Security Experts:

Cheap Attacker DDoS-for-Hire Schemes Target Phone Systems

Ask about distributed denial-of-service attacks (DDoS), and many people will envision a website being non-responsive. However, according to researchers at Arbor Networks, cybercriminals are also advertising to launch DDoS attacks against a less likely target – your telephone.

"DDoS affects many types of systems," blogged Curt Wilson of Arbor Networks. "Some have used the term TDoS to refer to DDoS or DoS attacks on telecommunications systems (Telecommunications Denial of Service)….Typical motives can be anything from revenge, extortion, political/ideological, and distraction from a larger set of financial crimes.  Just as we’ve seen the Dirt Jumper bot used to create distractions by launching DDoS attacks upon financial institutions and financial infrastructure at the same time that fraud is taking place (with the Zeus Trojan, or other banking malware or other attack technique), DDoS aimed at telecommunications is being used to create distractions that allows other crimes to go unnoticed for a longer period."

Often, session initiation protocol (SIP) flooding attacks take place because attackers are running brute-force password guessing scripts that overwhelm the processing capabilities of the SIP device, but pure flooding attacks on SIP servers have occurred as well, he said.

"Once the attackers obtain credentials into a VoIP or other PBX system that system can become a pawn in their money-making scheme to perform DoS, Vishing, or other types of attacks," explained Wilson. "Default credentials are one of the security weaknesses that the attackers leverage to gain access to the VoIP/PBX systems, so organizations should ensure that their telecommunications systems credentials are strong enough to resist brute force attack, and that the ability to reach the telephone system is limited as much as possible in order to reduce the attack surface and convince the attacker to move on to the next victim."

The price of the TDoS attacks varies. Just recently, Arbor researchers discovered a handful of advertisements for phone attacks that ranged in price for $20 per day to $30 per hour.

"Any system is subject to availability attacks at any point where an application layer or other processor-intensive operation exists as well as the networks that supple these systems via link saturation and state-table exhaustion," he said. "Telecommunications systems are no exception to this principle…clearly, there is money to be made in the underground economy or these services would not be advertised."