By Dr. Supranamaya “Soups” Ranjan
With the May 2007 deadline for CALEA compliance getting closer, debates surrounding the social and moral ramifications of Lawful Intercept (LI) have begun raging once again. However, an issue that has neither been raised nor discussed at length is whether LI solutions are sophisticated enough to handle a clever adversary. Are LI solutions and standards in denial about denial-of-service attacks? The short and scary answer is yes, since a clever adversary can either launch attacks that thwart successful interception or exploit vulnerabilities in an LI system to launch other attacks. In the first case, an adversary can prevent Law Enforcement Agencies (LEAs) and ISPs from successfully intercepting targeted events and traffic data by simply launching a denial-of-service attack on the ISP's infrastructure. In the second case, a poorly architected LI solution may introduce new points of vulnerability within an ISP's network, leading to much larger attacks against the ISP's infrastructure post-compliance. The picture may appear gloomy, but ISPs can proactively address the challenge either by deploying LI solutions with built-in security capabilities, or by complementing LI deployments with proven network security solutions.
LI Solutions
All LI solutions can be characterized as active, passive or hybrid. Active LI solutions consist of an intercept device interacting directly with network equipment such as media gateway control servers to obtain all the flows that match the user/service targeted by an LEA. In contrast, passive LI solutions sniff traffic off the wire, and the traffic is then analyzed offline by the intercept device and matched against the target. A hybrid LI solution is one that performs the initial target match passively against sniffed traffic, and on a successful match, it configures the network equipment actively to intercept the media streams corresponding to the target.
Attacker Model
Irrespective of whether the intention is to deny successful interception or to exploit LI infrastructure to launch other attacks, attackers have access to an extensive and bewildering set of techniques that they can use to achieve their goal.
To illustrate the ease with which an attacker may thwart successful interception, consider an attacker who learns of an impending warrant against his VoIP phone number. His first reaction would probably be to stop all VoIP communication. Next, however, he could begin a “spam flood” attack targeted at the ISP(s) most likely to execute the warrant. In order to bring down the LI infrastructure, the attacker could launch a layer-7 SIP flood with his VoIP phone number as the originating number. In order to execute the warrant, the ISP would begin intercepting all the packets in the flood, and depending on which portion of the LI infrastructure is the least provisioned in terms of resources, one or all of the following components could be affected:
- The access link between the routers and the intercept device can be congested, since the routers start forwarding the entire packet storm.
- System resources of the intercept device may be exhausted during a SIP flood by constructing in memory the association of SIP control channels with the corresponding RTP sessions.
Moreover, the agility and flexibility with which Internet identities can be obtained allows an attacker to launch a “smoke gas” attack. Consider an attacker who has learned of a warrant issued against him. Owing to the prevalence of dial-up VoIP solutions such as those offered by AOL and Netzero, and soft-phone software such as Skype, the attacker could quite easily obtain several new accounts, and initiate phone calls from each of these new accounts to himself. Alternatively, the attacker could lease botnets, install soft-phone software on the zombie machines and commandeer them to dial his phone number simultaneously. In contrast to the aforementioned attack, each phone call would originate from a unique phone number and the LI systems would parse these calls to build the detailed call graph. Some botnets have been known to consist of as many as 200,000 machines. Even if, under a conservative assumption, each of these machines were behind dial-up access (64 Kbps), the attacker would be able to create a flood of 1.28 Gbps — enough to congest an OC-12 or GigE link in an ISP. In addition, building a call graph with
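As an added illustration, not from the article or from any LI product, of the network-side check an ISP could place in front of the intercept device: the Python below runs over constructed SIP INVITE records and flags both patterns described above, a single originating number flooding INVITEs (the spam flood) and many distinct originators dialing one number within a short window (the smoke gas attack), while capping the per-originator dialog state that a flood would otherwise exhaust. The record format, the thresholds and the state cap are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records (not from the article): "<epoch s> INVITE from=<caller> to=<callee> call-id=<id>"
SAMPLE_LOG = """\
1000 INVITE from=+15551000001 to=+15552000000 call-id=a1
1000 INVITE from=+15551000002 to=+15552000000 call-id=a2
1001 INVITE from=+15551000003 to=+15552000000 call-id=a3
1001 INVITE from=+15551000004 to=+15552000000 call-id=a4
1002 INVITE from=+15553000000 to=+15552000000 call-id=b1
1002 INVITE from=+15553000000 to=+15552000000 call-id=b2
1003 INVITE from=+15553000000 to=+15552000000 call-id=b3
1100 INVITE from=+15559999999 to=+15552000000 call-id=c1
"""

WINDOW = 10           # seconds of history kept per key (assumed value)
FLOOD_THRESHOLD = 3   # INVITEs from one originating number within WINDOW -> "spam flood"
FANIN_THRESHOLD = 4   # distinct originators dialing one target within WINDOW -> "smoke gas"
MAX_PENDING = 2       # SIP dialogs held in memory per originator before new ones are shed

def parse_invite(line):
    ts, _, frm, to, cid = line.split()
    return int(ts), frm.split("=", 1)[1], to.split("=", 1)[1], cid.split("=", 1)[1]

def monitor(lines):
    """Return (sorted alerts, call-ids shed by the per-originator state cap)."""
    by_origin = defaultdict(deque)   # originator -> deque of (ts,)
    by_target = defaultdict(deque)   # target -> deque of (ts, originator)
    pending = defaultdict(dict)      # originator -> {call-id: ts}, capped at MAX_PENDING
    alerts, shed = set(), []
    for line in lines:
        ts, frm, to, cid = parse_invite(line)
        for dq in (by_origin[frm], by_target[to]):
            while dq and dq[0][0] < ts - WINDOW:   # forget history older than WINDOW
                dq.popleft()
        by_origin[frm].append((ts,))
        by_target[to].append((ts, frm))
        if len(by_origin[frm]) >= FLOOD_THRESHOLD:
            alerts.add(("sip-flood", frm))
        if len({o for _, o in by_target[to]}) >= FANIN_THRESHOLD:
            alerts.add(("smoke-gas-fanin", to))
        # Bounded state: at most MAX_PENDING live dialogs per originator, so a flood
        # cannot grow the SIP-to-RTP association table without limit.
        live = {c: t for c, t in pending[frm].items() if t >= ts - WINDOW}
        if len(live) >= MAX_PENDING:
            shed.append(cid)
        else:
            live[cid] = ts
        pending[frm] = live
    return sorted(alerts), shed
```

Records arriving after the window has slid (the last sample line) no longer count against either threshold, so a quiet target returns to a clean state without the monitor holding unbounded history.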