Major upstream VoIP provider Bandwidth suffers DDoS attack


Bandwidth, a major voice over Internet Protocol (VoIP) provider, has become the victim of a distributed denial of service (DDoS) attack, continuing this month’s trend of threat actors targeting VoIP providers and leading to outages in the US and beyond.

Bandwidth provides voice telephony over the Internet to hundreds of businesses and resellers and is one of the largest providers of its kind. Its customers include large companies such as Google and Microsoft. Impacted services included:

  • Standard Voice. 
  • V2 Voice. 
  • 911 Traffic. 
  • Portal and API services. 
  • Toll-free messaging. 

News originally broke on September 25th at 15:31 EDT on their status page, where Bandwidth announced that they were “investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged”. While 911 services were initially not affected, by 16:34 EDT Bandwidth had announced “911 calls are experiencing failures” and that customers may have “portal and portal API time-outs, slowness, or unresponsiveness”.

Issues with the service persisted for the next few days, with Bandwidth announcing via their status page on Monday that “they were investigating delayed ports at this time along with V2 Voice, Standard Voice, 911 traffic, Portal & API with intermittent service disruptions” with regard to this network incident.

Bandwidth Support have also apparently reached out to customers, according to an email that was shared on Reddit, saying that they had suffered a “DDoS attack which is intermittently impacting our services” and that their “network operations and engineering teams continue active mitigation networks”. 

Today, David Morken, the CEO of Bandwidth, announced on the Bandwidth site to customers and partners that Bandwidth had “been targeted by a rolling DDoS attack” along with “a number of critical communications service providers”. They also said they were still working to “minimize the impact of this attack” and “will not rest until we end this incident”.   

As of today, the company announced they were still investigating incidents impacting their Standard Voice and V2 Voice calls. 

The Cascade 

Many other VoIP vendors that rely on Bandwidth have reported outages over these past few days since the cyber attack, including the likes of and DialPad

While it has not been confirmed if these outages are related to Bandwidth's service disruption, all of the above carriers stated that another upstream provider has caused their outages. 

RingCentral stated on their status page that the “underlying carrier has reported that the issues within their network that caused customers to experience IVR issues, as well as intermittent inbound and outbound calling issues, including to emergency services and E911 registrations for existing users has been resolved” while maintaining “A portion of RingCentral customers may be experiencing intermittent inbound and outbound calling issues, including to emergency services due to an underlying carrier”. 

Meanwhile, Accent has posted an update that their “upstream provider continues to see network and service operations as normal” and that they “will continue to monitor and provide updates through the course of today”. However, they advised on the 27th that “Customers should be prepared for potential impairments of inbound services within 12-16 hours as the potential exists for this DDoS attack to return” and that monitoring would last 72 hours before the incident was declared resolved.

Dialpad, for its part, posted on their status page today that they were “continuing to investigate” an issue related to a Partial Denmark Inbound Outage, although this has reportedly been resolved now.

Another VoIP provider,, also has recently posted on Twitter that “the main US upstream carrier is currently experiencing intermittent issues on their network affecting inbound and outbound calls and messaging to some US numbers” and that they were “in close contact with their NOC team to learn more and resolve this situation as soon as possible”. At this time, many suspect they are also referring to Bandwidth. 

Trend of attacking VoIP services 

It seems to be a particularly difficult month for VoIP services in general.  

Recently were targeted by a week-long DDoS attack which took down the availability of the majority of their services and portals, greatly impacting services for customers.  

The cyber attack was a DDoS extortion attack in which threat actors, believed to be impersonating the infamous ransomware group 'REvil' as an intimidation technique, demanded a ransom of 100 bitcoins, equivalent to 4.5 million dollars, to cease the attack.

Similarly, UK Voip Unlimited and Voipfone also suffered a DDoS attack that affected operations and led to partial outages at the start of the month. 

Part of the reason why VoIP services have fast become tantalising targets for threat actors is that they are much more connected to the internet than traditional telephone networks. The stronger connectivity and seeming cost reductions come at the cost of cybersecurity, as VoIP calls are commonly routed over the Internet and need their servers and endpoints to be publicly accessible, which can leave Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports open to risk.

To perform these DDoS attacks, threat actors will typically utilise botnets, made up of hundreds or thousands of infected computers, to flood VoIP servers, portals, and gateways with incomplete Session Initiation Protocol (SIP) call-signalling message requests. This takes up all the available bandwidth, making legitimate users unable to access these affected devices and servers.
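As an added example (not part of the original article), here is one way a defender could spot the incomplete-INVITE pattern described above in SIP signalling logs. The log format (`<epoch> <src_ip> <METHOD> <call-id>`), the thresholds and the sample lines are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

def parse(line):
    """Parse a constructed log line: '<epoch> <src_ip> <METHOD> <call-id>'."""
    ts, src, method, call_id = line.split()
    return float(ts), src, method, call_id

def incomplete_invites(lines):
    """Return sorted (ts, src) for every INVITE whose Call-ID never sees an ACK."""
    events = [parse(l) for l in lines if l.strip()]
    acked = {cid for _, _, m, cid in events if m == "ACK"}
    return sorted((ts, src) for ts, src, m, cid in events
                  if m == "INVITE" and cid not in acked)

def flood_sources(lines, window=10.0, threshold=5):
    """Sources with more than `threshold` incomplete INVITEs in any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src in incomplete_invites(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def incomplete_ratio(lines):
    """Share of all INVITEs that never complete. This aggregate signal rises
    even when each botnet node stays under the per-source threshold."""
    events = [parse(l) for l in lines if l.strip()]
    total = sum(1 for e in events if e[2] == "INVITE")
    return len(incomplete_invites(lines)) / total if total else 0.0

# Constructed sample: one normal caller, one flooding source, one slow source.
SAMPLE = (
    ["100.0 198.51.100.10 INVITE call-a", "100.4 198.51.100.10 ACK call-a",
     "103.0 198.51.100.10 INVITE call-b", "103.5 198.51.100.10 ACK call-b"]
    + [f"{100 + i * 0.5} 203.0.113.5 INVITE flood-{i}" for i in range(8)]
    + [f"{101 + i} 203.0.113.9 INVITE slow-{i}" for i in range(3)]
)

if __name__ == "__main__":
    print("flagged sources:", flood_sources(SAMPLE))
    print("incomplete INVITE ratio: %.2f" % incomplete_ratio(SAMPLE))
```

Per-source counting catches a single noisy host, while the aggregate ratio is the signal to alert on when the load is spread thinly across a botnet.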

Currently, it is unclear if Bandwidth have received an extortion demand from the threat actors concerning the DDoS attack like other VoIP services have in the past.
