I attached a briefing from the Florida Department of Law Enforcement describing a threat from Anonymous to target federal and local law enforcement and Child Protective Services (CPS) with Telephony Denial of Service (TDoS) attacks. The attack is supposed to occur 3/21/2015. Anonymous is also calling for website defacements from now up to the TDoS attack date.
The bulletin includes links with contact information, instructions for the attacks, and background on alleged corruption. This includes a link to a Facebook page, which is a way to use social networking to organize the TDoS attack (encourage many people to call in).
As stated in the article, TDoS is a flood of inbound calls, which target a set of phones critical to business operation. The target phones (and numbers) can be any part of a business or enterprise, but are generally those making up a public facing contact center, including those used for banking, finance, health care (emergency rooms and ICUs), government, and public safety. A TDoS attack may be of sufficient volume to overwhelm an entire business or enterprise, but can be equally effective with a smaller amount of traffic, if targeting critical resources. In this way, it is more about selecting the proper target phones and numbers (normally pulled of of public websites), timing (during the busiest part of the day and season), and complexity of the attack (spoofing the calling number), than it is about an overwhelming amount of traffic.
There are a number of ways to generate TDoS attacks, including use of SIP trunks and free PBX software such as Asterisk, possibly using Skype as referenced in the article, or using a tool like the one described in the article. The advantage of a tool such as this is:
It can generate a sufficient number of concurrent calls to overwhelm a small or moderately sized target.
Is turnkey and easier to set up than a SIP trunk and Asterisk.
Can generate a complex attack (assuming that it can indeed spoof the calling number for all calls).
Is anonymous and hard to track. It can be used anywhere where there is cellular coverage.
Is difficult for a service provider to shut down, because the calls are coming in through the cellular network
The last point is significant, because this means of originating TDoS calls is more difficult for the service provider to isolate, than say many calls coming from a single SIP trunking provider.
The TDoS attacks enabled by this tool can be used purely for disruption, as a threat to enable extortion, or to flood a victim with calls (or texts) to prevent authentication calls from the victim’s bank.
There have been several advertisements for Telephony Denial of Service (TDoS) attack services popping up. I provided a link to one below. These seem to come and go, as they are removed from sites, but this one has been up for a while. The service is very cheap, $70 for week, which if targeted towards a hospital emergency room, Intensive Care Unit (ICU), public safety site, or any small business, where there are a handful of critical phones and attendants, this service would be very disruptive. Of course there are other ways to do this yourself - using Asterisk and SIP trunking, but this is easier for a non-technical attacker.
They even offer a 10 minute free trial :)
Since I saw the service, it has been enhanced to state that the calls can be made with different source numbers. I don't know how sophisticated this is - are they random, legit numbers, etc., but of course this makes an attack much harder to deal with.
It isn't clear what the flood capacity is. it says the interval between calls is 1-3 seconds. The calls are automatically generated. You have the option of playing an audio file, but that costs more (requires the attacker to generate RTP).
Here is a link on Youtube of a recent video we did on Telephony Denial of Service (TDoS). It covers the concept and then the various types of attacks that we are seeing, including manual TDoS, social networking TDoS, and then different types of automated TDoS. We also briefly cover the Payday Loan Scam/Attack, which is affecting many hospitals and public safety sites:
The FBI just released another private industry notification to warn enterprises about contined Telephony Denial of Service (TDoS) attacks. The FBI warns that the attacks tend to target hospitals and Public Safety Access Points (PSAPs), the administrative part of a 911 center. Here is a PDF - I don't have a link:
The FBI predicts that TDoS will become the go-to attack against any enterprise who is heavily depending upon their voice systems. This includes any enterprise, but in particular, those with public facing contact centers, in the financial, health care, government, retail, and safety sectors.
The notifications states that since 2013, there have been 1000 REPORTED attacks - there have certainly been more that were not detected.
The notification also provides recommendations for mitgiation of the issue. SecureLogix has cloud and premise based solutions that address this issue. Most enterprises experiencing these attacks can point their voice systems to our cloud based solutions and begin solving the issue almost immediately.
For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on the Secure Telephony Identify Revisited (STIR). However, I checked the checked the IETF website and there has been quite a bit of activity and there are several new documents that are worth a read. You can find these documents at:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone elses PBX to generate calls to premium numbers set up by the hacker or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someones PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
The M3AAWG Special Interest Group (SIG) on voice fraud and security issues has published their agenda. This SIG will be held February 20-21. I will be on the panel discussing current solutions, with a focus on Telephony Denial of Service (TDoS). I hope to see some of you there: