Here is a link on Youtube of a recent video we did on Telephony Denial of Service (TDoS). It covers the concept and then the various types of attacks that we are seeing, including manual TDoS, social networking TDoS, and then different types of automated TDoS. We also briefly cover the Payday Loan Scam/Attack, which is affecting many hospitals and public safety sites:
The FBI just released another private industry notification to warn enterprises about contined Telephony Denial of Service (TDoS) attacks. The FBI warns that the attacks tend to target hospitals and Public Safety Access Points (PSAPs), the administrative part of a 911 center. Here is a PDF - I don't have a link:
The FBI predicts that TDoS will become the go-to attack against any enterprise who is heavily depending upon their voice systems. This includes any enterprise, but in particular, those with public facing contact centers, in the financial, health care, government, retail, and safety sectors.
The notifications states that since 2013, there have been 1000 REPORTED attacks - there have certainly been more that were not detected.
The notification also provides recommendations for mitgiation of the issue. SecureLogix has cloud and premise based solutions that address this issue. Most enterprises experiencing these attacks can point their voice systems to our cloud based solutions and begin solving the issue almost immediately.
For those not familiar with STIR, it is an effort (working group) attempting to solve the issue of spoofed calling number (caller ID). It has become so easy to generate calls with random anonymous numbers or specific/targeted spoofed numbers, that the source number has lost most of its value as an indicator of who is calling. This enables some attacks, but more importantly, makes other attacks such as Telephony Denial of Service (TDoS), voice SPAM (robocalls), scams, voice phishing (vishing), and harassing/threatening calls much more of an issue.
I just finished attending the 2014 SIP Network Operators Conference (SIPNOC). I couldn't attend some of the conference and missed the update on the Secure Telephony Identify Revisited (STIR). However, I checked the checked the IETF website and there has been quite a bit of activity and there are several new documents that are worth a read. You can find these documents at:
Patrick McNeil covers how to hack SIP servers, at service providers and enterprises, to make money. The presentation is useful because it covers why someone might bother to hack these servers, namely:
Toll fraud or International Revenue Sharing Fraud (IRSF) - basically using someone elses PBX to generate calls to premium numbers set up by the hacker or where the hacker has an agreement with the owner to generate traffic.
Telephony Denial of Service (TDoS) - using someones PBX to target a business or individual. The attacker makes money through extortion.
Robocalling/SPAM - using someone's PBX to make many SPAM or vishing calls to individuals (this was briefly mentioned).
At the end of the presentation, there is a brief TDoS demo.
Note that another way to make money is call pumping, where the calls are to 1-800 numbers and the attacker gets a share of the revenue, but this arrangement is more difficult to set up.
The M3AAWG Special Interest Group (SIG) on voice fraud and security issues has published their agenda. This SIG will be held February 20-21. I will be on the panel discussing current solutions, with a focus on Telephony Denial of Service (TDoS). I hope to see some of you there:
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is holding a special interest group in their annual conference in San Francisco, February 17-21, to focus on issues unique to voice. This includes Telephony Denial of Service (TDoS), robocalls, voice SPAM, voice phishing, etc. I will attend and be on the solutions panel. Here is a link to an article discussing the special interest group.
Here is a bulletin from the FBI warning about toll free, 1-800 call pumping attacks. The basic idea (I cover this extensively in my Hacking Exposed: UC and VoIP book) is that the attacker, usually an unscrupulous service provider, generates many (perhaps millions) of calls into 1-800 numbers. They profit because they receive a piece of the 1-800 revenue, which is paid by the owner of the 1-800 number. See the bulletin below:
There are two types of attacks, one will "spray" many numbers with very short calls, in order to get a piece of the connect time revenue. Another will generate long calls, usually to a smaller number of 1-800 numbers and IVRs, in order to get a piece of the connect and per-minute charges. The latter form may require some analyis of the target 1-800 IVR, and use of tailor audio which dwells in the IVR through use of menu-looping DTMF tones or other audio.
Either type can generate a TDoS condition, if the attacker generates too many calls or if the calls target a part of an IVR or enterprise with limited bandwidth. This is especially true for calls which dwell in the IVR, because they consume more resources.