[VoiceOps] Mitigating or stopping TDOS attacks - any advice?

Matthew Yaklin myaklin at firstlight.net
Tue May 16 16:41:03 EDT 2017


Is this idea corny?


Perhaps a solution could be like they do for web pages to prove you are human.


Direct all the customer's incoming calls to an asterisk box. The asterisk box plays a recording asking for them to type in a digit string that is random for each call.

If the person types in the right string.. allow the call. If the wrong string is entered.. drop the call.


A beefy asterisk box can handle many calls. Probably more than the switch's incoming trunks if the hardware is up to it.


Just use this when needed and after the TDOS fades away.. disable it.


Just an idea... probably has several holes in it.


---


I also saw this while googling. Not enough info on the web page for me to even guess if the solution really works.


https://securelogix.com/threats/telephony-denial-of-service-tdos-attacks/ . I think it uses Splunk on the back end.


Matt
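
The digit challenge proposed in the message above, sketched as an Asterisk dialplan. This is an added example, not part of the original post; the context name, the AstDB key `tdos/enabled`, the prompt recording `custom/tdos-enter-code` and the PJSIP endpoint `customer-trunk` are assumptions.

```asterisk
; extensions.conf (constructed example; names below are placeholders)
; Inbound calls for the protected customer are routed into this context.
[tdos-challenge]
exten => _X.,1,NoOp(TDoS challenge for ${CALLERID(num)} -> ${EXTEN})
 ; Gate is only active while an operator has set tdos/enabled to 1.
 ; A missing key evaluates to an empty string, so calls pass straight through.
 same => n,GotoIf($["${DB(tdos/enabled)}" != "1"]?pass)
 same => n,Answer()
 same => n,Set(TRIES=0)
 ; New random 4-digit code for every attempt on every call.
 same => n(newcode),Set(CODE=${RAND(1000,9999)})
 same => n,Set(TRIES=$[${TRIES} + 1])
 ; Placeholder recording: "Please enter the following digits."
 same => n,Playback(custom/tdos-enter-code)
 same => n,SayDigits(${CODE})
 ; Collect up to 4 DTMF digits, one read attempt, 8 second timeout.
 same => n,Read(ENTERED,,4,,1,8)
 same => n,GotoIf($["${ENTERED}" = "${CODE}"]?pass)
 ; Allow one retry for a mistyped digit, then drop the call.
 same => n,GotoIf($[${TRIES} < 2]?newcode)
 same => n,NoOp(Challenge failed for ${CALLERID(num)})
 same => n,Hangup()
 ; Caller entered the right string (or the gate is off): hand off to the customer.
 same => n(pass),Dial(PJSIP/${EXTEN}@customer-trunk,60)
 same => n,Hangup()
```

The gate is switched on from the Asterisk CLI with `database put tdos enabled 1` and off again with `database del tdos enabled`.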



________________________________
From: VoiceOps <voiceops-bounces at voiceops.org> on behalf of Alex Balashov <abalashov at evaristesys.com>
Sent: Monday, May 15, 2017 1:15:38 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Mitigating or stopping TDOS attacks - any advice?

On Mon, May 15, 2017 at 01:09:01PM -0400, Ivan Kovacevic wrote:

> I think putting this -> “block the offending traffic pattern” into practice
> is the crux of the issue. Maybe I am short-sighted or don’t give AI
> sufficient credit, but I think identifying the offending traffic pattern is
> not going to be easy (or maybe possible at all).
>
> Anyone initiating a TDOS attack can manipulate the call pattern and caller
> ID easy enough to make it look like ‘normal’ traffic.

I suppose it depends on how many concurrent channels/call paths the
customer has. Given a very small number, almost any amount of calls can
tie them up.

But, in general, it's not a DoS attack if it doesn't ... DoS. :-) If
the attackers slow down the call setup rate enough that it doesn't meet
frequency-based DoS detection, chances are it's not a very impactful
attack. Of course, there is a grey area; everything is vague to a degree
we do not realise until we try to make it precise (with apologies to
Bertrand Russell).

-- Alex

--
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/