Easily accessible, low-cost VoIP tools, together with the information needed to launch huge volumes of simultaneous, computer-generated IP calls, have serious security and operational implications for the enterprise. Parties that flood a bank of enterprise phone lines with simultaneous calls may be pursuing any number of attacks to disrupt operations or steal information and/or money. And although these calls often originate as auto-generated IP calls, they can reach any enterprise voice network, whether traditional TDM or newer SIP-based VoIP/UC.
Some TDoS-type activities are annoying and disruptive to business, such as large quantities of voice spam received during normal business hours. A more threatening example is the brute-force telephony denial of service (TDoS) attack aimed at crippling the organization’s voice services, IVR systems, or other resources in order to terrorize the organization or disrupt normal business operations and revenues. But perhaps the most insidious and sophisticated TDoS attacks are those coordinated with other types of fraudulent activity in order to steal money and information.
Some of these more sophisticated TDoS attacks are relatively new: the FBI was first notified about this type of attack in November of 2009. More alarming still, these voice-related attacks, often carried over voice over IP (VoIP), against U.S. businesses and their customers are rapidly increasing in severity, sophistication, and frequency. The FBI issued another urgent TDoS warning on May 11, 2010, noting a surge in TDoS-related schemes to help steal money from U.S. bank accounts. During these integrated attacks, the TDoS component is used as a critical diversion to help perpetrators complete their fraudulent transactions.
One specific example attack occurs when a fraudster succeeds in disrupting or denying access to a company’s phone system. The most common TDoS attack is carried out in two parallel moves. Cyber thieves obtain account information and then contact institutions, changing information such as phone numbers, email addresses or even bank account numbers so that they can later access these accounts to transfer money or empty them. At the same time, they flood the business’ phone lines with spam calls in order to block verification calls coming in from the banks and other institutions. Because these calls cannot get through, and because victims don’t realize that something suspicious is going on (they think they are experiencing a glitch with their carriers), the attack goes undetected and subsequently succeeds. As a result, bank, online trading and money management accounts are pillaged.
Another, more sophisticated attack is being initiated from within competitive local exchange carriers. Criminals target businesses with call centers and/or extensive IVR systems. They flood the systems with the intention of keeping the lines live as long as they can: they stay within IVR queues or, if answered, play white noise, garbled or incomprehensible language, or other sounds that make a listener pause before hanging up. During this diversion, criminals launch social engineering calls and schemes against contact center agents in an attempt to steal corporate or customer account information and identities, which they later use to steal money from these same accounts. The longer the call is live, the more money the carrier receives for assisting in the transmission of the call.
TDoS attacks on businesses are profitable for criminals and difficult for the enterprise to detect. Only upon recognition of financial loss, when employees report recurring calls with no caller on the line, or when a location loses service completely, do companies take action and consider an attack a possibility.
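One way to surface the line-saturation pattern described above from call detail records, shown as an added example that is not part of the original page and is not the ETM System's logic. The record layout, phone numbers, capacity and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample CDRs: (start_sec, duration_sec, called_number, calling_number).
# Field layout, numbers and thresholds are assumptions for illustration.
SAMPLE_CDRS = [
    (0, 120, "5550100", "2025550001"),
    (300, 90, "5550100", "2025550002"),
    # Burst: 12 calls arriving 2 s apart, each held for 10 minutes
    *[(1000 + 2 * i, 600, "5550100", f"30355501{i:02d}") for i in range(12)],
    (1005, 60, "5550199", "2025550003"),
]

def concurrency_timeline(cdrs):
    """Sweep-line: return {called_number: [(time, active_calls), ...]}."""
    events = defaultdict(list)
    for start, dur, called, _caller in cdrs:
        events[called].append((start, 1))
        events[called].append((start + dur, -1))
    timelines = {}
    for called, evs in events.items():
        evs.sort(key=lambda e: (e[0], e[1]))  # on ties, hang-ups before new calls
        active, line = 0, []
        for t, delta in evs:
            active += delta
            line.append((t, active))
        timelines[called] = line
    return timelines

def saturation_alerts(cdrs, capacity, threshold=0.8, min_seconds=60):
    """Flag numbers whose lines stay >= threshold*capacity busy for min_seconds."""
    limit = threshold * capacity
    alerts = []
    for called, line in concurrency_timeline(cdrs).items():
        since = None
        for t, active in line:
            if active >= limit and since is None:
                since = t  # saturation begins
            elif active < limit and since is not None:
                if t - since >= min_seconds:
                    alerts.append((called, since, t))
                since = None
    return alerts

if __name__ == "__main__":
    for called, begin, end in saturation_alerts(SAMPLE_CDRS, capacity=12):
        print(f"{called}: >=80% of lines busy from t={begin}s to t={end}s")
```

Sustained saturation of a line group, rather than a raw call count, is what blocks the inbound verification calls described earlier, so alerting on it catches the flood while it is still in progress.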
The SecureLogix® ETM System provides an arsenal of tools to detect and mitigate TDoS attacks. The ETM System voice network firewall and Intrusion Prevention System (IPS) applications enable real-time detection and mitigation of attacks. The call recording application enables audio recording for new attack analysis. The usage management application enables generation of all manner of reports to analyze and document attacks.