Kathleen Reed of VoIPon Solutions speaks to Suzanne Bowen on Internet security threats such as DDoS or distributed denial-of-service.

You can Listen to the Podcast and see the full transcript below:

VoIPon: Broadcasting from various countries around the world, using voice over IP technology, this is VoIP Uncovered – A VoIPon Solutions UK podcast. I am Kathleen Reed.

Joining us today is Suzanne Bowen. Her business and technical background is an eclectic mix of VoIP, social media marketing, public speaking, Internet security, documentation, and teaching English. Organizations she has worked with include Ditel, Select, Vonage, Publishers Circulation Fulfillment, State of Florida, Astraqom, BlockDDoS, and thousands of global IP communications companies via Super Technologies, and DIDx, which she co-founded in 1999, with Rehan Allahwala Ahmed.

Today, we’re going to discuss Internet security threats such as DDoS or distributed denial-of-service, the need for pro-activity all year round, but especially during the holiday season for banks and retailers, but we’ll focus on the potential of DDoS on VoIP traffic. Welcome, Suzanne.

In most of your work life, you have found yourself in the teacher-trainer mode, whether in the classroom or in a blog – such as your TMC Monetizing IP Communications. Would you explain what DDoS in a way that just about anyone can understand?

Suzanne Bowen, BlockDDoS: Wow, let’s see. Graham Cluley – he is a senior technology consultant for an anti-virus company called Sophos. I read somewhere where he once compared a DDoS attack to 15 fat men trying to get through a revolving door at the same time. I took that picture on my head – they’re all trying to get through and they’re all going to get through eventually, but it’s pretty messy. But really, DDoS is an acronym for distributed denial-of-service. It’s where multiple sources take actions over the Internet to stop service from occurring at their target or targets. They have a single target or sometimes multiple ones. Then, the target or targets can be anything on the Internet, such as blogs, websites, VoIP traffic.

They could belong to banks, retailers, government entities, VoIP companies, and so forth and so on. I’m thinking – because the sources where the attacks are coming from are multiple, it makes it really difficult to detect those sources and then block them. A DDoS attack can stop legitimate traffic like what you and I are doing right now. It could cause something that feels like a network meltdown and make customers leave your business forever, and choose competitors because your website keeps going down. Of course, that destroys the company’s reputation permanently, sometimes. Customers don’t really care on what happened to one’s company during a DDoS attack. They simply know that your service or website was down because of a lack of security – and that’s pretty scary. 

VoIPon: It sure is. Let’s talk about the DDoS attacks on banks, and then we’ll switch to those that target VoIP traffic.

Suzanne Bowen, BlockDDoS: Okay. From October 16th through October 18th, BB&T Corp, HSBC Holdings, and Capital One were pummeled by DDoS attacks. During the next five weeks, I believe (and I might have this wrong, but I’m pretty close), more targeted US banks such as Bank of America, Chase Bank, Wells Fargo, PNC Bank, U.S. Bancorp, SunTrust, and Regions Bank. I’m not going to pretend to know who’s responsible, or why, I don’t know, I have no idea… And I’m not going to repeat what everyone is saying on the Internet, because again, I don’t know what is fact and what is conjecture. There is evidence though that the denial-of-service attacks were originated from various geographical locations over this period of time.

VoIPon: I can see how that would lower the trust of corporate and personal account holders in these institutions.

Suzanne Bowen, BlockDDoS: Yeah. Kathleen, in fact, just imagine yourself: You have great trust in this big bank, where you have your checking account, savings account, and so forth. Say, the website is down for an hour – and then, a few hours later, it’s down again and you hear the security problems. As a result, many account holders cancel their accounts and move from their current bank service provider to competitors.

A person doesn’t need a technical college degree to understand that if these DDoS attackers can collaborate to make such high-profile, big bank websites (or other services over Internet) stop working, because of too many ping demands, the DDoS attacks at one time, they can also take advantage of the confusion for the bank IP teams during that time period, creating bank website increments at oddities with targeted queries that can actually flood bank-end transaction servers. And it could be a masquerade to conceal a chance to access customer accounts, customer information, gather intelligence or some other plan to action. 

VoIPon: Yeah, for sure. So what are some of the proactive steps to protect against and prepare for DDoS attacks?

Suzanne Bowen, BlockDDoS: I think that’s probably the best that we’re talking about at this point, because people do need to know. I’m not the expert, but companies such as BlockDDoS have taught me quite a bit about Internet security in the past years. These companies have experience and guidance, ready for you and me and podcast listeners to learn from. 1) First, collaboration among the banks and their managed security service providers, especially DDoS mitigation service providers, should be proactive and should prepare to react smartly together with their customers against future attacks. 2) I guess banks and other businesses – whether they have been attacked already or not – should educate the consumers just a little bit on the fact about DDoS and what the organization does to protect accounts.

In fact, I was even thinking that they could share this podcast with their customers to get a little bit of information there. I think the way that you and I are going about it, Kathleen, is very easy to understand. We all know that communication has a potential to assure, whereas the lack of it reduces trust – so the banks do need to talk about what’s going on to the consumers and make sure they understand. 3) Make sure that bandwidth is protected by vendors and is easily expandable. 4) Lastly, make a smart move now – not when it’s too late to spend against potential attacks. Some of the words they use are mitigation protection – that type of thing.

