Pipeline Publishing, Volume 3, Issue 11
This Month's Issue:
The Long Arm of Telecommunications Law 

Are Lawful Intercept Standards and Solutions in Denial about Denial-of-Service attacks?



that many identities may stress the CPU and memory resources of the intercept device itself. Lastly, the call quality of legitimate callers would certainly suffer, since the media gateway controllers within the ISP would be expected to stop admitting new calls during the call storm.

The publicly addressable components of an LI system, such as the reporting portals, also introduce new vulnerabilities into an ISP’s infrastructure. An attacker could launch a buffer-overflow exploit against the Web portal in order to gain backdoor entry into the ISP’s infrastructure. Exacerbating this is the fact that the tools and resources for such exploits are easily available. The attacker could begin with ICMP pings to find the publicly reachable machines, continue with port scans and OS fingerprinting to determine which services are open on each of them, and then install malware known to exploit those services. Once inside the ISP’s infrastructure, he could eavesdrop on all communications and parse all of the traffic. He could then determine whether a subpoena has been initiated against him, and thereby stay a step ahead of the LEAs in the intercept battle.

Why exactly would this be important for carrier networks and ISPs? To date, most of the DoS, DDoS, scan and worm attacks seen on the Internet have been launched by thrill-seeking script kiddies, by cyber extortionists looking to make a quick buck, or by spammers looking for unpatched, vulnerable machines to add to their bot armies. However, once ISPs become compliant with CALEA and ETSI in 2007, the scenario will very likely change, as “cyber mafias” could gain yet another customer: criminals or terrorists who, upon learning of impending intercept warrants against them, could be expected to hire such groups to prevent successful interception. The results could be disastrous, with cyber attacks launched as fast as warrants are issued.

Unfortunately, ISPs and carriers will bear the brunt of such a mafia nexus. Imagine being an ISP that suddenly fields a huge number of phone calls from disgruntled customers who could not check their e-mail, access their bank accounts or order lifesaving drugs online, all because the ISP was being DDoSed for opening up a cyber warrant against a particular target.

LI Security Solution

Fortunately, solutions and techniques developed to solve the general problem of Internet security can be applied to securing LI infrastructure as well. The pertinent requirements of such a security solution call for visibility across all the layers of the OSI stack as well as scalability to the high-speed links found in carrier-class networks. Since every network has different traffic characteristics, an effective carrier-class security solution must adapt on the fly to subtleties in traffic patterns in order to provide a high detection rate while minimizing the false-positive rate (the fraction of instances in which legitimate traffic is classified as malicious).

Once an attack is discovered, it can be mitigated before it affects the LI infrastructure or even the ISP’s network, thereby protecting the integrity of the intercept. Common mitigation methods such as access control lists (ACLs) and blackholing (null-routing) can be used to drop the attack traffic at the ISP’s edge routers, before it affects the rest of the network; note that a destination-based blackhole also discards legitimate traffic to the blackholed prefix, so it protects the rest of the network rather than the targeted host. In some cases, however, it may be desirable to investigate the attack traffic further, which can be achieved via sinkholing: re-routing the attack traffic to a different part of the network where it can be scrubbed and analysed. This can serve as an important tool for LEAs, who can then inspect the attacks for circumstantial evidence that further implicates a target for interfering with an investigation.
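As an added example (not code from the article or from any LI vendor), the following Python sketch shows the two properties this section asks for: an adaptive baseline whose detection rate and false-positive rate can be measured on labelled traffic, and a mitigation selector that maps each alert to one of the three techniques named above (ACL, null-route, sinkhole). It also catches the port-scan reconnaissance step described earlier in the article. The portal prefix, the scrubber next hop, the thresholds, the flow records and the Cisco IOS-style command strings are all assumptions for illustration.

```python
"""Adaptive volume/scan detector plus mitigation selector for an LI edge.
Added example, not from the article: portal prefix, scrubber hop, thresholds,
sample flows and the IOS-style command strings are all assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import sqrt

LI_PORTAL_NET = ip_network("198.51.100.0/29")  # assumed LI reporting-portal prefix
PORTAL_HOST = "198.51.100.2"                   # assumed portal address

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    pkts: int

class AdaptiveDetector:
    """EWMA baseline of per-window packets toward the portal. A window is
    anomalous above mean + k*sigma (sigma floored so a quiet baseline does not
    alert on jitter). The baseline learns only from alert-free windows, so a
    flood cannot lift the threshold; a slow ramp still can, the usual caveat.
    Port scans (one source, many destination ports) need no baseline."""

    def __init__(self, alpha=0.3, k=4.0, sigma_floor=10.0, warmup=3, scan_ports=10):
        self.alpha, self.k, self.sigma_floor = alpha, k, sigma_floor
        self.warmup, self.scan_ports = warmup, scan_ports
        self.mean, self.var, self.seen = None, 0.0, 0

    def threshold(self):
        return self.mean + self.k * max(sqrt(self.var), self.sigma_floor)

    def observe(self, flows):
        """Consume one window; return a list of (source or None, reason)."""
        per_src, ports = Counter(), defaultdict(set)
        for f in flows:
            if ip_address(f.dst) in LI_PORTAL_NET:
                per_src[f.src] += f.pkts
                ports[f.src].add(f.dport)
        total = sum(per_src.values())
        alerts = [(s, "port-scan") for s, p in ports.items() if len(p) >= self.scan_ports]
        if self.mean is None:
            self.mean = float(total)  # first window seeds the baseline
        else:
            thr = self.threshold()
            if self.seen >= self.warmup and total > thr:
                loud = [s for s, n in per_src.items() if n > thr]
                # no single loud source = distributed flood: only the victim is nameable
                alerts += [(s, "volume") for s in loud] or [(None, "distributed-volume")]
            if not alerts:
                d = total - self.mean
                self.mean += self.alpha * d
                self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.seen += 1
        return alerts

def choose_mitigation(alert, lea_case_open=False, scrubber="10.255.0.1"):
    """Alert -> (technique, IOS-style edge line). ACL: drop one recon source's
    traffic to the portal. Null-route: drop a single-source flood at the edge
    (source-based drop relies on loose uRPF on ingress). Sinkhole: distributed
    floods, or anything during an open LEA case, go to a scrubbing segment so
    the traffic is kept for analysis rather than discarded."""
    src, reason = alert
    if src is not None and not lea_case_open:
        if reason == "port-scan":
            return ("acl", f"access-list 101 deny ip host {src} "
                           f"{LI_PORTAL_NET.network_address} {LI_PORTAL_NET.hostmask}")
        return ("null-route", f"ip route {src} 255.255.255.255 Null0")
    return ("sinkhole", f"ip route {PORTAL_HOST} 255.255.255.255 {scrubber}")

def make_sample():
    """Constructed telemetry: eight one-second windows toward the portal."""
    win = defaultdict(list)
    for t in range(8):  # steady background from three sources, with jitter
        for i, (src, base) in enumerate({"10.0.0.1": 30, "10.0.0.2": 25, "10.0.0.3": 35}.items()):
            win[t].append(Flow(src, PORTAL_HOST, 443, base + (3 * t + 5 * i) % 11))
    for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        win[4].append(Flow("203.0.113.7", PORTAL_HOST, p, 1))        # recon: port sweep
    for t in (5, 6):
        win[t].append(Flow("203.0.113.9", PORTAL_HOST, 443, 5000))   # single-source flood
    win[6].append(Flow("10.0.0.4", PORTAL_HOST, 443, 60))           # benign burst, must not alert
    for b in range(40):                                               # 40 bots x 100 pkts
        win[7].append(Flow(f"203.0.113.{100 + b}", PORTAL_HOST, 443, 100))
    return dict(win)

def evaluate(windows, bad_sources, benign_sources):
    """Run the detector; return (alerts per window, detection rate, false-positive rate)."""
    det = AdaptiveDetector()
    alerts = {t: det.observe(flows) for t, flows in sorted(windows.items())}
    flagged = {s for found in alerts.values() for s, _ in found if s is not None}
    return (alerts, len(flagged & bad_sources) / len(bad_sources),
            len(flagged & benign_sources) / len(benign_sources))

if __name__ == "__main__":
    alerts, dr, fpr = evaluate(make_sample(), {"203.0.113.7", "203.0.113.9"},
                               {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"})
    for t, found in alerts.items():
        for alert in found:
            print(t, alert, choose_mitigation(alert, lea_case_open=(t == 7)))
    print(f"detection rate {dr:.2f}, false-positive rate {fpr:.2f}")
```

On the constructed sample the detector names the scanning source in window 4 and the flooding source in windows 5 and 6, ignores the benign burst in window 6, and raises only a victim-level alert in window 7 because no single bot exceeds the threshold; that last case is exactly where per-source ACLs and null routes stop working and a destination sinkhole toward a scrubbing segment is the remaining option. Freezing the baseline during alerts is what keeps the false-positive rate stable while an attack is in progress; in production the same logic would run per protected prefix and push the actions through RTBH/BGP rather than static routes.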

In summary, deploying a Lawful Intercept solution without a corresponding carrier-class security solution not only compromises an ISP’s ability to comply with a warrant from an LEA, but also increases the risk of attack on the core service and routing infrastructure.



© 2006, All information contained herein is the sole property of Pipeline Publishing, LLC. Pipeline Publishing LLC reserves all rights and privileges regarding
the use of this information. Any unauthorized use, such as copying, modifying, or reprinting, will be prosecuted under the fullest extent under the governing law.