VoIP.ms Battles Week-Long Sustained DDoS-for-Ransom Attack (bleepingcomputer.com) 37
Slashdot reader Striek writes: VoIP.ms, a Canadian VoIP provider [also serving the US], has been under a sustained, and presumably massive, DDoS attack which started on September 16th, 2021. The attack has been disruptive enough to be covered by major media outlets, including Hacker News, ZDNet, Ars Technica, BleepingComputer, CTV News, and The Toronto Star.
They have so far refused to pay a ransom demand, which has grown from 1 bitcoin at the outset ($45,000 USD at that time), to 100 bitcoin now, or $45 million. Similar attacks have occurred recently on several UK-based VoIP providers.
With DDoS attacks against VoIP infrastructure difficult to defend against, or at least more difficult than your bog-standard denial of service, this may be setting a worrying trend.
Bleeping Computer reported Monday that the attack was "severely disrupting the company's operation": As customers configured their VoIP equipment to connect to the company's domain name, the DDoS attack disrupted telephony services, preventing them from receiving or making phone calls. As DNS was no longer working, the company advised customers to modify their HOSTS file to point the domain at their IP address to bypass DNS resolution. However, this just led the threat actors to perform DDoS attacks directly at that IP address as well.
To mitigate the attacks, VoIP.ms moved their website and DNS servers to Cloudflare, and while they reported some success, the company's site and VoIP infrastructure still have issues due to the continued denial-of-service attack.
ZDNet has been following the story: In an update on Wednesday, VoIP.ms apologized to customers and confirmed it was still being targeted by what it described as a 'ransom DDoS attack'. VoIP.ms says it has over 80,000 customers in 125 countries.
And in addition, this afternoon the company's Twitter account announced that "Our main U.S. upstream carrier is currently experiencing major issues on their network affecting inbound and outbound calls and messaging to US numbers. We have already been in contact with their senior leadership team and they are on it along with their whole NOC."
Somebody can't multiply (Score:2, Informative)
Re:Somebody can't multiply (Score:4, Informative)
That would be me. I meant $4.5 million.
What a difference a dot can make.
Re: (Score:2)
Mistakes with periods have been the ruin of many men.
Re:Somebody can't multiply (Score:5, Funny)
That would be me. I meant $4.5 million.
What a difference a dot can make.
Without it, this place would just be /
Re: (Score:2)
Technically, that is not the multiplication that was done here. There were 2 multiplications:
1 * bitcoin price at onset
100 * bitcoin price today
Perhaps the OP is a bitcoin optimist hoping that by the time people read this, the "bitcoin price today" will be 10x what it was a couple of weeks ago ;-)
Return to sender. (Score:4, Funny)
This is one of the few times one wishes the internet carried high voltages. Make the attackers' computers blow up like a Star Trek bridge console.
Re: Return to sender. (Score:4, Insightful)
I think it would be more feasible to legislate that ISPs use reverse path forwarding to prevent spoofing, then mandate they disconnect anybody participating in a DDoS until they fix their shit. Inbound foreign DDoS is considerably easier to deal with.
Re: (Score:2)
How well is that going to work out for time-sensitive communications like audio?
Re: (Score:2)
???
How would this slow it down?
Re: Return to sender. (Score:2)
The point is to kill off the possibility of a DDoS from being able to accomplish anything. That would have the additional benefit of making the internet have less of a need to be centralized into bigger providers that have the money to deal with DDoS attacks.
Re: (Score:2)
SIP breaks rather easily [rtcsec.com].
so who cares? (Score:1)
this is supposed to be worrying but i find it very difficult to be sympathetic to a company that provides an unlimited amount of annoying scam calls to my cell phones.
Re: (Score:2)
Some of the companies in this category are unethical, but my understanding is Voip.ms actually does a pretty good job of screening customers and source number resolution. They do make it easier for scammers to cycle through telephone numbers, but I don’t think they support that on a massive scale.
(I’m a customer for a few phone numbers I use for local area code and to manage commercial calls; my cell phone has an out-of-area code prefix which makes for a hassle in a few situations.)
*I* care! (Score:4)
this is supposed to be worrying but i find it very difficult to be sympathetic to a company that provides an unlimited amount of annoying scam calls to my cell phones.
As others are quick to point out, not every VoiP provider is complicit with phone scammers.
I've been with VoIP.ms for over 5 years, and I've been very satisfied with their service - they're feature-rich, which is an excellent option for DIY'ers like me to set up my phone system as I like, all this for a fraction of the price I used to pay Ma Bell before for far less functionality.
I'll continue to be their customer a long time after this has passed.
Re: (Score:2)
I agree some VoIP providers make things easy for spammers... voip.ca are not one of them. I've been a customer for years ever since I ditched the overpriced mess called Ringcentral, and I'm often impressed at the efforts they've put into security and authentication that go beyond what I've seen from any other provider. Unfortunately the technology isn't perfect, and much work has to be done, as is true with most of the Internet. These guys are a cut above the rest, which is why I fear they are being tar
Seems to beg for a customer white-list (Score:2)
I happen to have a few Voip.MS numbers, and noticed they were offline. It’s cheap, so I don’t expect much from them, but it has been a huge help at times to have their service. While I get that it is a little harder to manage than a more traditional DDoS, it wouldn’t seem like it should be that resource intensive to whitelist customers for static IP/server use, and have a backup VPN for dynamic/direct application access. You could even charge more for the latter category maybe it would b
Re: (Score:2)
Whitelists sound great, until my softphone tries to register from your hotel WiFi. VoIP.ms does a lot more than basic SIP trunking.
Re: (Score:2)
Sure, but are you registering directly with your device from hotel wifi, or do you have the registration terminated by a third party and “pushed” to you securely? (I use Bria, which acts as a middleman that could easily be whitelisted.) If I was using a laptop, I would want to have a server ~somewhere~ that handles the calls when it is suspended. Using their voicemail should really just be a last-ditch fallback.
Re: (Score:1)
Re: (Score:2)
You might be right; their push notification service originally sounded like a middleman, but the connection looks more local.
Re: (Score:2)
Except the whitelist would have to be managed by an upstream provider that has much more capacity and be able to absorb the excess traffic.
I manage some services hosted by the same data center as some of voip.ms's equipment and we got collateral side effects from the DDoS, so even the datacenter itself seems to be struggling with the load.
Not only that but SIP itself is going to always be problematic. It poses some of the same challenges as FTP, but over UDP. The control channel is established between 2 hosts,
Re: (Score:2)
Specific to Voip.ms, and I imagine many similar companies, they have POPs distributed throughout their service areas, so it still shouldn’t be that hard to distribute the workload even if they have to go upstream for some of it.
Re: (Score:2)
I have directly experienced a UDP flood attack against DNS infrastructure, probably a reflection/amplification type.... it is a nasty attack.
White lists do not help. If the traffic hits your uplink, you are screwed. The only way you can possibly deal with this type of attack is at the ISP level (before your uplink) or through a cloud provider like CloudFlare. Make sure your checkbook is prepared.
It was an interesting experience and would have almost been fun if the Executives had not been breathing down
$4.5 M would hire a lot of Blackwater-style agents (Score:3)
Just saying.
It's a fucking TLD (Score:1)
Re: (Score:1)
Tracing an on-going attack should be easier (Score:2)
I understand that what cyber cops there are will have trouble tracing who hacked a company in the recent past to ransom their data, but surely something can be done about an on-going DDOS attack. Sure, they're going to be based internationally but even so ...
Re: (Score:2)
The internet is broken at a fundamental level (Score:3)
DDoS is a built in feature of the internet ... time to just relegate the old internet traffic to a low QoS and start Internet 2.0 with more sane design parameters for an adversarial environment.
Mandatory ingress/egress filtering for every service provider and allowing IP range owners to force firewall rules upstream to the ISP of the spammer would make compromised/amplifying devices the problem of the owner of that device (who will get fucked by his ISP as punishment for loading up the firewall with rules) instead of everyone else's.
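The reverse path forwarding check and provider-edge ingress filtering raised in the comments above, as an added sketch that is not part of any poster's comment: a strict-mode check on customer-facing ports drops packets whose source address would not be routed back out the interface they arrived on. The forwarding table, interface names and addresses are constructed for illustration (documentation ranges only).

```python
import ipaddress

# Constructed forwarding table for a hypothetical ISP edge router:
# prefix -> interface the router uses to reach that prefix.
FIB = {
    "203.0.113.0/24": "cust0",     # customer A's assigned block
    "198.51.100.0/24": "cust1",    # customer B's assigned block
    "0.0.0.0/0": "transit0",       # default route to the upstream
}
ROUTES = sorted(
    ((ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()),
    key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

# Strict reverse-path checking is enabled on customer-facing ports only.
URPF_STRICT = {"cust0", "cust1"}


def reverse_path(src):
    """Interface the router would use to send a reply to src."""
    addr = ipaddress.ip_address(src)
    for net, ifc in ROUTES:
        if addr in net:
            return ifc
    return None


def urpf_accept(src, in_ifc):
    """Accept only if the best route back to src leaves via in_ifc."""
    if in_ifc not in URPF_STRICT:
        return True
    return reverse_path(src) == in_ifc


# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("203.0.113.7", "cust0", "customer A using its own address"),
    ("198.51.100.9", "cust0", "customer A forging customer B's address"),
    ("192.0.2.53", "cust0", "customer A forging an outside address"),
    ("192.0.2.53", "transit0", "genuine inbound traffic from upstream"),
]


def evaluate():
    return [urpf_accept(src, ifc) for src, ifc, _ in PACKETS]


def dropped():
    return [desc for (src, ifc, desc) in PACKETS if not urpf_accept(src, ifc)]


if __name__ == "__main__":
    for (src, ifc, desc), ok in zip(PACKETS, evaluate()):
        print(f"{ifc:9} {src:13} {'pass' if ok else 'DROP'}  {desc}")
```

Strict mode assumes symmetric routing on the port where it is enabled; a multihomed customer whose return path uses a different link would see legitimate traffic dropped, which is why the check belongs on single-homed access ports.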
Re: (Score:1)
re (Score:1)