  • Sanjay 

8 Detection & Mitigation Strategies from TDoS Attacks

Telephony Denial of Service, often abbreviated TDoS, is a coordinated attack that floods a voice network with calls or activation requests. It can be seen as the “flash mob” version of denial of service, after the way a mob of ordinary-looking people appearing suddenly at a retail store can overwhelm security. Because it uses real people and real infrastructure instead of automated data network attacks, it is also much harder to tell a denial-of-service attack from an unexpected increase in real customer interest.

The Challenge of TDoS Detection

A central challenge in defending against TDoS is that each call, taken individually, may look completely legitimate. Calls often pass initial validity checks because they appear to come from a known and trusted telecommunications provider, have valid identity headers, and originate from a legitimate telephone number.

On the other hand, hundreds of concurrent calls starting within seconds of each other from one or several sources (distributed TDoS) could be legitimate as well: a local emergency at a hospital would trigger legitimate bursts of traffic from callers who are either anxious to get information or seeking help, and they will be even angrier if their calls are being blocked. As a result, TDoS detection is a heuristic problem to be solved by pattern analysis rather than by simple, cold calculations.

The Science of TDoS Heuristics

Several important signals and behavior characteristics have to be analyzed to detect an attack:

  • Call Duration and Abandonment Rates: Normal customer call patterns are highly predictable. The typical abandonment rate for calls not answered within two minutes is 34%. This rate increases to 85% if the wait time is increased to eight minutes (Source: AINora). Additionally, a legitimate call typically lasts between three and six minutes once connected. If patterns of incoming call behavior vary widely from the average, it is likely a TDoS attack.
  • Disconnect Behavior: Determine who hung up. Although it is normal for the customer to disconnect first, if many employees experience the caller disconnecting first, it is a strong indication of an abusive, marketing or spam call.
  • Identity and Reputation: Consider the reputation of the originating telco, and check the identity information to validate that the number is not spoofed. If the originating telco is trusted and the call passes the identity validation checks, the number should be accepted as legitimate.
  • Number of Parallel Calls and Call Gaps: The number of simultaneous calls made from a single source, or the precise time gap between these calls, can indicate automated attacks.
  • Network Mapping: Tag incoming calls to particular SBCs or telco trunks, then cross-check numbers to figure out why so many calls from a given area are going out simultaneously.

Strategic Prevention and Mitigation

Effective TDoS defense requires a multi-layered approach to filter and manage traffic:

  • Pattern Filtering: Filtering calls based on simple rules such as geo-fencing and time-of-day rules can help identify anomalous calls.
  • Suspicion Scoring: Calls can be given a “suspicion score” based on the heuristic signals discussed above.
  • Secondary Screening: If the call’s suspicion score reaches a pre-defined threshold, the call can be diverted to a secondary screening process, instead of being outright blocked. This could be an IVR (Interactive Voice Response) service or a voice captcha, which can be used to confirm that the caller is a human, before routing the call to an agent.
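
A sketch of how suspicion scoring and secondary screening can fit together, added here as an illustration and not taken from any product described in this article. The Call fields, weights, thresholds and trunk names are all assumptions, and the sample calls are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Call:
    source: str           # originating trunk/SBC tag or number (hypothetical names)
    start: float          # arrival time, seconds
    duration: float       # seconds the call held a line
    caller_hung_up: bool  # caller disconnected first
    identity_ok: bool     # upstream identity validation result
    in_geofence: bool     # origin inside the expected service region

# Assumed weights and threshold: tune against your own traffic baseline.
WEIGHTS = {"identity": 35, "geofence": 15, "short": 15, "parallel": 20, "gap": 20}
SCREEN_AT = 50

def source_signals(group, max_parallel=3, jitter=0.5):
    """Return (too_many_parallel, machine_like_gaps) for one source's calls."""
    events = sorted([(c.start, 1) for c in group] +
                    [(c.start + c.duration, -1) for c in group])
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    starts = sorted(c.start for c in group)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    # Near-constant spacing between call starts suggests a dialer, not people.
    return peak > max_parallel, len(gaps) >= 3 and pstdev(gaps) < jitter

def route_calls(calls, short_call=20):
    """Score each call; high scores go to secondary screening, never a block."""
    by_source = defaultdict(list)
    for c in calls:
        by_source[c.source].append(c)
    signals = {s: source_signals(g) for s, g in by_source.items()}
    routed = []
    for c in calls:
        parallel, regular = signals[c.source]
        hits = {"identity": not c.identity_ok, "geofence": not c.in_geofence,
                "short": c.caller_hung_up and c.duration < short_call,
                "parallel": parallel, "gap": regular}
        score = sum(WEIGHTS[k] for k, hit in hits.items() if hit)
        routed.append((c.source, score, "screen" if score >= SCREEN_AT else "agent"))
    return routed

# Constructed sample window: an evenly paced burst, normal callers, one odd call.
SAMPLE = ([Call("trunk-A", 2.0 * i, 15, True, True, True) for i in range(6)] +
          [Call("trunk-B", t, d, False, True, True) for t, d in ((1, 240), (40, 300), (95, 200))] +
          [Call("trunk-C", 12, 200, False, False, False)])
```

Calls routed to "screen" would be handed to the IVR or voice captcha step; everything else goes straight to an agent, so a genuine surge of well-formed calls is delayed at worst rather than dropped.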

Real-World TDoS Cases

Hospital Emergency Line Under Siege

A large metropolitan hospital experienced a sudden spike in incoming calls that overwhelmed their emergency line, delaying genuine patient calls. The source was traced back to a TDoS attack where attackers used hundreds of spoofed numbers. By analyzing call patterns, the hospital deployed heuristic-based filters and a voice captcha system to confirm callers’ legitimacy. This approach reduced malicious calls by 70% within days, ensuring critical lines remained open for real emergencies.

Airline Customer Service Disrupted Before Holiday Travel

An international airline faced a TDoS attack during the busy holiday season. The attackers flooded the customer service center with thousands of calls attempting to rebook nonexistent flights, causing delays and frustration for real passengers. The airline used geo-fencing and suspicion scoring to isolate unusual call volumes originating from unexpected regions. Secondary screening with a tailored IVR filter helped reduce the attack’s impact without blocking genuine travelers, preserving customer trust during peak travel times.

Municipal Government Hotline Targeted During Election Season

During a local election, a city government’s voter information hotline was targeted by a TDoS attack designed to confuse voters and disrupt polling information. Attackers used a botnet to call continuously, exploiting the system’s inability to distinguish automated calls from real voters. After implementing parallel call limits and call duration heuristics, combined with behavioral pattern recognition, the city was able to maintain hotline availability and safeguard voter access to essential information.

TDoS attacks are not just technical problems; they’re business risks. A successful attack can lead to lost revenue, damaged reputation, and even safety concerns in critical environments like healthcare or emergency services. That’s why investing in smart detection and mitigation strategies is essential for any organization that relies on telephony as a frontline communication tool. Connect with us to help you mitigate any voice threat to your organisation.