TDoS Attacks


A TDoS (Telephony Denial of Service) attack consists of disabling the telephone system of a target entity. By saturating a phone number from the outside, or even all of the entity’s communication channels, an attacker can very easily disable all incoming and outgoing calls in just a few minutes. TDoS attacks are very similar to the denial-of-service (DoS) attacks seen in the IP world. To carry out such an attack, the attacker must have access to several communication channels or several SIP accounts (usually hacked). He then uses automated calling machines that simultaneously and repeatedly call one or several of the victim’s phone numbers. All communication channels of the target entity rapidly become engaged. The “tools” or “kits” that make a TDoS attack possible are available on the internet. It is also very easy to commission such an attack from unscrupulous persons.

The affected business cannot receive or make phone calls. The attack only ceases when the attacker decides to stop; in certain cases, they may demand a ransom in exchange for terminating the attack.

In addition to saturating the telephone communication channels, the attack can render the whole unified messaging system unavailable in just a few minutes. Calls that remain active leave many voicemails on the messaging service, which can lead to rapid saturation.


The TDoS Attack Mitigation feature in Cisco Unified Border Element (Cisco UBE) enables Cisco UBE to not respond to Session Initiation Protocol (SIP) requests from IP addresses that are not listed in a trusted IP address list. Cisco UBE validates only out-of-dialog SIP requests against IP addresses in the trusted IP address list. It does not validate in-dialog SIP requests because such requests usually arrive from trusted entities. The TDoS Attack Mitigation feature is supported on both IPv4 and IPv6 networks.

The TDoS Attack Mitigation feature prevents Cisco Unified Border Element (Cisco UBE) from responding to Session Initiation Protocol (SIP) requests arriving from untrusted IP addresses, which leads to an improvement in performance. The SIP stack authenticates the source IP address of an incoming SIP request and blocks the response if the source IP address does not match any IP address in the trusted IP address list. To create a trusted IP address list, you may configure a list of IP addresses or use the IP addresses that have been configured using the session target command in dial-peer configuration mode.
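The decision described above can be modelled in a few lines. This is an added example, not Cisco's implementation or code from the original page. The addresses are constructed from documentation ranges, the function names are hypothetical, and matching a dialog on (Call-ID, From tag, To tag) is an assumption made for the model.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not taken from the page.
TRUSTED_LIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8:1::/48"]
SESSION_TARGETS = ["192.0.2.20"]  # stands in for dial-peer "session target" addresses


def build_trusted_networks(configured, session_targets):
    """Merge explicit entries and dial-peer session targets into one network list."""
    return [ipaddress.ip_network(entry, strict=False)
            for entry in [*configured, *session_targets]]


def is_in_dialog(request, active_dialogs):
    """True only if the request matches a dialog the device already holds.

    Assumption: dialogs are keyed by (Call-ID, From tag, To tag). A To tag on
    its own proves nothing, because the sender chooses it.
    """
    key = (request["call_id"], request.get("from_tag"), request.get("to_tag"))
    return request.get("to_tag") is not None and key in active_dialogs


def handle_request(request, trusted, active_dialogs):
    """Return 'process' or 'drop'; 'drop' means no SIP response is sent at all."""
    if is_in_dialog(request, active_dialogs):
        return "process"  # in-dialog requests are not checked against the list
    src = ipaddress.ip_address(request["src_ip"])
    if any(src in net for net in trusted if net.version == src.version):
        return "process"
    return "drop"


def demo():
    """Run constructed requests through the model and return the verdicts."""
    trusted = build_trusted_networks(TRUSTED_LIST, SESSION_TARGETS)
    dialogs = {("call-1", "a1", "b1")}  # one established call
    requests = [
        {"method": "INVITE", "src_ip": "198.51.100.77", "call_id": "call-2"},
        {"method": "OPTIONS", "src_ip": "192.0.2.99", "call_id": "call-3"},
        {"method": "INVITE", "src_ip": "2001:db8:2::5", "call_id": "call-4"},
        {"method": "BYE", "src_ip": "192.0.2.99", "call_id": "call-1",
         "from_tag": "a1", "to_tag": "b1"},
        {"method": "BYE", "src_ip": "192.0.2.99", "call_id": "call-9",
         "from_tag": "x", "to_tag": "forged"},
    ]
    return [handle_request(r, trusted, dialogs) for r in requests]
```

The last constructed request shows why the dialog lookup matters: a request carrying a made-up To tag does not match any held dialog, so it falls through to the source-address check.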

Cisco UBE does not respond to REGISTER requests and consumes REGISTER requests if you configure it only for Telephony Denial-of-Service (TDoS) Attack Mitigation and not as a registrar server.

If you configure Cisco UBE as a registrar server for TDoS attack mitigation, it consumes responses for REGISTER requests that do not belong to any application. Cisco UBE does not consume responses to REGISTER requests that belong to a registrar application.