Emergency calling services need to offer 24/7 availability to citizens. Unfortunately this is not always the case, due to new cyber threats which have been on the rise in recent years. One of the most devastating types of attack, known as Distributed Denial of Service (DDoS), aims at putting a service out of order so that it is no longer available to legitimate users. So, is emergency service availability on a 24/7 basis really guaranteed?
Emergency services agencies never publicize these attacks, but they do happen. Here’s how and why.
A few years ago a teenager from Arizona managed to break the 911 service by accidentally launching a DDoS attack in 12 states, including Arizona, Washington and California. In principle DDoS can affect any open service on the internet, even if it is an emergency service. Moreover, when we talk about VoIP services, these threats can also materialize at the application level in the form of Telephony Denial of Service (TDoS) attacks.
The open nature of the NG911 emergency service offers fertile ground for attackers. This is because legislation obliges telecommunication vendors to connect every emergency call. It becomes apparent that a vendor cannot deny an emergency call because the caller does not have enough credit. Also, if we consider the specific technical details of an emergency call, the telecommunication vendor cannot delay or deny a call which is initiated with a video stream, regardless of how heavy that stream may be for the system in terms of resources.
Due to the technical and ethical nature of emergency call handling, the 911 service accepts all calls for help, as in the aforementioned case of Arizona. This increases the attack surface of the emergency service at different levels, as it gives a spiteful aggressor the opportunity to collect important information about the architecture and features of the emergency service. In principle, knowledge of how a system works internally can be exploited to maximize the impact of an attack.
At Atos we always look for innovative solutions to secure our products against these threats. The first step we always take is to know the enemy.
Botmasters usually begin with reconnaissance to monitor the network in order to identify vulnerabilities and collect information.
In this way an attacker can simply probe the call centers with a series of varied test calls, with the aim of profiling and monitoring the business flow of the underlying service. These details can later be used in an insidious way to attack the system.
We do not know if the same happened in the Arizona case, but the attacker targeted services in different states at once.
The important part is that the Next Generation 911 (NG911) service deploys state-of-the-art detection/prevention and honeypot-driven security mechanisms. Thus, even after an apparently successful reconnaissance phase, the system is always ready to defend against the actual attack.
Botmasters get their name because they command armies of infected zombie devices (i.e., a botnet). In the Arizona case the attacker used special hidden command and control (C&C) covert channels to instruct the zombies to target directly the 911 infrastructure.
In fact, Arizona wasn’t the only victim. A few months ago a VoIP company in Canada was paralyzed by a DDoS attack.
Heads up: Arizona and all other emergency services need to be aware of what’s coming next.
A novel DDoS attack against the emergency calling service
As mentioned earlier, a caller can easily initiate any type of emergency call – one that is not filtered – with regard to the Session Description Protocol (SDP) details, meaning the information describing the media stream that will be established. Say, for example, that a caller initiates an emergency call using high-resolution video streams.
So far this is not an indication of attack activity for typical Session Initiation Protocol (SIP)-driven DDoS detection mechanisms. But what will happen if an army of infected devices initiates multiple calls with high-quality, or even incompatible, video streams that need transcoding?
Researchers recently published a scientific paper which shows how a botnet could be used to launch a novel DDoS attack targeting the NG911 emergency calling service. This attack relies on the exploitation of the SDP bodies encapsulated in SIP messages. It targets the transcoder elements present in the NG911 architecture, which are used to translate incompatible RTP streams on the fly. But how many transcoders would be necessary to handle multiple incompatible video streams initiated from a large-scale botnet?
Fighting the threats
There are different ways to detect this attack, but refusing to connect the caller is never an option. One way would be to equip the emergency calling service with redundant transcoders that can handle multiple CPU-hungry video streams at the same time. But this is not a cheap solution today, because a call center may need to deploy several Digital Signal Processor (DSP) modules to transcode thousands of incompatible high-quality video streams in parallel. I anticipate that future detection mechanisms will incorporate features that examine the SDP bodies and offer early detection for this threat.
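The kind of SDP-aware early detection described above, as an added illustration that is not part of the original post or of any Atos product: it parses the SDP body of each incoming INVITE, decides whether the offer would tie up a transcoder (no codec in common with the media path, or an oversized video bandwidth), and raises an alert when most offers in a time window are heavy. The native codec set, the bandwidth cap and the sample SDP bodies are assumptions constructed for the example.

```python
from collections import Counter

# Constructed for this example: codecs the hypothetical NG911 media path can relay
# without transcoding. A real deployment would load this from the transcoder config.
NATIVE_CODECS = {"audio": {"PCMU", "PCMA", "G722"}, "video": {"H264", "VP8"}}
MAX_VIDEO_KBPS = 4000  # assumed cap; above this the offer is treated as a CPU-heavy stream

def parse_sdp(sdp):
    """Minimal SDP parser: per media kind, the offered codec names and the b=AS bandwidth."""
    sections, current = {}, None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):  # m=<kind> <port> <proto> <payload types>
            current = sections.setdefault(line[2:].split()[0], {"codecs": set(), "kbps": None})
        elif current is not None and line.startswith("a=rtpmap:"):  # a=rtpmap:<pt> <enc>/<clock>
            current["codecs"].add(line.split(" ", 1)[1].split("/")[0].upper())
        elif current is not None and line.startswith("b=AS:"):  # application max bandwidth, kbit/s
            current["kbps"] = int(line[5:])
    return sections

def heavy_reason(sdp):
    """Why this offer would occupy a transcoder/DSP slot, or None if it is cheap to relay."""
    for kind, media in parse_sdp(sdp).items():
        native = NATIVE_CODECS.get(kind, set())
        if media["codecs"] and not media["codecs"] & native:
            return "transcode"  # every offered codec needs on-the-fly translation
        if kind == "video" and media["kbps"] and media["kbps"] > MAX_VIDEO_KBPS:
            return "bandwidth"
    return None

def transcoding_pressure(invites, min_calls=5, max_ratio=0.5):
    """invites: (source_ip, sdp_body) pairs seen in one time window.
    Alerts when the window is busy enough and most offers are heavy. No call is
    rejected; the alert only tells operators that DSP capacity is being drained."""
    total, heavy = 0, Counter()
    for src, sdp in invites:
        total += 1
        if heavy_reason(sdp):
            heavy[src] += 1
    n_heavy = sum(heavy.values())
    ratio = n_heavy / total if total else 0.0
    return {"total": total, "heavy": n_heavy, "sources": len(heavy),
            "ratio": ratio, "alert": total >= min_calls and ratio >= max_ratio}

# Constructed sample offers (RFC 5737 documentation addresses), not captured traffic.
BENIGN_SDP = "v=0\nm=audio 49170 RTP/AVP 0\na=rtpmap:0 PCMU/8000\nm=video 51372 RTP/AVP 96\nb=AS:512\na=rtpmap:96 H264/90000\n"
INCOMPATIBLE_SDP = "v=0\nm=video 51374 RTP/AVP 97\nb=AS:8000\na=rtpmap:97 H263-1998/90000\n"
```

A real deployment would feed `transcoding_pressure` from a sliding window over the SIP proxy's INVITE log and correlate the `sources` count with the current DSP occupancy before paging anyone.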