Tom here from Lawrence Systems, and it is September 21st, 2021, and VoIP.ms has been, well, attacked very heavily over the last couple of days. How heavily, I don't know. I only have external information; I have no inside information to VoIP.ms. I actually did reach out to them for comment, as did BleepingComputer, who has an article about the attack as well, and they're busy. I get it now. We all wish that their Twitter was more detailed other than "we're working on it," because, well, I'm directly affected by this. I have talked about VoIP.ms on my channel before, which is also why I wanted to address it here.

The problem really is my phones don't ring, and probably, if you're watching this, your phones aren't ringing either, depending if it's now or in the future at some point in time. And this is a real critical piece of infrastructure; it's, well, on fire, and the answers of "we're working on it" aren't adequate. But I also want to give a little perspective. I'm not here to defend that answer; I'm here to explain a little bit of how these things work when companies are in crisis. You have the deeply technical people working to put some type of mitigation in place, and they probably don't want to be bothered by the people who tweet and say things like, "What's the status update? Can you give me a very deeply technical thing so all the people that are commenting on Twitter can have a better answer?" And they're like, "Leave me alone, I'm trying to solve a problem," because, well, if we don't solve this problem, then people's phones don't ring. So there's a little bit going on back and forth, and we'll talk a little bit about that later in the video, where you can read a little bit more and actually have a discussion on this, and it's over by Rob Thomas, who has a Reddit post. We'll get to that in a moment.

But the answer, a lot of people were tagging me and messaging me and everything else, was, why aren't they using Cloudflare?
"Tom, that would just solve all these things." And I think it's because Cloudflare is such a well-known web proxy and content delivery network that offers some DDoS mitigation. But this is where people have a misunderstanding of how that type of system works, for any of these types of systems. And let's start there with a fundamental: if you have to plan the capacity of your company, let's say we're VoIP.ms and we need to have servers in many different regions to provide quality voice services, I can predict, based on marketing, based on how many people sign up, how many servers I need to put in any particular region to provide a quality of service to my clients. What is way harder to predict is the workload needed when you have a threat actor who wants to extort you for money and create a denial of service and say, "Pay my fees or I will keep knocking your service offline." The problem is where the asymmetrical cost is, to deny someone versus defending it. It actually is not incredibly expensive to take these large botnets that are for rent, if you will. This is something that's gone on for a long time; this is not something new. It's been around for years and years, and the scale and scope, until these botnets get broken, well, they become cheap services companies can offer. Companies would be the wrong way to say it; maybe threat actors, criminal enterprises, however you want to title them. But they run it like a business, where they allow you to rent time on their DDoS servers. Anyone who's worked in the gaming community is extremely aware of DDoS for hire to knock your competitors' gaming server off so more people use your gaming server. That's actually where I would say it's been really popular. Doing it at these scales, or doing it to attack a company like VoIP.ms, scaling it up not to knock a gaming server off but to disrupt specifically voice services, this was actually just done a few weeks ago in the UK as well.
I have no idea if it's exactly the same threat actors doing this, but nonetheless, it's very disruptive to lose your phone service. Therefore, it's a pretty good target in terms of, if I was going to go where the money's at, these companies will probably be the more likely ones to pay up. VoIP.ms has chosen not to be the one to pay up; they're trying to defend against it. And planning for this out into the future is difficult. As I said, you can capacity plan based on client information. It's way harder to plan because you can only put a plan as big as you think you're going to be attacked. You could put in thousands of servers to help mitigate a larger attack, but at some point that comes into the cost of your service going up and up to pay for all the different servers that you have to have up and running to have an attack thwarted, and that's a potential attack.

Because voice is an interactive service, unlike delivering a website through a CDN, where a tool like Cloudflare would work very well, you have to figure out how to scale out when it comes to all the SIP servers that have to take requests that are coming in for phone calls, process them, and then service those. And when the type of attack you're being attacked with is "we're trying to register fake SIP accounts," and, you know, putting in bad usernames and bad passwords, the servers have to go in, look at the incoming request, process it, do the full normal handshake and connection over the internet, then realize it's a bad username and password and say, "I'm sorry, I can't let you connect." And then the next one comes in, and the next one comes in, and at some point these get overloaded. The scale and scope of the servers: you can just keep adding more and more of them to keep doing it, but then the botnet people go crank it up.
"I only rented a botnet that would spray the information at this rate. Let's spray it more and more and more." And now it's an arms race at this point of, can they afford to do it, and can they afford to spin up, or can they spin up servers fast enough to absorb the botnet at the same rate that the botnet grows? Then what the botnet appears to be doing right now is, instead of attacking all the servers, it just kind of round-robins and attacks different ones, so you don't know when your server is going to go offline that you're attached to and when it's going to come back online. And that's not an easy thing to mitigate against either. They can then focus all of that during the attack phase to one area or another, so they take out the New York servers, then they go back and take out the Chicago servers, then they rotate over and take out servers in another region. So this is not something as easy as people think of, "just put some type of content delivery network in front of it."

Now, at least one part people were correct about, and this is over at SecurityTrails, is yes, they didn't have Cloudflare for DNS. They did have their DNS set up over at Internap and Steadfast, so they had two different providers. They had four DNS servers, and three of them were with Internap and one of them was at Steadfast. This is something you want to do with any of your DNS servers: you keep them regionally different, so if one fails, or another fails, or another one is on another provider. So, you know, for DNS, that's fine, but they were able to knock these DNS servers off, so they migrated them over to Cloudflare here, with Cloudflare being more robust and having lots of servers and being a huge company. That does come at an expense to set this up; they are now having them do the DNS.

Now let's talk about the subdomains, of which there are two hundred and fifty-four, and where that is. This is where an understanding, and once again, this is just external information, me looking this up, you can see how spread out across many
different locations that this is hosted. So we have New York 3 hosted at Internap, we have Montreal at iWeb, we have Phoenix 2 at Omni Networks, and so on and so forth. So you'll see lots of different ones. They have a few of them: wiki, that's their wiki, but Ohio here, ohio.voip.ms, is over at Amazon, software, etc. So there's all these different things, and this is, by the way, free to view over at SecurityTrails. And there's more on here, like you can see that their infrastructure is all spread out.

Now this brings us over to the Reddit post by xrobau, also known as Rob Thomas on Twitter, who is the founder of FreePBX. So we're gonna see Rob knows quite a bit about voice services, delivering them, and understands the protocols and the complexities of this. He has a lot of technical write-up here, and some of the same things that are linked over in the BleepingComputer article. He also has his speculative, because he does not work for VoIP.ms, what they are probably doing to help mitigate this attack. So this is a speculative write-up here, but it comes with a lot of technical knowledge, and there's plenty of discussion for those of you that want to discuss all the different things going back and forth about this service, about how this works, and ways to mitigate this. I thought this is a pretty good write-up here.
He talks about them moving all their IP addresses of their PoPs. This seems to be confirmed by tweeting people should be using and trusting DNS again. Asking their hosting provider for more control over their networks, because banning the IPs is definitely something they want to do, but that's a lot of IPs to ban, and there's a lot of things, because even if you ban it and, you know, are blocking those requests, that's still a lot of requests coming at your individual devices that still have to be mitigated. So it's still a problem, so upstream to the providers and blocking it at different levels is part of the goal to stop this attack. Beefing up hardware, putting a cluster of SIP proxies in front of everything which can horizontally scale and absorb this level of attack. There's a lot of details in here. So, like I said, I'll leave a link to this Reddit post.

Now, some final overall thoughts on this entire process. It's a mess. This is something that's kind of a nightmare for any type of person starting up a SaaS service. You want to start up some type of service that can't just be easily proxied because it's a flat and static website, which is pretty much any type of interactive or hosted type of service. Voice is obviously an easy target. It's such a critical piece of infrastructure that if you attack it, it seems there's a likelihood of those companies paying. When they don't pay, hopefully it tells the threat actors that they should find something better to do, but they probably won't, and this attack will continue for a while and maybe scale up. I don't really know what the end result is. In the meantime, we're kind of stuck without phones ringing and services not working properly. Like I said, it's obviously a high-value target to those doing this type of attack. There's no easy answers.
No easy solution to this. I just wanted to offer some perspective, my thoughts on it, if you will, so I can just reply with this video to all the DMs, tweet tags, and social media posts that I've been messaged about. And yeah, I'm suffering through it as well. We'll figure out how we deal with this, kind of on an ongoing basis, and hopefully all these problems get resolved. And maybe you're watching in the future going, "Oh, I remember when that was the thing, and it's not a thing anymore because it was resolved with X, Y, and Z, and a solution was proposed and implemented that we just didn't see at the time of the attack." So I hope you're watching this in the future when everything's great, and if you're watching it very recently now, I feel your pain with you. It sucks. That's all I really got to say about this. And thanks. All the links down below, and for more in-depth discussion, head over to my forums.

And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there is a join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store. We have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
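The video describes two things a SIP operator is up against during this kind of attack: a flood of REGISTER requests with bad usernames and passwords that each cost the server a full handshake and auth check before being rejected, and the mitigation of putting a horizontally scalable proxy layer in front of the registrars that refuses abusive sources before that expensive work happens. The script below is an added, defender-side example written for this transcript; it is not code from the video, from Rob Thomas's post, or from VoIP.ms. The log line format, the sample IPs (from documentation ranges) and the thresholds are constructed for illustration, and a real deployment would adapt the regex to its own SIP server's security log. It shows the detection side (a sliding-window count of failed REGISTERs per source, requiring several distinct usernames so a single misconfigured phone retrying one account is not flagged) and the absorb side (a per-source token bucket a front proxy could apply before handing a request to the registrar).

```python
"""Detect and rate-limit a SIP REGISTER credential-spray flood from server logs.

Added example, not code from the video, Rob Thomas's post or VoIP.ms. The log
format below is constructed (it is not a real Asterisk or Kamailio format).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, SIP user tried, auth result.
# 203.0.113.10 sprays many usernames; 198.51.100.7 and 192.0.2.44 are ordinary phones.
SAMPLE_LOG = """\
2021-09-21T10:00:00 REGISTER src=203.0.113.10 user=100001 result=401
2021-09-21T10:00:00 REGISTER src=203.0.113.10 user=100002 result=401
2021-09-21T10:00:01 REGISTER src=203.0.113.10 user=100003 result=401
2021-09-21T10:00:01 REGISTER src=203.0.113.10 user=100004 result=401
2021-09-21T10:00:02 REGISTER src=203.0.113.10 user=100005 result=401
2021-09-21T10:00:02 REGISTER src=203.0.113.10 user=100006 result=401
2021-09-21T10:00:03 REGISTER src=198.51.100.7 user=200010 result=200
2021-09-21T10:00:04 REGISTER src=198.51.100.7 user=200010 result=200
2021-09-21T10:00:05 REGISTER src=192.0.2.44 user=300020 result=401
2021-09-21T10:00:06 REGISTER src=192.0.2.44 user=300020 result=200
2021-09-21T10:05:00 REGISTER src=203.0.113.10 user=100007 result=401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<code>\d{3})$"
)


def parse_log(text):
    """Yield (timestamp, src_ip, user, status_code) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that don't match; real logs carry other message types too
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["user"], int(m["code"]))


def find_spraying_sources(events, window=timedelta(seconds=60), max_failures=5, min_users=3):
    """Return {src_ip: (failures, distinct_users)} for sources with more than
    `max_failures` failed REGISTERs inside some sliding `window` AND at least
    `min_users` distinct usernames tried in that window. The username condition
    separates a credential spray from one misconfigured phone retrying its account.
    """
    per_src = defaultdict(list)
    for ts, src, user, code in events:
        if code in (401, 403, 407):  # challenged or denied: a failed attempt
            per_src[src].append((ts, user))

    flagged = {}
    for src, attempts in per_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window's left edge until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) > max_failures and len(users) >= min_users:
                flagged[src] = (len(in_window), len(users))
                break
    return flagged


class SourceRateLimiter:
    """Per-source token bucket. A proxy in front of the registrar can refuse a
    REGISTER before the costly auth handshake once a source exceeds `rate`
    requests per second (bursts up to `burst`). A legitimate phone re-registers
    every tens of seconds to an hour, so 0.5/s is lenient for real endpoints.
    Refill is driven by event timestamps, so it replays offline over logs too.
    """

    def __init__(self, rate=0.5, burst=2):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen)

    def allow(self, src, ts):
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last).total_seconds() * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, ts)
            return True
        self.buckets[src] = (tokens, ts)
        return False


def replay_with_limiter(events, limiter=None):
    """Return {src: (allowed, refused)} after passing events through the limiter."""
    limiter = limiter or SourceRateLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ts, src, _, _ in events:
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


if __name__ == "__main__":
    print("spraying sources:", find_spraying_sources(parse_log(SAMPLE_LOG)))
    print("limiter decisions:", replay_with_limiter(parse_log(SAMPLE_LOG)))
```

Run on the constructed log, only 203.0.113.10 is flagged as a sprayer (six failures across six usernames inside two seconds), while 192.0.2.44, which failed once and then succeeded, is left alone. The limiter lets the two real phones through untouched and refuses three of the sprayer's seven requests before any auth work, which is the cheap, horizontally scalable front-line check the proxy-cluster idea in the video is about; the sliding-window detector is the slower signal you would feed into upstream blocking.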