TDoS attack : How to protect yourself

Companies are targeted by a wide variety of cyber threats, including TDoS attack. This type of attack consists of flooding the targeted company’s telephone servers with requests and then demanding a ransom in exchange for restoring the servers back to service. The development of VoIP makes TDoS attacks more and more accessible, find out how to protect yourself.

3 tips to protect yourself from TDoS attack?

  • Configure “trusted” IP addresses on your SBC. This will prevent you from handling requests from unknown IP addresses and therefore from being overwhelmed by calls.
  • Set a threshold of requests that should not be exceeded to contain a TDoS attack. If the threshold is exceeded, your SBC blocks new packets and the attack ends.
  • Set rules allowing your IPBX to manage, as well as possible, call volume fluctuations. Like limit of consecutive calls from the same number, limit of consecutive calls received for the same terminal of your infrastructure and redirection or blocking of calls once the limit is reached).

TDoS attack: Hacker’s process

Hijacking a PBX server

The first phase of a TDoS attack is to take control of a telephony infrastructure. Our hacker starts by scanning the Internet network through a search on Shodan.io. Once the vulnerable PBXs have been identified, the next step is to find the vulnerability that allows them to hijack it. In most cases, this is done by exploiting a CVE (Common Vulnerabilities and Exposures). This vulnerability must allow to take control of the PBX.

The hacker looks for a PBX with a large capacity of simultaneous calls. Most often the hacker has a backup fleet, in case the victim’s defenses manage to disable the first wave.

The second “army” is in reserve to keep the attack going.

In a TDoS attack, there are two victims:

  • company victim of the unsolicited call traffic to whom the ransom demand is expressed
  • company whose telephone infrastructure is hijacked.

The company whose PBX has been hijacked may face significant legal penalties if it cannot legally prove the corruption of its system.

Sending massive amount requests

Once this fleet is hijacked, the attacker orders the IPBXs and telephones under his control to flood a targeted server with calls until it is saturated. The hacker tests, beforehand, the efficiency of his Botnet to ensure its power. Important servers, such as those of cloud providers, are often used as a barometer.

The victim company will therefore see its services saturated with calls. The hacker will formulate his ransom directly via the calls made in the form of a voicemail. A pre-recorded voice specifies the amount to be paid and the details of the account to which the money should be transferred. This ransom is most often to be paid using an untraceable crypto-currency. All parameters are controlled by our extortionist to keep himself anonymous.

Attack tools for rent

To facilitate TDoS attacks, a real catalog of tools is available on the darknet. Among these tools, we distinguish Botnets. This expression refers to any network of programs and objects that are hijacked and allow massive amount of requests to be sent to other programs. A real traffic of zombie machines allows the most novices to initiate a TDoS attack. Indeed, it is possible to rent, at increasingly low prices, armies of hijacked machines. These services of a new kind are offered on the Darknet, the prices vary according to the size of the fleet.

The number of objects connected to the Internet is increasing exponentially and their security is often very basic. This resource, offered to hackers, allows them to carry out larger scale cyber attacks using the least amount of resources and effort.

What are the hackers’ motivations?

TDoS attacks can be driven by various motivations.

economic: in this case, the victim server is taken down with a ransom demand to be paid to the hacker.


Competitive: TDoS attacks are very common in the call center market. The victim company is discredited with its customers, which increases the chances of the sponsor company to short circuit them.


Political or ideological: in this case the hackers target the call center of a public service or a political party.

homme au téléphone

Protect your communications

Diskyver is a telephone anomaly detection system, it monitors your telephone infrastructure for malicious activities.

Learn more button

Discover our last articles

What is SIPVicious ? The ultimate VoIP pentest tool

In cybersecurity the border between ethical hacking and regular hacking is often thin. SIPVicious is a perfect example of this phenomenon : made for security professionals, it is also widely used by criminals to identify and exploit SIP networks vulnerabilities. Let's...

Asterisk installation : guide and purchase tips

Which asterisk installation alternative for your virtual IPBX ? Before starting your search for an IPBX solution, you need to define your company's needs. Take your current configuration as a reference and establish requirements: in a numerical way (number of lines,...

Session Border Controller: why your enterprise need it (SBC)

The Session Border Controller is an indispensable part of any telephony infrastructure, it is the gatekeeper. Like a security guard, it controls the network entrances. It is important that its capacities are adapted to the type of flow to be managed.  What is a...

4 tips to set up a user friendly IVR

"At the end of your message, if you want to change it, type pound ... " Beep!  If you hear these words and feel a mixture of frustration and anxiety, you are a normal human being. However, this is the most famous interactive voice server in the world: the...

What is Wireshark and how to use it

What is Wireshark ? Wireshark is a network packet analyzer. It capture network packets and display this data through a graphical user interface. It is a free and open-source tool. Cybersecurity professionals are using Wireshark to troubleshoot networks. With this tool...

STIR/SHAKEN: everything you need to know

The name "STIR/SHAKEN" refers to a set of protocols and procedures designed to fight caller ID spooffing. On March 31st, the Federal Communications Commission(FCC) of the United States voted in favor of the implementation of these rules. What is spoofing? Spoofing...
WordPress Cookie Plugin by Real Cookie Banner