5 October, 2021

Hackers recently attacked VoIP (voice over IP) providers by pummeling them with DDoS attacks, then demanding ransoms to make the attacks stop. In a DDoS (distributed denial of service) attack, hackers try to disrupt a service by overwhelming it with huge amounts of internet traffic.
In a recent attack against voip.ms, the ransom demand reportedly started at $45,000, but was later upped to $4.5 million. The affected VoIP providers have been scrambling to stop the attacks from affecting them.
Such attacks can have wide-ranging effects, as most phone calls use VoIP.
VoIP, like many online services, can depend on a chain of services from different providers. A business might, for example, get telephony services directly from the VoIP company. Or it might purchase them from resellers who buy in bulk from the VoIP company, then configure and package the services to sell to end-users. And the VoIP company probably uses third-party data centers to run its services.
Most of the time, these chains of services work seamlessly, until one of the links in the chain breaks, such as from a DDoS attack.
This chain of services is both a strength and a weakness. The strength comes from the various providers being able to mitigate issues by changing providers, service locations, or configurations to provide continuity when there is a problem. The weakness is that there are many points along the way that can fail or be attacked.
Understanding DDoS risks
How vulnerable the various providers in the chain are to failures and attacks depends to some extent on how well they understand the risks, and how well they have defended against them. For example, some VoIP providers may use services like Cloudflare or Akamai to mitigate DDoS risk, while others may not have proactively defended against DDoS risk.
So what is the fallout of an attack like this?
The first thing that probably comes to mind would be for someone to sue their provider if their telephony services are interrupted. That lawsuit might be launched directly by a large customer, or as a class action on behalf of many.
But there are several hurdles to that. Most providers have limitation clauses in their service agreements that limit the remedies and damages a customer can get. That might be in the form of a limitation of liability clause, a force majeure clause, or a service level guarantee that sets out an exclusive form of recourse that is typically a rebate. Such clauses are a normal and necessary approach to control risk and service costs. That gets more complicated with a chain of services, where each provider along the chain has their own contracts, limitations, and promises that apply to their direct customer.
On top of that, one must have a cause of action to sue on. If, for example, a provider has taken industry-standard steps to provide and protect its services, there is less ability to obtain damages.
Customer retention
A significant fallout might be the number of customers who vote with their feet and leave for other providers. That could be based on a decision to go with another provider that is perceived to be more reliable. Or the customer might decide to stay with a temporary service provider it brought in to keep operating during the disruption. Of course, such steps could lead to disputes over whether customers legally have the option to terminate services if the term of their contract is far from over.
If the disruptions are serious enough, it could lead customers to rethink not just which provider they choose, but whether the technology being used is the right one.
The bottom line is that it is complicated on a technical, business, and legal level.
It is unfortunate that hackers and extortionists effectively increase the cost of services to everyone because of the costs and efforts required to defend against them.
While some continuity risks can be reduced, it’s not always possible to eliminate every risk. The cost to reduce some risks may be perceived as being too high compared to the risk.
Public internet vs private networks
For VoIP services, customers may not understand — and resellers may overstate — the reliability of a VoIP service that primarily runs on the public internet vs a large telco’s service running on its own private network. Customers can be blinded by the lower cost.
Sometimes the reason a service is cheaper can have something to do with the lack of robustness of that service compared to competitors. Using that cheaper service may be worth the risk depending on your needs and whether you can tolerate an outage. It reminds me of the saying that for any given service you can have fast, quality, and cheap — but you can only have 2 of the 3.
David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property.