VoIP DDoS Preparations – Remember your Regulatory Obligations

 

By Peter Farmer

There’s a bit of a fracas going on now, as we know from reports about sustained and targeted DDoS attacks against at least two voice providers.

We do not know why these organisations were targeted – whether they were singled out for personal reasons only known to the hackers, or whether they uniquely have a vulnerability not shared by the rest of the industry, or simply bad luck. What we do know is that the attacks have had a serious impact on the end users of those organisations.

As we adapt our own preparation plans in the light of the emerging threat and seek to cajole customers to take measures themselves (here and here of recent note), there is one piece of regulation that we would like to bring to your attention – General Condition of Entitlement A3.2;

Regulated Providers must take all necessary measures to ensure:

(a) the fullest possible availability of the Public Electronic Communications Network and Publicly Available Telephone Services provided by them in the event of catastrophic network breakdown or in cases of force majeure; and

(b) uninterrupted access to Emergency Organisations as part of any Publicly Available Telephone Services offered.

There are some nuances, but, broadly, if you are in the switching path between Simwood and the end user, then you are a Public Electronic Communications Network. If you are offering a service with telephone numbers, then you are offering a Publicly Available Telephone Service. You are the Regulated Provider in this case; indeed, if you have the contract with the end user, you are more of the Regulated Provider than Simwood.

This means that you have an obligation (and risk a fine of upto 10% of your turnover and/or revocation of your authorisation to operate your services in the UK) to take all necessary measures to keep your network running and connect emergency calls.

We know from previous experience that in the case of 999 calls, this is not always the case – which is why we fear that in the event of Simwood becoming a DDoS target, our wholesale customers may be impacted more than they otherwise need to be if they act now.

We have held voluntary testing of adapted plans last night and will be doing so again tonight (as communicated in our Community Slack). Participation in this would appear to come into the category of ‘all necessary measures’ in GC A3.2 and we strongly encourage all of our wholesale customers to take these opportunities to avoid disruption in the event of an attack. Admittedly you are only testing measures which are very low down our list of escalations, but it’d be foolhardy (and expensive) to not bother.