Plenty of detail has been provided for preventing DDoS attacks in recent years, but I haven't seen as much mention concerning telephony denial-of-service attacks (TDoS). Can you explain what TDoS attacks are and how organizations should prepare their telephony systems for such attacks?
Ask the Expert
Have a question about network security for expert Brad Casey? Send it via email today! (All questions are anonymous)
A TDoS attack is the act of rendering an organization's voice communications infrastructure useless or seriously degraded. This is often done by flooding an organization's voice infrastructure with phone calls, thereby consuming large amounts of voice resources and leaving little, if any, bandwidth available for legitimate use.
Prior to the days of Voice over Internet Protocol (VoIP), effectively executing a TDoS attack was no easy feat as the resources needed to simulate large volumes of simultaneous phone calls were not widely available. Today, however, the proliferation of unified communications technologies has been extremely rapid, allowing nefarious individuals to easily and prolifically execute TDoS attacks.
VoIP servers, such as Cisco Systems Inc.'s CallManager, are similar to old private branch exchanges (PBXs) in that they can handle only a finite number of concurrent connections. A VoIP call setup uses the Transmission Control Protocol (TCP) for signaling and the connectionless User Datagram Protocol (UDP) to carry the voice data. While this is a natural method of call setup, especially to those with experience in the quickly fading SS7 technology, it is also intuitive to attackers who have even a moderate amount of knowledge of TCP/IP.
Many attackers abuse the TCP three-way handshake to manipulate the VoIP server into accepting more concurrent connections than it is built to handle. For example, an attacker could initiate a TCP connection with the VoIP server by sending a TCP SYN packet. The server then responds with a TCP SYN-ACK packet and waits for the third part of the handshake, the TCP ACK packet. If that ACK never arrives, many VoIP servers keep the state for the half-open connection in their buffers, and if the TCP timeout has not been properly configured, those resources are quickly consumed. The attacker in this scenario will almost certainly have thousands of spoofed IP addresses at his or her disposal, all sending TCP SYN packets simultaneously with no intention of ever sending the requisite ACK packets.
To guard against such an attack, security professionals should ensure that the TCP timeout on their VoIP server infrastructure is properly configured, so that half-open connections are dropped rather than held indefinitely. Additionally, capacity analysis should be conducted so that the security professional knows how many concurrent connections the VoIP server must be able to handle.
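To make the effect of the timeout concrete, here is an added illustration (not code from the column or from any VoIP product) that models a signaling server's table of half-open TCP connections. The capacity of 100 slots, the 150-packet SYN flood from constructed spoofed addresses and the 60-second timeout are all assumed values chosen for the demonstration.

```python
"""Toy model of a VoIP signaling server's half-open (SYN received) connection table.

Constructed example: the slot count, timing and addresses are assumptions, not
measurements from any real system. It shows why an unconfigured TCP timeout lets
a SYN flood lock out legitimate phones while a finite timeout reclaims the slots.
"""


class HandshakeTable:
    """Tracks TCP connections that sent SYN but never completed the handshake."""

    def __init__(self, capacity, syn_timeout):
        self.capacity = capacity        # concurrent half-open slots the server can hold
        self.syn_timeout = syn_timeout  # seconds before a half-open entry is discarded; None = never
        self.half_open = {}             # (src_ip, src_port) -> time the SYN arrived

    def expire(self, now):
        """Discard entries whose ACK has not arrived within syn_timeout seconds."""
        if self.syn_timeout is None:
            return 0
        stale = [k for k, t in self.half_open.items() if now - t >= self.syn_timeout]
        for key in stale:
            del self.half_open[key]
        return len(stale)

    def on_syn(self, key, now):
        """Handle an incoming SYN; return True if it got a slot, False if the table is full."""
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[key] = now
        return True

    def on_ack(self, key):
        """Complete the handshake and free the half-open slot."""
        return self.half_open.pop(key, None) is not None


def simulate_syn_flood(syn_timeout, capacity=100, attacker_syns=150, legit_at=200):
    """Send one spoofed SYN per second with no ACK, then let a legitimate phone try at legit_at.

    Returns (number of attacker SYNs the full table rejected, whether the phone got a slot).
    """
    table = HandshakeTable(capacity, syn_timeout)
    rejected = 0
    for i in range(attacker_syns):
        spoofed = ("198.51.100.%d" % (i % 254 + 1), 40000 + i)  # constructed documentation-range IPs
        if not table.on_syn(spoofed, now=i):
            rejected += 1
    legit_ok = table.on_syn(("192.0.2.10", 5060), now=legit_at)  # constructed legitimate phone
    return rejected, legit_ok
```

With `syn_timeout=None` the flood fills the table and the phone is refused; with `syn_timeout=60` the stale entries age out and the phone registers normally.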
This was first published in December 2013