The “PhoneHome” DDoS Attack — Everything You Need to Know
A vulnerability in enterprise collaboration suite MiCollab by telecommunications company Mitel has been abused for distributed denial-of-service (DDoS) attacks with record-breaking amplification potential.
In mid-February 2022, security researchers, network operators, and security vendors observed a spike in DDoS attacks targeting internet service providers, financial institutions, logistics companies, and a variety of organizations in other markets.
Akamai collaborated with other members of the InfoSec community to research the attacks and published a detailed analysis on March 8. The attacks could be traced back to hardware components (TP-240 VoIP interface cards) that are part of Mitel’s MiCollab and MiVoice Business Express products, an advanced business telephone system.
The research task force determined that about 2,600 of these systems were configured in a way that allowed malicious actors to abuse them to launch DDoS attacks against other networks over the internet. This vulnerability, named “TP240PhoneHome” and tracked as CVE-2022-26143, is being actively exploited.
What is the significance of the TP240PhoneHome DDoS attack?
TP240PhoneHome is remarkable for its amplification potential, which dwarfs that of all previously known DDoS attack vectors. Normally, a malicious actor must keep sending network traffic to the abused server for as long as the attack is meant to last. In this attack, a malicious actor only needs to send a small amount of network traffic, once, to initiate the attack. The abused server then sends a much larger, amplified stream of traffic continuously to the target systems in order to overwhelm them and cause a denial of service, effectively causing an outage.
Previously, the largest known amplifier could increase attack traffic by a factor of 51,000. TP240PhoneHome raises that record to over 4 billion: for a single attack-initiation packet sent to the abused server, an astounding 4,294,967,296 packets of attack traffic are generated and sent to the target network. Because these packets are also larger than the initiating packet, the result is a traffic (bandwidth) amplification of over 220 billion percent.
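The defining trait described above, one small inbound packet followed by a long, unsolicited outbound stream, is also what makes abuse of a reflector visible in ordinary flow telemetry. The following is an added example (not code from Akamai, Mitel, or the original post) that aggregates NetFlow/IPFIX-style records per peer and flags peers for which the monitored device emitted far more packets than it received from them over a sustained period. The device address, the sample flows, and the ratio and duration thresholds are constructed assumptions for illustration; because the trigger packet carries the victim's spoofed source address, the victim appears as the "peer" in these statistics.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One flow record as an exporter (NetFlow/IPFIX-style) would report it."""
    ts: float      # seconds since the start of the capture
    src: str       # source address
    dst: str       # destination address
    packets: int   # packets in this flow record
    octets: int    # bytes in this flow record


# Hypothetical address of the monitored device (RFC 5737 TEST-NET-1); an assumption, not from the advisory.
DEVICE = "192.0.2.10"


def amplification_by_peer(flows: List[Flow], device: str = DEVICE) -> Dict[str, dict]:
    """Aggregate, per peer address, what the device received from that peer and what it
    sent back to it. In a reflection attack the trigger packet carries the victim's
    spoofed source address, so the victim shows up here as the 'peer'."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "pkt_in": 0, "pkt_out": 0, "oct_in": 0, "oct_out": 0,
        "first_out": None, "last_out": None,
    })
    for f in flows:
        if f.dst == device:
            s = stats[f.src]
            s["pkt_in"] += f.packets
            s["oct_in"] += f.octets
        elif f.src == device:
            s = stats[f.dst]
            s["pkt_out"] += f.packets
            s["oct_out"] += f.octets
            s["first_out"] = f.ts if s["first_out"] is None else min(s["first_out"], f.ts)
            s["last_out"] = f.ts if s["last_out"] is None else max(s["last_out"], f.ts)
    return dict(stats)


def flag_abused_peers(flows: List[Flow], device: str = DEVICE,
                      min_packet_ratio: float = 1000.0, min_seconds: float = 60.0) -> List[dict]:
    """Report peers for which the device emitted far more packets than it received from
    them (packet amplification) over a sustained period. Thresholds are illustrative."""
    alerts = []
    for peer, s in amplification_by_peer(flows, device).items():
        packet_ratio = s["pkt_out"] / max(s["pkt_in"], 1)
        byte_ratio = s["oct_out"] / max(s["oct_in"], 1)
        duration = 0.0 if s["first_out"] is None else s["last_out"] - s["first_out"]
        if packet_ratio >= min_packet_ratio and duration >= min_seconds:
            alerts.append({
                "peer": peer,
                "packet_ratio": packet_ratio,
                "byte_ratio": byte_ratio,
                "duration_s": duration,
                "packets_out": s["pkt_out"],
            })
    return sorted(alerts, key=lambda a: a["packet_ratio"], reverse=True)


# Constructed sample flows (not captured data). Peer 198.51.100.5 is ordinary two-way
# traffic; peer 203.0.113.7 sends a single 60-byte packet and then receives a
# sustained stream from the device for nine minutes.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, "198.51.100.5", DEVICE, packets=40, octets=4000),
    Flow(1.0, DEVICE, "198.51.100.5", packets=38, octets=5200),
    Flow(10.0, "203.0.113.7", DEVICE, packets=1, octets=60),
] + [
    Flow(10.0 + 60.0 * i, DEVICE, "203.0.113.7", packets=50_000, octets=6_000_000)
    for i in range(10)
]


if __name__ == "__main__":
    for alert in flag_abused_peers(SAMPLE_FLOWS):
        print(f"{alert['peer']}: {alert['packet_ratio']:.0f}x packets, "
              f"{alert['byte_ratio']:.0f}x bytes over {alert['duration_s']:.0f}s")
```

Run against the constructed sample, the ordinary peer has a packet ratio below 1 and is ignored, while the spoofed victim address shows a 500,000x packet ratio sustained for 540 seconds. Operators of the affected Mitel systems can use the same aggregation on their own flow exports to notice when a device is being used as a reflector, and targets can apply it in reverse (many packets arriving from a single address that was never sent a request) to characterize an attack before handing it to their mitigation provider.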
How dangerous is the TP240PhoneHome DDoS attack?
The short answer is: Despite its record-breaking amplification efficiency, the risk from this exploit is low for companies that have solid DDoS protection measures in place. For those without such protection layers, this attack (and many other DDoS attacks) can cause severe damage and business interruption by rendering systems and applications unreachable and unusable for long periods of time.
The TP240PhoneHome attack relies on misconfigured Mitel MiCollab systems, and according to our findings there were only about 2,600 of those exposed at the time of research. This limits the overall volume, and the fact that attacks can only be executed serially, not in parallel, limits it further.
Mitel has been informed about the issue and has since released a security advisory and instructions to eliminate the vulnerability. Mitel customers whose systems are being abused might suffer collateral effects such as partial or full interruption of voice communication, and degradation of performance and functionality.
How can Akamai help you?
Customers using Akamai Prolexic, our DDoS protection solution, are already on the safe side as Prolexic can handle amplification attacks like TP240PhoneHome and keep the attack traffic away from your network and servers. Prolexic can easily handle the expected volumes and has been updated with mitigation rules specifically for TP240PhoneHome. Thanks to its zero-second service-level agreement (SLA), Prolexic would mitigate a potential attack instantly, with no noticeable interruption of service or performance degradation on your systems.
Customer web applications on the Akamai Intelligent Edge Platform, like those using Kona Site Defender or traffic served via content delivery network (CDN) solutions, are inherently protected from these kinds of DDoS attacks due to the nature of the platform. Our platform is designed as a reverse proxy and only accepts well-formed HTTP(S) traffic. All network-layer DDoS attacks are automatically dropped. Prolexic should defend against attacks that bypass the Akamai platform by targeting the origin servers directly.
How does Akamai detect and mitigate DDoS attacks?
Akamai has a wide array of capabilities for mitigating the biggest, most complex, and latest DDoS vectors in the world. Akamai runs the world’s largest and most trusted cloud delivery platform, with nearly 365,000 servers in 135 countries, and we see and analyze more network traffic than anybody else. The Akamai Security Intelligence Response Team (SIRT) collaborates with customers, other members of the InfoSec community, product development, network operations, and our security operation centers to identify and mitigate threat vectors and provide optimal protection for business-critical services.
What are recommended best practices for DDoS protection?
Akamai recommends various best practices for managing DDoS risks. The first and most important is implementing a cloud-based solution for DDoS remediation, like Edge DNS or Prolexic. This is where you have the capacity to consume these attacks and mitigate them with the best opportunity for a successful outcome.
Secondly, we strongly recommend that companies partner with a managed security service (MSS) provider with the expertise and technical capabilities to identify these threats, provide a recommended mitigation plan, and execute that plan to stop attacks without business interruption. Conducting regular threat validation, risk assessment, and operational and attack readiness exercises quickly overburdens internal teams and is best done with a strong partner that specializes in providing cybersecurity services and can aggregate and leverage threat intelligence from a broad variety of clients.