TDOS
The non-emergency call centre in Howard County, Maryland typically receives 300 to 400 calls a day. On August 11, 2018, however, the non-emergency call centre of the County, was flooded with 2,500 calls in a 24-hour span of time in an attack known as telephony denial of service (TDoS).
What Is Telephony Denial of Service (TDoS) Attack?
Telephony denial of service (TDoS) is a type of denial of service (DoS) attack in which the attackers launch high volume of calls and keeping those calls active for as long as possible against the target network, preventing legitimate calls to come in. TDoS is a threat not just to government and large enterprises, but also to small and medium-sized organizations.
TDoS attacks have evolved from manual to automation. An example of a manual TDoS attack is leveraging social media such as Facebook and Twitter to organize individuals into a TDoS calling campaign. A report by SecureLogixshowed that the vast majority of TDoS attacks use automation to generate the attack calls. The Howard County TDoS attacker, for instance, used automation in attacking the County.
James Cox, network-server team manager for the Howard County, told Ciscothat a lone foreign malicious actor was responsible for the TDoS attack on the County. The motive of the attack, Cox said, was money. This foreign malicious actor, he said, was being paid by a third party for tying up the phone lines by having long conversations.
The TDoS attack on the non-emergency call centre in Howard County was pulled off by acquiring phone numbers and using a server based in Europe and made it look like the phone numbers were local numbers. With this set-up, every call made was considered as an international call, which carriers paid, allowing the 3rd party to profit from this scheme. The foreign malicious actor, meanwhile, made pennies for every minute a phone line is tied up.
TDoS attack isn’t a new threat. In 2013, the U.S. Federal Bureau of Investigation (FBI) and U.S. Department of Homeland Security (DHS) issued a joint alert regarding the TDoS threat, a copy of which was reposted on security journalist Brian Krebs’s site. The joint alert reported that dozens of TDoS attacks targeted the administrative public safety answering points lines (not the 911 emergency line), launching high volume of calls against these lines and tying up the system from receiving legitimate calls.
“Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications,” the alert said.
In the joint alert, the specified motive of the attackers was money. The FBI and DHS said that the attack starts with a continuous stream of calls that last for several hours, preventing both incoming and outgoing calls from being completed. These TDoS attacks are then followed by a call from an individual demanding payment of $5,000.
Supposedly, this amount serves as payment of an outstanding debt incurred by a current or former employee or an employee who never did work in the targeted organization. The TDoS attacks in these cases were pure extortion attempts.
Automated TDoS Attacks
To launch automated TDoS attacks, attackers often use open source software tools to automatically generate hundreds or thousands of concurrent calls. Attackers pull off automated TDoS attacks by installing any of these open source call generator software programs on a Linux server and configuring the software to suit to one’s needs such as setting the victim’s phone numbers, choosing how to spoof the calling number, deciding what audio to play and choosing the call rate. Anyone interested in setting up one of these open source call generator tools can readily find available resources online.
Complex TDoS Attacks
In recent years, TDoS attacks have become complex – attacks which combine sophisticated calling number spoofing and distributed origination. In 2016, a teenager launched a complex TDoS attack against the 911 emergency call centres in Phoenix, Arizona.
The teenager developed a TDoS malicious software (malware) that was distributed via his Twitter account. The teenager’s Twitter followers unwittingly downloaded the malware as these followers were tricked to click on a link on a Twitter post that leads to a malicious website. From this malicious site, the malware was downloaded onto the victims’ smartphones.
As a result, thousands of automatic 911 calls were made from these compromised smartphones and call centres in Phoenix (where most of the victims’ reside) were soon flooded with calls in a matter of minutes. The said attack could have devastating effects, had the teenager had tons of Twitter followers. The good thing is that he only had a relatively small number of Twitter followers.
“If coordinated with an actual physical terrorist attack, this would be particularly catastrophic, resulting in a large number of victims losing the ability to connect with emergency services.” the U.S. Department of Homeland Security (DHS)noted about this complex TDoS attack launched by the teenager.
TDoS attacks could also have devastating effects when synchronized with the traditional distributed denial-of-service (DDoS) attack against the target’s website, driving more traffic to the voice systems. In a DDoS attack, an attacker hijacks vulnerable devices such as internet of things (IoT) devices and used these hijacked devices to overwhelm a target (typically a website) with a flood of internet traffic, rendering the website inaccessible to legitimate users.
TDoS attacks are a real threat to the security of your organization’s Voice over Internet Protocol (VoIP) network as attacks are becoming automated and complex.