TDOS (DDoS) mitigation tips?

Every Thursday morning, around 8:50 AM, there is an incredible spike in inbound calls to our system. The numbers all begin with local area codes. Checking the log from last week, we got about 6000 calls between 9 AM and 1 PM. When my users answer these calls, they just hear dead air. It is a major issue because on a normal Thursday, it’s a busy time for phone calls. My users don’t have a way to filter out or differentiate the calls.

It leads me to believe that someone (or some group) has automated an attack at the times described above. I tried blacklisting some of the numbers that came up, but it feels fruitless because phone numbers can easily be spoofed (which is probably what is going on here). I reached out to the SIP provider, but they told me I had to block the numbers at my PBX, but that doesn’t seem feasible with 1000’s of phone numbers (some of which could be legit). I checked the CDR log from the provider and learned that most of the calls are coming from the same 3 IP addresses - they belong to a company called Inteliquent. I added iptables rules to drop the traffic but I don’t know if it’s effective.

Any suggestions on what I can do to prevent/mitigate these attacks?

a bit of PBX info
FreePBX 15.0.23
Asterisk 16.20.0
SIP provider is Flowroute
public IP interface
system firewall and responsive firewall enabled
sangomaconnect

Please let me know if there is any other information needed.

An IVR requiring DTMF input from the caller would manage this easily. You could even do a time condition so that the IVR only handles Thursday morning calls. You could use the Allow List module to allow trusted callers thru without hitting the IVR.

I had a similar issue one time, contacted Sangoma/Sipstation about it. I was told there wasn’t anything I could really do since every call came from a different CID. The attacks/spammers were hitting a 1-800 number, since it was toll-free. I basically just got rid of the 1-800 number.

I guess the info @lgaetz is giving would have possibly worked too.

Sorry if I didn’t explain myself well… that volume of calls is unexpected; it should be maybe 200, 300 calls at most in the AM (it’s a small community non profit, not a large call center or anything). All these inbound calls are starting to add up on the bill.

We have had IVRs with DTMF options set up since we created this FreePBX instance; not sure if there is something else that can be configured there? It’s a fairly normal setup, call in and you are prompted to select a language with a keypress, and then the options go to ring groups.

I like the idea of the Allow List, and I will have to talk to the staff if there are particular callers that we can add to the list, should it be implemented.

I know I was told in another thread that too much information can be bad but here is some more “too much information”.

This needs to be reported to the FCC. The laws and regulations that have come into effect over the last three years address issues like this. In 2021 the FCC cracked down on roughly 3-4 VoIP providers for allowing this type of traffic to happen. All the orders were basically the same: clean up the violator within 30 days or the other carriers will be ordered to block their traffic.

On top of that, both Flowroute and Inteliquent have violated the RoboCalling Mitigation rules which mandate that the carriers are supposed to mitigate robo calls on both ingress and egress from their networks. The fact they both let you get peppered with over 160 calls an hour for 4 hours straight is unacceptable.

There are new processes and rules in place, they need to be used in order for things to work and the offenders to get busted.

So the incoming ‘dead air’ calls are successfully getting thru the IVR to ring thru to an extension? Is the IVR configured to time out to go to a live person? If so, that would not accomplish anything to filter out robocalls.

If you ‘answer’ a call in any fashion, you are exposed to a cost if you are paying by the minute or call, so that’s a catch-22 if you “don’t know the caller” but only your provider can ease that problem.

Thanks for the insight. The first IVR timeout was set to the ring group. For now I changed it to hang up if it times out. (Sometimes the simplest things are the easiest to miss.)

I assume an actual human caller will press the digits at the prompt.

I’ll write to Inteliquent and see what they have to say, and escalate after if need be.
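
An added example, not part of the original thread: one way to confirm from a CDR export the pattern described above (an hourly spike, many different caller IDs, a handful of source IPs) before deciding where to block. The CSV columns (`start`, `src`, `src_ip`), the baseline and factor values, and all sample rows are constructed assumptions, not Flowroute's actual export format.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime

def make_sample_cdr():
    """Constructed data. Columns (start, src, src_ip) are assumed, not a real export format."""
    rows = ["start,src,src_ip"]
    for h in range(8, 14):            # normal traffic: 3 calls/hour via 3 carrier IPs
        for i in range(3):
            rows.append(f"2021-10-07 {h:02d}:{10 + 15 * i}:00,555010{h:02d}{i},198.51.100.{10 + i}")
    for h in range(9, 13):            # flood: 40 calls/hour, unique caller IDs, 3 source IPs
        for i in range(40):
            rows.append(f"2021-10-07 {h:02d}:{i:02d}:30,5550200{h:02d}{i:02d},203.0.113.{1 + i % 3}")
    return "\n".join(rows)

def analyze(cdr_text, baseline_per_hour, factor=5):
    """Flag hours above factor x baseline, then rank source IPs inside those hours."""
    by_hour = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        by_hour[start.strftime("%Y-%m-%d %H:00")].append((row["src_ip"], row["src"]))
    flagged = sorted(h for h, calls in by_hour.items() if len(calls) > baseline_per_hour * factor)
    calls_by_ip, cids_by_ip = Counter(), defaultdict(set)
    for h in flagged:
        for ip, src in by_hour[h]:
            calls_by_ip[ip] += 1
            cids_by_ip[ip].add(src)
    total = sum(calls_by_ip.values())
    report = [{"ip": ip, "calls": n, "share": round(n / total, 2),
               "distinct_cids": len(cids_by_ip[ip])}
              for ip, n in calls_by_ip.most_common()]
    return flagged, report

if __name__ == "__main__":
    flagged, report = analyze(make_sample_cdr(), baseline_per_hour=5)
    print("hours over threshold:", flagged)
    for entry in report:
        print(entry)
```

An IP whose `distinct_cids` is close to its `calls` count is presenting a new caller ID on nearly every call, which is the case where per-number blacklisting cannot keep up and the source IP is the more useful thing to raise with the carrier.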
