TDoS - A Real Threat to The Contact Center
Over the course of the past several weeks I’ve had a chance to meet with a few customers that are using Ribbon in the core of their network for managing their contact center voice traffic. These are organizations of various sizes, including a regional electrical utility, a large electronics manufacturer, and a US-based airline. Through the course of the conversations there was one thing that came up consistently – Telephony Denial of Service threats, or TDoS.
I think most people that follow internet security are familiar with Distributed Denial of Service (DDoS), where a website is flooded with bogus traffic to make it unusable or unreachable, often for financial gain. TDoS works in very much the same way, except the target is a contact center. Bad actor(s) will flood a contact center with calls (generally using automated dialers), either disabling it or severely reducing its capability. Motives vary, but financial gain tops the list (e.g., pay the bad guys to make it stop).
Every one of these contact centers experiences attempted TDoS attacks on a regular basis (the surprise for me was how pervasive they are – they happen all the time!). Obviously with automated hacker tools it’s quite easy to probe for weaknesses – when one is discovered the bad actor can take action.
Here are a couple of resources for reference:
- The FBI has a TDoS bulletin, along with whom to contact (US only) if you’re a victim of an attack.
- The Center for Internet Security (CIS) has published this white paper on TDoS, providing a list of preparative steps to be ready for such an attack, as well as actions to take if attacked.
- Some additional thoughts in a blog from Motorola. Since TDoS attacks are particularly pervasive in public service access points (e.g., 911 service), these agencies need to take extra precautions.
So what are the best ways to prevent a TDoS attack? As with any malicious activity, it’s a constant cat and mouse game, where the contact center needs to have preventive tools in place as well as be adaptable to the changing threat landscape.
Level 1 protection is a Session Border Controller (SBC). Given that contact centers are in the business of taking (or making) a large number of calls, I’d be shocked if one didn’t have an SBC in place. An SBC will inspect all traffic, looking for malformed packets or other problems. It will also pace inbound SIP traffic, which is critical for TDoS.
Level 2 protection would be an analytics tool that can look at traffic and make inferences based on patterns. This is where many of Ribbon’s customers are heading, as it gives them the ability to ingest a huge dataset and look for patterns or other problematic trends.
For instance, Ribbon offers TDoS Protect as part of its Analytics solution set. TDoS Protect tracks the number of SIP INVITEs based on “Calling Number” patterns on a per-interval basis (for example, by 5-minute intervals). When the number of INVITEs from a calling number exceeds the customer-defined threshold, that calling number is tagged as “problematic” and escalated for investigation and/or mitigation.
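The per-interval counting described above, as an added example (not Ribbon's code and not how TDoS Protect is implemented): it pulls the calling number out of the From header in constructed SIP log lines, counts INVITEs per number per 5-minute bucket, and returns the numbers that exceed a threshold. The log line format, the threshold value and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

INTERVAL_SECONDS = 300  # 5-minute buckets, the example interval from the text
THRESHOLD = 3           # assumed customer-defined limit per number per bucket

# Constructed sample records: "<UTC timestamp> <SIP method> <From header value>"
SAMPLE_LOG = """\
2024-01-01T10:00:05Z INVITE "Anon" <sip:+12025550101@198.51.100.7>;tag=a1
2024-01-01T10:01:10Z INVITE <tel:+1-202-555-0101>;tag=b2
2024-01-01T10:02:00Z INVITE <sip:12025550101@198.51.100.9>;tag=c3
2024-01-01T10:02:15Z INVITE <sip:+12025550102@203.0.113.4>;tag=d4
2024-01-01T10:03:00Z OPTIONS <sip:+12025550101@198.51.100.7>;tag=e5
2024-01-01T10:03:30Z INVITE <sip:+12025550101@198.51.100.7>;tag=f6
2024-01-01T10:04:00Z INVITE "Anonymous" <sip:anonymous@anonymous.invalid>;tag=g7
2024-01-01T10:04:59Z INVITE <sip:+12025550101@198.51.100.7>;tag=h8
2024-01-01T10:05:01Z INVITE <sip:+12025550101@198.51.100.7>;tag=i9
"""

FROM_USER = re.compile(r"<(?:sips?|tel):([^@;>]+)")

def calling_number(from_header):
    """Return the From URI user part reduced to digits, or None if it has none."""
    m = FROM_USER.search(from_header)
    if not m:
        return None
    # Drop '+', '-' and other separators so one number counts once per spelling
    return re.sub(r"\D", "", m.group(1)) or None

def flag_problematic(log_text, interval=INTERVAL_SECONDS, threshold=THRESHOLD):
    """Return {(bucket_start_iso, number): count} for counts above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[1] != "INVITE":
            continue  # only call attempts count, not OPTIONS, REGISTER, etc.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        number = calling_number(parts[2])
        if number is None:
            continue  # anonymous callers need a separate rule (e.g. per source IP)
        bucket = int(ts.timestamp()) // interval * interval
        counts[(bucket, number)] += 1
    return {(datetime.fromtimestamp(b, timezone.utc).isoformat(), n): c
            for (b, n), c in counts.items() if c > threshold}

if __name__ == "__main__":
    print(flag_problematic(SAMPLE_LOG))
```

Fixed buckets miss a burst that straddles a bucket boundary, and an attacker who rotates caller IDs stays under a per-number limit, so in practice this count is one signal among several.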
As you look at your contact center operations, consider solutions to give you a greater degree of data analytics. Given the cost of a contact center shutdown, it’s a pretty easy ROI calculation to bring these sorts of tools into your network.