Telecoms wholesaler ICUK restores services after two-day DDoS pelting

No idea who's behind it, just happy it's over

London-based wholesale telecoms biz ICUK is back on track after a multi-day DDoS attack on its network and systems.

Customers wrote to Reg Towers on Monday, letting us know that ICUK's VoIP and web services were disrupted by what its status page described as a denial of service attack.

ICUK told The Register that the DDoS attacks began on Monday evening, at around 2000 local time (1900 UTC), first targeting its core network, which caused service delivery disruption.

The company's Cloudflare DDoS protection kicked in and, within two hours, it had fully mitigated the attack. The attackers launched "several further attempts" against the network since then, but ICUK said Cloudflare blocked each of them.

However, by 11:20 UK time the following day, ICUK's status page indicated that its VoIP platform was still experiencing issues "as a knock-on effect from yesterday evening's network impact."

ICUK performed an emergency restart of its VoIP platform that evening, after business hours, and by 18:03 its services were running at near-normal levels again.

While ICUK was handling that side of the attack, a second wave of DDoS traffic was being fired, this time at the company's Control Panel app and infrastructure. The telecoms provider, which serves resellers, said this second wave made use of DNS amplification techniques.

Some customers were unable to access their ICUK control panel until after business hours on Tuesday, at which point the company said the matter was resolved.

Leslie Costar, owner of ICUK, told The Register on Tuesday evening that the company had been working hard to counter the DDoS attacks.

He said: "Throughout today, we've been working hard with our upstream providers to counter these attacks, and we're making strong progress. Importantly, today's incidents have not impacted broadband or connectivity services, as our Control Panel operates on separate infrastructure. 

"While the Control Panel already benefits from Cloudflare protection at the application level, we're planning extensive changes to extend Cloudflare's protection to the network layer as well."

All of ICUK's systems are now fully operational, according to its service status page, and Costar confirmed that the attacks were exclusively DDoS in nature. No other types of compromise were detected.

"Communication with our customers has been open, frequent, and transparent throughout this process," said Costar. "The directors and staff at ICUK would like to sincerely thank all customers for their patience, support, and understanding during this challenging time."

As ICUK continues to gather data surrounding the attack, there does not appear to be a known reason why it was targeted, or who was behind it, but it follows a more serious attack on fellow London telco Colt, which is still wrestling with its suspected ransomware cleanup job.

An update Colt issued this week stated that it had reached a "significant milestone" in its recovery by restoring delivery and assurance systems, but the company will still face difficulties in clearing its order backlog until key commercial systems come back online.

The telco also said that it was two-thirds of the way through its "employee laptop rebuild programme," with most now having received a new device with beefed-up security.

Security expert Kevin Beaumont said that he'd recently spoken to a Colt staffer who claimed they had been without a laptop for the entirety of the attack, which began in August.

Colt is expecting systems that underpin commercial operations to be reinstated by the end of the week, and in the same timeframe, its voice services are also expected to return.

Its cyber update page states: "The success we've seen over the last two weeks reinforces our confidence in completing full restoration within the timelines we've shared. While some areas of the business still require a level of manual workaround currently, we're gaining capability every day – and moving purposefully towards being fully back to normal.

"We are committed to keeping you informed of our progress and returning to the level of service and reliability you expect from Colt." ®
