tp240_phone_home_reflection_ddos

Explanation

This security event in the Netography Fusion Portal is designed to detect TP-240 reflection attacks. Voice-over-IP systems with TP-240 VoIP-processing interface cards can be used by attackers to amplify DDoS attacks. In a TP-240 reflection attack, the attacker sends UDP packets with spoofed source addresses to a vulnerable Voice-over-IP system, which will then respond with potentially thousands of reply packets.

What to Look For

When examining the results of this security event, look for anomalous network traffic patterns involving UDP packets. Specifically, look for large amounts of traffic from a single source address, which may indicate a TP-240 reflection attack.

If a TP-240 reflection attack is detected, take immediate steps to block the malicious traffic. If hosts on your network are being used as reflection amplifiers, take action to deactivate vulnerable services, or block access to those systems from the internet.
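
The pattern described above, a single source emitting far more UDP packets toward a peer than that peer sent to it, can be checked over exported flow records. The following Python is an added example, not Netography's detection logic or code from the Fusion Portal; the record field names, the thresholds and the sample flows (documentation-range addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic); field names are hypothetical.
# 198.51.100.7 stands in for a VoIP host; 203.0.113.50 for the spoofed victim address.
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "203.0.113.50", "dst": "198.51.100.7", "packets": 1, "bytes": 60},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.50", "packets": 4200, "bytes": 4_500_000},
    {"proto": "udp", "src": "198.51.100.20", "dst": "192.0.2.53", "packets": 12, "bytes": 900},
    {"proto": "udp", "src": "192.0.2.53", "dst": "198.51.100.20", "packets": 12, "bytes": 2400},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.80", "packets": 9000, "bytes": 9_000_000},
]

def find_udp_reflectors(flows, min_packets=1000, min_ratio=100.0):
    """Flag (source, target) pairs where UDP packets sent dwarf the packets received back."""
    pkts = defaultdict(int)    # (src, dst) -> UDP packets sent in that direction
    octets = defaultdict(int)  # (src, dst) -> UDP bytes sent in that direction
    for f in flows:
        if f["proto"].lower() != "udp":
            continue  # reflection via the TP-240 service is UDP-only per the description
        key = (f["src"], f["dst"])
        pkts[key] += f["packets"]
        octets[key] += f["bytes"]
    alerts = []
    for (src, dst), out_pkts in pkts.items():
        if out_pkts < min_packets:  # assumed volume threshold; tune to your baseline
            continue
        # Packets the target sent to the source; 0 if the trigger was not sampled.
        in_pkts = pkts.get((dst, src), 0)
        ratio = out_pkts / max(in_pkts, 1)
        if ratio >= min_ratio:      # assumed amplification threshold
            alerts.append({
                "reflector": src, "target": dst, "packets_in": in_pkts,
                "packets_out": out_pkts, "bytes_out": octets[(src, dst)], "ratio": ratio,
            })
    return sorted(alerts, key=lambda a: a["packets_out"], reverse=True)

if __name__ == "__main__":
    for a in find_udp_reflectors(SAMPLE_FLOWS):
        print(f'{a["reflector"]} -> {a["target"]}: {a["packets_out"]} pkts out, '
              f'{a["packets_in"]} in (x{a["ratio"]:.0f})')
```

If the flagged source is a host on your own network, it is acting as the reflector; if it is external and the target is yours, you are the victim of the reflected traffic.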

Related MITRE ATT&CK Categories

Network Denial of Service, Technique T1498 - Enterprise
Endpoint Denial of Service, Technique T1499 - Enterprise