Pipeline Publishing, Volume 3, Issue 11
This Month's Issue:
The Long Arm of Telecommunications Law

Are Lawful Intercept Standards and Solutions in Denial about Denial-of-Service attacks?

By Dr. Supranamaya “Soups” Ranjan

With the May 2007 deadline for CALEA compliance getting closer, debates surrounding the social and moral ramifications of Lawful Intercept (LI) have begun raging once again. However, one issue that has not been raised, let alone discussed at length, is whether LI solutions are sophisticated enough to handle a clever adversary. Are LI solutions and standards in denial about denial-of-service attacks? The short and scary answer is yes, since a clever adversary can either launch attacks that thwart successful interception or exploit vulnerabilities in an LI system to launch other attacks. In the first case, an adversary can prevent Law Enforcement Agencies (LEAs) and ISPs from successfully intercepting targeted events and traffic data simply by launching a denial-of-service attack on the ISP's infrastructure. Secondly, a poorly architected LI solution may introduce new points of vulnerability within an ISP's network, leading to much larger attacks against the ISP's infrastructure post-compliance. The picture may appear gloomy, but ISPs can proactively address the challenge either by deploying LI solutions with built-in security capabilities, or by complementing LI deployments with proven network security solutions.

LI Solutions

All LI solutions can be characterized either as active, passive or hybrid. Active LI solutions consist of an intercept device interacting directly with network equipment such as media gateway control servers to obtain all the flows that match the user/service targeted by an LEA. In contrast, passive LI solutions sniff traffic off the wire, and the traffic is then analyzed offline by the intercept device and matched against the target. A hybrid LI solution is one that performs the initial target match passively against sniffed traffic, and on successful match, it configures the network equipment actively to intercept the media streams corresponding to the target.

Attacker Model

Irrespective of whether the intention is to deny successful interception or to exploit LI infrastructure to launch other attacks, attackers have access to an extensive and bewildering set of techniques that they can use to achieve their goal.

To illustrate the ease with which an attacker may thwart successful interception, consider an attacker who learns of an impending warrant against his VoIP phone number. His first reaction would probably be to stop all VoIP communication. Next, however, he could begin a “spam flood” attack targeted at the ISP(s) most likely to execute the warrant. In order to bring down the LI infrastructure, the attacker could launch a layer-7 SIP flood with his VoIP phone number as the originating number. In order to execute the warrant, the ISP would begin intercepting all the packets in the flood, and depending on which portion of the LI infrastructure is the least provisioned in terms of resources, one or all of the following components could be affected:

  • The access link between the routers and the intercept device can become congested once the routers start forwarding the entire packet storm to it.
  • The system resources of the intercept device may be exhausted during a SIP flood, since for every call it must build in memory the association between the SIP control channel and the corresponding RTP sessions.

Moreover, the agility and flexibility with which Internet identities can be obtained allows an attacker to launch a “smoke gas” attack. Consider an attacker who has learned of a warrant issued against him. Owing to the prevalence of dial-up VoIP solutions such as those offered by AOL and Netzero, and soft-phone software such as Skype, the attacker could quite easily obtain several new accounts and initiate phone calls from each of these new accounts to himself. Alternatively, the attacker could rent botnets, install soft-phone software on the zombie machines and commandeer them to dial his phone number simultaneously. In contrast to the aforementioned attack, each phone call would originate from a unique phone number, and the LI system would parse all of these calls to build the detailed call graph. Some botnets have been known to consist of as many as 200,000 machines. Even if, under a conservative assumption, each of these machines were behind dial-up access (64 Kbps), the attacker would be able to create a flood of 1.28 Gbps — enough to congest an OC-12 or GigE link in an ISP. In addition, building a call graph with
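The two flood patterns described above differ in what a monitoring point at the ISP edge would see: the “spam flood” is one originating number sending INVITEs at an abnormal rate, while the “smoke gas” attack is many distinct originating numbers converging on one called number within a short window. The following is an added example, not code from the article or from any LI vendor: a sliding-window detector over a constructed set of SIP INVITE records that flags both patterns, so that rate limiting can be applied to the offending signalling before it is forwarded down the LI access link and into the intercept device. The phone numbers, timestamps and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed SIP INVITE events as (t_seconds, caller, callee).
    These are placeholders for illustration, not real traffic."""
    events = []
    # Background traffic: a few ordinary calls from distinct callers.
    events += [(0.0, "+15550100", "+15550200"),
               (2.0, "+15550101", "+15550201"),
               (4.0, "+15550102", "+15550202")]
    # Pattern 1 ("spam flood"): one originating number sends 40 INVITEs in ~2 s.
    events += [(5.0 + i * 0.05, "+15550999", f"+1555{1000 + i:04d}")
               for i in range(40)]
    # Pattern 2 ("smoke gas"): 30 distinct numbers dial the same callee in ~3 s.
    events += [(10.0 + i * 0.1, f"+1666{i:04d}", "+15550999")
               for i in range(30)]
    return sorted(events)

def detect_floods(events, window=2.0, per_caller_limit=20, fan_in_limit=15):
    """Sliding-window detection over time-ordered INVITE events.

    Returns (flooding_callers, fan_in_callees):
      flooding_callers - callers that sent more than per_caller_limit INVITEs
                         within any `window`-second interval (spam flood)
      fan_in_callees   - callees that received INVITEs from more than
                         fan_in_limit distinct callers within `window`
                         seconds (distributed / smoke-gas pattern)
    """
    per_caller = defaultdict(deque)   # caller -> timestamps in window
    per_callee = defaultdict(deque)   # callee -> (timestamp, caller) in window
    flooding, fan_in = set(), set()

    for t, caller, callee in sorted(events):
        # Per-caller rate: evict timestamps older than the window, then count.
        q = per_caller[caller]
        q.append(t)
        while q and q[0] < t - window:
            q.popleft()
        if len(q) > per_caller_limit:
            flooding.add(caller)

        # Per-callee fan-in: count distinct callers still inside the window.
        r = per_callee[callee]
        r.append((t, caller))
        while r and r[0][0] < t - window:
            r.popleft()
        if len({c for _, c in r}) > fan_in_limit:
            fan_in.add(callee)

    return flooding, fan_in

if __name__ == "__main__":
    flooding, fan_in = detect_floods(build_sample())
    print("rate-limit candidates (single-source flood):", sorted(flooding))
    print("fan-in targets (many callers, one callee):", sorted(fan_in))
```

The per-caller check catches the first attack only because the attacker uses his own number as the originating number, which is exactly what makes the traffic interceptable; the per-callee fan-in check is what survives the second attack, where every source is unique and only the destination is constant. Both checks run in O(1) amortised per event and hold only the events inside the window, so the monitor itself does not grow its state with the size of the flood the way the intercept device's per-call SIP/RTP association does.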


© 2006, All information contained herein is the sole property of Pipeline Publishing, LLC. Pipeline Publishing LLC reserves all rights and privileges regarding
the use of this information. Any unauthorized use, such as copying, modifying, or reprinting, will be prosecuted under the fullest extent under the governing law.