How to protect against TDoS attacks
Jul 15, 2020 • Telecom Reseller
Telephony denial of service (TDoS) is a type of cyberattack that can be used to disable telephony systems. Similar in concept to a typical data network DoS (denial of service), its purpose is to deny users access to a particular telephony service. In this article, we will discuss how TDoS attacks are conducted and what measures you and your telco can take to protect your systems.
What is a DoS attack?
The goal of a DoS attack is to make a system unavailable to its legitimate users by temporarily or permanently disrupting its services. This is typically done by overwhelming the system with a swarm of fake machine-generated requests for system resources, thus incapacitating the system from responding to the requests of legitimate users. In the case of a web server, for example, tens of thousands of fake HTTP requests can be sent to such a server, from hundreds or thousands of computers on the internet. This results in the web server’s resources (memory, CPU cycles, network bandwidth) becoming too overwhelmed to respond to genuine requests for content, rendering the service unavailable to users.
To use a brick-and-mortar analogy, a DoS attack would be like a group of people who have no intention of purchasing anything crowding around the entry door of a shop, making it difficult or impossible for legitimate customers to enter, resulting in a disruption of trade.
What is a TDoS attack?
A TDoS attack is a DoS attack on a telephony system. Unlike attacks on network servers, the primary resource targeted by TDoS schemes is the voice channels themselves. For example, an enterprise telephony network has a finite number of voice channels to the PSTN. If all of those channels are engaged, no additional calls can be routed, either in or out. TDoS attackers find ingenious ways of creating bogus calls that can quickly saturate PSTN connections.
TDoS attackers and their targets
TDoS targets can be either enterprise telephone systems, contact centers, or even the telcos themselves. 911 emergency services have also been targeted. There have been examples of attackers using TDoS to either advance a particular political agenda, or to exact revenge against a specific company or group of people. Sometimes TDoS is used as leverage for extortion, where attacks will continue unless a ransom is paid. There are also documented cases where a TDoS occurred unintentionally, as is the case in 1981 when the song 867-5309/Jenny was released and became a hit, prompting callers all over the U.S. to call the number asking for Jenny.
The most common way in which telephone systems are attacked involve the saturation of the voice channels of that system. For contact centers, enterprise networks, and emergency services, this can be done in various ways:
- Machine dialers – Also known as robo-dialers, these are machines connected to the PSTN that can generate multiple calls to particular numbers, saturating telephone lines. They can either take the form of an older stand-alone device connected directly to a phone line, or in the form of a program in a computer, which takes advantage of VoIP, making robo-dialers generally inexpensive and readily automated to perform their attacks.
- Caller ID Spoofing – Using machine dialers, calls can be made simultaneously to thousands of telephone numbers, all with a fake or spoofed caller ID – specifically, the caller ID of the victim. These calls are immediately hung up when they are answered, or if the call is not answered after a certain amount of time. When these thousands of subscribers see the caller ID, some will attempt to call back, causing a temporary saturation of calls on the victim’s telephone system.
- Brute force – Attackers simply hire telemarketers or even just anyone, to make calls to a particular number at a specific time to intentionally overwhelm their systems.
How VoIP and conventional telephone networks differ when it comes to TDoS
Both conventional and VoIP telephone networks are vulnerable to TDoS attacks. However, they are affected by them in different ways:
- Traditional telephony systems
- These are comprised of a fixed number of voice channels provided over either analog lines or ISDN PRI trunks. Once these are saturated, communication in and out of the system is essentially disabled.
- Since there is no other type of network connectivity, traditional PBXs are not subject to other types of network attacks.
- VoIP telephony systems
- These use SIP trunks for their connection to the PSTN. Although configured with a specific number of voice paths, the number of these paths is not fixed and can be dynamically changed. This provides a greater level of protection, as described below.
- Such systems are typically connected to an IP network and thus may be vulnerable to traditional DoS and other data network attacks, if insufficiently protected.
How to protect systems against TDoS
Regardless of what kind of system you have, the first line of defense is the telco. It is responsible for having systems in place that will detect TDoS attempts and protect your network from them. Establish an effective partnership with your telco and find out more about what kind of protection services it provides.
Telco protection features can include:
- The blocking of known malicious caller IDs.
- Enabling algorithms on SIP trunks that can recognize TDoS events and dynamically block calls, while temporarily increasing the number of available voice paths, ensuring at least partial service for legitimate users during an attack.
- Cooperation with authorities by disclosing caller IDs and call routing information within the telco’s network to discover, halt, and prosecute TDoS attackers.
Because no mitigation techniques can truly be 100% effective, some additional preparation tasks you should execute include:
- Ensure you have a backup means of communication with the PSTN for a limited number of internal telephone devices. This is good practice not only for TDoS mitigation, but also for redundancy and emergency services reachability in the event of other types of failures.
- Train employees to recognize, record, and report suspicious caller IDs, such as those seen on calls that routinely hang up as soon as the call is made.
- For VoIP systems, ensure that the appropriate network security measures are put into place, especially on the network edge, to protect against network attacks.
Recommended actions to take during a TDoS attack include:
- Limit the number of internal phones that the attack is targeting, focusing on hunt groups, busy-no-answer forwarding, and voicemail termination.
- Use social media and other channels to advertise an alternative number to call in the event that the main number is under attack.
- Determine if the calls may be coming from a legitimate source whose systems have been compromised for use in the TDoS attack.
- Remember that TDoS attacks are illegal and subject to prosecution with serious repercussions. Get the authorities involved as soon as possible.
TDoS attacks can be a scary prospect, especially for enterprises whose primary source of income depends heavily on telephony service. Being prepared for such attacks can go a long way towards mitigating and resolving them, as well as finding the perpetrators.