FBI Warns of New TDoS Attacks

Earlier this week, several news outlets including Wired.com reported on a new Telephony Denial-of-Service attack that’s becoming more widespread. In this attack scenario, hundreds or thousands of PSTN calls are launched to the victim’s phone in order to prevent financial institution notifications from arriving while the attacker drains accounts. It’s less clear that attackers can do anything about email or SMS alerts, but based on sheer volumes alone one has to assume the attackers are using VoIP technology to originate the calls. Certainly there are many implications to consider, particularly if TDoS attacks become more common within the PSTN going forward.
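A defender-side detection check for the flood pattern the post describes, added here as an example that is not part of the original post: it scans call detail records for a single called number receiving many short calls from many distinct sources within a short window. The CDR layout, the field order and the thresholds are assumptions, and the sample records are constructed.

```python
"""Flag a telephony denial-of-service (TDoS) burst in call detail records (CDRs).

Assumed CDR format (constructed for this example): one call per line,
"ISO-timestamp,calling-number,called-number,answered-seconds".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_cdrs():
    """Constructed CDRs: a quiet hour, then 30 near-zero-length calls from 30 numbers."""
    base = datetime(2010, 5, 12, 9, 0, 0)
    normal = [f"{(base + timedelta(minutes=7 * i)).isoformat()},3035550{101 + i:03d},3035550100,{60 + i}"
              for i in range(5)]
    burst_start = base + timedelta(hours=1)
    burst = [f"{(burst_start + timedelta(seconds=2 * i)).isoformat()},9005550{i:03d},3035550100,{i % 3}"
             for i in range(30)]
    return normal + burst


def parse_cdr(line):
    ts, caller, callee, dur = line.strip().split(",")
    return datetime.fromisoformat(ts), caller, callee, int(dur)


def detect_tdos(lines, window=timedelta(seconds=60), min_calls=20,
                min_sources=10, max_mean_duration=5):
    """Sliding-window scan per called number; returns one alert per sustained burst.

    A burst is flagged when, inside `window`, a number receives at least
    `min_calls` calls from at least `min_sources` distinct callers whose mean
    answered time is at most `max_mean_duration` seconds (the line is being
    kept busy, not used for conversation).
    """
    recent = defaultdict(deque)   # callee -> deque of (ts, caller, dur) inside the window
    suppress_until = {}           # callee -> time until which repeat alerts are muted
    alerts = []
    for ts, caller, callee, dur in sorted(parse_cdr(l) for l in lines):
        q = recent[callee]
        q.append((ts, caller, dur))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) < min_calls:
            continue
        sources = {c for _, c, _ in q}
        mean_dur = sum(d for _, _, d in q) / len(q)
        if len(sources) >= min_sources and mean_dur <= max_mean_duration:
            if callee in suppress_until and ts <= suppress_until[callee]:
                suppress_until[callee] = ts + window   # burst continues: extend the mute
                continue
            suppress_until[callee] = ts + window
            alerts.append({"target": callee, "first_seen": q[0][0].isoformat(),
                           "calls": len(q), "sources": len(sources)})
    return alerts
```

On the constructed sample the quiet hour produces no alert and the burst produces exactly one, raised at the 20th call.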

This entry was posted in Miscellaneous, Security, VoIP Security.

About Andy Zmolek

Andy has been involved with product development and network security for over a decade, and is a co-author and technical editor for the book, “Practical VoIP Security,” published in April 2006 by Syngress. Andy was most recently a senior manager in Avaya’s Unified Communications Division, driving security and identity planning and strategy across the Avaya product line, focusing primarily on applications and next-generation platforms. Previously at Avaya, he led teams within the Information Technology, Services, and Strategy & Technology Business Units. Andy was an early advocate for Avaya initiatives in Security, SIP, Presence, and VoiceXML; he has two patents granted and at least nine others pending from his work in Unified Communications.

Prior to joining Avaya, Andy directed network architecture and operations at New Era of Networks (now Sybase), a pioneer of enterprise application integration (EAI) technology. Andy got his start in the industry building real-time simulation networks for missile and satellite programs at Raytheon, most notably Sidewinder and Tomahawk. Andy holds a degree in Mathematics from Brigham Young University and lives in Highlands Ranch, Colorado.

6 thoughts on “FBI Warns of New TDoS Attacks”

  1. Aswath Rao

    Pondering on the effectiveness of this scheme. The victim’s line must be continuously busy so that a call from the financial institution does not get through. Also if the victim has telco supplied voicemail, then they will be able to leave voicemail.

  2. Andy Zmolek Post author

    That’s correct – apparently the attackers found thresholds at which neither calls nor voicemail will work and/or filled the voice mailbox. In some cases, this caused victims to change phone numbers out of frustration. What’s less clear is why carriers couldn’t detect and block the source(s) – the degree of distribution was not discussed.

  3. Dan Wing

    Changing the phone number is 100% effective and immediate. Having the SP block the source is … operationally expensive and as ineffective as blocking (email) spam. It’s a hard problem, for sure, but solvable — if there was still interest in fixing the PSTN, that is.

    (the very same attack can be done using 100% SIP).

  4. Mark Rubino

    I had read this article recently and I thought back to your earlier April 8th post regarding UC federations and security. You mention the concerns of federations propagating a DoS attack. Armed with federation knowledge for one organization an attacker could possibly now impact multiple organizations with a ready made channel of attack. I’m looking forward to additional information regarding federations, security concerns and recommendations. As UC federations grow I’d like to point out that one need not ‘attack’ the technology but take the path of least resistance – simply request and be invited in…

  6. Andy Zmolek Post author

    As the marginal cost of PSTN access approaches that of IP access, we can certainly expect to see more of this sort of thing, regardless of whether attacks themselves come through service providers or federation partners. When looking specifically at federation use cases, one would expect TDoS to be more of a concern in an environment of brokered or opportunistic federation among large groups of federation participants where trust relationships are less direct than provisioned federation between trading partners.

    Frankly we don’t have a lot of real-world experience with the issue yet. Microsoft OCS federation allows for rate-limiting rules to be set for federation partners, but I haven’t yet run into anybody that’s even needed to use them (and frankly I suspect that most IT groups would just break off the federation if such problems surfaced). ViPR is not widely deployed yet, and it’s likely to be many years before ViPR servers in the wild are able to resolve more than a single-digit percentage of the PSTN destinations they encounter into federated SIP addressing. All this means that for an attacker, UC federations simply aren’t attractive targets yet.

    Security concerns like TDoS that may appear to slow adoption of federation technologies in the near term within the enterprise are more reflective of organizational inertia than anything else. That’s not to say there aren’t real risks out there to manage, but the nature of federation itself means you have potentially more control when it comes to trust management right from the start when compared with the traditional carrier model, yet it’s up to each federation partner to exercise that control. If one allows many layers of transitive trust to build up unchecked among federation partners because it makes trust relationships simpler to manage, all federation partners in that community will be more exposed. If participants or a federation broker take steps to limit the amount of transitive trust in a federation community, it will be less exposed.
