The U.S. Department of Homeland Security recently issued a bulletin titled “TDoS Attacks on Public Safety Communications” and while it was “Law Enforcement Use Sensitive/For Official Use Only” a copy was obtained by Brian Krebs who wrote about it on his site and also published the DHS bulletin publicly.
This resulted in a small flurry of related articles that Mark Collier listed on his VoIP security blog. Most of the articles, unfortunately somewhat predictably, seem to be rehashes of Brian Krebs’ post and/or the DHS bulletin. However, the point is definitely solid – these are real attacks that are happening on call centers out there, including those operated by emergency services organizations. No one wants to be on the receiving end of hundreds (or thousands) of phone calls clogging up your call center and making it unusable for regular business.
The connection to VoIP is that made by Brian Krebs in his article:
According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.
This is the key point. VoIP systems make these kind of attacks much easier to create. Anyone can take one of the various free VoIP servers and create a script that will generate a crazy number of phone calls. And of course the Caller-ID can be easily spoofed using the same servers. I’m sure there are already scripts out there that automate all of this for would-be attackers.
The challenge is then finding either a VoIP service provider (or “ITSP” or “SIP Service Provider”) who will let the attacker send out phone calls to the PSTN – or to find victims that allow incoming SIP connections (which means that attacks could come from any Internet connection). Or to find components of the SIP signaling infrastructure that have weak (or no) authentication and through which an attacker can send calls. For example, SIP gateways that allow incoming SIP calls with minimal (or easily spoofable) authentication.
It’s not necessarily easy to do, but VoIP systems do make it easier than it was in the past, largely because the attackers can obtain a degree of anonymity through masking their source, and also because of the automation of the calling possible through the systems.
Defending against a TDoS is not the easiest, particularly when the attackers can use spoofed Caller IDs to hide their origin. Here is a place where VoIP actually helps because if the calls are coming in over IP, firewalls and other network monitoring tools can be used to recognize patterns and potentially identify and block sources of the attacks. There are companies such as SecureLogix (whose CTO is Mark Collier, whom I linked to earlier) who do sell products and services to help address these threats. As we increasingly move to IP-based communications there will no doubt be many more companies and service providers offering such services.
We as an industry do need to do what we can to help people understand both the threat posed by these attacks, and also the mitigations and possible solutions.
In the meantime, expect more people to be talking about this issue due to this DHS bulletin and the surrounding attention in the media.
What do you think? What should be done within the VoIP vendor/organization community? What are good steps to promote to defend against TDoS attacks?
Hey Dan, thanks for the post. I believe we will see more of these attacks, as the public voice network blends more and more with the Internet. They are already affecting contact centers and 911 centers. Plus attacks like call pumping some times turn into TDoS when the attackers get greedy or sloppy.