Manage Learn to apply best practices and optimize your operations.

TDoS attacks on the rise: Who is at risk and what to do under attack

Telephone denial of service, or TDoS, attacks are increasing and no one is exempt. Learn what to do during a TDoS attack and how to prevent one.

A telephone denial-of-service attack is one that few organizations understand, and many are surprised to learn...

they are susceptible. In fact, these attacks are almost impossible to prevent. They incapacitate phone systems, regardless of whether they're hosted, premises-based, TDM-based or VoIP-based.

Understanding TDoS attacks and who is at risk

Telephone denial-of-service (TDoS) attacks are increasing. Earlier this year, the FBI and Department of Homeland Security issued public warnings about them. They are often part of an extortion scheme: An individual demands payment, then launches a continuous stream of phantom calls that block normal calls until payment is received. Usually, the attacks start and stop randomly until the ransom is paid. Frequent targets include hospitals, government offices and public-safety answering point offices.

TDoS attacks are similar to Internet DoS attacks, which bring down websites with overwhelming IP traffic. Any Internet-connected server is susceptible to a DoS attack, including telephone systems. One of the common motivations to acquire session border controllers (SBCs) is that they can protect the core telephony solution from unauthorized Internet traffic.

This basic extortion scheme has been happening since 2010, but as the TDoS attacks have moved more to government and public services, it's become a concern for national security.

TDoS attacks target phone numbers rather than IP addresses. The attack can use the public switched telephone network, or PSTN, instead of the Internet, which makes time-division multiplexing, or TDM, circuits just as susceptible as Voice over IP (VoIP) trunks. There are so many ways to generate calls that it's very difficult to defend against this type of attack. Calls can come from any city or Automatic Number Identification, so there is no reliable method that can accurately identify and filter fake and attack calls from legitimate calls.

The Internet makes these attacks easy to launch and make it cheaper than ever to make calls. All it takes is a stolen credit card to provision Session Initiation Protocol (SIP) trunks. Remember, these calls don't actually pass any media streams, so they can scale very efficiently with just a few SIP trunks. Combined with common techniques for caller-ID spoofing, these simple attacks can cripple an organization's communications system. A script to accomplish such a task only requires about 30 lines of code.

Carriers are equally helpless in attack prevention and mitigation. In this online forum, a customer blames Comcast, but all the carrier can do is activate anonymous call rejection which does little to nothing. There is no way to block the source because it can be different with each call. Using a hosted provider isn't safe either. An attack on one company could even affect other unrelated firms on the same provider, in the case of shared trunking.

TDoS attacks are illegal, but there have been only a few public convictions. Members of the New Hampshire Republican Party were convicted for a TDoS attack that jammed the lines of a Get Out the Vote operation in 2002. Nine hundred calls were made over 45 minutes, disrupting the call center. Most organizations are unwilling to talk about TDoS attacks, but the Internet Crime Complaint Center has received hundreds of reports about them. Victims are paying $500 to $5,000 to end the attacks, typically by transferring funds to a prepaid debit card account. Funds are then withdrawn from an ATM.

This basic extortion scheme has been happening since 2010, but as the TDoS attacks have moved more to government and public services, it's become a concern for national security. The U.S. Department of Homeland Security declines to discuss the attacks, other than to say it is working to "develop effective mitigation and security responses."

What to do during a TDoS attack

A long-term solution will require major changes in current communications infrastructures. In the meantime, there are a few suggestions on how to mitigate a TDoS attack. To minimize the impact of an attack, it's best for an organization to separate its physical trunks into different groups so that a single number can't tie up all of its capacity. Also, network and telecom engineers should designate some trunks for outbound-only phone calls or ensure they are not shared with published numbers. 

During a TDoS attack. the FBI recommends that organizations make detailed notes of the attackers' demands and instructions. Ideally, victims should record all interactions with the suspects. Organizations should attempt to capture the start and stop times and the metadata from the calls. Logs should collect information such as caller IDs and IP addresses, and save it. TDoS attacks should be reported to the local police and the Internet Crime Center. The Internet Crime Center is jointly sponsored by the FBI and the National White Collar Crime Center. When organizations deliver a report, it is recommended that they use the term "TDoS" within the complaint for tracking.

TDoS attack solutions

Long term solutions are being evaluated. They will likely include tightened rules aimed at restricting Caller ID spoofing, as well as bigger punishments for those convicted. There are some discussions around network layer improvements to add more accountability, traceability and control within the network. There is also a technique used with websites that secures sessions to certified domains. This solution is limited to organizations that can restrict calls to and from known parties, so this unfortunately won't work for most businesses.

Some potential solutions to TDoS attacks involve IP multimedia subsystem (IMS) signaling, which is used within most carrier networks. Conceptually, if the party on the far end of a call is on a known service provider network, its identity can be confirmed and sent to an enterprise IMS-based system (such as Avaya Aura) or a high-end SBC. Unfortunately, few enterprise solutions support IMS. Another approach is to use IMS to separate known and unknown parties into separate groups, prioritizing the known parties.

The important near-term step is to understand that all organizations are vulnerable and that such attacks are increasing. Enterprises should take steps to mitigate the potential impact until a longer-term solution can eliminate the risk.

Dig Deeper on Unified Communications Security