Understanding the evolution of DDoS attacks in the telecoms sector (Reader Forum)

DDoS attacks have been plaguing telcos for over 25 years. For communications service providers (CSPs), the potential for an attack is nothing new. Typically, telco DDoS attacks are large and only getting bigger. For example, the average size of one of the most common types, HTTP flood attacks, has increased by over 180% in the last year. Yet, while most attacks have this size in common, the methods attackers use can vary massively. So, what forms are these new DDoS attacks taking, what’s the impact on telcos, and how can they be stopped?

The downtime disaster

While DDoS attack methods and vectors have evolved and diversified over time, the result that attackers aim for remains mostly the same – overloading their target to bring them offline. According to a recent report, the two most common DDoS attacks currently being used are HTTPS Floods and NTP Amplifications. HTTPS Floods accounted for one out of five attacks last year, exhausting servers by overwhelming them with answer requests to trigger downtime. The second most common, NTP Amplifications (accounting for one in four attacks), work similarly, exploiting a time-keeping protocol to flood the server with excessive data to cause downtime.

These days, downtime can be a death knell for any DDoS attack victim, let alone CSPs. On average, an hour of downtime for larger businesses will cost them around one million pounds or often more – in 2019, Facebook’s 14-hour outage cost them $90 million. While there are many potential big business targets, telcos are particularly attractive due to their gradual evolution from traffic carriers to digital enablers. They now underpin most other business and critical infrastructure, making them tempting targets.

The other attribute that makes telcos vulnerable to DDoS attacks is the large impact zone of downtime. If a service provider is hit by one of these attacks and has service-critical functions compromised, all of their customers could effectively be taken out. While impacting those reliant on that connectivity, this method could also be used as a precursor to more advanced attacks with national security threat potential. Any downtime can be incredibly costly from a customer perspective – the Optus outage this year led to nearly half a million dollars being claimed in compensation by affected customers. 

DDoS in a haystack: The rise of Bits and Pieces attacks 

While ‘traditional’ DDoS attacks can be lethal enough for a telco, a more specialised technique has come into play that is uniquely suited for use on CSPs – bits and pieces attacks (sometimes known as carpet bombing). They function similarly to the ‘traditional’ DDoS attack, except instead of flooding a single system with an overwhelming number of requests, they ‘hide’ the excess traffic by spreading requests across an entire network.

By dispersing smaller packets of requests across multiple hosts, the attack becomes far more challenging to detect as it can hide amongst the legitimate traffic, evading detection from regular cybersecurity methods such as thresholds and firewalls. 
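An added illustration (not part of the original article) of why a static per-host threshold misses this pattern while per-prefix aggregation against a baseline catches it. The thresholds, the /24 aggregation granularity and every traffic figure below are constructed assumptions, using documentation address ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

PER_HOST_LIMIT_MBPS = 100  # assumed static per-destination threshold
PREFIX_FACTOR = 2.0        # assumed: alert when a prefix exceeds 2x its baseline
PREFIX_LEN = 24            # assumed aggregation granularity

def prefix_totals(samples):
    """Sum per-destination Mbps into totals per covering prefix."""
    totals = defaultdict(float)
    for dst, mbps in samples.items():
        totals[ip_network(f"{dst}/{PREFIX_LEN}", strict=False)] += mbps
    return totals

def per_host_alerts(samples):
    """Destinations whose own traffic exceeds the static per-host limit."""
    return sorted(d for d, mbps in samples.items() if mbps > PER_HOST_LIMIT_MBPS)

def per_prefix_alerts(samples, baseline_samples):
    """Prefixes whose summed traffic exceeds PREFIX_FACTOR x their baseline."""
    baseline = prefix_totals(baseline_samples)
    return sorted(
        str(prefix) for prefix, total in prefix_totals(samples).items()
        # A prefix with no baseline (0.0) alerts on any traffic at all.
        if total > PREFIX_FACTOR * baseline.get(prefix, 0.0)
    )

def build_samples():
    """Constructed data: a normal interval and an attack interval."""
    normal = {}
    for i in range(1, 201):
        normal[f"203.0.113.{i}"] = 20.0   # customer block A, 20 Mbps per host
        normal[f"198.51.100.{i}"] = 20.0  # customer block B, 20 Mbps per host
    normal["192.0.2.10"] = 20.0
    attack = dict(normal)
    for i in range(1, 201):
        attack[f"203.0.113.{i}"] += 30.0  # dispersed: +30 Mbps on every host in A
    attack["192.0.2.10"] += 500.0         # single-target flood, for contrast
    return normal, attack

if __name__ == "__main__":
    normal, attack = build_samples()
    # Each host in block A sits at 50 Mbps, under the per-host limit,
    # yet the block as a whole carries 10,000 Mbps against a 4,000 baseline.
    print("per-host alerts:  ", per_host_alerts(attack))
    print("per-prefix alerts:", per_prefix_alerts(attack, normal))
```
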

While this method of attack might appear less dangerous since it tends not to take its target offline, the overall impact can be far worse than it seems for telcos. The contaminated traffic clogs up the IP, potentially degrading the Quality of Service (QoS) to the point where QoS agreements with customers are breached.

As connectivity providers, the impact of these attacks is felt by telcos and their customers, with knock-on effects on trust and reputation, not to mention the financial loss incurred. They could be seen as having unreliable service, potentially leading to a loss in future business, and customers could claim compensation for having their QoS agreements breached. 

The risk that bits and pieces attacks pose only worsens as network traffic rises with the implementation of 5G and new data-hungry applications such as AI. Telcos will already be under pressure to deliver the networks needed for the future before the threat of these attacks is even considered. Put plainly, bits and pieces attacks are a dangerous threat that CSPs can’t afford to ignore against increasing service demands. 

Silver linings 

Although telcos have been mitigating against DDoS attacks for years, the number of factors they must consider has risen dramatically. With the amount of traffic passing through networks set to increase due to AI and 5G developments, DDoS attacks will also have much more legitimate traffic to hide in. Just as threat detection becomes infinitely more crucial, it’s set to become infinitely more complicated. 

Telcos should be protecting against these attacks, but there is a balance to find between under- and over-protecting. Too little protection would leave telcos open to attack, yet too much can be its own kind of financial drain. False positives, where legitimate traffic is incorrectly identified as malicious, are just as problematic as attacks. So, while using a positive security model may effectively protect CSPs, it may be at the expense of their customers.

However, there is an upside to this new era of CSP-focused DDoS: the financial benefits that telcos can unlock from securing their networks effectively. Those who thoroughly embrace DDoS protection and integrate it into their product offering could expand from just connectivity providers to managed security service providers. It can be a route to diversifying the business model, creating a new revenue stream and turning a security problem into financial gain. 

ABOUT AUTHOR

Sean Kinney, Editor in Chief
Sean focuses on multiple subject areas including 5G, Open RAN, hybrid cloud, edge computing, and Industry 4.0. He also hosts Arden Media's podcast Will 5G Change the World? Prior to his work at RCR, Sean studied journalism and literature at the University of Mississippi then spent six years based in Key West, Florida, working as a reporter for the Miami Herald Media Company. He currently lives in Fayetteville, Arkansas.