Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:28 PM
Connect Directly

Hacking The TDoS Attack

Rising telephony denial-of-service (TDoS) attacks are not quite as prevalent as a DDoS, but they can be just as deadly

When an ICU nurse refused to pay scammers who insisted she owed money for a payday loan, they unleashed a robo-dial flood of hundreds of calls per hour that ultimately shut down the phone system of the hospital's intensive care unit. In another case, supporters of a popular company that received a negative rating from a major financial firm voiced their displeasure by crowdsourcing phone calls to the firm in an attempt to block its trading and other functions -- and they organized it via a Facebook Event post.

These real-world cases of telephony denial-of-service (TDoS) attacks in the past year didn't get the publicity that distributed denial-of-service (DDoS) attacks did, but security experts say these types of attacks have been on the rise in the past couple of years and can be just as damaging as a DDoS.

"Personally, I believe that it's a more invasive approach to target a company's [or] individual's primary means of communication. Just like DDoS attacks, based on my observations, they tend to abuse the infrastructure of legitimate services, Skype, ICQ, major U.S-based carriers, and relevant SIP providers," cybercrime researcher Dancho Danchev said in an interview via email.

TDoS attacks -- which earlier this year were becoming prevalent enough that the U.S. Department of Homeland Security issued an alert about a threat of TDoS attacks on public sector entities in an attempt to extort money -- are typically similar in motivation and goals as DDoS attacks that flood networks, websites or other servers with massive volumes of traffic meant to bring an organization's data structure to its knees. Call centers are the most popular TDoS targets -- they're easy to contact and flood with calls -- and, increasingly, there are more tools readily available tools for launching these attacks on any organization or individual's location.

Danchev says he started noticing a major increase in TDoS-for-hire services about a year-and-a-half ago, and he sees new vendors emerging regularly. "Since the attacks are requested on demand/for hire, virtually anyone can be targeted based on the preferences of the customer," he says.

Mark Collier, CTO and vice president of engineering for SecureLogix, a TDoS mitigation vendor, says TDoS tools are readily available, especially ones that exploit VoIP. "One major reason it's getting worse is that attackers have access to VoIP, so if they want to flood a major bank with tens of thousands of calls, they can get free Asterisk PBX software. There's inexpensive SIP access," he says.

Arbor Networks says it has seen an increase in TDoS attacks that use Session Initiation Protocol (SIP) traffic to flood VoIP systems. In a recent 24-hour period, Curt Wilson, a research analyst with Arbor, spotted global SIP message-flooding traffic accounting for 31 percent of the total scan traffic found via monitoring with Arbor's ATLAS intrusion detection system.

[There are now more than five phone fraud calls placed per minute, and the volume of these scams increased by 29% in the first half of this year. See Phone Fraud Up 30 Percent.]

Wilson says a SIP flood TDoS attack requires the same mitigation tactics as a DDoS. The most common response to a DDoS attack is to redirect and scrub traffic, as well as block offending sources of the traffic. In the case of the targeted financial firm that ultimately became a customer of SecureLogix, its call center traffic was five times its usual levels at the target time of 11 a.m. Eastern on the Monday morning of the planned attack. SecureLogix employed a multilayer call-blocking ruleset that killed the malicious calls and allowed legitimate calls inbound.

In the case of the ICU nurse, the scammers were all about extortion against payday loan customers. They kept harassing the nurse -- who had previously paid off the loan with the real lender -- with phone calls threatening her credit rating. The volume of automated calls targeting the ICU shut down its phone system such that the ICU's doctors and nurses couldn't make or receive calls. And the attacks continued to threaten other areas in the hospital from the same scammers and other groups, according to SecureLogix, which was commissioned as the hospital group's vendor after the ICU incident.

Just like some DDoS efforts, there are both sophisticated and do-it-yourselfer TDoS attackers. Danchev says he can distinguish between TDoS attacks by sophisticated groups with their own tools and the ones who use DIY tools.

Still, TDoS today isn't on the radar screen for organizations the way DDoS is. "The threat's not taken seriously because organizations want data to present in order to get the necessary budget to implement solutions that would prevent such an attack from taking place within their organizations' boundaries," Danchev says. "Since there's lack of such data/statistics on just how widespread is the problem -- which is something having to do with the fact that since day one TDoS has been largely popular in Russia/Eastern Europe -- it would inevitably put these organizations in a catch-up mode in the long term."

Arbor's Wilson says he sees more DDoS services in the cybercrime underground markets offering TDoS services as well. Most of these ads appear on Russian forums, he says, with some ads appearing in English as well.

TDoS has come a long way from the original attacks against consumers three years ago that flooded them with traffic so no one could verify the fraudulent bank account withdrawals from the victims' accounts. "Over time they began flooding contact centers, different enterprises and 911 centers for purposes of extortion," SecureLogix Collier says.

Meanwhile, the main office of a major U.S. retailer -- and a customer of SecureLogix -- was recently hit with thousands of calls during a period of hours. The calls were about 30 seconds long with an audio recording aimed at tying up circuits while keeping the call alive, SecureLogix discovered. The reason for the attack remains unknown, but SecureLogix officials say the motive was most likely to prevent inbound phone calls.

"TDoS has exploded and is going prime time," says David Heard, vice president of product marketing management for SecureLogix, but it hasn't received much attention, he notes. "TDoS needs a poster child as breakout issue to draw mainstream attention," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
A potential vulnerability has been identified in HPE OneView Global Dashboard release 2.31 which could lead to a local disclosure of privileged information. HPE has provided an update to OneView Global Dashboard. The issue is resolved in 2.32.
PUBLISHED: 2021-06-24
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 1...
PUBLISHED: 2021-06-24
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
PUBLISHED: 2021-06-24
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
PUBLISHED: 2021-06-24
A vulnerability in agent program of HelpU remote control solution could allow an authenticated remote attacker to execute arbitrary commands This vulnerability is due to insufficient input santization when communicating customer process.