How many of you still participate in-person meetings on a daily basis?
If this question was asked before the beginning of 2020, it would have raised several eyebrows. Our working days prior to the pandemic were often filled with face-to-face meetings. In post-pandemic days, even with people going back into the office, the activity we used to call a meeting with several people in a room to discuss a certain topic is being redefined.
Today, most meetings happen remotely even when people are in the same building. Business meetings that used to include travel abroad now take place remotely to save a lot of money, time and effort.
One thing is clear: remote meetings are now here to stay – and so are the security risks that go with them.
Collaboration tools are critical to business today
Companies around the world rely on third-party providers such as Zoom, WebEx, Microsoft Teams and others to enable remote meetings inside and outside of the organization. Zoom’s revenue, as an example, grew significantly during the pandemic, as shown in Figure 1. Once an organization adopts one of these collaboration tools, it automatically becomes part of the provider’s network.
On one hand, the use of collaboration tools facilitated business continuity during the global disruption of the pandemic. At the same time, it opened the door for cybercriminals, creating a new opportunity to attack critical infrastructures. If a network is under attack and loses its availability, none of its collaboration tools will be available. We can only imagine the impact that this can have on an organization’s productivity and operations.
Collaboration tools’ vulnerability to DDoS attacks
Video conferencing systems are based on Real Time Protocol (RTP). RTP is based on User Datagram Protocol (UDP), a protocol that does not provide guaranteed delivery of packets or have a mechanism to handle out-of-order packets.
UDP is a connectionless protocol that uses datagrams embedded in IP packets for communication without needing to create a session between two devices. In other words, it requires no handshake process. While this enables traffic to run with lower overhead, it also makes UDP more vulnerable to abuse and a variety of flood attacks, including UDP flood attacks.
A UDP flood attack does not exploit a specific vulnerability. Instead, it simply abuses normal behavior at a high enough level that it will cause congestion on a targeted network. It consists of sending a large number of UDP datagrams from potentially spoofed IP addresses to random ports on a target server.
The server receiving this traffic is unable to process every request. The traffic consumes all of the server’s bandwidth as it attempts to send ICMP “destination unreachable” packet replies to confirm that no application was listening on the targeted ports. This protocol is vulnerable to L4 attacks, such as UDP floods, UDP garbage floods, RTP floods and more.
For example, a leading email provider faced a real-world incident at the end of 2021 when it was hit by a DDoS attack. The attack vector was a UDP flood attack threatening to bring down the service. As shown in Figure 2, the attack peaked at 183 Gbps and lasted for two hours.
In order to fight this kind of attack, specific tools to detect and mitigate UDP floods need to be put in place in the DDoS protection engine. These tools help ensure that a UDP flood attack will not have an impact on the service the organization is offering.
The recommended approach
None of us would like to wake up one day to discover our remote meetings all canceled – and no organization can afford it. To prevent that from happening, organizations should reach out to their security vendors and make sure they are completely protected from any vulnerability that can target the UDP protocol.
The key consideration is simply to make sure your security vendor has a specialized solution for UDP floods. Having such a solution in place can be the difference between a normal working day and an “out of service” day for the entire company.