DDoS (Distributed Denial of Service) may be getting all the recent press, but now the FBI, Homeland Security and several more federal agencies have issued a no-nonsense warning about a spike in the number of TDoS (telephony denial of service) attacks, which wipe out a victim's telephone service.

The focus of the warning was a jump in TDoS against public sector emergency services agencies (police, ambulance, etc.). The warning noted: “The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. … Many similar attacks have occurred targeting various businesses and public entities, including the financial sector” (emphasis added).

The scariest part: security researchers talk about TDoS kits that can be rented for as little as $20 per hour. And that service will generate ample junk calls to put your credit union's telephone system down for the count.

Although the federal alert focused on TDoS aimed at public safety agencies, security experts insisted to Credit Union Times that many financial institutions – including credit unions – have been victims.

Sometimes, too, TDoS attacks have been associated with simultaneous frauds occurring inside a financial institution, noted Rob Kraus, director of research at Solutionary, an IT security company.

The way that works is that just when a credit union decides to pick up the phone to verify a large wire transfer to, say, a Kiev account, TDoS knocks out the phone systems, so no outgoing calls can be made. And the bad wire transfer may be put through.

TDoS also is commonly linked with ransom demands, noted the federal law enforcement agencies. The promise is that the TDoS will cease upon payment of a fee, often in a four-figure range, said experts.

The feds are adamant: Do not pay the blackmail.

For good reason. Paying it probably only sets the stage for another attack a few days later and a new demand for money.

But exactly what credit unions and other TDoS targets should do to protect themselves is frankly up in the air. “Right now, it is very difficult to defend against TDoS,” said Richard Henderson, a security strategist with Fortinet.

Here's the problem: not only is TDoS cheap to unleash, the technology allows for instant spoofing of phone numbers and geographic misdirections. The calls may look as though they originate in Long Island, but they may in fact start out in Moscow – there just is no easy way for most organizations to know, said malware researcher Cameron Camp.

That ability to disguise the calls is what is maddening about TDoS, and it also is at the heart of why most security experts believe very few credit unions have significant internal TDoS mitigation know-how.

The current best advice for coping with TDoS is to begin talking with internal and external telephone experts about how to respond.

A suggestion from Kraus: many credit unions have disaster recovery and business continuity plans that call for a third party to pick up answering incoming calls in the event of an outage, and that same firm could be called upon to handle calls in the event of a TDoS wipeout.

There may be other options. The bigger point: start planning now for a TDoS attack because one just may be coming at you.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.