When you make an emergency call like 911 in America, you need to get to a Life-Saving Call Taker at an Emergency Call Center (ECC) or Public Safety Answering Point (PSAP). And to do that, the 911 network has to be functioning, whether it's classic E911 over TDM, or NG911 over IP. But what if the PSAP is under attack?
NENA: The 9-1-1 Association issued its third annual report, "Pulse of 9-1-1," reporting that in the past year, nine percent of Public Safety Answering Points experienced a Telephony Denial of Service (TDoS) or other cyberattack.
For example, in August this year, authorities reported a potential attack from a group with links to Russia against a 911 contact center in Massachusetts.
One form of Telephony Denial of Service (TDoS) attack occurs when an attacker launches so many calls against a PSAP that the system is overloaded. One way of doing this would be to trigger users' devices in a single geographic area to launch calls to 911. Another form would be to trigger a small number of users, a single enterprise customer, for example, to launch many calls in rapid succession.
ECG's Work Developing Informational Standards
NG911 systems, which are based on IP networking, bring a new era of technology. The SIP standards, Session Border Controllers, and software-based call processing systems are all new and subject to new risks from bad actors (cyber-attackers). ECG worked with NENA: The 9-1-1 Association as an expert source on the standard NENA-INF-045.1-2025: Telephony Denial of Service (TDoS) Information Document (issued 2022, re-affirmed this year).
Surprising Realities about the Telephony Denial of Service (TDoS) Risk
E9-1-1 (using TDM) has essentially no viable TDoS Mitigation
Today's E9-1-1 systems based on TDM have no real way to handle calling overloads. They cannot meaningfully filter calls, and cannot distinguish attack traffic from valid traffic. E9-1-1 uses a system of signaling the caller number, CAMA, developed in the 1970s. Local Routers (LRs) that process the calls in E9-1-1 have to allocate a call path for each attack call and wait at least until the calling party number is outpulsed before applying logic to determine if this is a problematic calling party number.
Real TDoS attacks often don't spoof caller ID.
When an attacker compromises legitimate devices on a network, they do not have to spoof caller ID to launch telephony denial of service attacks. For example, if 10,000 unpatched Fiber-to-the-Home Optical Network Terminals (ONTs) providing voice service are simultaneously attacked and triggered to launch 911 calls, then those calls would come from 10,000 different calling party numbers.
Synthetic attacks can rotate spoofed numbers on every call.
When an attacker generates new traffic, for example on a compromised, unscreened PBX trunk, they can generate a new spoofed calling party number for each call. This makes filtering based on the calling party number functionally impossible.
NG9-1-1 "Bad Actor" filtering is defined in the standard, but not widely deployed.
The NENA i3 "Bad Actor" functionality allows a PSAP to filter calls based on calling party number (CBN) or some other value present in the incoming calls, such as a consistent P-Asserted-Identity. This filter defines the calling party, and blocks all calls that include this matching value.
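The difference between keying on the calling party number and keying on a consistent P-Asserted-Identity can be seen in a small detection sketch. This is an added example, not code from ECG or from the NENA standard, and it does not reproduce the i3 Bad Actor interface; the header values, the 60-second window, the threshold of 5, and the names `make_invite`, `extract` and `over_threshold` are assumptions made for illustration.

```python
import re
from collections import deque

# Patterns pulling the user part out of the two headers this page mentions.
HEADER_USER = {
    "from": re.compile(r"^(?:From|f):.*?<sips?:([^@>;]+)@", re.I | re.M),
    "pai": re.compile(r"^P-Asserted-Identity:.*?<(?:sips?|tel):([^@>;]+)", re.I | re.M),
}

def make_invite(from_user, pai_user):
    """Build a constructed, minimal INVITE header block for the sample data."""
    return (f"INVITE urn:service:sos SIP/2.0\r\n"
            f"From: <sip:{from_user}@pbx.example.net>;tag=x\r\n"
            f"P-Asserted-Identity: <sip:{pai_user}@carrier.example.net>\r\n\r\n")

def extract(invite, field):
    match = HEADER_USER[field].search(invite)
    return match.group(1) if match else None

def over_threshold(calls, field, window=60, threshold=5):
    """Values of `field` seen more than `threshold` times within `window` seconds."""
    recent, flagged = {}, set()
    for ts, invite in sorted(calls):
        value = extract(invite, field)
        if value is None:
            continue  # header absent: nothing to key on
        times = recent.setdefault(value, deque())
        times.append(ts)
        while times[0] <= ts - window:  # drop arrivals that left the window
            times.popleft()
        if len(times) > threshold:
            flagged.add(value)
    return flagged

# Constructed sample: 20 calls in 40 s from one trunk, new spoofed From each time,
# same P-Asserted-Identity; plus three unrelated callers.
CALLS = [(2 * i, make_invite(f"+120255501{i:02d}", "+13125550142")) for i in range(20)]
CALLS += [(t, make_invite(n, n)) for t, n in
          [(5, "+14045550111"), (30, "+14045550122"), (50, "+14045550133")]]

if __name__ == "__main__":
    print("flagged by From:", over_threshold(CALLS, "from"))
    print("flagged by P-Asserted-Identity:", over_threshold(CALLS, "pai"))
```

A flagged value is a candidate for operator review rather than an automatic block, because a filter on that value blocks every call carrying it, including genuine emergency calls behind the same trunk.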
STIR/SHAKEN cannot authenticate calls that touch TDM E9-1-1 networks.
Even when STIR/SHAKEN is present on 9-1-1 calls, if they flow through a TDM segment of the network, then the STIR/SHAKEN header information can be lost.
High-Volume TDoS Mitigation uses Internet DDoS scrubbing infrastructure.
Internet DDoS Mitigation generally uses BGP reroute functionality to send traffic through a scrubbing service. To use this, ESInets must be capable of supporting BGP reroute, and have access to these online resources. But many ESInets are not built with BGP reroute and DDoS mitigation.
A single ESInet with national call diversion could theoretically handle extremely large attacks.
National Call Diversion can be arranged in advance by a PSAP. It allows an overloaded PSAP/ECC to reroute calls to other ECCs around the country so that other call takers can process calls. For example, the PSAPs of the New York City area could reroute calls to other parts of the state or the country. But this must be configured in advance.
There is virtually nothing available in SIP spoofing detection - except for STIR/SHAKEN.
STIR/SHAKEN Call authentication is not required for 9-1-1 calls today. Right now, even for calls going into NG9-1-1 networks, STIR/SHAKEN Call Authentication can be helpful but it's not strictly required. This is partly because a large number of calls in the USA do not have STIR/SHAKEN capability, due to TDM trunks.
ECG Gladly Supports 9-1-1 Infrastructure
The ECG team is glad to support public safety in designing, improving and troubleshooting IP-based 9-1-1 systems. ECG consults for Service Providers, Public Sector organizations, and Enterprises on reliable implementation of critical communications, regardless of vendor.


