephony systems globally. Given industry reliance on central data centers and high-bandwidth consumption rates, DDoS mitigation tools cannot completely protect against orchestrated attacks. We must rethink our network infrastructure and security protocols in order to truly address DDoS threats.
The tools at our disposal — any tools, it would seem — aren’t enough. The very systems that power our industry need a complete redesign. It won’t be easy, but given the breakneck speed with which we employ shiny new tools that remain ineffective, perhaps difficult is promising.
This one hurt. The question time will answer is whether the attack stung enough to spur VoIP into action, or whether enhancing the strength of an outfoxed system will allow the DDoS threat to remain at large.