DDoS attacks targeting traditional telecom systems
DDoS affects many types of systems. Some have used the term TDoS to refer to DDoS or DoS attacks on telecommunications systems (Telecommunications Denial of Service). This is just another application for a DDoS attack, and was mentioned in 2010 by law enforcement and since discussed on a variety of blogs. Typical motives can be anything from revenge, extortion, political/ideological, and distraction from a larger set of financial crimes. Just as we’ve seen the Dirt Jumper bot used to create distractions by launching DDoS attacks upon financial institutions and financial infrastructure at the same time that fraud is taking place (with the Zeus Trojan, or other banking malware or other attack technique), DDoS aimed at telecommunications is being used to create distractions that allows other crimes to go unnoticed for a longer period.
Recently, ASERT came across a few advertisements for traditional DDoS services that also included phone attack services starting at $20 per day. Screenshot (translated from Russian):
The original advertisement was posted around the end of 2011. On June 27 2012 the DDoS service provider placed another advertisement focusing only on the telephone flooding capabilities:
Another DDoS provider has advertised this at $30 per hour:
And a third provider also advertising such attacks charges $5 per hour, $20 for 10 hours, and $40 per day (roughly translated from Russian).
When discussing a recent ideological telecommunications-based DDoS attack upon a law enforcement entity around April of 2012, the attackers revealed some details about their approach. In that case, their attack script was based around Asterisk and put to use on a compromised server.
ASERT has helped mitigate SIP flooding attacks on several occasions. Often, SIP flooding attacks take place because attackers are running brute-force password guessing scripts that overwhelm the processing capabilities of the SIP device, but we have also seen pure flooding attacks on SIP servers. Once the attackers obtain credentials into a VoIP or other PBX system, that system can become a pawn in their money-making scheme to perform DoS, Vishing, or other types of attacks. Default credentials are one of the security weaknesses that the attackers leverage to gain access to the VoIP/PBX systems, so organizations should ensure that their telecommunications systems credentials are strong enough to resist brute force attack, and that the ability to reach the telephone system is limited as much as possible in order to reduce the attack surface and convince the attacker to move on to the next victim.
In other instances, I have seen telephone systems connected to the Internet that were very brittle – even a simple port scan could bring them to their knees quickly. In such cases, an attacker could bring down an organizations phone system quickly if they were able to reach the controller. The benefits of proactive security testing can help identify such brittle systems ahead of time, before an attacker might latch onto the vulnerability.
Any system is subject to availability attacks at any point where an application layer or other processor-intensive operation exists as well as the networks that supply these systems via link saturation and state-table exhaustion. Telecommunications systems are no exception to this principle, as we have seen. Clearly, there is money to be made in the underground economy or these services would not be advertised.
Thanks to Roland Dobbins of Arbor ASERT for operational insight.