TDoS/Harassing Call/Phone Bombing Attack on MI6

Here is an article and several Youtube videos describing an attack on the UK MI6 organization (their equivalent of the CIA). The article uses the term "phone bombing", where the attacker uses automation to flood the target with calls, thereby preventing legitimate callers from getting in. This is just another term for Telephony Denial of Service (TDoS).

The video's narrate the attacker calling in themself and taunting the MI6. If this weren't such as serious type of attack, it would be humorous.

The PSTN is not what it used to be, closed and somewhat safe. It has so much VoIP/SIP in it, that it is starting to look  like the Internet in terms of threat level. We will see more and more harassing calls, TDoS/phone bombing, voice SPAM, voice phishing (vishing), etc.

http://www.msnbc.msn.com/id/47032601/ns/technology_and_science-security/#.T4hJ4VGDTcM

http://www.youtube.com/watch?v=wtoOo-e5mNY&feature=channel&list=UL

http://www.youtube.com/watch?v=SAFf-9ohNJo

http://www.youtube.com/watch?v=PEBQoxHh1uU&feature=channel&list=UL

 

Telephony Denial of Service (TDoS) Attack on BBC

Here is an example of a Telephony Denial of Service (TDoS) attack on the BBC. The attack involved data DoS, as well as TDoS through what is stated as automatically generated calls. The attack calls may have been automatically generated, performed by many individuals organized through social networking, or a combination.

http://www.bbc.co.uk/news/technology-17365416

 

Social Media Used for Harassing Caller/TDoS

We have seen a number of cases where social medial/networking sites, such as facebook and twitter, were used to organized calling campaigns against corporations, the government, politicians, etc. Here is the latest example I have seen, titled "Occupy the Phones", where the organizer sets up facebook events to organize dialing campaigns. While these campaigns/attacks are very sophisticated, they can definitely tie up an organizations phone lines.

http://www.facebook.com/pages/Occupy-the-Phones/258843427490295

 

Robo-dialing/Automated Calling Website

Here is a website that offers a robo-dialing capability that you can use to send a voice message to polititians. The website states that since they are doing it to you, you may as well do it back to them. It doesn't let you dial other people or load up a ton of calls for one destination. I am sure we will see other "services" like this and also hackers using the same capability to generate harassing, spam, voice phishing, or outright Telephony Denial of Service (TDoS) calls.

http://reverserobocall.com/

Article About VoIP DDoS Attacks

Here is an article about Distributed Denial of Service (DDoS) attacks against VoIP services:

http://www.cio.com.au/article/402962/massive_ddos_attacks_growing_threat_voip_services/#closeme

Another Example of Using Social Networking to Generate a TDoS Attack

Here is a link to an article that describes how a well known person used social networking, in this case twitter, to prompt a flash mob to overload the emergency phone system at the Los Angeles (Compton) sheriffs office. Hundreds of calls came in over a 3 hour period, resulting in a TDoS condition. This is another example of how social networking sites, such as twitter, facebook, etc. can be used to start flash mobs of users that can overwhelm the phone lines of victims.

http://www.foxnews.com/entertainment/2011/08/14/rapper-game-may-face-charges-tied-to-flash-mob-calls/

 

Using Social Networking (Facebook) to Organize TDoS Attacks

I have seen several recent cases where social networking sites such as Facebook are being used to organize Telephony Denial of Service (TDoS) attacks. In one case, several Facebook pages and events were set up to communicate information such as techniques and phone numbers (DIDs), and then encourage all participants to call the numbers, to attempt to overwhelm the target. This isn't a new type of attack, but social networking makes it so much easier to coordinate the attack. Fortunately, these attacks are not super sophisticated yet, but can be over time. If the attackers start to coordinate distributed automated attacks, that could get really nasty.

Since the Facebook pages were events, they are no longer viewable. I did capture some screen shots, which are annotated provided below. There are a couple of other examples, which I will provide in later posts. I will wrap up by saying that SecureLogix is unique, in that we have solutions for these attacks, for both SIP and TDM networks.




 

 

Voice and Unified Communications: State of Voice Security Webinar

The webinar we did on our Voice and Unfied Communications: State of Voice Security Webinar is available online. Sorry, you still have to register. Here is the link:

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=299143&sessionid=1&key=1D85F3B3947BA08EE7CBE695FAD8983D&partnerref=ecweb&sourcepage=register

 

 

State of Communications Security Report

SecureLogix and the folks at NoJitter will be releasing a "Security In Communications: Report to the Industry" next week at the Enterprise Connect conference (www.enterpriseconnect.com). This report discusses voice/communications security, which threats are the most severe, why these threats are here now and why they will get worse, and then threat data from real-world assessments and deployments. 

For a glimse of what is in the report, take a look at the summary posted on the NoJitter site:

http://www.nojitter.com/feature/229219335

 

More on WikiLeaks Call For VoIP Security DoS Attacks Against FAX Machines

I posted a link a bit ago where some WikiLeaks supporters were calling for attacks against financial organization FAX machines. Here is the link:

http://news.netcraft.com/archives/2010/12/13/operation-paybacks-next-ddos-target-fax-machines.html

While I hope these sort of attack does not occur, I can say that they could be very disruptive. While there are alternatives to FAXes, they are still very commonly used to communicate with customers. This is true for just about all industries, but is certainly the case with banks, other financial organizations, insurance, etc. Loss of FAX machines (or servers) can really disrupt communications with customers.

FAX machines are pretty easy to find - they may be published on websites and can also be found by war dialing (simply calling numbers and looking for FAX machines/tones). Once the attacker has access to the number used by one or more FAX machines, it is very easy to execute a DoS attack. The attacker does not have to generate actual FAX calls - they simply need to call the FAX number. The FAX machine will normally try to connect (typical time is around 45 seconds) before it gives up. An attacker can easily overwhelm a single FAX machine by simply manually calling over and over. The attack can obviously be even more effective if they are automatically generating calls. If the attacker has access to SIP and can generate multiple/many calls at one time, they can overwhelm multiple FAX machines or a FAX server with multiple concurrent call capacity.

There isn't a lot of simple countermeasures to these attacks. You can change numbers, perhaps timeouts on FAX machines, monitor CDR for wardialing, etc. Of course you can also deploy Voice/VoIP firewalls on FAX machine trunking.