Lumen finds a third of the largest DDoS attacks in Q3 targeted telecoms

A new cybersecurity report from Lumen Technologies identified the telecommunications industry as the leading target for distributed denial of service (DDoS) attacks in Q3 2021 and warned such threats are becoming increasingly complex.

In its third Quarterly DDoS Report, Lumen revealed that 34% of the 500 largest DDoS attacks in Q3 took aim at the telecommunications sector. That figure compared to 9% of attacks in Q1 and 32% in Q2. Another 21% of incidents targeted software and technology companies, while 12% hit retail and distribution, 8% were directed toward hosting and 7% at government entities.

All told, the telecommunications industry faced 956 incidents in Q3, including both the largest bandwidth attack (612 Gbps) and the largest packet-based attack (252 Mpps) overall across all the segments Lumen tracked. The bandwidth attack marked a 49% increase from the largest seen in Q2, while the packet-rate attack was a whopping 91% bigger than the largest in the previous quarter. Just over half (52%) of attacks against telecommunications companies used a multi-vector approach and the longest incident lasted 6 days.

RELATED: Telia Carrier says largest 2020 DDoS attack was 50% bigger than 2019

Mark Dehus, Lumen’s director of information security and threat intelligence, told Fierce there’s been an uptick in attacks on voice-over-IP services using a combination of different methods. The two most common are reflection and application specific attacks, he said.

In the former, an instigator sends a request to a server, prompting it to respond to and overwhelm the targeted IP address with a large amount of traffic. Application specific attacks, meanwhile, go after the specific protocols – like the Session Initiation Protocol (SIP) – that enable voice services and remote collaboration tools. Examples of entities and services which use SIP include mobile virtual network operators, which sometimes use SIP-enabled VoIP services to offload cellular traffic to their own networks; managed voice infrastructure and the operators that supply it; and video conferencing services, he said.

Dehus noted reflection attacks don’t necessarily require a lot of skill, meaning “actors that are not as sophisticated can launch” them and demand money either in advance of or during the incident to halt the attack. He added threat actors are increasingly using multi-vector attacks to amplify their impact and bypass the protective countermeasures companies might take.

Lumen is working to track misconfigured reflectors and what services are being abused in an effort to try to help prevent future attacks, Dehus said. “The more the telecom industry in general can do to help clean up these open reflectors, the more it will take away from the malicious actors in terms of their ability to launch extremely impactful DDoS attacks,” he added.