In my Hacking Exposed: UC and VoIP book, I described a process for using Asterisk and a call generator along with SIP-based access to the voice network to launch TDoS attacks. This process is pretty easy to do, but not yet at the "script kiddie" level. It is certainly effective, but takes a little know-how.
The tool that Dancho describes is apparently much more turnkey. It is ready to go and appears to have preconfigured means to send calls into the network (Skype, vulnerable SIP servers, etc.), so it could pretty much be used by anyone. The tool also comes preconfigured with cellular access so it is more anonymous (although you can also easily get public wifi access on just about any street corner). The tool is also multi-threaded, which I assume means it can generate more concurrent calls through multiple origination points.
Many of the recent TDoS attacks are targeting a very small or even a single critical phone number, such as a hospital emergency room or ICU. Many of these attacks use cheap manual labor to generate the calls. The tool described above could easily be used for this same purpose, enabling many simultaneous attacks against many targets. If it can generate 100 concurrent calls, it could be used to attack up to 100 targets at a time. That is a much better model than hiring 100 people to be on the phone.
The Los Angeles (LA) Times ran a story on Telephony Denial of Service (TDoS) attacks. This is one of the first examples of this issue being covered in the mainstream media, outside the IT-specific media. SecureLogix contributed information for this article and it was our firewall that was used to mitigate the attacks. If anyone would like more information, drop me a note:
There has been a lot of press about recent Telephony Denial of Service (TDoS) attacks and the payday loan scam. The FBI issued a warning back in January and since then, there has been a ton of press and articles on the attack (see links in previous posts):
Here is some info on the scam that I have assembled from customers seeing the attack, prospective customers we have had discussions with, and service providers having to deal with the attack. The attackers call a number and state that the callee or some other individual owes money on a "pay day" loan. If they don't pay, their number will be overwhelmed with calls - a TDoS attack.
The attack seems to have originated with the attackers gaining access to a list of individuals and numbers who have had pay day loans. This makes some sense - these individuals may owe and could be likely to fall for the scam and pay. The attack is affecting Intensive Care Units (ICUs), other emergency facilities at hospitals, Public Service Answering Point (PSAP) administrative lines, and other critical services. It isn't clear to me if these targets just happen to have numbers on the list or, much more likely, the attacker has expanded their attack and targets to victims equally likely to pay.
I have heard that so far, as much as $4,000,000 has been paid as part of this scam!!! One individual has been the victim of multiple attacks and paid $60,000 to date!!! I would not have predicted that this many individuals and enterprises would pay, but apparently they have. This number may be quite a bit higher - certainly not all victims will have reported the issue.
This shows a way for attackers to make money off of TDoS. One usually thinks of DoS, DDoS, and TDoS as occurring simply for disruption or as a cover for other attacks. In this case, someone is directly making money off of it, so we will certainly see more.
The attacker requests that the victim load funds onto pre-paid VISA debit cards. The attacker then uses funds on the cards at their leisure.
Those who report being attacked have complained about a persistent flood of calls that overwhelms their numbers or even their entire voice system. Some victims have obviously gone ahead and paid the extortion, but that is the worst thing you can do. There is no assurance that the attack will stop and there is a good chance it will just continue or get worse, because the attacker now knows that they have a gullible victim. You would be much wiser to look for a means to mitigate the attack, such as voice firewall/IPS solutions from SecureLogix, which work for SIP and TDM networks. You can also try to ride the attack out.
There have been a number of additional bulletins warning of Telephony Denial of Service (TDoS) attacks on 911 centers. Below is a summary of the bulletins I am aware of. If anyone knows of any others, please let me know and I will include them here:
So what was the motive of the individual/group doing the scanning? It could be a lot of things, but there is a good chance the scanner was looking for SIP servers to use to freely originate calls into the network for a variety of attacks, including voice SPAM, voice phishing, Telephony Denial of Service (TDoS), and possibly toll fraud (inbound calls that hairpin out to premium numbers). I would be particularly concerned about TDoS - if the attacker has found a large collection of SIP servers used to originate calls, they could easily use them to overwhelm an enterprise and/or contact center.
There has been a ton of press lately about Telephony Denial of Service (TDoS). There are real attacks occurring against 911 centers and financial contact centers. The targets are getting flooded with malicious calls that prevent legitimate users from accessing critical emergency or financial services. I will provide posts about the actual attacks and methods of attack mitigation. Interestingly, I am wrapping up a chapter for the new Hacking Exposed: VoIP and UC on this exact topic.
Here is a video describing a Dial Through Fraud (DTF) attack. DTF is a form of toll fraud, where the attacker dials into a compromised PBX, gains dial tone, and then dials a new destination, usually an international number. They "hairpin" through the PBX. The destination is often a premium number and the attacker is using the compromised PBX as a way of generating traffic and revenue.
This attack is interesting because it shows how inbound call or robocall generation can be used for DTF and toll fraud. First someone compromises an IP PBX so that an external user can dial in, get dial tone, and dial to an international premium number. Once this access is gained, the attacker can use it at any time for DTF themselves or sell it to an attacker who wants to generate the actual fraud.
Most people think of DTF as being the case where the access to the compromised PBX is sold to many individuals who use it to make international calls, say to talk to relatives in their native countries. This still occurs, but by far the more common attack is to automatically generate inbound calls to the compromised PBX, which hairpin into outbound international calls to the premium numbers, thereby generating a lot of traffic and revenue. This really isn't much different than automated call pumping or Telephony Denial of Service (TDoS) attacks. The attacker sets up an automated call generation operation, probably using Asterisk, a call generator, and SIP trunks. They build an audio file that pauses, enters a code to get dial tone, enters the desired international destination number, and then just keeps the call up for some period of time. They run the attack and call a number for the compromised PBX that will give them dial tone. They probably spoof their calling number. The calls are kept up as long as practical, but keeping the calls shorter and/or variable length can make the attack a little less likely to be detected. The calls will usually be generated overnight and/or on the weekend to avoid attention.
If you watch the video, this is what happened. The attacker generated the calls at night and the victim had a ton of calls, all to Somalia, start up at the exact same time. The calls continued for about 5 hours, at which time the victim noticed the attack. They happened to be an organization that takes calls at night, so they noticed the attack.
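The pattern just described (a batch of international calls that all start within seconds of each other, overnight, each one hairpinned from an inbound call) is exactly what a CDR review on the PBX should be looking for. The following is an added example of that check, not code from the post or from SecureLogix: the CDR columns, the convention that a populated `ingress_trunk` marks an outbound leg placed by an inbound caller, the business-hours window, the country-prefix table and the burst thresholds are all assumptions, and the phone numbers are constructed placeholders.

```python
"""Flag after-hours bursts of hairpinned international calls in PBX CDRs.

Added example (not from the post). All field names, thresholds and
sample records are assumptions constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs. An outbound leg with a non-empty ingress_trunk is
# one that was dialled by an inbound caller, i.e. hairpinned through the PBX.
SAMPLE_CDR = """\
start,direction,ingress_trunk,calling,called,duration_s
2013-04-06 02:14:03,out,PRI-1,+15550100,+252615550111,1800
2013-04-06 02:14:04,out,PRI-1,+15550100,+252615550112,1795
2013-04-06 02:14:04,out,PRI-1,+15550101,+252615550113,1810
2013-04-06 02:14:05,out,PRI-1,+15550101,+252615550114,1790
2013-04-06 02:14:06,out,PRI-1,+15550102,+252615550115,1802
2013-04-06 02:14:07,out,PRI-1,+15550102,+252615550116,1780
2013-04-06 09:30:00,out,,+15550200,+14155550123,240
2013-04-06 14:02:11,out,,+15550201,+442075550199,600
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time (assumption)
BURST_WINDOW_S = 30             # calls whose start times fall within this span...
BURST_MIN_CALLS = 5             # ...and at least this many to one country = burst
HOME_COUNTRY_CODE = "+1"
# Tiny illustrative prefix table; a real deployment would use a full E.164 list.
KNOWN_PREFIXES = ("+252", "+44", "+1")


def country_code(number):
    """Longest matching prefix from KNOWN_PREFIXES, or 'other'."""
    for prefix in sorted(KNOWN_PREFIXES, key=len, reverse=True):
        if number.startswith(prefix):
            return prefix
    return "other"


def parse_cdrs(text):
    """Parse the assumed CSV CDR export into a list of dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
            "direction": r["direction"],
            "hairpinned": bool(r["ingress_trunk"]),
            "called": r["called"],
            "duration_s": int(r["duration_s"]),
        })
    return rows


def find_dtf_bursts(cdrs):
    """Return one alert per after-hours burst of international outbound calls.

    A burst is BURST_MIN_CALLS or more calls to the same country code whose
    start times lie within BURST_WINDOW_S of the first call in the group.
    """
    candidates = [c for c in cdrs
                  if c["direction"] == "out"
                  and country_code(c["called"]) != HOME_COUNTRY_CODE
                  and c["start"].hour not in BUSINESS_HOURS]
    by_country = defaultdict(list)
    for c in sorted(candidates, key=lambda c: c["start"]):
        by_country[country_code(c["called"])].append(c)

    alerts = []
    for country, calls in by_country.items():
        i = 0
        while i < len(calls):
            j = i
            while (j + 1 < len(calls) and
                   (calls[j + 1]["start"] - calls[i]["start"]).total_seconds()
                   <= BURST_WINDOW_S):
                j += 1
            group = calls[i:j + 1]
            if len(group) >= BURST_MIN_CALLS:
                alerts.append({
                    "window_start": group[0]["start"],
                    "country": country,
                    "calls": len(group),
                    "all_hairpinned": all(c["hairpinned"] for c in group),
                    "total_minutes": sum(c["duration_s"] for c in group) / 60,
                })
                i = j + 1
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_dtf_bursts(parse_cdrs(SAMPLE_CDR)):
        print(alert)
```

The `all_hairpinned` flag is the part worth acting on: a burst of international calls that were all placed by inbound callers is the DTF signature, whereas the same burst from internal extensions would point elsewhere. Since the enterprise pays for the fraud either way, this is the kind of check worth running against CDRs every few minutes rather than in a monthly billing review.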
As with any DTF or toll fraud attack, paying for the fraud is the responsibility of the enterprise.
I am going to write a series of posts on Telephony Denial of Service (TDoS). I thought I would start with a brief description of how attackers actually generate automated TDoS attacks. I will follow up with other techniques, info about the impact to enterprises, and how they can detect and mitigate the attacks.
The bottom line is that TDoS attacks have become cheap and easy to implement. The barrier to entry is much lower, due to the availability of VoIP, SIP, and UC. The 5 basic steps to execute a TDoS attack are as follows:
First, it is easy to get and set up free and powerful IP PBX software such as Asterisk. Asterisk has all the capabilities you will ever need to generate a TDoS attack. You also need a call generator or way to use Asterisk to generate calls. One such tool is "spitter", which SecureLogix wrote a while back for the Hacking Exposed: VoIP book. We are updating this tool as we speak for a revision to the book. You can get the current version from the SecureLogix SIP Testing Tools website as part of a set of VoIP testing tools.
Second, you need to determine the numbers you want to call. This is trivial. There has been a lot of discussion about attacks against 911 services. What could be easier than this - everyone knows the target number - it is always 911. It is just as easy to target a financial contact center - just go to the website of the target bank or other enterprise and search or browse for their 1-800 numbers. You only need 1 or a few numbers. You can also easily flood administrative parts of an enterprise. You can either discover their DID range or just pick a few numbers, because multiple calls to 1 DID will roll over, still consume trunks, and be answered by voice mail.
Third, you need to pick some audio to play. This could be silence or white noise if you are lazy. If your target is 911, maybe the audio sounds like a legitimate emergency call. If you don't want to use your own voice, google "text to speech" and you will find hundreds of services and applications that will convert the text you type into audio that you can use. You can even select the language, dialect, and accent. If you are targeting a financial contact center, maybe you want to tie up an IVR, so you could do a little research on your target and build an audio file that just loops through the menus. Or perhaps it flies through the menus to get to the agent, where you play some sort of audio that keeps the agent on the line as long as possible.
Fourth, it is easy to get VoIP/SIP access into the public voice network. In the old days, you would need an expensive PBX and PRI access into the network in order to generate calls. Now you just need Asterisk and a SIP trunk. If you google "SIP trunks", you will find hundreds of companies that provide an inexpensive way of generating calls. Some of these services are as cheap as $0.01 a call. Remember that the target may or may not be using SIP (odds are they are still using TDM), so you still must traverse the public voice network. SIP trunks are easy to set up and you can be generating calls in a very short amount of time. Of course if you are really serious, you can also scan for vulnerable SIP servers and try to generate your traffic for free. Or you can set yourself up as a service provider. Another somewhat effective approach is to use one of the "legitimate" call generation services. Just google "robocalls" and you will find many services that, for a fee, will generate lots of calls for you.
Finally, you need to run the attack. When you run it matters. For 911 it may not matter, but any time when there are likely to be a lot of emergencies, perhaps during a storm or in the evening, could be more effective. For a financial contact center, do it during the day during peak times, between say 10 am and 2 pm. Monitor the attack - you can tell it is effective when the calls being generated start failing.
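Each of the steps above leaves a footprint on the receiving side: a sudden rate of calls to one or a few numbers that no human caller population produces, from a rotating set of (possibly spoofed) calling numbers, often at peak hours. As an added example of the detection and mitigation side the series promises to cover (not code from the post or from SecureLogix's products), the following sliding-window monitor reads a constructed SIP INVITE log, flags a destination once its call rate in the last minute exceeds a threshold, and returns a divert decision for the overflow. The log format, the field names and the thresholds are assumptions; the phone numbers are constructed placeholders.

```python
"""Per-destination call-rate monitor over SIP INVITE log lines.

Added example (not from the post). The log format, thresholds and sample
traffic are assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line-per-INVITE log format produced by the SIP edge device.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INVITE "
    r"from=(?P<src>\+\d+) to=(?P<dst>\+\d+)$")


class CallRateMonitor:
    """Sliding window of recent INVITEs per called number."""

    def __init__(self, window_s=60, max_calls=20):
        self.window = timedelta(seconds=window_s)
        self.max_calls = max_calls          # calls per window before diverting
        self.recent = defaultdict(deque)    # dst -> deque of (ts, src)

    def observe(self, ts, src, dst):
        """Record one INVITE; return ('allow'|'divert', distinct callers in window)."""
        q = self.recent[dst]
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:       # expire entries older than the window
            q.popleft()
        q.append((ts, src))
        distinct_callers = len({s for _, s in q})
        verdict = "divert" if len(q) > self.max_calls else "allow"
        return verdict, distinct_callers


def build_sample_log():
    """Constructed log: 25 INVITEs to one 1-800 number in 25 s, each from a
    different calling number (what a spoofing call generator looks like), plus
    three ordinary calls to a second number over the same period."""
    lines = []
    base = datetime(2013, 3, 12, 10, 0, 0)
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} INVITE from=+1212555{i:04d} to=+18005550199")
    for i in range(3):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} INVITE from=+1415555010{i} to=+18005550123")
    return sorted(lines)    # fixed-width timestamps sort chronologically


def analyse(lines, window_s=60, max_calls=20):
    """Run the monitor over a log; summarise decisions per called number."""
    monitor = CallRateMonitor(window_s, max_calls)
    summary = defaultdict(lambda: {"allow": 0, "divert": 0, "peak_distinct_callers": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # ignore lines that are not INVITEs
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        verdict, distinct = monitor.observe(ts, m["src"], m["dst"])
        s = summary[m["dst"]]
        s[verdict] += 1
        s["peak_distinct_callers"] = max(s["peak_distinct_callers"], distinct)
    return dict(summary)


if __name__ == "__main__":
    for dst, s in analyse(build_sample_log()).items():
        print(dst, s)
```

The decision is "divert" rather than "drop" on purpose: during a TDoS flood the calling numbers are unreliable, so the overflow is better sent to an announcement, a lower-priority queue or a challenge than discarded, which keeps some path open for the legitimate callers mixed into the flood. The threshold has to be set from the number's normal peak rate; a 1-800 contact center line and an ICU desk phone will need very different values.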