
What Is a TDoS Attack

Telephony Denial of Service (TDoS) is a category of attack that specifically targets voice communication systems. Unlike volumetric DDoS attacks that overwhelm network bandwidth with raw traffic volume, TDoS attacks overwhelm the telephony layer by flooding the target with phone calls. The goal is to exhaust SIP trunk capacity, tie up call queues, and prevent legitimate callers from getting through.

TDoS is not a new concept. Before VoIP, attackers would use banks of modems and auto-dialers to flood PSTN lines. The migration to SIP-based voice infrastructure made TDoS dramatically easier and cheaper to execute. An attacker with a handful of SIP accounts and a script can generate thousands of simultaneous call attempts at negligible cost. No physical phone lines required. No hardware investment. Just SIP INVITE packets.

The FBI and the Department of Homeland Security have issued multiple advisories about TDoS attacks targeting 911 call centers, hospital switchboards, government offices, and financial institutions. These attacks are not theoretical. They happen regularly, and the consequences are severe when emergency communication channels are blocked.

TDoS vs. Volumetric DDoS: Key Differences

It is important to understand how TDoS differs from volumetric DDoS, because the detection and mitigation strategies are fundamentally different.

Volumetric DDoS attacks generate massive bandwidth. A SYN flood, DNS amplification, or UDP reflection attack pushes gigabits or terabits of traffic toward the target. The goal is to saturate the network link. Detection is straightforward: if traffic to a destination exceeds the link capacity or rises far above normal levels, something is wrong. Mitigation involves filtering or black-holing traffic at the network edge.

TDoS attacks generate relatively modest network traffic. A SIP INVITE is around 1 KB, so even 1,000 new call attempts per second amount to roughly 8 Mbps of INVITEs, and the provisional responses and ACKs that complete each dialog add only a few megabits more. That is invisible to traditional DDoS detection systems that trigger on gigabit-per-second thresholds. The damage is not at the network layer. It is at the application layer: SIP trunk exhaustion, call queue overflow, database overload from authentication processing, and resource depletion on the SIP proxy.

Here is a comparison that illustrates the difference:

Volumetric DDoS (SYN Flood)
  Bandwidth:     12 Gbps
  Packets/sec:   8.5 million
  Target:        Network link saturation
  Detection:     Volume threshold exceeded
  Impact:        All services on the target IP unreachable

TDoS (Automated Call Flood)
  Bandwidth:     8 Mbps
  Packets/sec:   6,200
  Calls held:    4,800 concurrent
  Target:        SIP trunk capacity (5,000 channels)
  Detection:     ??? (below all volume thresholds)
  Impact:        96% trunk utilization, legitimate calls fail

The TDoS attack consumes 96% of the SIP trunk capacity while generating less bandwidth than a video stream. A volumetric DDoS detection system tuned to link-saturation thresholds will not flag 8 Mbps as anomalous.

How Automated Call Generators Work

Modern TDoS attacks use automated call generators that create realistic-looking SIP call flows. These tools are not sophisticated custom malware. Many are built on open-source SIP testing frameworks that were designed for legitimate load testing and have been repurposed for attack.

A typical automated call generator operates in several stages:

  1. Target enumeration: The attacker identifies the target's SIP endpoint IPs, either through DNS lookups (SRV records for SIP are publicly queryable), port scanning for open 5060/5061 ports, or social engineering to obtain direct inward dialing (DID) ranges.
  2. Call generation: The tool sends SIP INVITE requests at a controlled rate. Sophisticated generators maintain proper SIP dialog state, responding to 100 Trying and 180 Ringing responses so that the calls appear legitimate to SIP-layer monitoring tools.
  3. Session maintenance: Once a call is "answered" (either by an auto-attendant, voicemail system, or IVR), the generator holds the session open by sending periodic RTP keepalive packets. This ties up a SIP trunk channel for the duration of the call.
  4. Caller ID spoofing: The generator randomizes the From header and caller ID for each call, making it impractical to block based on calling number. Some generators use valid number formats from the target's own area code to further blend in.

The most effective TDoS attacks use distributed infrastructure. The attacker runs call generators across multiple VPS providers and SIP trunk services, so the calls arrive from many different source IPs and SIP carriers. Blocking any single source has minimal impact on the overall attack volume.

SIP Trunk Exhaustion

Every VoIP provider has a finite number of SIP trunk channels. This is the maximum number of concurrent calls the platform can handle, determined by SIP proxy capacity, media gateway resources, and trunk licensing. When TDoS calls consume these channels, legitimate callers get busy signals or "all circuits are busy" messages.

SIP trunk exhaustion is particularly damaging because of how it cascades. When trunk A is full, incoming calls may overflow to trunk B. If the TDoS attack also floods trunk B, the overflow goes to trunk C. Because the attack calls are held open and never release their channels, the flood only has to hold slightly more calls than the group's total capacity for every new legitimate call to fail, even though each individual trunk may appear to be just "very busy" rather than under attack.

The recovery time after a TDoS attack also creates extended impact. Even after the attack calls stop, the SIP proxy may need several minutes to process the BYE requests and release the call channels. If the proxy has a backlog of queued call setup requests from legitimate callers who were waiting during the attack, it may experience a second wave of overload as it tries to process the queue.
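The knife-edge described above can be made concrete with a small simulation. This is an added example, not code from the page or from Flowtriq: it assumes three trunks with overflow routing A -> B -> C (5,000 channels in total, as in the comparison earlier), legitimate calls that hold a channel for 60 seconds, and flood calls that are held open for the entire run, with the attacker redialling failed attempts until it holds its target number of channels. Arrivals within a second are interleaved so that legitimate calls are neither first nor last in line.

```python
"""Overflow-routed trunk group under a held-open call flood.

Added simulation, not from the page or Flowtriq. Assumptions: three trunks
with overflow routing A -> B -> C, legitimate calls hold a channel for 60 s,
flood calls are never torn down during the run, and the attacker redials
failed attempts until it holds its target number of channels.
"""

LEGIT_HOLD = 60      # seconds a legitimate call occupies a channel
NEVER = 10 ** 9      # end time for flood calls that are never torn down


class Trunk:
    def __init__(self, name: str, channels: int):
        self.name, self.channels = name, channels
        self.active = []   # (end_time, kind) for each call holding a channel

    def release(self, now: int) -> None:
        self.active = [c for c in self.active if c[0] > now]

    def admit(self, end: int, kind: str) -> bool:
        if len(self.active) >= self.channels:
            return False
        self.active.append((end, kind))
        return True

    def utilization(self) -> float:
        return round(len(self.active) / self.channels, 3)


def interleave(attack: int, legit: int) -> list:
    """Arrival order within one second, legit calls spread evenly among flood calls."""
    total = attack + legit
    legit_at = {(k + 1) * total // (legit + 1) for k in range(legit)}
    return ["legit" if i in legit_at else "attack" for i in range(total)]


def simulate(trunks, attack_target, attack_rate=40, legit_rate=2,
             duration=600, measure_from=300):
    """Legit failure fraction over [measure_from, duration) and final per-trunk utilization."""
    held = attempts = failures = 0        # held = flood calls currently on a channel
    for now in range(duration):
        for t in trunks:
            t.release(now)
        for kind in interleave(min(attack_rate, attack_target - held), legit_rate):
            end = now + (LEGIT_HOLD if kind == "legit" else NEVER)
            ok = any(t.admit(end, kind) for t in trunks)   # first trunk with a free channel
            if kind == "attack":
                held += ok
            elif now >= measure_from:
                attempts += 1
                failures += not ok
    return failures / attempts, {t.name: t.utilization() for t in trunks}


def run(attack_target: int):
    """5,000 channels split over three trunks, as in the comparison earlier on the page."""
    trunks = [Trunk("A", 2000), Trunk("B", 2000), Trunk("C", 1000)]
    return simulate(trunks, attack_target)


if __name__ == "__main__":
    for target in (4800, 4950, 5000):
        failure, util = run(target)
        print(f"flood holds {target:>5} channels: legit failure {failure:6.1%}  trunks {util}")
```

With the flood holding 4,800 channels (the 96% case from the comparison) no legitimate call fails, because the remaining 200 channels cover the 120 legitimate calls in progress at any time. At 4,950 held channels the 50 channels left over can carry only 50 legitimate calls per minute against 120 offered, so 58% of legitimate attempts fail; at 5,000 every attempt fails. In all three cases trunks A and B report 100% utilization, which is exactly why per-trunk busy indicators do not distinguish an attack from a busy day.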

TDoS Targeting Emergency Services and Call Centers

TDoS attacks are not just a commercial concern. They represent a serious public safety threat when directed at emergency communication infrastructure.

911/PSAP targeting: Public Safety Answering Points (PSAPs) have limited call-taker positions and trunk capacity. A TDoS attack that ties up even 50% of a PSAP's trunks can delay emergency response times by critical minutes. The FCC has documented multiple incidents where TDoS attacks against PSAPs delayed police, fire, and EMS dispatch.

Hospital switchboards: Hospitals rely on their phone systems for internal coordination, patient communication, and emergency department routing. A TDoS attack during a mass casualty event could prevent coordination between departments, delay surgical consultations, and block incoming emergency transfer requests.

Financial institution call centers: Banks and brokerages are targeted with TDoS to prevent customers from calling in during unauthorized account activity. The attacker initiates fraudulent transactions and simultaneously launches a TDoS attack against the institution's customer service lines, buying time before the fraud is reported.

Government offices: State and federal agencies have been targeted with TDoS as a form of protest, harassment, or distraction during other offensive operations. The FBI considers TDoS against government infrastructure a significant threat vector.

Why TDoS Is So Hard to Detect

TDoS is one of the most challenging attack types to detect because it is designed to look exactly like legitimate traffic. Here are the specific factors that make detection difficult:

Low Bandwidth Footprint

As discussed above, TDoS generates minimal network traffic. Traditional DDoS detection systems that monitor bits-per-second and packets-per-second will not trigger on TDoS traffic because it falls well below volumetric thresholds.

Valid SIP Dialog State

Sophisticated TDoS tools maintain proper SIP dialog state. They respond correctly to SIP provisional responses (100 Trying, 180 Ringing), send ACK after receiving 200 OK, and even negotiate media parameters. At the protocol level, each call looks identical to a legitimate call.

Distributed Sources

When calls arrive from hundreds of different source IPs across multiple SIP carriers, there is no single source to identify and block. Each individual source may generate only 5 to 10 concurrent calls, which is well within normal behavior for a small business PBX.

Realistic Call Patterns

Advanced TDoS tools vary their call timing to avoid detection by pattern analysis. Instead of launching all calls simultaneously, they ramp up gradually over 10 to 15 minutes, mimicking a natural traffic increase. Some even introduce random call durations and call intervals to further blend in with organic traffic.

Caller ID Diversity

The attacker randomizes calling numbers, often using valid number formats from the target's local area code. Basic allow/deny lists based on calling number are ineffective because each number is used only once or twice.

How Flowtriq Baseline Anomaly Detection Catches TDoS

Flowtriq detects TDoS by monitoring the metrics that actually matter for telephony: concurrent session counts, call setup rates, and per-port traffic patterns. Instead of relying on volumetric thresholds, Flowtriq builds baselines for these telephony-specific indicators and alerts when they deviate from normal patterns.

Here is what Flowtriq monitors for TDoS detection:

  • SIP transaction rate on port 5060/5061: The number of new SIP transactions per second. During a TDoS attack, the transaction rate spikes even though the bandwidth does not.
  • New flow creation rate: Each call attempt creates a new network flow. Flowtriq tracks the rate of new flow creation per destination IP and compares it against the learned baseline. A sudden increase in new flows to your SIP proxy is an early TDoS indicator.
  • Source diversity metrics: Flowtriq tracks the number of unique source IPs generating traffic to your SIP infrastructure. A TDoS attack from distributed sources causes a sudden increase in source IP diversity that deviates from normal patterns.
  • Port 5060 to RTP port ratio: During normal operation, the ratio of SIP signaling traffic to RTP media traffic remains relatively stable. TDoS attacks that establish calls but send minimal media (or no media at all) cause this ratio to shift dramatically.

# Flowtriq TDoS detection alert
{
  "alert_type": "anomaly",
  "classification": "TDoS - SIP Trunk Exhaustion",
  "target_ip": "203.0.113.10",
  "target_port": 5060,
  "metrics": {
    "new_flows_per_sec": 312,
    "baseline_new_flows_per_sec": 28,
    "deviation": "11.1x",
    "unique_sources": 847,
    "baseline_unique_sources": 120,
    "source_diversity_deviation": "7.1x"
  },
  "sip_signaling_to_rtp_ratio": "14:1",
  "baseline_ratio": "1:8",
  "recommendation": "investigate_tdos"
}

Notice the signaling-to-RTP ratio inversion. Normally, RTP media traffic significantly exceeds SIP signaling traffic (the baseline ratio is 1:8, meaning 8x more RTP than SIP). During the TDoS attack, this flips to 14:1 (14x more SIP than RTP) because the attack calls either do not establish media sessions or send minimal keepalive RTP. This ratio analysis is one of the strongest TDoS detection signals available, with one caveat: it assumes the sensor sees both the signaling and the media path. Where RTP flows directly between endpoints, or through a media gateway the sensor does not observe, the ratio carries no information and the new-flow rate and source-diversity indicators have to carry the detection on their own. The ratio also shifts less when the flood reaches an IVR that plays a greeting, since the IVR side then generates real media.
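The indicators in the list above can be computed from ordinary flow records and scored against a learned window. The block below is an added example, not Flowtriq's code: it builds constructed flow records (60 seconds of steady customer traffic, then 60 seconds with an unanswered call flood added), computes the new-flow rate, unique-source count and signaling-to-media byte ratio for both windows, and emits an alert shaped like the one above. The RTP port range, the deviation multipliers and the alert field names are assumptions.

```python
"""Baseline-versus-window scoring of the TDoS indicators listed above.

Added example, not Flowtriq's code. The flow records are constructed below;
the RTP port range, the deviation multipliers and the alert field names are
assumptions chosen to mirror the alert shown on the page.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SIP_PORTS = {5060, 5061}
RTP_PORTS = range(10000, 20000)   # assumed RTP port range of the monitored PBX


@dataclass(frozen=True)
class Flow:
    start: int     # flow start time, seconds
    src: str       # source IP
    dport: int     # destination port on the SIP infrastructure
    nbytes: int    # bytes carried by the flow


def window_metrics(flows: Iterable[Flow], t0: int, t1: int) -> dict:
    """Telephony indicators for flows that started in [t0, t1)."""
    inside = [f for f in flows if t0 <= f.start < t1]
    sip = [f for f in inside if f.dport in SIP_PORTS]
    sip_bytes = sum(f.nbytes for f in sip)
    rtp_bytes = sum(f.nbytes for f in inside if f.dport in RTP_PORTS)
    return {
        "new_flows_per_sec": len(sip) / (t1 - t0),
        "unique_sources": len({f.src for f in sip}),
        # signaling bytes per media byte; None when the sensor saw no media at all,
        # in which case the ratio cannot serve as a signal in this deployment
        "sip_to_rtp": sip_bytes / rtp_bytes if rtp_bytes else None,
    }


def evaluate(baseline: dict, current: dict, target_ip: str,
             flow_factor: float = 5.0, source_factor: float = 3.0) -> Optional[dict]:
    """Emit an alert when the window deviates from baseline the way a call flood does.

    Fires on a new-flow surge that is accompanied by either a jump in source
    diversity or a signaling-to-media inversion. Multipliers are assumed tunables.
    """
    flow_dev = current["new_flows_per_sec"] / max(baseline["new_flows_per_sec"], 1e-9)
    src_dev = current["unique_sources"] / max(baseline["unique_sources"], 1)
    ratio_known = baseline["sip_to_rtp"] is not None and current["sip_to_rtp"] is not None
    inverted = ratio_known and current["sip_to_rtp"] > 1.0 > baseline["sip_to_rtp"]
    if flow_dev < flow_factor or (src_dev < source_factor and not inverted):
        return None
    return {
        "alert_type": "anomaly",
        "classification": "TDoS - SIP trunk exhaustion suspected",
        "target_ip": target_ip,
        "metrics": {
            "new_flows_per_sec": round(current["new_flows_per_sec"], 1),
            "baseline_new_flows_per_sec": round(baseline["new_flows_per_sec"], 1),
            "deviation": f"{flow_dev:.1f}x",
            "unique_sources": current["unique_sources"],
            "baseline_unique_sources": baseline["unique_sources"],
            "source_diversity_deviation": f"{src_dev:.1f}x",
            "signaling_to_rtp_inverted": inverted,
        },
    }


def constructed_flows() -> list:
    """Constructed sample: 60 s of normal traffic, then 60 s with a call flood added."""
    flows = []
    for t in range(120):
        # Steady legitimate load: two calls per second from a pool of 20 customer
        # IPs, each ~2 KB of SIP signaling and ~16 KB of RTP (1:8 signaling to media).
        for i in range(2):
            n = t * 2 + i
            src = f"198.51.100.{n % 20}"
            flows.append(Flow(t, src, 5060, 2000))
            flows.append(Flow(t, src, 10000 + (n % 5000) * 2, 16000))
        if t >= 60:
            # Flood: 40 INVITE dialogs per second, each from a fresh source, rung
            # but never answered, so they produce signaling and no media at all.
            for i in range(40):
                n = (t - 60) * 40 + i
                flows.append(Flow(t, f"100.64.{n // 256}.{n % 256}", 5060, 1800))
    return flows


def demo() -> Optional[dict]:
    flows = constructed_flows()
    return evaluate(window_metrics(flows, 0, 60), window_metrics(flows, 60, 120),
                    target_ip="203.0.113.10")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The detector deliberately requires the new-flow surge plus a second indicator: a flash crowd after a marketing campaign also raises the setup rate, but it arrives from the usual source mix and produces media, so it does not trip either corroborating signal. The ratio check is skipped whenever the baseline saw no RTP at all, which is the media-bypass deployment noted above.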

Mitigation Strategies for TDoS

Because TDoS traffic is protocol-valid and low-bandwidth, mitigation requires a more nuanced approach than simply blocking traffic at the network edge:

Source Network Filtering

Flowtriq identifies the source networks generating the highest call volumes and pushes FlowSpec rules to block or rate-limit traffic from those sources. This works when the generators reach your SIP proxy directly over IP, which is common because attackers need SIP connectivity from their generating hosts and typically run them on VPS providers, so blocking the hosting ranges cuts them off without touching customer traffic. It does not apply to calls that arrive through a carrier's SIP trunk or a PSTN gateway: every call from that carrier shares the same source IPs, so a FlowSpec rule would drop legitimate calls along with the flood. Those cases call for upstream coordination instead.

Geographic Call Gating

If your VoIP service operates in specific geographic regions, you can configure Flowtriq to trigger geographic filtering during a detected TDoS event. Calls originating from IP ranges outside your service area are deprioritized or blocked during the attack, preserving trunk capacity for legitimate callers in your coverage area. The location used is that of the IP delivering the call; for calls handed off by a carrier that is the carrier's gateway rather than the caller, so this gating is only meaningful for directly connected sources.

Call Rate Anomaly Response

Flowtriq can trigger call rate limiting that is proportional to the detected anomaly. Instead of a static rate limit, the system calculates the expected legitimate call rate based on the time-of-day baseline and applies a rate limit that is slightly above that level. This keeps the total at a level your infrastructure can handle while leaving room for the expected legitimate volume. A global cap protects the proxy and the trunks, not individual callers: within the capped budget, legitimate setups still compete with attack setups, which is why it is paired with source filtering rather than used on its own.
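The following is an added example of such an adaptive cap, not Flowtriq's implementation. It assumes a constructed hourly baseline of legitimate INVITEs per second, a headroom multiplier and floor for the cap, an engage factor so that the cap is only applied while the offered rate is anomalous (evaluated from the previous second), and rejection with SIP 503 Service Unavailable plus Retry-After, which well-behaved endpoints honour by retrying after the stated delay.

```python
"""Adaptive INVITE rate cap derived from a time-of-day baseline.

Added example, not Flowtriq's code. The hourly baseline is constructed, the
headroom multiplier, floor and engage factor are assumed tunables, and
rejected setups are answered with SIP 503 plus Retry-After.
"""
import math

# Constructed baseline: legitimate INVITEs per second learned per hour (UTC),
# quiet overnight with a business-hours peak.
HOURLY_BASELINE = dict(enumerate(
    [0.4, 0.3, 0.2, 0.2, 0.3, 0.6, 2.0, 6.0, 12.0, 16.0, 18.0, 17.0,
     15.0, 17.0, 18.0, 16.0, 12.0, 8.0, 4.0, 2.5, 1.5, 1.0, 0.7, 0.5]))

REJECT = "503 Service Unavailable; Retry-After: 10"
FORWARD = "forward"


class AdaptiveInviteLimiter:
    """Caps new call setups per second, but only while the offered rate is anomalous."""

    def __init__(self, baseline, headroom=2.0, floor=5, engage_factor=5.0):
        self.baseline = baseline
        self.headroom = headroom              # admit this multiple of the expected rate
        self.floor = floor                    # never cap below this many setups per second
        self.engage_factor = engage_factor    # engage when offered rate exceeds this multiple
        self.cur_sec = None
        self.seen = self.admitted = 0
        self.engaged = False

    @staticmethod
    def hour_of(ts: int) -> int:
        return (ts // 3600) % 24

    def limit_for(self, hour: int) -> int:
        return max(self.floor, math.ceil(self.baseline[hour] * self.headroom))

    def on_invite(self, ts: int) -> str:
        if ts != self.cur_sec:
            # Close the previous second: the cap for this second is engaged by the
            # offered rate observed in the previous one (one second of lag).
            if self.cur_sec is not None:
                expected = self.baseline[self.hour_of(self.cur_sec)]
                self.engaged = self.seen > self.engage_factor * expected
            self.cur_sec, self.seen, self.admitted = ts, 0, 0
        self.seen += 1
        if self.engaged and self.admitted >= self.limit_for(self.hour_of(ts)):
            return REJECT
        self.admitted += 1
        return FORWARD


def run_scenario(hour: int, offered_per_sec: int, seconds: int):
    """Offer a constant INVITE rate starting at the given hour; return (forwarded, rejected)."""
    limiter = AdaptiveInviteLimiter(HOURLY_BASELINE)
    forwarded = rejected = 0
    for s in range(seconds):
        ts = hour * 3600 + s
        for _ in range(offered_per_sec):
            if limiter.on_invite(ts) == FORWARD:
                forwarded += 1
            else:
                rejected += 1
    return forwarded, rejected


if __name__ == "__main__":
    print("03:00, 40/s for 5 s:", run_scenario(3, 40, 5))     # engages after 1 s, cap 5/s
    print("10:00, 20/s for 5 s:", run_scenario(10, 20, 5))    # within baseline, never engages
    print("10:00, 200/s for 3 s:", run_scenario(10, 200, 3))  # engages, cap 36/s
```

The same 40 setups per second pass untouched at 10:00, when the baseline expects 18, and are capped to 5 per second at 03:00, when it expects 0.2; a static limit cannot do both. The floor matters at night: without it the 03:00 cap would be a single setup per second, which would also shut out the genuine callers a quiet-hours emergency produces.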

Upstream Coordination

For TDoS attacks that originate through SIP peering partners or PSTN gateways, Flowtriq provides the evidence your team needs to coordinate with upstream carriers. The PCAP captures, source analysis, and attack timeline documentation can be shared directly with your SIP trunk providers to request upstream filtering at the carrier level.

Regulatory and Reporting Requirements

TDoS attacks carry regulatory implications that go beyond typical DDoS incidents, particularly when they target emergency services or critical infrastructure:

  • FCC requirements: VoIP providers that serve as covered 911 service providers may have reporting obligations when TDoS attacks disrupt 911 connectivity. The FCC's Network Outage Reporting System (NORS) requires reports when outages affect 911 access for a defined threshold of users and duration.
  • FBI IC3 reporting: The FBI's Internet Crime Complaint Center (IC3) accepts reports of TDoS attacks. Reporting helps law enforcement track TDoS campaigns and identify repeat offenders. The FBI recommends reporting all TDoS incidents, regardless of whether they target emergency services.
  • State-level requirements: Several states have enacted TDoS-specific legislation that criminalizes attacks against 911 centers and imposes additional reporting requirements on service providers whose platforms are used to originate TDoS calls.
  • STIR/SHAKEN compliance: The FCC's STIR/SHAKEN framework for caller ID authentication has implications for TDoS detection and prevention. Each call arrives with a signed attestation from its originating provider (A, B or C level) or with no signature at all. VoIP providers that have implemented STIR/SHAKEN verification can treat unsigned and C-level calls as higher risk and deprioritize or filter them during an attack. Attestation does not by itself prove that a caller ID is spoofed, and a flood originated through a provider that fully attests its customers' calls arrives with valid signatures, so it is a risk signal to combine with the indicators above rather than a filter on its own.

Flowtriq's incident reports include all the data required for regulatory filings: attack start and end times, affected infrastructure, peak call volumes, mitigation actions taken, and estimated customer impact. This documentation is available in the dashboard and can be exported in formats suitable for FCC NORS filings and IC3 complaints.

Protecting Your VoIP Platform from TDoS

TDoS is one of the most underestimated threats to VoIP infrastructure. It generates minimal bandwidth, mimics legitimate call patterns, and can completely shut down a voice platform while traditional monitoring tools show nothing unusual. Detecting TDoS requires monitoring the right metrics: session creation rates, source diversity, signaling-to-media ratios, and per-port traffic baselines.

Flowtriq provides all of these capabilities out of the box. Deploy the agent on your SIP infrastructure edge routers, let it build per-port baselines for 7 days, and you will have TDoS detection that catches automated call floods before they exhaust your trunk capacity.

For emergency services providers: If you operate PSAP interconnection or 911 gateway services, contact our team for guidance on TDoS-specific detection tuning. We can configure Flowtriq's alerting thresholds and auto-mitigation rules to meet the faster response times required for emergency communications infrastructure.

Flowtriq plans start at $9.99/node/month with TDoS detection included on all tiers. No separate VoIP add-on required. Start your free trial and protect your voice platform from the attacks that traditional DDoS tools cannot see.
