
Preparing your system for telephony denial-of-service attacks

Can your organization's telephony system survive a telephony denial-of-service attack? Expert Brad Casey provides pointers for TDoS survival success.

Plenty of detail has been provided for preventing DDoS attacks in recent years, but I haven't seen as much mention concerning telephony denial-of-service attacks (TDoS). Can you explain what TDoS attacks are and how organizations should prepare their telephony systems for such attacks?


A TDoS attack is the act of rendering an organization's voice communications infrastructure useless or seriously degraded. This is usually done by flooding the organization's voice infrastructure with phone calls, consuming large amounts of voice resources and leaving little, if any, capacity available for legitimate use.

Prior to the days of Voice over Internet Protocol (VoIP), effectively executing a TDoS attack was no easy feat as the resources needed to simulate large volumes of simultaneous phone calls were not widely available.  Today, however, the proliferation of unified communications technologies has been extremely rapid, allowing nefarious individuals to easily and prolifically execute TDoS attacks.

VoIP servers, such as Cisco Systems Inc.'s CallManager, are similar to old private branch exchanges (PBXs) in that they can handle only a finite number of concurrent connections. A VoIP call setup uses the Transmission Control Protocol (TCP) for signaling and the connectionless User Datagram Protocol (UDP) to carry the voice data. While this is a natural method of call setup, especially to those with experience in the quickly fading SS7 technology, it is also intuitive to attackers with even a moderate amount of knowledge of TCP/IP.

Many attackers abuse the TCP three-way handshake to push the VoIP server into holding more concurrent connections than it is built to handle. For example, an attacker initiates a TCP connection to the VoIP server by sending a TCP SYN packet. The server responds with a TCP SYN-ACK packet and waits for the third part of the handshake, the TCP ACK packet. If that ACK never arrives, many VoIP servers keep the half-open call state in their buffers, and if the TCP timeout has not been properly configured, those resources are quickly consumed. The attacker in this scenario will almost certainly have thousands of spoofed IP addresses at his or her disposal, sending TCP SYN packets simultaneously with no intention of ever sending the requisite ACK packets.

To guard against such an attack, security professionals should ensure that the TCP timeout on their VoIP server infrastructure is properly configured, so that half-open connections are released rather than held indefinitely. Additionally, a capacity analysis should be conducted so that the security professional knows how many concurrent connections the VoIP server must be able to handle for legitimate traffic.
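The following added example (not code from the article or from any vendor's product) models the two points above in a small simulation: a half-open connection table for a VoIP signaling listener, run once without a stale-entry timeout and once with one, against a constructed event stream in which spoofed SYNs never complete the handshake and a handful of legitimate callers arrive later. It also includes an Erlang B helper for the capacity analysis, sizing the number of circuits needed to carry a given legitimate offered load at a target blocking probability. The capacity of 200 connections, the 3-second timeout, the 500 spoofed sources and the 10 legitimate callers are all assumed values chosen for the illustration.

```python
"""Half-open (SYN_RECEIVED) table simulation plus Erlang B sizing.
Added example; not taken from the article or from any VoIP product."""
from collections import namedtuple

# kind is "SYN" (handshake started) or "ACK" (handshake completed by the client)
Event = namedtuple("Event", "t kind src")


class HalfOpenTable:
    """Tracks connections that received a SYN (and were sent a SYN-ACK) but
    have not yet received the final ACK. timeout=None models a server that
    never reaps stale half-open entries; capacity is the assumed limit on
    concurrent connections (half-open plus established)."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}          # src -> time the SYN arrived
        self.established = 0
        self.rejected = 0
        self.peak_pending = 0

    def reap(self, now):
        """Drop half-open entries older than the timeout (the mitigation)."""
        if self.timeout is None:
            return
        for src in [s for s, t0 in self.pending.items() if now - t0 > self.timeout]:
            del self.pending[src]

    def on_syn(self, now, src):
        self.reap(now)
        if len(self.pending) + self.established >= self.capacity:
            self.rejected += 1     # table full: caller is turned away
            return False
        self.pending[src] = now
        self.peak_pending = max(self.peak_pending, len(self.pending))
        return True

    def on_ack(self, now, src):
        self.reap(now)
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False               # ACK for an entry we never had or already reaped


def run(events, capacity, timeout):
    """Replay an event stream and report what the server ended up with."""
    table = HalfOpenTable(capacity, timeout)
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "SYN":
            table.on_syn(ev.t, ev.src)
        else:
            table.on_ack(ev.t, ev.src)
    return {"established": table.established,
            "peak_half_open": table.peak_pending,
            "rejected": table.rejected}


def constructed_events():
    """Constructed sample: 500 spoofed SYNs in the first second that never
    ACK, then 10 legitimate callers at t=5 who complete the handshake."""
    events = [Event(i / 500.0, "SYN", "spoofed-%d" % i) for i in range(500)]
    for k in range(10):
        events.append(Event(5.0, "SYN", "caller-%d" % k))
        events.append(Event(5.1, "ACK", "caller-%d" % k))
    return events


def compare(capacity=200, timeout=3.0):
    """Same flood, with and without half-open reaping."""
    return {"no_timeout": run(constructed_events(), capacity, None),
            "with_timeout": run(constructed_events(), capacity, timeout)}


def erlang_b(offered_load, trunks):
    """Erlang B blocking probability for offered_load erlangs on trunks circuits,
    computed with the standard recursion B(E,m) = E*B(E,m-1) / (m + E*B(E,m-1))."""
    b = 1.0
    for m in range(1, trunks + 1):
        b = offered_load * b / (m + offered_load * b)
    return b


def trunks_for_blocking(offered_load, max_blocking):
    """Smallest circuit count whose blocking probability is at or below target."""
    m = 0
    while erlang_b(offered_load, m) > max_blocking:
        m += 1
    return m


if __name__ == "__main__":
    print(compare())
    # e.g. 10 erlangs of legitimate load at 1% blocking
    print(trunks_for_blocking(10.0, 0.01))
```

In the run without a timeout the 200 spoofed half-open entries are never released, so every legitimate SYN is rejected and no call is established; with the 3-second timeout the same 200 entries are reaped before the legitimate callers arrive and all 10 calls go through. The Erlang B helper answers the capacity question from the other direction: given the legitimate offered load measured on the system, it tells you how many circuits (and by extension how much headroom in the connection table) you need before any flood margin is added.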

This was last published in December 2013


This seems to indicate two things (1) most traffic should be encrypted (and this has become more imperative since Ed Snowden whistleblew what the NSA has been up to) (2) unless a customer needs to connect to your system, to not allow customer connections and only accept them from well-known senders. (Customers do have to connect to your web server; customers should be sending their e-mail to their ISP and let it deliver their mail. And if they connect to your web server they should be using encryption.)
TDOS is to make a significant number of phone calls and to keep those calls up for long durations, or to simply overwhelm agent or circuit capacity. By keeping long duration calls active, the attacker prevents voice network resources from being used by legitimate callers. This not only impairs voice network availability in general, but can also be used as a means to enable other forms of fraud and misuse.