The worst of enemies – let’s talk about DDoS and RTC, Sandro Gauci

Video and Slides

Outline

The worst of enemies – let’s talk about DDoS and RTC

Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security

Why are VoIP and WebRTC services so vulnerable to DDoS and what can we do about it?

  • Distinguish between volumetric and application-level DoS
  • Why volumetric/bandwidth saturation is so effective
  • Application-level DoS, appreciate the complexity of the topic
  • Some demos to illustrate the point
  • General recommendations: security testing, apply changes, preparations, repeat

Review

We also have a keynote from David Casem of Telnyx, sharing their DDoS experiences on the 8th Dec. What’s surprised me is how many programmable comms companies have been hit this year. Not just the big names like Bandwidth, but lots of medium and small providers.

I think the UK and US attacks drew media attention, however, programmable communication companies back in June and July of this year were attacked. It’s usually accompanied with a ransom demand, and the solution is generally putting the entire BGP network behind Cloudflare’s magic transit.

I want to thank Sandro, not only for this presentation, but also his support in the open source telecom survey, and his presentation at TADSummit Asia 2021 on ‘Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo server.’

This presentation provides an excellent review of why RTC services are being attacked. That its generally not application layer attacks, rather more brute force volumetric attacks. He shows a couple of DDoS demos, and then reviews Enable Security’s learning.

This is a problem for the entire programmable communications industry. No one is immune because of the broad attack surface of RTC (both SIP and WebRTC). Best practices are evolving, and resilience must be built-in to the infrastructure and application layer from the start, it’s not a patch.

Attacks are going to evolve, because some companies are paying those ransoms! If we share best practices, there’s no need to pay the ransoms, and the threat will be reduced, but never eliminated.