Denial of service attack and ransom demand defeated

We learned of a recent Telephony Denial of Service (TDoS) attack, which included a ransom demand. We’re sharing information about the attack to help others be on their guard.

A small, interconnected VoIP service provider was hit with a flood of traffic on their inbound toll-free number. The attacker used many different calling numbers. Ordinarily, this would make it difficult to block the attack. Interestingly, the calling numbers were all owned by a single DID provider.

We’ve observed TDoS attacks before, where the victims were a travel business, an auto dealer, and a managed service provider. The motive is often business disruption. Sometimes it’s extortion—the attacker demands a ransom to make the attack stop. That was the motive in this recent case. This time, however, the intended victim was a small voice service provider rather than an enterprise customer.

This attack began with a burst of calls, followed by a steady stream of calls for 19 minutes. By that time, the provider’s engineers had configured a TDoS prevention policy to cover the attack. Just in time, too, as the attacker sent another burst of calls, which were blocked.

Figure 1: TDoS Attack Timeline

As the attack was starting, the victim/service provider received an email demanding a ransom to make the attack stop. Fortunately, the provider was able to block the attack with no disruption to other calls and no ransom payment. The attacker gave up after about 30 minutes of blocked calls.

TransNexus solutions

TransNexus is a leader in developing innovative software to manage and protect telecommunications networks. The company has over 20 years’ experience in providing telecom software solutions including toll fraud prevention, robocall mitigation and prevention, TDoS prevention, analytics, routing, billing support, STIR/SHAKEN and SHAKEN certificate services.

Contact us today to learn more.