As voice becomes just another data service, telephones are opened up to increasing denial-of-service threats from the Internet.
Unified communications—bundling all communications channels on a single IP platform—offers the promise of simplified IT management and cost savings, because an enterprise has to maintain and manage a single network rather than separate networks for voice and data. But as voice becomes just another data service, phones are being increasingly exposed to threats from the Internet.
Denial of service attacks against phone systems, or TDOS, have become more frequent in the past two years, and a report from SecureLogix on Voice and Unified Communications predicts that the problem is likely to get worse before it gets better.
“In the future, these attacks will be much more severe,” the company warns. “By simply generating more calls or using more entry points to the UC network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers.”
It should be noted that, as a provider of TDOS mitigation services, SecureLogix has a horse in this race and might not be 100 percent objective. But it is hard to deny the problem.
Earlier this year the Homeland Security Department altered government emergency communications centers after a rash of phone DOS attacks flooding public safety answering points in an apparent attempt to extort money. As early as 2010 the FBI warned that TDOS apparently was being used as diversions for more serious crimes, and last year, researchers at Arbor Networks reported hackers advertising TDOS-as-a-service.
What is new, or at least changing, is the growing ease of launching such attacks. Free software is available to automatically generate robocalls, and VOIP-aware botnets can generate massive numbers of calls from many locations, making the distributed attacks harder to spot.
“On the origination side, the public voice network looks more like the Internet every day from a call generation point of view,” the report says, making it easy for an attacker to generate floods of calls. “This change is accelerating and is out of the control of the enterprise.”
On the receiving side, if an enterprise that has integrated its voice systems into its data network, phones become one more entry point for attackers. And even if phones are not plugged into the network, phone DOS attacks can tie up customer services, cut off phone service, and leave the agency vulnerable to fraud and blackmail.
There is little an agency can do to prevent keep attackers from launching attacks. But as a potential target, phone DOS is one more problem to keep in mind. If your voice system is integrated into your data network, remember that VOIP needs to be managed like all other services. And if it is not in your data network, bear in mind that your phone system still is a critical communications link that should be monitored like other links. Pay attention to volume and capacity and be aware of unusual patterns that degrade your quality of service or even shut it down completely. Ensure that your analysts, service providers and security providers are ready to identify and track these activities and have the ability in place to block malicious traffic.