I was wondering, can we talk about the potential issues regarding DDoS in VoIP traffic now, Kathleen?

VoIPon: Sure. Olle Johansson, in a social network discussion about the relationship, said, “One problem is that VoIP is commonly handled by people with a telephony background, not a networking background or systems background.” He mentioned that they are often taking unnecessary risks, just because they have no training in network and system security. This is probably also the reason why SIP security is not implemented anywhere, really. During his 10 years of working with VoIP, he has only installed TLS certs for testing and not for protection.

Suzanne Bowen, BlockDDoS: Yeah. I thought that was pretty amazing and I really appreciated Olle Johansson’s input. Perhaps what has to be accomplished to implement typical SIP mitigations is not as important for some reasons as that of the other types of mitigation we’ve already talked about. But I was thinking – this doesn’t mean that VoIP providers should not be prepared, like Mr. Johansson also described the advantages of using open source platforms such as Asterisk and Kamailio. There’s a network of people all over the world who are willing to participate in distributed denial-of-service attack for learning, but there is also a huge country of open source telephony developers and security experts around the globe. They investigate code around the clock and fix the issues.

Who’s more organized and ready? Well, I’m thinking – I’d love to see if the listeners would comment about that later and interact with us. Olle also mentioned that, for example, Asterisk has made changes over the years to avoid allocating resources on messages early on. And while I’m at it, let me stop and give credit to some in my professional networks (some were often yours, Kathleen) for assisting me to gather information and sharing this podcast in the area of DDoS potential on VoIP traffic. Dayton Turner, the CEO and co-founder of Vancouverbased Voxter Communications participated. Olle Johansson – he was on VoIP, IM and presence based, on SIP and SMTP specialist… book author Sue McKenzie from Singapore, and Yossi Neiman, FreeSWITCH developer and the owner of Cartis Solutions Incorporated.

I think we’re really lucky to have so many people in our networks who are willing to collaborate with us to things like this.

VoIPon: Oh, for sure. I know you, Suzanne, and I do thank them also (and also VoIPon for sponsoring this audio podcast interview.) A typical problem with voice over Internet is no call audio after 30-60 seconds. The most common response is something like, “This is probably caused by the building router…” So just log into it, look for the following settings, DDoS denial-of-service, flood protection, intruder protection. The customer may be told that if they find any of these settings, turn them off.

Suzanne Bowen, BlockDDoS: I’m thinking back when Super Technologies offered the services of Super Song and so forth. I do remember customers having issues like this. It had something to do with trippers (I’m probably pronouncing it incorrectly, but I remember this certain terminology all the time) and having to log in and change things within the router to not block voice over IP. Let me say, I appreciate VoIPon too and I wish that they would record more podcasts, more often with different people on pertinent issues such as quick little comparisons, which they are experts at, Internet security, open source news, and mixing in IP communications with social media. When I was talking about the super phones, devices and so forth, the problem with the routers and the networks, I know what you mean about that – routers tend to label SIP calls like a sudden flood of traffic, so it automatically cuts the call after a certain number of seconds.

Mr. Neiman summarizes this situation really well. He said, “Think of it in terms of SMTP. If you want to be able to receive any number of anonymous inbound calls for business or other reasons, you seriously hamper that ability to receive that inbound traffic if you start implementing a lot of security measures that are currently available…” So by the way, I was wondering if you would tell us a little bit more about VoIPon? Like they’re the one sponsoring this podcast, before we close out, Kathleen.

VoIPon: Sure. VoIPon distributes a market-leading range of VoIP hardware and services to businesses around the world, such as VoIP PhonesWireless IP PhonesVoIP Conference Phones,Video PhonesIP Video ConferencingAnalog AdaptersVoIP GatewaysAsterisk HardwareIP PBXsSIP Door Entry and VoIP Paging Access Control and Speakers. VoIPon has consistent customer service and end-to-end support, which really helps them build solid relationships. They help businesses use the right system, via open source, proprietary or hosted, and the company’s extensive range and knowledgeable staff makes their customer’s jobs really easy. VoIPon staff has extensive knowledge and understanding of their products and they use the same technologies that they sell. They are great at tailoring solutions to any customer’s budget requirements, so when customers are looking for great value, they choose VoIPon.

We really want to thank you, Suzanne and the folks at BlockDDoS, for participating in this podcast.

Suzanne Bowen, BlockDDoS: Well, thank you too. I did visit the VoIPon website and I loved how they had a great variety of equipments to choose from. They have an affluent knowledge base. I’ve studied it a little bit. I’m thanking you, your company, Big Vox Marketing and VoIPon. I know that I really enjoyed this talk. The BlockDDoS (blockddos.net teams) sends their wishes to you all and the listeners.

VoIPon: Well, thanks again, Suzanne. This has been a VoIPon, VoIP Uncovered podcast brought to you by VoIPon solutions. For more information, please visit www.voipon.co.uk.

Share this story with your friends or work colleagues.  If you want to stay up to date with our latest products, industry news and offers you can sign up to our monthly newsletters, keep up to date with us on Facebook or follow us on twitter @VoIPon