Traffic/Call Pumping Attacks (and Comments on TDoS Attacks)

There was a recent post on another blog about different types of phone or toll fraud. I want to make a few comments about call/traffic pumping, which is a relatively new attack that is being seen in IVRs and contact centers.

Call/traffic pumping occurs when the goal of the attacker is to share part of 1-800 revenue. This attack normally targets IVRs/contact centers with 1-800 service. A well-designed call pumping attack will spoof the caller ID/ANI for calls, possibly vary the length of calls, and, most importantly, stay in an IVR as long as possible. I have seen attacks that loop in the IVR by playing the main menu tone over and over. This could be extended to calls that do the same thing, but use a more randomized pattern that is harder to detect. I have also seen attacks using selected audio, which is also effective, but if the calls last long enough to leave the IVR and are received by agents, they are detected. Of course, detection is very different from mitigation – the attacks can go on and on, tying up the IVR and agent time. If the attack involves more than a few simultaneous calls, then these negative-value calls tie up resources, waste agent time, and create some level of a Telephony Denial of Service (TDoS) condition. If enough calls are generated, or if they target a specific part of an IVR/contact center, then a TDoS condition will definitely occur.
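As an added illustration (not code from this post or from any product), the simple looping pattern described above can be flagged from IVR call records by dwell time and main-menu re-entries rather than by caller ID. The record fields, node names, thresholds and sample calls below are all assumptions constructed for the example.

```python
from collections import Counter

# Constructed sample IVR call records (not real data); field names are assumed.
CALLS = [
    {"id": "c1", "ani": "2105550101", "dnis": "8005550100", "secs": 95,
     "path": ["main", "billing", "pay", "done"], "agent": False},
    {"id": "c2", "ani": "3125550147", "dnis": "8005550100", "secs": 1260,
     "path": ["main"] * 14, "agent": False},
    {"id": "c3", "ani": "4155550182", "dnis": "8005550100", "secs": 1410,
     "path": ["main", "main", "hours", "main", "main", "main", "main", "main"],
     "agent": False},
    {"id": "c4", "ani": "6025550119", "dnis": "8005550100", "secs": 1500,
     "path": ["main", "support", "queue"], "agent": True},
    {"id": "c5", "ani": "7135550166", "dnis": "8005550199", "secs": 40,
     "path": ["main", "main"], "agent": False},
]

def is_menu_loop(call, min_secs=600, min_main_hits=5, min_main_ratio=0.7):
    """True if a call dwells in the IVR by re-entering the main menu.

    ANI is deliberately ignored, since the caller ID is spoofed per call.
    Thresholds are illustrative assumptions, not tuned values.
    """
    path = call["path"]
    main_hits = path.count("main")
    return (not call["agent"]                 # never handed to an agent
            and call["secs"] >= min_secs      # long IVR dwell time
            and main_hits >= min_main_hits    # repeated main-menu entries
            and main_hits / len(path) >= min_main_ratio)

def flagged_ids(calls):
    """IDs of calls matching the menu-loop heuristic."""
    return [c["id"] for c in calls if is_menu_loop(c)]

def suspects_by_number(calls):
    """Suspected pumping calls per dialed toll-free number (DNIS)."""
    return Counter(c["dnis"] for c in calls if is_menu_loop(c))

if __name__ == "__main__":
    print(flagged_ids(CALLS))
    print(dict(suspects_by_number(CALLS)))
```

This heuristic only covers the repeated main-menu loop; the more randomized patterns mentioned above would need different features.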

Actual TDoS attacks are really not that much different – it is more of a case of attacker intent and volume of calls.

Solving call pumping requires a solution that works with TDM and SIP. Fraud has nothing to do with SIP trunking – the fraud will occur no matter what type of trunking you have. Do you think the attacker cares? No, they just generate calls. Trying to solve fraud with an SBC does nothing for TDM, and most SBCs won’t detect more sophisticated fraud and call pumping. I recognize that many contact centers have moved or are moving to SIP, but this is a slow process, and if you are being attacked, you need a solution now, not in a year or two after you have migrated a large IVR or contact center. For information on solutions, see our website at www.securelogix.com.