Traditional voice and Voice Over IP (VoIP) security application attacks, such as toll fraud, contact center fraud, social engineering, voice phishing, harassing callers, and TDoS are common. Increasing use of VoIP at the attack origination point and within service provider networks is making these threats more common, severe, and difficult to detect. While internal-LAN VoIP-specific attacks get a lot of attention, application attacks are actually the most serious, because they occur often, are getting worse, and offer a financial incentive to the attacker.
VoIP is making application attacks more common and severe, because it makes setting up automated call generation much less expensive and easier. In the past, expensive PBX equipment, T1/PRI access, and specialized expertise were needed. Now, it is trivial to install very powerful and free PBX software, such as Asterisk/Trixbox, on standard server platforms. Many add-on tools use Asterisk to automatically generate calls for the purposes of TDoS, traffic generation, harassment, voice phishing, and even SPAM. It is actually possible to set up a dialing operation in less than a day. These tools (and VoIP in general) also make it even easier to mask or spoof Caller ID, which makes it very difficult for traditional algorithms to detect attacks.
VoIP is also lowering the barriers to generating attacks through the increasing availability of low-cost Session Initiation Protocol (SIP) trunks and access. SIP trunks can be used to interface easily with Asterisk and quickly and cheaply introduce large numbers of automatically generated calls to the network. There are many sources of SIP trunks, including well known, low-cost VoIP providers such as Skype. The combination of free VoIP PBXs, SIP trunks, and attack software enables automatic call generation with no TDM equipment, access, or expertise.
The volume and sophistication of attacks is rapidly growing, based on information from enterprises, service providers, hosted content center providers, and independent organizations such as the Comunications Fraud Control Agency (CFCA)
Enterprises are experiencing TDoS attacks now. Many enterprises are affected, some of which may not even know they are affected. This statement is based on working with multiple large enterprises, as well as tier 1 service providers. While the exact number of attacks is not known and the motive is not 100% clear, it appears that the attacks are part of a “traffic pumping” scheme, where the attacker uses VoIP and automated dialing software to introduce 10,000s of calls into the network and profit from the traffic. Enterprise 1-800 numbers are selected because there is a cost generated by calling these numbers and possibly because major contact centers are large enough that the attacker hopes that the attack will not be quickly noticed. The attack has been detected by some enterprises and hosted IVR providers, and has been sufficiently disruptive to completely overwhelm some smaller sites.
The attacks can use simple audio content, including white noise or silence (which could be dismissed as a technical problem), foreign language audio (representing a confused user), or repeated DTMF attacks, which attempt to dwell in IVRs. These techniques are part of early attacks, where the attacker is experimenting with what works best in general and for specific enterprises (and IVRs and contact center policies).
These attacks are very difficult to detect, because the attacker masks or spoofs their caller ID on most if not all calls. This makes it very difficult even for service providers to quickly detect the attacks. Unless the attacks can quickly be traced back to an originating carrier that typically does not generate many calls to the contact center, they are very difficult to detect. The attacks also move through multiple service providers, making them time consuming to trace back to the source. Since the service providers are not allowed to examine the audio, they are forced to look for attacks based the limited information they do have available
In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the voice network, many more calls can be generated, resulting in a very expensive attack or even one which degrades the performance of a contact center. This can be especially damaging at sites with limited trunk capacity. These attacks will get harder to detect, be more common, and create a greater impact. These attacks will also expand and affect other parts of an enterprise, through generation of voice phishing, harassing caller, and voice SPAM attacks. The technique for generation of all these attacks is the same – automatic generation of calls, but with a different audio payload and attacker intent.
I will put another post up shortly to discuss new mitigation approaches. For more information on TDoS issues and mitigation (and Voice Over IP security in general), check out SecureLogix's Web Site
Thanks for posting this. There is an unsettling lack of information out there about the seriousness of the TDOS threat. Aside from the FBI's press release last month and coverage in Wired, nobody is talking about it. I'm looking forward to reading your follow-up about mitigation approaches!
Posted by: David Merrick | June 26, 2010 at 03:06 AM
Thanks for the comment. We may be seeing more public information about more serious attacks. I will post some info on mitigation techniques next week.
Posted by: Mark Collier | June 27, 2010 at 11:28 AM
I like the new name "Telephony DoS (TDoS)" given to this attack scenario. I would like to know how in real VoIP network IDs are spoofed? Isn't the VoIP service providers allows the authenticated users only to setup calls to the other legitimate users? Thanks for the post. Your efforts are really admirable in this regard.
Posted by: M Zubair Rafique | July 07, 2010 at 06:35 PM
Thanks for the comment. There is no active legislation that prohibits spoofing caller ID, either in VoIP or TDM networks. Even it there was, it wouldn't stop determined attackers. Service providers do not enforce caller ID authentication. And by the way, the caller ID for the TDoS calls I am aware of DID have spoofed caller ID.
Posted by: Mark collier | July 07, 2010 at 08:02 PM
Nice post, but what about the sip trunks? how they are affected?
Posted by: Fffrrr.wordpress.com | July 14, 2010 at 12:09 PM
Thanks for the post. The attack is pretty much identical for SIP or TDM. It just appears as a flood of calls with some audio content. Most of the attacks we heard of are on TDM (because the vast majority of trunking in NA is TDM), but some occurred on SIP as well. Solutions to the problem are pretty much the same for TDM and SIP.
Posted by: Mark Collier | July 14, 2010 at 12:27 PM