Akamai has published details of a DDoS attack which generated more than 53 million packets per second by abusing misconfigured PBX VoIP gateways.
Amplification DDoS attacks abuse systems that send large responses to small queries. An attacker transmits many small requests whose ‘reply-to’ (source) address is spoofed to the IP address of the intended victim; the much larger replies then overwhelm the victim's ability to process the incoming traffic, resulting in a service outage.
During February 2022, Akamai detected a large DDoS attack which was leveraging around 2600 Mitel VoIP gateways which had been incorrectly deployed – exposing abusable test services to the Internet. These services were designed to be used by deployment engineers to stress test new phone system installations as part of the commissioning process.
This attack is notable because a single malicious data packet can be amplified by a ratio of 4.3 billion : 1, generating up to 24Gbps of attack traffic.
Mitel have released a critical software update to remediate this attack vector for their Mitel MiCollab and MiVoice Business Express systems.
This attack is an example of how systems exposed to the internet can be abused to target not just the system's owner, but also innocent third parties. Performing discovery scans against your public IP addresses and using services such as the NCSC Early Warning Service can help identify misconfigured systems and services accidentally exposed to the internet which could be abused by malicious actors.
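As an added example (not taken from Akamai's or Mitel's material), the following Python check looks for the flow pattern a reflector leaves behind on the owner's own network: tiny inbound requests to one UDP service, very large outbound responses, all directed at a handful of external addresses that never asked for them. The flow records and the service port are constructed for the example.

```python
"""Flag services in our own address space that behave like DDoS reflectors.

A gateway abused as an amplifier produces bidirectional flows with a huge
outbound/inbound byte ratio towards a small set of remote addresses (the
victims). The records below are constructed for this example, not real
telemetry, and port 4000 is a hypothetical exposed test service.
"""
from collections import defaultdict

# Constructed records: (local_ip, local_port, proto, remote_ip, in_bytes, out_bytes)
FLOWS = [
    ("203.0.113.10", 4000, "udp", "198.51.100.7", 60, 120_000),
    ("203.0.113.10", 4000, "udp", "198.51.100.7", 60, 118_000),
    ("203.0.113.10", 4000, "udp", "198.51.100.9", 60, 122_000),
    ("203.0.113.20", 53, "udp", "198.51.100.50", 70, 200),      # normal DNS
    ("203.0.113.30", 443, "tcp", "198.51.100.60", 5000, 80_000),  # normal HTTPS
]


def find_reflectors(flows, min_ratio=100.0, min_out_bytes=100_000):
    """Return services whose aggregate out/in byte ratio looks like amplification.

    min_ratio:     smallest out/in ratio treated as suspicious (legitimate
                   request/response services rarely exceed a few tens).
    min_out_bytes: ignore tiny services so one oversized reply is not flagged.
    """
    stats = defaultdict(lambda: {"in": 0, "out": 0, "remotes": set()})
    for local_ip, local_port, proto, remote_ip, in_bytes, out_bytes in flows:
        s = stats[(local_ip, local_port, proto)]
        s["in"] += in_bytes
        s["out"] += out_bytes
        s["remotes"].add(remote_ip)

    findings = []
    for service, s in stats.items():
        if s["in"] == 0:          # no requests at all: nothing to amplify
            continue
        ratio = s["out"] / s["in"]
        if ratio >= min_ratio and s["out"] >= min_out_bytes:
            findings.append({
                "service": service,
                "amplification": round(ratio, 1),
                "victims": sorted(s["remotes"]),   # spoofed 'reply-to' targets
            })
    return findings


if __name__ == "__main__":
    for f in find_reflectors(FLOWS):
        print(f"{f['service']} amplifies ~{f['amplification']}x towards {f['victims']}")
```

On the constructed records only the UDP test service on 203.0.113.10 is flagged (ratio 2000:1); the DNS and HTTPS flows stay well below the threshold.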