Traditional voice and Voice over IP (VoIP) application attacks, such as toll fraud, contact center fraud, social engineering, voice phishing, harassing callers, and telephony denial of service (TDoS), are common. Increasing use of VoIP at the attack origination point and within service provider networks is making these threats more common, more severe, and harder to detect. While VoIP-specific attacks on the internal LAN get a lot of attention, application attacks are actually the most serious, because they occur often, are getting worse, and offer a financial incentive to the attacker.
VoIP is making application attacks more common and severe, because it makes setting up automated call generation much less expensive and easier. In the past, expensive PBX equipment, T1/PRI access, and specialized expertise were needed. Now, it is trivial to install very powerful and free PBX software, such as Asterisk/Trixbox, on standard server platforms. Many add-on tools use Asterisk to automatically generate calls for the purposes of TDoS, traffic generation, harassment, voice phishing, and even SPAM. It is actually possible to set up a dialing operation in less than a day. These tools (and VoIP in general) also make it even easier to mask or spoof Caller ID, which makes it very difficult for traditional algorithms to detect attacks.
VoIP is also lowering the barriers to generating attacks through the increasing availability of low-cost Session Initiation Protocol (SIP) trunks and access. SIP trunks can be used to interface easily with Asterisk and quickly and cheaply introduce large numbers of automatically generated calls to the network. There are many sources of SIP trunks, including well known, low-cost VoIP providers such as Skype. The combination of free VoIP PBXs, SIP trunks, and attack software enables automatic call generation with no TDM equipment, access, or expertise.
The volume and sophistication of attacks are growing rapidly, based on information from enterprises, service providers, hosted contact center providers, and independent organizations such as the Communications Fraud Control Agency (CFCA).
Enterprises are experiencing TDoS attacks now. Many enterprises are affected, some of which may not even know they are affected. This statement is based on working with multiple large enterprises, as well as tier 1 service providers. While the exact number of attacks is not known and the motive is not 100% clear, it appears that the attacks are part of a “traffic pumping” scheme, where the attacker uses VoIP and automated dialing software to introduce tens of thousands of calls into the network and profit from the traffic. Enterprise 1-800 numbers are selected because there is a cost generated by calling these numbers and possibly because major contact centers are large enough that the attacker hopes the attack will not be quickly noticed. The attack has been detected by some enterprises and hosted IVR providers, and has been sufficiently disruptive to completely overwhelm some smaller sites.
The attacks can use simple audio content, including white noise or silence (which could be dismissed as a technical problem), foreign language audio (representing a confused user), or repeated DTMF attacks, which attempt to dwell in IVRs. These techniques are part of early attacks, where the attacker is experimenting with what works best in general and for specific enterprises (and IVRs and contact center policies).
These attacks are very difficult to detect, because the attacker masks or spoofs the caller ID on most if not all calls. This makes it hard even for service providers to detect the attacks quickly. Unless the attacks can be traced back quickly to an originating carrier that typically does not generate many calls to the contact center, they are very difficult to detect. The attacks also move through multiple service providers, making them time consuming to trace back to the source. Since the service providers are not allowed to examine the audio, they are forced to look for attacks based on the limited information they do have available.
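The paragraph above describes the detection problem from the metadata side: no audio, spoofed or withheld caller IDs, and only call detail records (CDRs) to work with. The following is an added example, not code from the original post or from SecureLogix, showing how a defender can still score one-minute windows of CDRs for a single contact center number using only the signals the text names: call volume against a baseline, the share of calls arriving from an originating carrier that normally sends almost none, the fraction of withheld caller IDs, and the fraction of very short calls (silence or noise that is quickly abandoned). The CDR fields, the `BASELINE` numbers, the thresholds and the sample records are all constructed for illustration.

```python
"""Metadata-only TDoS indicators over call detail records (CDRs).

Added example with constructed data; field names, baseline figures and
thresholds are hypothetical and would be learned from real traffic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CallRecord:
    start: datetime        # call setup time
    caller_id: str         # presented caller ID, "" when withheld/masked
    origin_carrier: str    # carrier that handed the call to us
    destination: str       # dialled number (e.g. the 1-800 contact center number)
    duration_s: int        # seconds the call spent in the IVR/queue/agent


SHORT_CALL_S = 10  # calls shorter than this are treated as "short" (hypothetical cut-off)

# Hypothetical baseline for one destination, as a real deployment would learn it.
BASELINE = {
    "calls_per_minute": 20.0,
    "carrier_share": {"carrier-a": 0.70, "carrier-b": 0.29, "carrier-x": 0.01},
    "withheld_ratio": 0.05,
    "short_call_ratio": 0.10,
}


def window_features(calls):
    """Summarise one window of calls using only CDR metadata (no audio)."""
    n = len(calls)
    if n == 0:
        return {"count": 0, "withheld_ratio": 0.0, "short_call_ratio": 0.0, "carrier_share": {}}
    carriers = Counter(c.origin_carrier for c in calls)
    return {
        "count": n,
        "withheld_ratio": sum(1 for c in calls if not c.caller_id) / n,
        "short_call_ratio": sum(1 for c in calls if c.duration_s < SHORT_CALL_S) / n,
        "carrier_share": {k: v / n for k, v in carriers.items()},
    }


def window_indicators(features, baseline=BASELINE):
    """Return a list of human-readable reasons this window looks like a flood."""
    reasons = []
    if features["count"] > 5 * baseline["calls_per_minute"]:
        reasons.append(f"volume {features['count']} vs baseline {baseline['calls_per_minute']:.0f}/min")
    # An originating carrier that normally sends almost nothing now dominates the window.
    for carrier, share in features["carrier_share"].items():
        expected = baseline["carrier_share"].get(carrier, 0.0)
        if share > 0.5 and expected < 0.05:
            reasons.append(f"unusual origin: {carrier} sent {share:.0%} (normally {expected:.0%})")
    if features["withheld_ratio"] > 4 * baseline["withheld_ratio"]:
        reasons.append(f"withheld caller ID on {features['withheld_ratio']:.0%} of calls")
    if features["short_call_ratio"] > 4 * baseline["short_call_ratio"]:
        reasons.append(f"{features['short_call_ratio']:.0%} of calls shorter than {SHORT_CALL_S}s")
    return reasons


def detect_tdos(records, destination, baseline=BASELINE, min_reasons=2):
    """Bucket CDRs for one destination into one-minute windows and flag suspicious ones.

    Requiring several independent indicators keeps a single busy minute or a
    single carrier outage from raising an alert on its own.
    """
    buckets = defaultdict(list)
    for r in records:
        if r.destination == destination:
            buckets[r.start.replace(second=0, microsecond=0)].append(r)
    alerts = []
    for start in sorted(buckets):
        reasons = window_indicators(window_features(buckets[start]), baseline)
        if len(reasons) >= min_reasons:
            alerts.append((start, reasons))
    return alerts


def constructed_cdrs():
    """Constructed sample: one normal minute followed by one flood minute."""
    dest = "18005550100"  # constructed 1-800 number
    t0 = datetime(2024, 1, 15, 9, 0)
    calls = []
    for i in range(18):  # normal minute: real caller IDs, usual carriers, long calls
        carrier = "carrier-a" if i % 4 else "carrier-b"
        calls.append(CallRecord(t0 + timedelta(seconds=i * 3), f"+1212555{i:04d}", carrier, dest, 120 + i))
    t1 = t0 + timedelta(minutes=1)
    for i in range(150):  # flood minute: rare carrier, 90% withheld caller ID, 2-4 s calls
        cid = "" if i % 10 else f"+1000000{i:04d}"
        calls.append(CallRecord(t1 + timedelta(milliseconds=i * 400), cid, "carrier-x", dest, 2 + i % 3))
    return calls


if __name__ == "__main__":
    for start, reasons in detect_tdos(constructed_cdrs(), "18005550100"):
        print(start.isoformat(), "->", "; ".join(reasons))
```

Run stand-alone it prints one alert for the 09:01 window with all four indicators, and none for the normal minute. The point of combining indicators is the one the text makes: caller ID alone is useless when it is masked, but a surge that also arrives from an unexpected originating carrier and consists of very short calls is visible without ever touching the audio.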
In the future, these attacks will be much more severe. By simply generating more calls or using more entry points to the voice network, many more calls can be generated, resulting in a very expensive attack or even one which degrades the performance of a contact center. This can be especially damaging at sites with limited trunk capacity. These attacks will get harder to detect, be more common, and create a greater impact. These attacks will also expand and affect other parts of an enterprise, through generation of voice phishing, harassing caller, and voice SPAM attacks. The technique for generation of all these attacks is the same – automatic generation of calls, but with a different audio payload and attacker intent.
I will put another post up shortly to discuss new mitigation approaches. For more information on TDoS issues and mitigation (and Voice over IP security in general), check out SecureLogix's Web Site.