Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Donny Chong, Director, Nexusguard, updates us on the DDoS security threat and what can be done about it.

Distributed Denial of Service (DDoS) attacks have existed for nearly as long as the internet. For telcos, the threat is nothing new. Yes, hackers are becoming more sophisticated, but this is the only direction of travel for cyber threats. Perhaps more importantly, as the telecoms industry continues to evolve, the stakes are changing too.

A tempting target 

The first ever DDoS attack was against a telecoms company in 1996 via a SYN flood on an ISP. Fast forward to today, and while many things have changed in the DDoS space, if you look at the big picture, more things have stayed the same. SYN floods, attacks that send a torrent of connection requests, still occur. Of course, as technology and defences have changed and improved, attack types and vectors have adjusted. According to a recent report, HTTPS Floods are now one of the most common attacks, making up more than one in five DDoS attack vectors. But the broad strokes are the same: attackers look for whatever vector, protocol or method they can exploit to bring down their target. The rules of engagement haven’t changed.

So why should telcos care? While the game might be the same, the stakes are so much higher for operators or communications service providers (CSPs). This is because telecoms has changed significantly in the quarter-century since DDoS began, becoming nearly unrecognisable. In that time, telecoms companies have transitioned from fixed traffic carriers to cloud-powered technology enablers. Telecoms underpins practically all business and critical infrastructure, and internet or data connectivity has become its bread and butter, rather than traditional voice services. This makes it a more tempting target than ever. A recent report from Zayo showed the telecoms industry was hit with almost half of all its recorded DDoS attacks in the first half of 2023.

The Devil’s in the detail 

While at a high level, most companies are aware of the threat of DDoS, the Devil is in the detail for service providers. The number of tools attackers have in their arsenal is bigger than ever, and with telecoms networks, the target is huge, so they are spoilt for choice regarding surface area and attack entry points.

While the most popular attack types, such as NTP Amplification, Memcached Attacks and the HTTPS Flood mentioned above, can all be targeted at CSPs, some methods are unique to communication companies. One of these attack types is particularly damaging because it exploits the large scale that telecoms operate on rather than pinpointing a single server or Internet Protocol (IP).

“Carpet bombing” or “Bits and Pieces” attacks send mass junk traffic across a CSP network. Rather than overloading a single IP with a large traffic volume, it disperses smaller packets across a wide pool of IP addresses or prefixes. This stealthy attack targets multiple hosts and is designed to evade detection from devices like firewalls, load balancers or thresholds. The attack traffic blends in with the legitimate, making many small drops in the ocean rather than one noticeable splash.

When they go undetected, these attacks often heavily degrade the service, rather than taking it offline altogether. The large-scale convergence of polluted traffic towards a single IP prefix often exceeds the capacity limits of generic mitigation devices, leading to high latency or deadlock at worst.

The prevention paradox      

While mitigating against DDoS attacks has been on telcos’ priority lists for the past few years, the amount of things they have to consider as part of this has increased enormously. With more traffic coming through these networks thanks to 5G, AI and other advancements, threat detection is more important than ever, but attackers have so much more space to hide.

DDoS prevention has always been a balancing act. Financially, it's about finding the line between over- and under-spending. But when it comes to prevention, a balance must be struck between blocking as much fake traffic as possible without creating too many false positives - legitimate traffic incorrectly identified as malicious and blocked. False positives can cause as many problems as attacks, so CSPs using a positive security model (similar to zero-trust) may effectively prevent attacks at the expense of their customers.

Of course, failure to adequately block this malicious traffic can hurt customers just as badly, if not worse. In today’s ultra-connected world where telecoms services underpin everything, downtime can be the death knell for CSPs. Reputation also matters here, if a network experiences a major outage, organisations may think twice about relying on it for mission-critical services. But it is not just downtime that loses customers, “Bits and Pieces” attacks can clog and congest the network when left undetected, damaging the Quality of Service to such a degree that CSPs can drop below the levels agreed with customers in their QoS agreements.

With the volume of traffic that telcos have to sift through, AI is rightly seen as a potentially game-changing tool for threat detection. While AI will undoubtedly be hugely significant in the DDoS space in the coming years, as with any new technology in cyber security, it will be employed by both sides of the struggle. In many ways, AI is better suited to aid attackers as you can present specific scenarios or environments for automating attacks or vulnerability detection. AI is the latest example of things changing yet staying the same in DDoS prevention. The tools are evolving, but the technology race and endless cat-and-mouse game remain the same.

The old adage about crisis and opportunity is true here, however. CSPs who get DDoS protection right can actively turn it into a business gain. This goes way beyond simply standing out from competitors with superior DDoS credentials. Just as telcos have capitalised on technology advancements such as the cloud, 5G and AI, those that embrace and add DDoS protection as part of their digital transformation journeys stand to benefit most as their customers come to see them as managed security service providers. By offering these defences directly to their end customers as part of a cloud-in-the-box DDoS solution – on top of securing the overall network – CSPs can diversify their business model, adding a new revenue stream and turning their DDoS problem into business gain.

Donny Chong, Director, Nexusguard, has over fifteen years of experience assisting ISPs worldwide to productise anti-DDoS services in their local markets. Donny played a key role in defining Nexusguard's managed DDoS protection services for both the communication service providers (CSPs) and enterprise customers.