
What Makes TDoS Different from Volumetric DDoS

A traditional volumetric DDoS attack aims to saturate the target's network link. The attacker floods bandwidth with UDP amplification, SYN floods, or other high-volume vectors until the pipe is full and nothing gets through. Defense means absorbing or filtering traffic at scale, which is why scrubbing centers and CDNs exist.

TDoS operates on a completely different principle. The goal is not to saturate bandwidth but to exhaust application-layer resources specific to telephony: call state tables, SIP transaction timers, media port pools, and call queue slots. A TDoS attack might use less than 500 Mbps of traffic while making a VoIP platform completely unable to process calls. The attack succeeds not by overwhelming the network but by overwhelming the application.

This distinction matters because the defenses are different. A scrubbing center that filters based on packet volume will pass a TDoS attack straight through because the traffic volume is unremarkable. The attack is only visible when you understand that the traffic is SIP, that it is targeting call processing resources, and that the rate of call setup attempts is abnormal for the specific server being targeted.

The TDoS Threat Landscape in 2026

TDoS attacks have escalated from a rare nuisance to a mainstream threat for three reasons.

Low barrier to entry. Launching a TDoS attack requires minimal infrastructure. Open-source SIP testing tools like SIPVicious, SIPp, and custom scripts built on PJSIP can generate thousands of SIP requests per second from a single server. Unlike volumetric DDoS, which requires a botnet or access to amplification reflectors, TDoS can be launched from a handful of rented VPS instances. The total cost to the attacker is often under $50.

High-value targets. VoIP providers serve businesses that depend on telephony for revenue. Call centers, healthcare providers, financial services firms, and emergency services all have near-zero tolerance for telephony outages. A 30-minute TDoS attack during business hours can cost the target provider hundreds of thousands of dollars in direct revenue loss, SLA penalties, and customer churn. This makes extortion demands of $5,000 to $50,000 economically rational for the victim to consider paying.

Difficult attribution. SIP runs over UDP, which is trivially spoofable. The attacker can send INVITE floods from spoofed source IPs, making traceback nearly impossible. Even when the attack originates from real IPs on rented infrastructure, the attacker uses cryptocurrency for payment and disposable identities for provisioning. Law enforcement has limited tools and jurisdiction to pursue TDoS extortionists operating across international boundaries.

Real-World TDoS Attack Patterns

TDoS attacks follow predictable operational patterns that informed defenders can recognize and prepare for.

The Extortion Playbook

The most common TDoS scenario follows a three-phase pattern. First, the attacker sends an extortion email to the VoIP provider's abuse or operations contact, claiming capability to take their platform offline. Second, they demonstrate with a brief (5 to 15 minute) SIP flood that causes visible call failures. Third, they demand payment to stop future attacks, with escalating threats if the demand is ignored.

The demonstration attack is calibrated to cause maximum disruption with minimum effort. It typically targets the SBC's SIP signalling ports with an INVITE flood at 5,000 to 20,000 requests per second. This rate is enough to exhaust most SBCs' call processing capacity while using minimal bandwidth. The attacker often times the demonstration during peak calling hours to maximize the number of affected callers and the urgency of the provider's response.

SIP Gateway Flooding

SIP gateways that bridge VoIP to PSTN are particularly vulnerable to TDoS. Each inbound SIP INVITE that reaches the gateway may trigger an outbound PSTN call attempt, consuming trunk capacity and potentially generating per-minute charges. An attacker can flood the gateway with INVITEs to premium-rate numbers, simultaneously denying service to legitimate callers and generating fraudulent charges that the provider must pay. This combines denial of service with toll fraud in a single attack.

Call Queue Exhaustion

For providers that operate call center platforms, TDoS can target the ACD (Automatic Call Distributor) queue directly. By establishing hundreds of SIP sessions that connect but remain silent (or play hold music back to the attacker's endpoint), the attacker fills all available queue slots. Legitimate callers hear a busy signal or an "all agents are busy" message even though no actual agents are occupied. The attack consumes call capacity without generating any traffic anomaly at the network level.

Why Sub-Second Detection Matters

Voice calls are uniquely intolerant of disruption. A web application can absorb 30 seconds of degraded performance and most users will simply retry. A voice call that experiences 5 seconds of silence, one-way audio, or robotic distortion causes the caller to hang up. A call center that cannot process new calls for 60 seconds loses dozens of customer interactions that will never be recovered.

Detection speed directly determines business impact. Consider the timeline of a TDoS attack against a VoIP provider processing 1,000 concurrent calls:

# TDoS attack impact timeline

T+0s:    Attack begins. INVITE flood at 10,000/sec hits SBC.
T+2s:    SBC call processing queue fills. New call setups begin failing.
T+5s:    Active calls unaffected, but no new calls can connect.
T+15s:   SBC begins dropping keepalive responses. Some active calls
         detect the far end as unreachable and disconnect.
T+30s:   Registration refresh failures begin. Endpoints lose registration.
T+60s:   Cascading failure. Unregistered endpoints cannot make or
         receive calls. Provider is effectively offline.

Detection at T+2s:   Mitigation deploys at T+4s. Brief blip, no call drops.
Detection at T+30s:  Mitigation deploys at T+35s. Hundreds of calls
                     dropped, mass re-registration storm follows.
Detection at T+120s: Provider has been offline for 2 minutes.
                     Customer-visible outage. SLA breach.

The difference between 2-second detection and 2-minute detection is the difference between a non-event and a customer-impacting outage. For VoIP infrastructure, detection latency is not a performance metric. It is a service quality requirement.

Automated Mitigation That Preserves Legitimate SIP Traffic

The challenge of TDoS mitigation is surgical precision. The attack traffic is SIP. The legitimate traffic is also SIP. Both arrive on the same ports, use the same protocol, and may even target the same SBC. Mitigation that blocks too broadly will stop the attack and also stop your phone system.

Effective automated mitigation for TDoS combines several techniques:

  • Trusted peer allowlisting: Known trunk providers, peering partners, and registered endpoint subnets are allowlisted at the kernel level. Their traffic is never subject to rate limiting or filtering, regardless of the attack state. This ensures that the provider's revenue-generating call paths remain unaffected.
  • Dynamic source rate limiting: Unknown sources that send SIP traffic above a per-source threshold (calibrated to be well above what any single legitimate endpoint would send) are automatically rate-limited using nftables or iptables rules injected by the detection agent. The threshold adapts based on the current attack intensity.
  • SIP method filtering: When the detection system identifies the flood method (OPTIONS, REGISTER, INVITE), mitigation can selectively drop that specific SIP method from untrusted sources while allowing other methods through. A REGISTER flood can be stopped by dropping REGISTER from unknown sources without affecting INVITE processing for legitimate calls.
  • Automatic expiry: All mitigation rules include automatic expiration timers. When the attack subsides, the rules expire and normal traffic processing resumes without manual intervention. This prevents stale rules from blocking legitimate traffic after the attack ends.
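The four techniques above, as an added example that is not Flowtriq's code: a per-source SIP rate limiter with a trusted-peer allowlist, per-(source, method) counters so that only the flooding method trips the limit, a threshold that tightens while the global untrusted request rate looks like an attack, and automatic expiry. The table, chain and set names (`sip_guard`, `sip_block`), the thresholds and the sample addresses (TEST-NET ranges) are this example's own assumptions. Instead of executing nftables it records the `nft` commands it would run, so it can be exercised offline; the kernel-side drop is per source address, and the method selectivity lives in the agent's counters rather than in a payload match.

```python
"""Per-source SIP rate limiting with allowlist, method-aware counters,
attack-adaptive threshold and rule expiry. Added example, not vendor code."""
import ipaddress
from collections import defaultdict, deque

# One-time kernel scaffolding the agent is assumed to install at start-up.
# Table/chain/set names are this example's choice. Elements added to the set
# carry their own timeout, so the kernel expires them without a second command.
NFT_BOOTSTRAP = [
    "nft add table inet sip_guard",
    "nft add chain inet sip_guard input '{ type filter hook input priority 0; policy accept; }'",
    "nft add set inet sip_guard sip_block '{ type ipv4_addr; flags timeout; }'",
    "nft add rule inet sip_guard input udp dport 5060 ip saddr @sip_block drop",
]


class SipRateLimiter:
    def __init__(self, trusted_cidrs, base_limit=20, window_s=1.0,
                 attack_rate=2000, rule_ttl_s=60):
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
        self.base_limit = base_limit      # requests per window per source, quiet times
        self.window = window_s
        self.attack_rate = attack_rate    # untrusted req/s that marks an attack in progress
        self.ttl = int(rule_ttl_s)
        self.per_source = defaultdict(deque)   # (src, method) -> timestamps inside the window
        self.global_hits = deque()             # timestamps of all untrusted requests seen
        self.blocked = {}                      # src -> expiry timestamp of its drop rule
        self.commands = []                     # nft commands the agent would execute

    def is_trusted(self, src):
        """Trusted peers are never rate-limited, whatever the attack state."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.trusted)

    def _trim(self, q, ts):
        while q and q[0] <= ts - self.window:
            q.popleft()

    def current_limit(self, ts):
        """Tighten the per-source limit while the global untrusted rate looks like a flood."""
        self._trim(self.global_hits, ts)
        under_attack = len(self.global_hits) >= self.attack_rate * self.window
        return self.base_limit // 4 if under_attack else self.base_limit

    def expire(self, ts):
        """Drop our bookkeeping for rules whose kernel timeout has elapsed."""
        for src, expiry in list(self.blocked.items()):
            if expiry <= ts:
                del self.blocked[src]

    def observe(self, src, method, ts):
        """Account one SIP request; returns 'trusted', 'allow' or 'drop'."""
        self.expire(ts)
        if self.is_trusted(src):
            return "trusted"
        if src in self.blocked:
            return "drop"
        self.global_hits.append(ts)
        q = self.per_source[(src, method)]   # production code would evict idle keys
        q.append(ts)
        self._trim(q, ts)
        if len(q) > self.current_limit(ts):
            self.blocked[src] = ts + self.ttl
            self.commands.append(
                f"nft add element inet sip_guard sip_block {{ {src} timeout {self.ttl}s }}")
            return "drop"
        return "allow"


if __name__ == "__main__":
    # Constructed traffic: an untrusted host sends 30 INVITEs inside one second.
    lim = SipRateLimiter(["203.0.113.0/24"], base_limit=20)
    verdicts = [lim.observe("198.51.100.7", "INVITE", 100.0 + i * 0.01) for i in range(30)]
    print(verdicts.count("allow"), "allowed,", verdicts.count("drop"), "dropped")
    print("\n".join(NFT_BOOTSTRAP + lim.commands))
```

Because the `REGISTER` and `INVITE` counters for a source are separate, a REGISTER flood from an unknown host trips the limit on its own, while a host that sends a normal mix of methods stays under the per-method threshold.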

The goal of TDoS mitigation is not to block all attack traffic. It is to reduce attack traffic to a rate the SBC can process without degradation, while ensuring zero impact on traffic from known legitimate sources.

Setting Up TDoS Defense with Flowtriq

Flowtriq's agent deploys directly on SBCs and SIP gateways, providing detection that is tuned for VoIP workloads. The agent classifies traffic by service port, maintaining separate baselines for SIP signalling and RTP media. It detects TDoS attacks by correlating multiple signals: SIP transaction rate spikes, source diversity changes, method distribution skew, and failed authentication rates.
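The detection idea from this section and from the earlier point that TDoS is only visible when you parse the traffic as SIP and judge call setup rates against the specific server's own baseline, as an added example that is not Flowtriq's code: requests are bucketed per second, and three of the signals named above (transaction rate, source diversity, method distribution skew) are correlated against a baseline learned from quiet buckets. The log line format, the thresholds and the sample traffic (TEST-NET addresses, `pbx.example`) are constructed for this example; failed-authentication rate is not modelled.

```python
"""Multi-signal TDoS detector over per-second SIP request buckets.
Added example, not vendor code. Log format is constructed for the example."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed format: "<unix_ts> <src_ip> <METHOD> <request-uri> SIP/2.0"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
                     r"(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")


def parse_line(line):
    """Return (timestamp, source, method) or None for lines that are not SIP requests."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], m["method"]


def bucket_by_second(lines):
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, method = rec
            buckets[int(ts)].append((src, method))
    return buckets


def signals(events):
    """Rate, distinct sources and how dominant the most common method is."""
    n = len(events)
    methods = Counter(m for _, m in events)
    top_method, top_count = methods.most_common(1)[0] if methods else (None, 0)
    return {"rate": n, "sources": len({s for s, _ in events}),
            "top_method": top_method, "skew": top_count / n if n else 0.0}


class TdosDetector:
    """Alert only when a rate spike is corroborated by method skew or a source-diversity jump."""

    def __init__(self, warmup_buckets=5, z_threshold=4.0, skew_threshold=0.8, source_ratio=3.0):
        self.warmup = warmup_buckets
        self.z_threshold = z_threshold
        self.skew_threshold = skew_threshold
        self.source_ratio = source_ratio
        self.rate_history = []      # per-server baseline, fed only by quiet buckets
        self.source_history = []

    def update(self, events):
        sig = signals(events)
        verdict = {"alert": False, **sig}
        if len(self.rate_history) >= self.warmup:
            mean = statistics.fmean(self.rate_history)
            std = max(statistics.pstdev(self.rate_history), 1.0)   # floor avoids divide-by-zero
            z = (sig["rate"] - mean) / std
            base_sources = max(statistics.fmean(self.source_history), 1.0)
            spike = z >= self.z_threshold
            skewed = sig["skew"] >= self.skew_threshold
            diverse = sig["sources"] / base_sources >= self.source_ratio
            verdict.update(z=round(z, 1), alert=spike and (skewed or diverse))
        if not verdict["alert"]:    # an attack bucket must not poison the baseline
            self.rate_history.append(sig["rate"])
            self.source_history.append(sig["sources"])
        return verdict


def build_sample_log():
    """Constructed traffic: five quiet seconds, then one second with an INVITE flood."""
    lines = []
    legit = [f"203.0.113.{i}" for i in range(1, 9)]          # 8 real endpoints
    quiet_mix = ["INVITE"] * 10 + ["REGISTER"] * 6 + ["OPTIONS"] * 3 + ["BYE"]
    for sec in range(5):
        for i, method in enumerate(quiet_mix):
            lines.append(f"{1700000000 + sec}.{i:03d} {legit[i % 8]} {method} sip:pbx.example SIP/2.0")
    for i in range(500):   # 500 INVITEs spread over 50 spoofed sources
        lines.append(f"1700000005.{i:03d} 198.51.100.{i % 50 + 1} INVITE sip:+15551230100@pbx.example SIP/2.0")
    for i, method in enumerate(quiet_mix):   # legitimate traffic continues under the flood
        lines.append(f"1700000005.{500 + i:03d} {legit[i % 8]} {method} sip:pbx.example SIP/2.0")
    return lines


def run(lines):
    """Feed buckets in time order; returns one verdict per second."""
    det = TdosDetector()
    return [det.update(events) for _, events in sorted(bucket_by_second(lines).items())]


if __name__ == "__main__":
    for sec, v in enumerate(run(build_sample_log())):
        print(f"T+{sec}s rate={v['rate']} sources={v['sources']} "
              f"top={v['top_method']} skew={v['skew']:.2f} alert={v['alert']}")
```

The verdict carries the dominant method, which is what a method-selective mitigation step needs; the rate z-score alone is deliberately not enough to alert, so a legitimate call burst with the server's usual method mix and source population does not trigger mitigation.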

When a TDoS attack is detected, the agent triggers automated mitigation within seconds. Mitigation rules are port-aware and protocol-aware, targeting the specific attack pattern without disrupting legitimate call traffic on adjacent ports or from trusted sources. The provider's operations team receives an alert with full attack details, but the mitigation is already active before any human intervention is required.

For VoIP providers serving latency-sensitive workloads like healthcare, emergency services, and financial trading, the difference between automated sub-second response and manual intervention is the difference between maintaining SLA compliance and explaining an outage to customers.

Defend your SIP infrastructure from TDoS. Flowtriq provides sub-second TDoS detection with automated mitigation that preserves legitimate call traffic. See how it works for VoIP providers or start your free trial.
