Earlier this week, several news outlets including Wired.com reported on a new Telephony Denial-of-Service attack that’s becoming more widespread. In this attack scenario, hundreds or thousands of PSTN calls are launched to the victim’s phone in order to prevent financial institution notifications from arriving while the attacker drains accounts. It’s less clear that attackers can do anything about email or SMS alerts, but based on sheer volumes alone one has to assume the attackers are using VoIP technology to originate the calls. Certainly there are many implications to consider, particularly if TDoS attacks become more common within the PSTN going forward.
Pondering on the effectiveness of this scheme. The victim’s line must be continuously busy so that a call from the financial institution does not get through. Also, if the victim has telco-supplied voicemail, then they will be able to leave voicemail.
That’s correct – apparently the attackers found thresholds at which neither calls nor voicemail will work and/or filled the voice mailbox. In some cases, this caused victims to change phone numbers out of frustration. What’s less clear is why carriers couldn’t detect and block the source(s) – the degree of distribution was not discussed.
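An added, defender-side illustration of the two questions raised in the post and in the reply above (call volume, and how distributed the sources are); this is example code, not code from the original post, and the telephone numbers and call records are constructed. It scans call detail records for a callee receiving a flood of inbound attempts and reports how many distinct callers the busiest window contained, which is what a carrier would need to know before deciding whether source blocking is even practical.

```python
from collections import defaultdict

# Constructed sample CDRs: (epoch_seconds, caller, callee, disposition).
# The victim +15550100 gets 120 attempts in 60 s from 30 rotating callers; the
# bank's genuine alert call at t=1030 lands on the busy line and is lost.
SAMPLE_CDRS = [(1000 + i // 2, f"+1555000{i % 30:02d}", "+15550100", "busy")
               for i in range(120)]
SAMPLE_CDRS.append((1030, "+18005551234", "+15550100", "busy"))   # bank alert, lost
SAMPLE_CDRS += [(1000 + 300 * i, f"+1444000{i:03d}", "+15550200", "answered")
                for i in range(4)]                                  # normal traffic


def detect_tdos(cdrs, window=60, min_calls=50):
    """Return {callee: metrics} for callees flooded with inbound call attempts.

    For each callee the call times are scanned with a sliding window of
    `window` seconds; the busiest window is reported along with how many
    distinct callers it contained, which tells the operator whether blocking
    sources is practical (few) or the flood is widely distributed (many).
    """
    by_callee = defaultdict(list)
    for ts, caller, callee, disp in cdrs:
        by_callee[callee].append((ts, caller, disp))

    flagged = {}
    for callee, calls in by_callee.items():
        calls.sort()
        best = None
        start = 0
        for end in range(len(calls)):
            # Advance the window start until the span fits inside `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best["peak_calls"]:
                span = calls[start:end + 1]
                best = {
                    "peak_calls": count,
                    "distinct_callers": len({c for _, c, _ in span}),
                    "unanswered_ratio": sum(d != "answered" for _, _, d in span) / count,
                    "window_start": span[0][0],
                }
        if best["peak_calls"] >= min_calls:
            flagged[callee] = best
    return flagged


if __name__ == "__main__":
    for callee, metrics in detect_tdos(SAMPLE_CDRS).items():
        print(callee, metrics)
```

A high `distinct_callers` count with a high `unanswered_ratio` is the signature of a distributed flood; a low count points to a handful of sources that can be blocked at the ingress trunk.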
Changing the phone number is 100% effective and immediate. Having the SP block the source is … operationally expensive and as ineffective as blocking (email) spam. It’s a hard problem, for sure, but solvable — if there was still interest in fixing the PSTN, that is.
(the very same attack can be done using 100% SIP).
I had read this article recently and I thought back to your earlier April 8th post regarding UC federations and security. You mention the concerns of federations propagating a DoS attack. Armed with federation knowledge for one organization an attacker could possibly now impact multiple organizations with a ready made channel of attack. I’m looking forward to additional information regarding federations, security concerns and recommendations. As UC federations grow I’d like to point out that one need not ‘attack’ the technology but take the path of least resistance – simply request and be invited in…
As the marginal cost of PSTN access approaches that of IP access, we can certainly expect to see more of this sort of thing, regardless of whether attacks themselves come through service providers or federation partners. When looking specifically at federation use cases, one would expect TDoS to be more of a concern in an environment of brokered or opportunistic federation among large groups of federation participants where trust relationships are less direct than provisioned federation between trading partners.
Frankly we don’t have a lot of real-world experience with the issue yet. Microsoft OCS federation allows for rate-limiting rules to be set for federation partners, but I haven’t yet run into anybody that’s even needed to use them (and frankly I suspect that most IT groups would just break off the federation if such problems surfaced). ViPR is not widely deployed yet, and it’s likely to be many years before ViPR servers in the wild are able to resolve more than a single-digit percentage of the PSTN destinations they encounter into federated SIP addressing. All this means that for an attacker, UC federations simply aren’t attractive targets yet.
Security concerns like TDoS that may appear to slow adoption of federation technologies in the near term within the enterprise are more reflective of organizational inertia than anything else. That’s not to say there aren’t real risks out there to manage, but the nature of federation itself means you have potentially more control when it comes to trust management right from the start when compared with the traditional carrier model, yet it’s up to each federation partner to exercise that control. If one allows many layers of transitive trust to build up unchecked among federation partners because it makes trust relationships simpler to manage, all federation partners in that community will be more exposed. If participants or a federation broker take steps to limit the amount of transitive trust in a federation community, it will be less exposed.