Telecom industry players have been experiencing major transformations, with 5G and IoT, among others, resulting in new revenue opportunities and value streams. But alongside these are an increased security risk and pressure that require every telco to create a better defense mechanism.

If you come to think about it, a successful cyberattack on a telecom operator could disrupt Internet service for millions of consumers, affect business operations, and worse comes to worst, shut down government operations.

Thus, communication networks need to be resilient, especially as the scope, variety, and complexity of current cybersecurity threats are increasing exponentially. These include distributed denial of service (DDoS) attacks which are among the most common that telcos need to dodge on a daily basis.

According to Nexusguard, roughly 65% of the global DDoS attacks in 2018 were aimed at communication service providers (CSPs). This shows the high susceptibility to security concerns within telecoms due to its interconnected nature.

What are DDoS attacks?

DDoS is a common form of cyberattack that has grown in frequency and sophistication over the last 10 to 15 years. As a result, this simple attack can be devastating to enterprise companies and service providers alike if not managed properly.

To put it simply, DDoS is a malicious attempt to disrupt the normal traffic of a targeted server, service or network. By using individual devices (bots) as well as a group of bots (botnet), the target or its surrounding infrastructure can be flooded with traffic through a spoofed IP address.

To illustrate, a DDoS attack is like an unexpected traffic jam clogging up the highway. It prevents the cars from having regular traffic, delaying their arrival to their specific destinations. How? Once a botnet has been established, the attacker can send a set of requests to the vulnerable services, hitting the target simultaneously.

On a macro scale, DDoS attacks can happen on domain name services (DNS), network time protocol
(NTP), and simple service discovery protocol (SSDP). All of these are widely available services, making them easy targets. Upon distribution of an abnormal amount of traffic, the network will be affected.

These result in the ‘denial of service.’ Networks can shut down and encounter technical issues if DDoS attacks are successfully deployed. In addition, more sophisticated DDoS attacks are used quite effectively to degrade firewalls and intrusion prevention systems (IPS) and serve as distraction for a greater infiltration threat.

How DDoS affects telcos?

Based on Kaspersky’s DDoS report, the longest DDoS attack during the Q2 of 2019 lasted 509 hours. This was measured based on the commands received by bots from command and control servers. Roughly 21 days, in the digital age, this security breach can spell disaster on many levels — negate a company reputation, damage confidence, and cause massive loss of revenue.

Nowadays, telecom service providers are the life-blood of modern consumers and enterprises as the demand to be connected 24/7 is becoming a necessity. Thus, being affected by DDoS attacks can obviously disrupt the line of business within the telco industry.

According to Akamai, the Internet and telecom sector is among the industries that experienced the biggest spike in DDoS attacks in 2020, a 210% increase over 2019. By and large, for the first time in history, the annual number of DDoS attacks cross the 10 million threshold in 2020 and regionally, the attack frequency in EMEA in the same year was 3.71 million, with a peak volume of 586 Gbps and 7 days peak duration.

These attacks consumed huge amounts of network throughput and bandwidth and increased costs for both ISPs and enterprises. As an example, Telecom Norway suffered a ransomware DDoS (rDDoS) attack by profit-motivated cybercriminals who demanded 20 bitcoin (approximately $1 million as of April 2021) in order not to repeat and continue the attacks.

In a traditional telecom environment, many physical devices or appliances have application-specific integrated circuits (ASICs) that can be tailored to meet the exact requirement for the product using the circuit, such as a switch, router or firewall. ASICs are very stable and are built to manage peaks and increases in network traffic, providing a strong resistance to DDoS attacks.

However, many telcos now adopt network function virtualization (NFV) that moves network functionality away from physical appliances and runs them in software on CPUs. This shift makes way for increased vulnerability such as the high traffic volume loads that exist in a DDoS attack.

In line with this, the impact of DDoS attacks for telcos include reduced network capacity, degraded performance, increased traffic exchange costs, and disrupted service availability. Moreover, although 5G-enabled devices can deliver more computing power and speed, these architectures will expand the attack surface and create new challenges for managing DDoS risk.

DDoS mitigation

The evolving nature of DDoS attacks calls for the need for formal mitigation strategies at many organizations, including telcos. "DDoS is a relatively simple attack to orchestrate since all public Internet-facing websites and services are sitting ducks," says Mark Kedgley, CTO at New Net Technologies (NNT). Thus, one of the best mitigation approaches continues to be the use of content distribution networks or web application firewall technology to filter out malicious traffic. "The only real defense is using a reverse-proxy, content-distributed web infrastructure that multiplies your web presence and distributes access geographically while a mitigation process takes place to filter out the attack traffic," Kedgley says.

Another action that can be done is blackholing. From the telco operator’s point of view, blackholing prevents the DDoS attack from worsening or becoming more exacerbated against unintended victims.  This means any traffic associated with the victim’s IP is dropped, effectively fulfilling the desired outcome of the DDoS attack by taking the victim off the network altogether.

On the other hand, a more common approach to DDoS protection wherein DDoS-generated traffic is rerouted through a dedicated facility called a scrubbing center. This is where the DDoS is removed from the flows and legitimate traffic is forwarded on. But there’s a catch. Once the system has detected a DDoS event, the DDoS traffic is removed and legitimate traffic is forwarded back on to the original destination. At this time, the affected IP address can be back up and running in about 30 minutes.

This downtime is unfavorable in a digital-driven society. In response, recent advances in automation and proactive DDoS mitigation have been underway. As networks become more sophisticated and intelligent, DDoS mitigation techniques are now taking the shape of automated threat detection and mitigation, distributed across the network and capable of identifying and managing potential attacks before they cause harm.

On the flip side, telecom operators such as Etisalat, du, and Ooredoo offer advanced solutions that will ensure business continuity and productivity through quick responses to DDoS attacks. Cyberattacks like DDoS are inevitable as almost everything we deal with is online but with heightened cybersecurity measures, telecom security can be upgraded and maintained for the benefit of both providers and end-users.

Pin It