87% of largest DDoS attacks in Q4 targeted telecoms: Lumen

A new report from Lumen Technologies showed more distributed denial of service (DDoS) attacks are targeting telecom companies than ever before. But Mark Dehus, director of threat intelligence for Lumen’s Black Lotus Labs, told Fierce it’s not just the traffic coming in that operators need to worry about, but the outbound streams as well.

Lumen’s Q4 2022 report noted telecom companies accounted for 87% of the 1,000 largest DDoS attacks in the quarter. That was up from 54% of the 500 largest attacks in Q4 2021. All told, telecom companies fielded 1,870 attacks in Q4 2022, up from 812 in the year-ago period.

Dehus acknowledged the report is slightly biased because it draws data from Lumen’s customer base. However, he noted telecoms are increasingly a prime target in large part because they provide “multiple different services.” Sometimes this means they’re not the intended target of the attack, but a pass-through to hit something else, like a gaming service. This exact scenario happened in Q2, when Lumen blocked its largest attack to date – a 1.06 Tbps UDP-based incursion which pushed traffic on the network to 20,000 times normal levels.

Of course, a lot of telecom providers have DDoS mitigation capabilities. To adapt, Dehus said threat actors are increasingly using multi-vector attacks to try to skirt or overwhelm these defenses. Indeed, in Q4, 69% of attempts on telecom companies were multi-vector attacks, up from 57% in the same quarter of 2021.

“The DDoS mitigation platforms work in different ways to detect these types of attacks as they occur. Some platforms are really good at detecting one type of attack and while they’re dealing with that one type of attack cannot respond to another,” he explained. “When they try a multi-vector attack, they’re trying to amplify the impact they can have” while also gathering more resources to deploy against the attack target.

In terms of multi-vector attack types, 46% used DNS amplification – which abuses vulnerable DNS servers to direct amplified response traffic at an attack target – alongside TCP SYN Flooding, static filtering or both of those supplements. TCP SYN Flooding exploits the three-way handshake a client initiates whenever it opens a TCP connection, overwhelming the system so that it can no longer respond to legitimate traffic.

Outbound attacks

But Dehus said telecoms aren’t just receiving attacks – their resources are being abused to launch them as well. For example, he said cloud services offered by telecoms have been leveraged to deploy attacks, as have DNS servers and other reflective surfaces used by their customers.
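The two detection problems Dehus describes, spotting an inbound multi-vector attack (DNS amplification plus SYN flood against the same host) and spotting one of your own DNS servers being used as a reflector in outbound traffic, can both be checked from ordinary flow records. The example below is added here and is not Lumen’s or Black Lotus Labs’ tooling; the flow record layout, the thresholds, the operator’s address range (an RFC 5737 documentation prefix) and the sample flows are all constructed assumptions.

```python
"""Classify constructed flow records into the DDoS patterns discussed in the article.

Added example, not Lumen's or Black Lotus Labs' tooling. Record layout,
thresholds, address ranges and sample traffic are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"
    flags: str    # TCP flags seen in the flow, "" for UDP
    packets: int
    bytes: int


# Assumed: address space owned by the operator; everything else is "outside".
OWN_NET = ipaddress.ip_network("203.0.113.0/24")


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OWN_NET


def dns_amplification_targets(flows, min_reflectors=5, min_avg_bytes=1000):
    """Inbound DNS amplification: many distinct external sources answering from
    UDP/53 with large packets towards one internal destination.
    Returns {target: (reflector_count, total_bytes)}."""
    per_target = defaultdict(lambda: [set(), 0, 0])
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and is_internal(f.dst) and not is_internal(f.src):
            entry = per_target[f.dst]
            entry[0].add(f.src)
            entry[1] += f.bytes
            entry[2] += f.packets
    return {t: (len(s), b) for t, (s, b, p) in per_target.items()
            if len(s) >= min_reflectors and b / p >= min_avg_bytes}


def syn_flood_targets(flows, min_syn=50, max_completion=0.2):
    """Inbound SYN flood: a destination receives many TCP flows carrying only
    SYN, i.e. the handshake never completes. Returns {target: (syn_only_flows,
    completion_ratio)} for targets below the completion threshold."""
    syn_only = defaultdict(int)
    completed = defaultdict(int)
    for f in flows:
        if f.proto != "tcp" or not is_internal(f.dst):
            continue
        if f.flags == "S":
            syn_only[f.dst] += 1
        elif "A" in f.flags:
            completed[f.dst] += 1
    out = {}
    for t, n in syn_only.items():
        ratio = completed[t] / (completed[t] + n)
        if n >= min_syn and ratio <= max_completion:
            out[t] = (n, round(ratio, 3))
    return out


def outbound_reflection(flows, min_bytes=50_000):
    """Egress view: an internal DNS server answering from UDP/53 is sending a
    large volume of responses to one external address, which is what a
    reflector abused against someone else looks like. Returns {(server, victim): bytes}."""
    volume = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and is_internal(f.src) and not is_internal(f.dst):
            volume[(f.src, f.dst)] += f.bytes
    return {k: v for k, v in volume.items() if v >= min_bytes}


def classify(flows):
    amp = dns_amplification_targets(flows)
    syn = syn_flood_targets(flows)
    return {
        "dns_amplification": amp,
        "syn_flood": syn,
        "multi_vector": sorted(set(amp) & set(syn)),  # same target hit by both vectors
        "outbound_reflection": outbound_reflection(flows),
    }


def sample_flows():
    """Constructed records: 8 external resolvers reflecting at 203.0.113.10,
    60 SYN-only flows to the same host, normal completed web traffic to
    203.0.113.20, and internal resolver 203.0.113.53 answering one external
    address with 1.5 MB of responses."""
    flows = []
    for i in range(8):
        flows.append(Flow(f"198.51.100.{i + 1}", 53, "203.0.113.10", 4000 + i, "udp", "", 20, 60_000))
    for i in range(60):
        flows.append(Flow(f"192.0.2.{i + 1}", 40000 + i, "203.0.113.10", 443, "tcp", "S", 1, 60))
    for i in range(40):
        flows.append(Flow(f"192.0.2.{i + 1}", 50000 + i, "203.0.113.20", 443, "tcp", "SA", 12, 9_000))
    flows.append(Flow("203.0.113.53", 53, "198.51.100.200", 1234, "udp", "", 500, 1_500_000))
    return flows


if __name__ == "__main__":
    for name, result in classify(sample_flows()).items():
        print(name, result)
```

Run as a script it prints the four findings for the constructed traffic; the `multi_vector` entry is the host that appears in both the amplification and the SYN-flood results, which is the pattern a single-vector mitigation platform struggles with. The `outbound_reflection` check is the cheap version of the egress scrubbing Dehus says few operators do: it only needs export of flows from the resolver segment, not inline inspection.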

“Very few folks are looking at their outbound traffic and scrubbing it, because there’s a significant cost to that,” he said. “It puts the telecom industry in an interesting and difficult position.”

He concluded: “Telecoms who are also offering cloud and edge services should really put an effort into ensuring those services are well secured.”