that many identities may stress the CPU and memory resources of the intercept device itself. Lastly, the call quality of legitimate callers would certainly suffer, since the media gateway controllers within the ISP would be expected to stop admitting new calls during the call storm.

The publicly addressable components of an LI system such as the reporting portals also introduce new vulnerabilities into an ISP’s infrastructure. An attacker could initiate a buffer overflow exploit against the Web portal in order to gain backdoor entry into the ISP’s infrastructure. Exacerbating this is the fact that the tools and resources for achieving such exploits are quite easily available. The attacker could begin with ICMP pings to determine publicly accessible machines and continue with port scans and OS fingerprinting techniques to determine open services on a machine, and then install malware known to exploit those services. Once the attacker has gained backdoor entry into the ISP’s infrastructure, he could eavesdrop on all communications and parse all of the traffic. He could determine if a subpoena has been initiated against him, and thereby stay a step ahead of LEAs in the intercept battle.

Why exactly would this be important for carrier networks and ISPs? Well, a lot of the DoS, DDoS, scan and worm attacks seen to date on the Internet have been launched by thrill-seeking script kiddies, cyber extortionists looking to make a quick buck, or by spammers looking for un-patched, vulnerable machines so that they could add them to their bot armies. However, once ISPs become compliant with CALEA and ETSI in 2007, the scenario will very likely change as “cyber mafias” could gain yet another customer. In fact, criminals or terrorists who learn of impending intercept warrants against them could be expected to approach cyber mafias to prevent successful interception. The results could be disastrous, with cyber attacks launched as fast as warrants are issued.

Unfortunately, ISPs and carriers will bear the brunt of such a mafia nexus. Imagine being an ISP that suddenly starts fielding a huge number of phone calls from disgruntled customers who couldn’t check their e-mails, couldn’t access their banking accounts and couldn’t order lifesaving drugs online, all because they were being DDoSed for opening up a cyber warrant against a particular target.

LI Security Solution

Fortunately, solutions and techniques that have been developed to solve the general problem of Internet security can be applied to securing LI infrastructure as well. The pertinent requirements of such a security solution would call for visibility across all the layers of the OSI stack as well as scalability to the high-speed links found in carrier-class networks. It is imperative to point out that, since every network has different traffic characteristics, an effective carrier-class security solution must adapt on the fly to subtleties in traffic patterns to provide a high detection rate while minimizing the false-positive rate (defined as the instances where legitimate traffic is classified as malicious).

Once an attack is discovered, it can be mitigated before it affects the LI infrastructure or even the ISP’s network, thereby protecting the integrity of the intercept. Common mitigation methodologies such as Access Control Lists and Blackholing or null-routing can be used to drop all attack traffic at the edge routers of the ISP, before it affects the rest of the network. However, in some cases, it may be desirable to further investigate the attack traffic, which can be achieved via mitigation solutions such as Sinkholing or re-routing attack traffic to a different part of the network where it can be scrubbed and further analyzed. This can serve as an important tool for LEAs, who can then inspect the attacks to look for circumstantial evidence that can further implicate a target for interfering with the investigation.
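The adaptive detection and false-positive trade-off described above, as an added example that is not part of the original article: a small Python detector that learns a per-link baseline from the network's own traffic, flags samples that exceed it, and scores detection and false-positive rates (in the article's sense) against constructed, labelled per-second packet counts. The link counters, the EWMA parameters and the attack labels are all assumptions made for the illustration.

```python
# Added example for this article, not the author's or any vendor's code.
# Assumes one packets-per-second counter per protected link (constructed
# below); attack labels exist only to score the detector, as an operator
# would when tuning it against a capture of a real call storm or flood.
from math import sqrt


class AdaptiveDetector:
    """Flag a sample when it exceeds this link's learned baseline by k sigma."""

    def __init__(self, warmup=5, alpha=0.2, k=4.0):
        self.warmup, self.alpha, self.k = warmup, alpha, k
        self.samples, self.mean, self.var = [], 0.0, 0.0

    def observe(self, count):
        """Return True if `count` looks like attack traffic on this link."""
        if len(self.samples) < self.warmup:  # learn the quiet profile first
            self.samples.append(count)
            n = len(self.samples)
            self.mean = sum(self.samples) / n
            self.var = sum((s - self.mean) ** 2 for s in self.samples) / n
            return False
        if count > self.mean + self.k * max(sqrt(self.var), 1.0):
            return True  # attack: do not let it poison the baseline
        diff = count - self.mean  # normal: track drift on the fly (EWMA)
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return False


def score(detector, labelled):
    """Return (detection_rate, false_positive_rate) over (count, is_attack) pairs.

    False-positive rate follows the article's definition: legitimate samples
    classified as malicious, divided by all legitimate samples.
    """
    hits = fps = attacks = legit = 0
    for count, is_attack in labelled:
        flagged = detector.observe(count)
        attacks += is_attack
        legit += not is_attack
        hits += flagged and is_attack
        fps += flagged and not is_attack
    return hits / max(attacks, 1), fps / max(legit, 1)


# Constructed per-second packet counts for one link: steady ~100 pps, a
# three-second flood, then normal traffic again.
SAMPLES = [(c, False) for c in (100, 104, 98, 102, 96, 103, 99)]
SAMPLES += [(c, True) for c in (5000, 4800, 5200)] + [(101, False)]
```

Lowering `k` raises the detection rate on subtler floods at the cost of more legitimate bursts being flagged, which is exactly the trade-off an operator tunes per link.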
In summary, the deployment of a Lawful Intercept solution without a corresponding carrier-class security solution can not only compromise an ISP’s ability to comply with a warrant from an LEA, it can also increase the risk of attack on core service and routing infrastructure.