S&T Snapshot: Stopping Attacks That Disrupt Voice Communications

Imagine if your call to 911, your financial institution, a hospital or even your child’s school doesn’t get through.

In the past few years, 911 emergency call centers, financial services companies and a host of other critical service providers and essential organizations have been victims of telephony denial of service (TDoS) attacks. These attacks are a type of denial of service (DoS) attack in which a voice service is flooded with so many malicious calls valid callers can’t get through.

The DHS Science and Technology Directorate (S&T) is working to make sure TDoS attacks cannot disrupt critical phone systems, explained TDoS Program Manager Daniel Massey. The program is part of S&T’s Homeland Security Advanced Research Projects Agency’s Cyber Security Division (CSD) portfolio.

A TDoS attack can be an ‘old-school’ attack, in which the victim is flooded with calls from a group of people using mobile or landline phones. These type of attacks often are coordinated through social networking. This TDoS attack approach most often is used to harass a victim or disrupt its operations.

In a high-tech twist, attackers are using technology such as automated dialing software, Voice over Internet Protocol (VoIP) and compromised mobile phones to send thousands of automated calls to tie up a target’s phone system, rendering it unusable for legitimate incoming and outgoing calls. These attacks are relatively easy and inexpensive and can be launched from anywhere in the world. In many cases, the objective of these attacks is to extort money. Victims range from government agencies to private companies and even individuals.

A typical extortion-type TDoS attack unfolds this way:

A person calls a company claiming to be a debt collector seeking repayment of a past-due loan. The caller threatens to lock up the company’s phone lines with repeated calls unless immediate payment is received. Sometimes the TDoS attack threat prompts victims to pay the ransom because they are either unsure whether they owe the money the attackers demand or they want to avert public embarrassment to the company’s image.

If the payment is not provided, the attack is launched. The ensuing steady stream of calls can last several hours, stop for a while and then resume. Some attacks have continued over an extended period of weeks or even months.

But not all TDoS attacks seek a payment. For instance, last October an Arizona teenager was charged with sending thousands of calls to 911 emergency call centers and law enforcement agencies in multiple states. The teen had exploited a flaw in a leading mobile operating system to initiate the TDoS attack through compromised cell phones.

To stop these insidious attacks, CSD is funding two research projects designed to harden defenses against TDoS attacks.

The first project addresses the growing attack sophistication, frequency, call volume and complexity of call-number spoofing, says Massey.

Led by SecureLogix, a VoIP security specialist, the team is developing a prototype solution for complex TDoS attacks that will use a multi-level filter approach to analyze and assign a threat score to each incoming call in real time. That score will help distinguish legitimate from malicious calls and help mitigate an influx of malicious calls by terminating or redirecting them to a lower priority queue, to a partner service that could manage the calls or to an additional service that could verify each call’s legitimacy.

The prototype is based on an existing voice-security solution, which provides a base to build upon so it can be deployed in complex voice networks. It also has an integrated business rules management system and machine-learning engine that can be extended easily with limited software modifications.

SecureLogix will deploy the prototype at a customer location, within the cloud and at a service provider network. The company also is working with multiple pilot partners including a 911 emergency call center, other emergency responders and large financial organizations, to deploy and validate the prototype in operational practice.

In the second project, a research team led by the University of Houston is addressing the vulnerability of Emergency 911 and Next-Generation (NG) 911 systems to TDoS, Distributed Denial of Service (DDoS), and robocall attacks, all of which pose significant threats to public safety.

The research team includes SecureLogix, FirstWatch, the Industry Council for Emergency Response Technologies, and cybersecurity analysts who specialize in penetration tests of telephony systems.

The team has assessed and modeled threats to the emergency response and public-safety communication network posed by DoS attacks. It is developing an integrated defense mechanism that is cost-effective, easy-to-manage, TDoS-defense capable, and customizable for the unique characteristics of varying 911 infrastructures.

The platform monitors each incoming call’s signaling messages, metadata and voice contents to determine if it is suspicious. It then prioritizes the call according to an analysis of its content and audio to ensure real emergency calls are routed to 911 operators for immediate action. Additionally, the team developed a novel approach to check for synthetic voice to identify and address potential TDoS calls generated by phone bots.

In the not-too-distant future, these new defenses will help bring an end to TDoS attacks, thereby denying malicious actors a potent tool.