Companies face a wide variety of cyber threats, among them the TDoS (Telephony Denial of Service) attack. This attack floods the targeted company's telephone servers with call requests and then demands a ransom in exchange for letting the servers return to service. The spread of VoIP makes TDoS attacks more and more accessible; here is how to protect yourself.
3 tips to protect yourself from a TDoS attack
- Configure a list of "trusted" IP addresses on your SBC (session border controller). The SBC then refuses signalling from unknown addresses, so they cannot overwhelm you with calls. Note that calls relayed by your carrier still arrive from a trusted address, so this filter alone does not stop a flood that comes in over a legitimate trunk.
- Set a request threshold that must not be exceeded, to contain a TDoS attack. Once the threshold is crossed, the SBC drops new packets from that source. This contains the flood on your side; it does not stop the attacker from sending.
- Set rules that let your IPBX absorb call-volume fluctuations as well as possible: a limit on consecutive calls from the same number, a limit on consecutive calls received by the same terminal of your infrastructure, and redirection or blocking of calls once the limit is reached.
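The three tips above, modelled as the call-admission logic an SBC or IPBX applies to each incoming SIP INVITE. This is an added example and not code from the original article: it assumes a hook that sees every INVITE before it is routed, and the addresses, thresholds, window length and traffic are all constructed for illustration (the TEST-NET ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for a carrier trunk and an unknown peer).

```python
"""Call-admission control modelled on the three TDoS mitigations above.

Added example, not the article's own code. Thresholds, window length and
the traffic in run_scenario() are constructed, not taken from a deployment.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class CallAttempt:
    ts: float       # arrival time of the INVITE, in seconds
    src_ip: str     # IP address that sent the INVITE (carrier trunk, peer PBX, ...)
    caller: str     # calling number (SIP From)
    callee: str     # extension or DID being called (SIP To)


class CallAdmission:
    """Decides, per INVITE, whether to accept, drop, block or redirect it."""

    def __init__(self, trusted_nets, max_req_per_window, window_s,
                 max_same_caller, max_same_callee):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]
        self.max_req = max_req_per_window      # tip 2: requests per source IP per window
        self.window = window_s                 # sliding window length in seconds
        self.max_caller = max_same_caller      # tip 3: calls from the same number
        self.max_callee = max_same_callee      # tip 3: calls towards the same terminal
        self.ip_hist = defaultdict(deque)
        self.caller_hist = defaultdict(deque)
        self.callee_hist = defaultdict(deque)

    def _count(self, hist, key, now):
        """Record one event for `key` and return how many fall inside the window."""
        q = hist[key]
        q.append(now)
        while q and q[0] < now - self.window:
            q.popleft()
        return len(q)

    def decide(self, a: CallAttempt) -> str:
        # Tip 1: only trusted peers may send us signalling at all.
        if not any(ipaddress.ip_address(a.src_ip) in net for net in self.trusted):
            return "drop-untrusted"
        # Tip 2: per-source request threshold; above it, new packets are dropped.
        if self._count(self.ip_hist, a.src_ip, a.ts) > self.max_req:
            return "drop-rate"
        # Tip 3a: too many consecutive calls from one number -> block that number.
        if self._count(self.caller_hist, a.caller, a.ts) > self.max_caller:
            return "block-caller"
        # Tip 3b: too many calls towards one extension -> redirect (e.g. to an IVR).
        if self._count(self.callee_hist, a.callee, a.ts) > self.max_callee:
            return "redirect-callee"
        return "accept"


def run_scenario():
    """Constructed traffic: normal calls, an unknown peer, a single-number
    flood, a flood on one extension, a raw request burst, then calm again."""
    adm = CallAdmission(trusted_nets=["203.0.113.0/24"], max_req_per_window=12,
                        window_s=10.0, max_same_caller=3, max_same_callee=4)
    trunk = "203.0.113.10"   # constructed carrier trunk address
    traffic = []
    # three ordinary calls from distinct numbers to reception (1001)
    traffic += [CallAttempt(i, trunk, f"+3312345670{i}", "1001") for i in range(3)]
    # an INVITE from an address that is not one of our carriers
    traffic.append(CallAttempt(3.0, "198.51.100.7", "+19990000000", "1001"))
    # one hijacked PBX redialling the same number five times in half a second
    traffic += [CallAttempt(4.0 + 0.1 * i, trunk, "+4400000000", "1002") for i in range(5)]
    # four different numbers all hammering reception
    traffic += [CallAttempt(5.0 + 0.1 * i, trunk, f"+4912345{i}", "1001") for i in range(4)]
    # six more calls to six different extensions: the per-IP threshold trips
    traffic += [CallAttempt(6.0 + 0.1 * i, trunk, f"+4412345{i}", f"20{i}") for i in range(6)]
    # once the window has slid past the flood, a normal call goes through again
    traffic.append(CallAttempt(20.0, trunk, "+33123456700", "1001"))
    return dict(Counter(adm.decide(a) for a in traffic))


if __name__ == "__main__":
    print(run_scenario())
```

The order of the checks matters: the allow-list is evaluated first because it costs nothing and needs no state, the per-IP threshold next so that a flood is dropped before it consumes per-number and per-extension state, and the finer-grained rules last. Counters are sliding windows rather than lifetime totals, so a number or extension that was rate-limited during the flood is admitted again once traffic returns to normal.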
TDoS attack: Hacker’s process
Hijacking a PBX server
The first phase of a TDoS attack is to take control of a telephony infrastructure. The attacker starts by scanning the Internet for exposed PBXs, typically through a search on Shodan.io. Once candidate PBXs have been identified, the next step is to find a vulnerability that allows them to be hijacked. In most cases this means exploiting a published CVE (Common Vulnerabilities and Exposures entry) that gives control of the PBX.
The attacker looks for PBXs with a large simultaneous-call capacity. Most often the attacker also keeps a backup fleet, a second "army" held in reserve to keep the attack going if the victim's defenses manage to neutralise the first wave.
In a TDoS attack there are two victims:
- the company that receives the unsolicited call traffic and the ransom demand;
- the company whose telephone infrastructure is hijacked to generate the calls.
The company whose PBX has been hijacked may itself face legal consequences if it cannot prove that its system was compromised.
Sending massive amounts of requests
Once this fleet is hijacked, the attacker orders the IPBXs and telephones under their control to flood the targeted server with calls until it is saturated. Beforehand, the attacker tests the botnet to gauge its capacity; large, well-provisioned servers such as those of cloud providers are often used as a benchmark.
The victim company then sees its services saturated with calls. The ransom demand arrives through those very calls, as a voicemail: a pre-recorded voice states the amount to be paid and the details of the account to which the money should be transferred. Payment is most often demanded in a cryptocurrency that is hard to trace; every parameter is chosen by the extortionist to stay anonymous.
Attack tools for rent
To facilitate TDoS attacks, a whole catalogue of tools is available on the darknet. Among them are botnets: networks of hijacked machines and devices that can be directed to send massive numbers of requests at other systems. A thriving trade in such zombie machines lets even complete novices launch a TDoS attack, since armies of hijacked machines can be rented at ever lower prices. These services are offered on the darknet, with prices varying according to the size of the fleet.
The number of objects connected to the Internet is growing rapidly, and their security is often rudimentary. This pool of resources lets attackers carry out larger-scale attacks with minimal resources and effort.
What are the hackers’ motivations?
TDoS attacks can be driven by various motivations:
- Economic: the victim's server is taken down and a ransom demand is sent to the victim.
- Competitive: TDoS attacks are very common in the call center market. The victim company is discredited in the eyes of its customers, which gives the competitor sponsoring the attack a chance to take those customers away.
- Political or ideological: the attackers target the call center of a public service or a political party.