Global DDOS Attack Campaign Targets Several VOIP Providers

Bandwidth.com has become another victim in a global distributed denial of service (DDOS) attack campaign that is targeting VoIP providers this month. The campaign has led to nationwide outages this week. Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers.

On September 25th Bandwidth began reporting that they were experiencing unexpected failures with their voice and messaging services.

“Bandwidth is investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged,” reported Bandwidth on their status page.

Since the DDOS attacks began, Bandwidth has been providing frequent status updates detailing outages affecting voice, Enhanced 911 (E911) services, messaging, and access to the portal.

Bandwidth is a leading telephony provider for US VoIP companies, and due to the DDOS attack, many other VoIP vendors reported outages over the past few days, including Twilio, Accent, DialPad, Phone.com, and RingCentral.

Though it is not confirmed if all these outages are related to the DDOS attack, one outage report directly mentions Bandwidth while the others state that an upstream provider was involved.

“The upstream provider has indicated that service has returned to normal operation. We will continue to monitor this situation and report any new information as it becomes available. Customers should be prepared for potential impairments of inbound services within 12-16 hours as the potential exists for this DDoS attack to return. We will not close this issue until services have returned to the normal operation for a period of 72 hours.” said the report on Accent’s page.

Twilio initially told reporters at BleepingComputer they were not affected by the DDOS attack on Bandwidth, but their status page states that they had issues with Bandwidth on September 27th.

“Monitoring – We are observing recovery in Twilio Voice call quality and connection issues. Bandwidth is reporting the issue resolved as well. We will continue monitoring the service to ensure a full recovery. We will provide another update in 2 hours or as soon as more information becomes available.” said a representative on Twilio’s status page.

Initial DDOS Attacks

Early this month, VoIP provider VoIP.ms suffered a catastrophic week-long DDoS attack that took down almost all of their services and portals, leaving their customers without voice services.

The attack was tied to an extortion attempt in which the hackers impersonated the notorious ransomware group REvil. They initially demanded one bitcoin ($45,000) to halt their attacks but later increased the demand to 100 bitcoins ($4.5 million).

Because of that attack, Bandwidth customers immediately suspected that Bandwidth was suffering from a similar DDoS attack.

Because VoIP services are routed over the internet and require endpoints to be publicly accessible, they are easy pickings for DDOS extortion attacks.

During these attacks, hackers overwhelm servers, portals, and gateways by sending more requests than can be handled, making the targeted devices and servers inaccessible to anyone else.

Bandwidth did not initially make an official statement on the attack, but employees informed customers of the DDOS attacks.

One such customer shared a screenshot on Reddit of a customer support message allegedly from a Technical Assistance Center manager who states that a DDoS attack is responsible for the outages.

“Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network,” reads the screenshot.

On Monday night, Bandwidth said that services had been restored; it was not clear at the time whether they had paid a ransom. The attack resumed on Tuesday morning; it is common for threat actors to briefly halt attacks while they push extortion attempts.

Following the restart of the attack, Bandwidth came clean about the nature of the outages, confirming that they were being hit by a DDOS attack. Bandwidth CEO, David Morken, had the following to say:

“Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack. While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry.

You trust us with your mission-critical communications. There is nothing this team takes more seriously. We are working around the clock to support your teams and minimize the impact of this attack. Our account managers and support teams have been actively reaching out to customers individually to address any issues. If you are experiencing problems and you haven’t heard from us yet, please let us know.

Real-time updates will continue to be posted at status.bandwidth.com. We will not rest until we end this incident, and will continue to do all we can to protect against future ones. Thank you for your patience.”
