Some telecoms kit settings can make a DDoS attack 4 billion times worse if not switched off


Why don’t vendors make equipment settings safe by default?

Badly prepared telecoms equipment has created an opportunity for cyber criminals to mount denial of service (DoS) attacks on mobile operators that are 4 billion times worse than anything that has gone before, say researchers. The revelation, reported in Ars Technica, comes just as state-sponsored cyber warfare is booming in the wake of the conflict in Ukraine.

Easy hack

Distributed denial of service (DDoS) attacks are a popular form of DoS because they need minimal bandwidth and computing power from the attacker. Each small unit of junk data is amplified by the number of servers that unwittingly reflect and multiply it. Rather than having to marshal huge amounts of bandwidth and computing power, the DDoSer locates servers on the Internet that will do it for them.

It’s a DoS

Historically DDoSers would target domain name system (DNS) servers, which could increase the volume of their data onslaught by a factor of 54. Other unwitting amplifiers have been Network Time Protocol servers (amplification factor: 556), Plex media servers (5), Microsoft RDP (86) and the Connectionless Lightweight Directory Access Protocol (at least 50). The biggest known amplifier was memcached, which multiplied junk traffic by 51,000.

Mitel provides the gun

However, researchers have discovered that telecoms equipment from manufacturer Mitel has given cyber criminals an incredible arsenal of junk data bullets. A new amplification vector provided by misconfigured Mitel servers has the potential to shatter all those cyber-criminal records, with an unprecedented 4 billion-fold amplification potential, according to researchers from eight organisations including Akamai SIRT, Mitel, Telus, Team Cymru, and the Shadowserver Foundation. Mitel’s MiCollab and MiVoice Business Express collaboration systems were ‘deployed’ for attacks last month on financial institutions, logistics companies, gaming companies and others.

Attack vector on steroids

“This particular attack vector differs from most attack methods in that the exposed system test facility can be abused to launch a sustained DDoS attack lasting 14 hours by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” said the researchers in a joint advisory note. 

The Mitel MiCollab and MiVoice Business Express services can act as a gateway for transferring PBX phone communications to the Internet and vice versa. An attacker could launch a high-impact DDoS attack using a single packet. There is not much end users can do to protect themselves from this new form of DDoS, said the researchers in the advisory note.
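What separates this vector from the classic reflectors listed above is not just the size of the ratio but its shape: a conventional amplifier answers each spoofed request with a bounded burst, whereas here one packet sets off a stream that runs for hours. The following added example (not code from the article, the advisory or Mitel) shows how a network defender could tell the two apart in flow records by computing per-pair packet ratios and how long responses persisted after the last request; the flow records, addresses and port 40000 are constructed placeholders, and the known factors are the ones the article quotes.

```python
from collections import defaultdict

# Amplification factors quoted in the article, used only as reference points.
KNOWN_FACTORS = {"DNS": 54, "NTP": 556, "Plex": 5, "RDP": 86, "CLDAP": 50, "memcached": 51_000}
# Ports that mark the reflector side of a flow; 40000 is a constructed placeholder.
SERVICE_PORTS = {53, 40000}

# Constructed flow records: (ts_seconds, src, sport, dst, dport, packets).
# A spoofed request carries the victim's address as source, so the
# reflector's responses stream back to the victim.
FLOWS = [
    # Classic DNS reflection: 10 spoofed queries, 540 response packets.
    (0.0, "198.51.100.7", 5000, "203.0.113.53", 53, 10),
    (0.5, "203.0.113.53", 53, "198.51.100.7", 5000, 540),
    # Single-trigger case: one spoofed packet, then 2**32 packets over 14 h.
    (10.0, "198.51.100.7", 5001, "203.0.113.240", 40000, 1),
    (10.0 + 3600 * 3.5, "203.0.113.240", 40000, "198.51.100.7", 5001, 2**30),
    (10.0 + 3600 * 7.0, "203.0.113.240", 40000, "198.51.100.7", 5001, 2**30),
    (10.0 + 3600 * 10.5, "203.0.113.240", 40000, "198.51.100.7", 5001, 2**30),
    (10.0 + 3600 * 14.0, "203.0.113.240", 40000, "198.51.100.7", 5001, 2**30),
]

def analyse(flows, min_ratio=10, sustain_seconds=60):
    """Summarise each (reflector, victim) pair whose response packets exceed its
    request packets by at least min_ratio; flag streams that outlive the request."""
    req = defaultdict(lambda: [0, float("-inf")])   # pair -> [packets, last_ts]
    resp = defaultdict(lambda: [0, float("-inf")])
    for ts, src, sport, dst, dport, pkts in flows:
        if dport in SERVICE_PORTS:        # request into the service
            key, table = (dst, src), req
        elif sport in SERVICE_PORTS:      # response out of the service
            key, table = (src, dst), resp
        else:
            continue
        table[key][0] += pkts
        table[key][1] = max(table[key][1], ts)
    out = {}
    for key, (rp, r_last) in resp.items():
        qp, q_last = req.get(key, [0, r_last])
        ratio = rp / max(qp, 1)
        if ratio < min_ratio:
            continue
        sustained = r_last - q_last            # seconds of response after last request
        single_trigger = qp <= 2 and sustained >= sustain_seconds
        out[key] = {"request_pkts": qp, "response_pkts": rp, "ratio": ratio,
                    "sustained_s": sustained,
                    "vs_largest_known": ratio / max(KNOWN_FACTORS.values()),
                    "verdict": "single-trigger sustained amplification"
                    if single_trigger else "reflection amplification"}
    return out
```

On the constructed records the DNS pair comes out at 54:1 with responses ending half a second after the queries, while the single-packet pair reports 4,294,967,296:1 sustained for 50,400 seconds (14 hours), about 84,000 times the memcached factor.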

Defaulty settings

However, as commenter TwoForFlinching said in response to the Ars Technica story, “Manufacturer recommendations? You mean those things buried in bloated/incomplete documentation no one ever has time to read since their bosses are demanding results yesterday? Awesome. Seriously, if you need to recommend [that] something be off or inaccessible in production, make it that way by default.”