Regulating Away DDoS Attacks?

November 27th, 2006

By Kevin McTiernan

At the Blocking Denial of Service Attacks on the Internet conference held earlier this month in London, leading Internet lawyer, Lilian Edwards, argued that ISPs should be held financially responsible for DDoS attacks carried out via their networks. Edwards, a published author and authority on legal issues of the Internet, believes that ISPs should be legally required by their government to prevent DDoS attacks.

Edwards’ argument has merit. In my opinion, it is similar to when parents are held accountable for their children’s actions or a television network is penalized for violating indecency standards. In these cases, it is not the child or the television program’s producers that are penalized; it is the person that should be providing oversight. In fact, many telecommunications regulations exist today that result in penalties or fines if violated. Examples include number portability, E-911, CALEA, etc.

I do have some problems with the argument, however. The first problem with the argument is that the bots or zombie computers that launch the attacks do not only seek out computers on ISPs. They look for any vulnerable system and find them on ISPs as well as enterprises, hosting facilities, cyber cafés and metro WiFi networks. Think back to 2003 and the Slammer worm - remember the story about the Ohio nuclear plant and how the worm got in? My point is that if you limit the requirement to the ISPs, you still have many more vulnerabilities that must be addressed. Extending the regulation to enterprises, cyber cafés and metro WiFi networks may cause access to be limited or not offered.

The second problem with the argument is that of governance of the Internet. While phishing scams can be investigated and broken in countries where regulation is present and a judicial system will prosecute such crimes, many parts of the world do not have such standards and the scams go untouched. In those same parts of the world, the bot viruses are written, the DDoS attacks are launched and the damage is done - the double-edged sword of the Internet is that it is available anywhere. Requiring an ISP to spot a local, vulnerable system in the UK or the US may not prevent the attack if it is executed from Kenya, for example.

The third problem is that carriers are prohibited from controlling traffic on their network. While the prohibition against such “blocking” or “rate limiting” is in the form of public outcry, it is a definite part of the net-neutrality debate and as such may be regulated shortly. A prime example of the issue is with Skype and its roughly 100 Million subscribers (see “What’s the problem with Skype anyway?” below for more information).

I’m not about to say that the only problem that carriers have with Skype is the security threat. Skype (and other providers, such as Vonage) are costing carriers millions of dollars daily in lost revenue for traditional phone services. My point is there are many facets to the net-neutrality debate. By saying carriers cannot control the services that are run in the network - which would end the concept of charging a tariff to quality-sensitive content providers (YouTube, Skype or Vonage) – you in effect limit their ability to prevent such attacks by blocking security threats.

However, the free market is driving change. Enterprises and other consumers of carrier services are embracing the idea of a security service level agreement (Security SLA) whereby the carrier ensures a “clean pipe” either as part of their service (which keeps existing while luring new customers) or with a fee (which increases revenue). Major carriers in the US and Europe are embracing this shift and managed service providers (such as VeriSign, NeuStar and KSR) are seeing growth and are making acquisitions to keep pace. And, corporate behemoths, such as IBM and Cisco, are making security a major business component.

I do agree fully with Edwards that the Internet is a component of the critical national infrastructure, and governments the world over must treat it as such. But the economics of the situation (competitive advantage or revenue opportunity) are causing carriers to respond to this economic driver much quicker and with more promise than they would to any regulation.

Here’s an article from NewScientist.com news service where Lilian Edwards is interviewed on the argument she made.

Here’s a link to books by Lilian Edwards on the topic of law and the Internet.

Municipal WiFi – Social Program or Utility?

November 16th, 2006

By Kevin McTiernan

Those outside the San Francisco Bay Area may or may not be aware of the juggernaut underway in San Francisco over Municipal WiFi (or maybe they are witnessing their own version). After a nearly two-year process, Google/Earthlink were selected to provide inexpensive WiFi to the city. Similar to other locations, the business model would offer a free, ad-sponsored service and a paid, premium service. While most hoped to be able to access the service by the end of this year, it will most likely be available in late 2007. The delays are mostly political and are evidenced in the criticisms voiced thus far in town-hall meetings sponsored by Google and Earthlink. Requests range from no ads on the free service, to Google paying to bus kids to the zoo, to changes such as not requiring users to log in. While an outsider may characterize it as lunacy, it really demonstrates how many perspectives people can have on the same issue and what makes San Francisco such a great city.

But is Muni-WiFi a social program or a utility? Whether free or not, people will expect a certain quality of service. How can Google/Earthlink maintain the integrity (and thus QoS) if anyone is allowed to attach to the network? What’s worse, in the event of a natural or other disaster, such “openness” could be used against the network to frustrate the efforts of first responders or citizens looking to be informed. An untraceable, open network full of users and the potential for press is the dream scenario for most hackers. When such attacks happen, and they will, law enforcement will be called on to investigate and punish those behind the deed. With no logins, nothing to verify the user, law enforcement’s investigative ability will be severely hampered – unless they infiltrate the bus ride to the zoo.

Which brings me to my angle on the situation – such networks will need to assist law enforcement with investigations. WiFi at 300 kbps (the rate for free WiFi in San Francisco) is broadband. If it accesses the public Internet, it is Internet Access. Broadband Internet Access is required to comply with CALEA (the Communications Assistance for Law Enforcement Act) by May of 2007. This means that all of these Muni-WiFi networks will have to enable the ability to assist law enforcement with investigations (including lawful intercept).

I think people might want to stop looking at Muni-WiFi as a social program and start looking at it for what it is, a utility - just like electricity. It is expected to be there when needed and it must be allowed to put in measures such as power meters (to get paid) or the ability to turn off a node (block access) to ensure the grid stays up. The fact that it may be accessed for a cheap price must not change this view.

What The “Monkey Arms War” Can Teach Us About Network Security

November 12th, 2006

By Kevin McTiernan

A story appeared on the Time magazine website in October describing a serious problem in India – the city of Delhi is inundated with Rhesus monkeys. With monkeys considered sacred by Hindus, a feast of bananas and peanuts left out for them is commonplace. Encroachment on their habitat, coupled with years of inaction and the “feasts,” have brought the monkey population in Delhi proper to as much as ten thousand. In search of food, they have attacked people, broken into Parliament, kept people from entering homes and wreaked havoc in offices (in 2002, a pack of monkeys attacked students at a girls’ college in Darjeeling, India; and, in 2004, monkeys were blamed for ransacking the offices of the Ministry of Defense). Initial responses to the problem were for offices to glue windows shut. But a new solution has taken hold - langurs (large black-faced apes) are now being deployed by office building managers and city officials to protect buildings and scare away the monkeys.

Primatologists believe that using langurs is a bad idea for several reasons. First, the apes only scare the smaller monkeys, just moving them to another building or part of the city. Second, there is evidence that the apes will eventually coexist with the monkeys and no longer scare them. Third, the apes are scary (and potentially dangerous) to humans. Fourth is the obvious cruelty aspect. The final reason comes from me: hasn’t anyone there ever watched Planet of the Apes?

When I first read the article, I laughed out loud and explained the story to nearby coworkers. I then found myself intrigued about the subject and read more, realizing the business lessons it provided; in particular to network security:

The monkeys are similar to hackers or botnets. The growth of the Internet and a limitless “feast” of resources consisting of unprotected home computers and only slightly more protected computer networks have resulted in their population and audacity to swell. Some businesses completely lock down networks through firewalls (glue their windows shut), and while seemingly protected, in turn actually keep employees imprisoned and customers disinterested. And, some of what people would assume to be the most secure facilities (Ministry of Defense or Parliament), turn out to be vulnerable to the most basic of attacks or exploits. The quick reaction of deploying a “bigger hammer” (langurs) to scare away attackers will work only with the smaller threats. But in reality, this approach will simply cause the tactic to change to another location or to come back in a larger group - but you can be assured, they will be back! Finally, a static system, over time, will not be much of a deterrent at all - only by learning and adapting can the threat be eliminated while not affecting service. This agility gained through learning and adaptation will ensure that when the next threat changes shape (from monkey problem to lion problem, for example) your security solution does not become a zoo of deterrents.

Check out the original story in Time Magazine and another one from HTT.

An Aside

The whole saga is oddly reminiscent of an episode of the Simpsons (“Bart the Mother”) where Bart is forced to care for two eggs after killing a bird. The eggs turn out to be that of a lizard that eats bird eggs. The town decides the lizards must be killed, but change their minds after they learn the lizards kill pigeons. With “feathered rats” out of the picture and lizards running rampant, the next plan becomes to deploy snakes to wipe out the lizards. To rid the town of snakes the plan is to use gorillas that like snake meat. They hope the task will be completed by winter as the next plan is to let the apes freeze to death.

Radar has a great timeline of how this story is the beginning of our path to the Planet of the Apes.

The Simpson Archive has the “Bart the Mother” episode.

Net Neutrality, Politics and My Checkbook

November 12th, 2006

By Doug Miller, Director-Channel Management

Just when you thought it was over, here come the politicians again trying to revive Net Neutrality legislation. Political pressures have forced the issue to become a potential roadblock to the AT&T–Bell South merger. Without it, pundits say that the FCC may block the merger. It’s definitely something to watch for in this post-election environment.

While there are very real and valid arguments both for and against this type of open structure, for me it should come down to a free market. The Internet should be no different than the rest of our society in that consumers get to choose with their purchasing decisions. With carriers, service providers and content owners openly competing for purchasing dollars, it would seem that they will make the best choices for the consumers and ultimately for themselves. Competition, reinforced by anti-trust laws, is thus a far better protector of the interest of consumers, carriers and content providers than government ownership or regulation.

Let’s take an example of an environment without Net Neutrality regulation (today’s status quo). Say that DSL Provider A decides to charge content providers to ride its network. Google and Yahoo! pay the fee, but eBay and Amazon do not. In this case, it stands to reason that many consumers would rather go to Cable Operator X for their service where they have equal access to everything (a conscious choice made by Operator X). Provider A then changes its structure to keep up with the dreaded churn and innovates to launch new services that will bring customers back. Operator X sees this and launches its own new services like managed VoIP or P2P services, and sets QoS higher for those services to ensure that customers get the best possible experience. There’s competition, new services are conceived and launched, billing plans are changed. Everybody, including the consumer, wins.

Now, let’s take a similar example with Net Neutrality regulation. All of a sudden, Provider A and Operator X are relegated to nothing more than bit pipes that can only compete on aggregate speed and price. Sounds a lot like a commodity, right? Sure, they can bundle data services with home phone service and maybe TV, but they have lost any incentive to launch new branded services since they really can’t legally guarantee QoS or QoE. In essence, Net Neutrality, with all of the good intentions that go along with it, would have effectively stifled new service delivery, innovation, desire for growth, etc. Why would carriers continue to pour literally billions of dollars into their networks if their only payback is to sell bits? Sure, it would be a big win for content providers, but that’s not going to get carriers to increase the network performance and security to the point that the services would be valuable and worth paying for.

The “access” honeymoon is over. The market is demanding more than just fast service to check e-mail, stock quotes and weather reports. Where will the money be made? If it’s not going to be made by the carriers, why will they continue to spend the money so that content providers can reap the rewards? Basic economics says that just won’t happen. It’s time for carriers to get broadband in every home and to give them free rein to manage their networks based on consumer demand. And let’s all get real here. Will any carrier in their right mind block or otherwise limit access to Google, Yahoo!, eBay, Amazon, etc.?

So, do we let the politicians decide for us? Do they have the networking knowledge and insight to make these decisions? Or, do we let carriers and service providers with advanced DPI tools, monitoring systems, security solutions, and other key network management applications and skills go head-to-head with each other and let them fight for our monthly Internet budget? I, for one, am up for a good fight and one that is conducted not in the courtroom or on Capitol Hill, but on my computer and in my monthly bill.

IMS and Security: Keeping the Internet Safe in a World of SoIP

November 3rd, 2006

By Dr. Antonio Nucci

My article on IMS and Security was just published by the IMS Magazine in its October 2006 issue.

As I discussed in the article, it used to be easy to secure a telephony connection. Traditional phone companies owned their networks and controlled every inch of the connection between their central offices and the simple telephone instrument at the other end. Today’s complex, ever-changing carrier environment has become fertile ground for a host of new, sophisticated threats, vulnerabilities and malicious attacks.

Forward-looking carrier architectures such as IMS require a next-generation systems approach to security, one that is designed for use on large, complex, high-speed networks and can adapt to rapidly-changing environments and new service offerings. Such a system must provide full visibility into all the elements in the network, and the ability to manage and correlate all the information from those elements at extremely high speeds. It must also employ advanced algorithms, based on advanced mathematical principles such as information entropy and signal processing, which see well beyond traditional volume- or signature-based appliances and point solutions.
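The paragraph names information entropy as one of the principles that lets a carrier-scale system see what volume thresholds and signatures miss. The following is an added illustration of that idea, not code from the article or from the author's system: it bins constructed flow records into one-minute windows, measures the Shannon entropy of the source and destination address distributions in each window, and labels a window against an assumed-clean baseline. The flow data, the window length, the 50% drop threshold and the "flood"/"scan" labels are all assumptions made for the example; a production system would learn the baseline per link and per time of day rather than from the first three windows.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def normalized_entropy(values):
    """Entropy scaled by its maximum log2(N) for N observations, so the result
    lies in [0, 1]: 0 when every value is identical, 1 when all are distinct.
    Returns 0.0 for fewer than two observations (no distribution to measure)."""
    n = len(values)
    if n < 2:
        return 0.0
    return shannon_entropy(values) / math.log2(n)


def window_features(flows, window_s=60):
    """Bucket (ts, src, dst) flow records into fixed windows and return a list of
    (window_start, src_entropy, dst_entropy, flow_count) ordered by time."""
    buckets = defaultdict(list)
    for ts, src, dst in flows:
        buckets[int(ts // window_s) * window_s].append((src, dst))
    features = []
    for start in sorted(buckets):
        srcs = [s for s, _ in buckets[start]]
        dsts = [d for _, d in buckets[start]]
        features.append((start, normalized_entropy(srcs), normalized_entropy(dsts), len(srcs)))
    return features


def classify_windows(features, baseline_windows=3, drop=0.5):
    """Label each window against a baseline built from the first `baseline_windows`
    windows (assumed attack-free). Destination entropy collapsing while source
    entropy stays high is the shape of a flood (many sources, one victim); source
    entropy collapsing while destination entropy stays high is the shape of a sweep
    (one source, many targets). Returns a list of (window_start, label)."""
    base = features[:baseline_windows]
    base_src = sum(f[1] for f in base) / len(base)
    base_dst = sum(f[2] for f in base) / len(base)
    labels = []
    for start, h_src, h_dst, _count in features:
        if h_dst < drop * base_dst and h_src >= 0.9 * base_src:
            labels.append((start, "flood"))
        elif h_src < drop * base_src and h_dst >= 0.9 * base_dst:
            labels.append((start, "scan"))
        else:
            labels.append((start, "normal"))
    return labels


def constructed_flows():
    """Five one-minute windows of constructed (ts, src, dst) records, not captured
    traffic: windows 0-2 carry ordinary client/server background only, window 3
    adds a flood from 200 spoofed sources against one server, and window 4 adds a
    sweep of 100 addresses from a single source."""
    clients = [f"10.0.0.{i}" for i in range(20)]
    servers = [f"192.0.2.{j}" for j in range(10)]
    flows = []
    for w in range(5):
        base = w * 60
        for i, client in enumerate(clients):      # background: two flows per client
            for k in range(2):
                flows.append((base + i, client, servers[(i + k + w) % 10]))
        if w == 3:                                 # flood: spoofed sources -> one victim
            for n in range(200):
                flows.append((base + n % 60, f"198.51.100.{n}", servers[1]))
        if w == 4:                                 # sweep: one source -> many targets
            for n in range(100):
                flows.append((base + n % 60, "203.0.113.7", f"192.0.2.{100 + n}"))
    return flows


if __name__ == "__main__":
    for start, label in classify_windows(window_features(constructed_flows())):
        print(f"window starting t={start:3d}s: {label}")
```

The point the example makes is that the flood window carries six times the background packet count, but it is the shape of the distribution, not the volume, that separates it from a sweep of the same size: both are "more traffic", while only the entropy pair tells a flood (destination entropy near zero) from a sweep (source entropy near zero).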

At the end of the day, carriers must have a security paradigm shift and evolve to holistic network security systems, if we are to keep the Internet safe in the new world of SoIP (Services over IP).

Mueller Wants Data Retention!

October 20th, 2006

By Kevin McTiernan

In a speech at the International Association of Police Chiefs conference in Boston, FBI Director, Robert Mueller, made the case for Data Retention. This echoes a request just over a month ago from Attorney General Alberto Gonzales. Of concern is the ability for terrorists and criminals to cloak themselves “in the anonymity of the Internet.” Data Retention is the requirement for an ISP or Service Provider to keep records of communications and store them for a period of time. The purpose of this is to allow Law Enforcement (under court approval and judicial oversight) to request the records from the carrier to conduct investigations.

What they are asking for is not new. The European Union passed Data Retention legislation in December 2005 (Directive 2006/24/EC). It requires retention for a period of 6 to 24 months. It also requires all service providers to comply by September 15, 2007 (for traditional telephony service) and by March 15, 2009 (for Internet access service). Member states can legislate the retention period and the deadline for Internet access (September 2007 or March 2009).

Ireland, Spain, Malta, Italy, Denmark, Portugal, France, Slovakia and Hungary currently require compliance for traditional telephony and Internet access by September 2007. The United Kingdom, Czech Republic, Germany, Luxembourg, the Netherlands, Slovenia, Sweden, Poland, Lithuania, Austria, Cyprus, Belgium, Estonia, Greece, Finland, and Latvia require compliance for traditional telephony by September 2007 and Internet access by March 2009.

The fact that the legislation in the U.S. is behind Europe on Data Retention should not be a surprise. The “cuffs” put on U.S. law enforcement (no pun intended) when compared to European law enforcement are staggering. The mandate for carriers to assist in the interception of Internet Access in the U.S. is only coming around in May 2007; Dutch ISPs have been mandated to provide this since 2002! The intercept order rate in Italy is 1 per 600 persons; it’s about 1 per 170,000 in the U.S. Italy authorizes 300 times more intercepts per person than the U.S.!

Comments of Director Mueller and Attorney General Gonzales.

Article on wiretaps in Holland.

A New Breed of Terrorist

October 20th, 2006

By Kevin McTiernan

U.S. Department of Homeland Security Chief, Michael Chertoff, described a new and unnerving scenario to the International Association of Police Chiefs in Boston last Monday – Internet resources geared towards radicalism combined with websites teaching terrorist tactics, resulting in a new breed of terrorist. “They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else and that diffusion of a combination of hatred and technical skills in things like bomb-making is a dangerous combination,” Secretary Chertoff said.

Bombing and other plots, both in the U.S. and overseas, have been thwarted by surveillance and infiltration of groups. With ready resources (websites, video, audio, chat rooms) to stoke their hatred and plan attacks, combined with the relative privacy of the Internet, how can this kind of terrorist be discovered, let alone be stopped? This is Chertoff’s concern, “Those are the kind of terrorists that we may not be able to detect with spies and satellites.” While terrorist cells wish to cause major damage to the U.S., one cannot ignore the home-grown terrorists – Columbine, the D.C. sniper, and most recently, the schoolhouse attack in Pennsylvania. Secretary Chertoff definitely has his hands full!

See Secretary Chertoff’s comments.

New article on “Skype: The Future of Traffic Detection and Classification”

September 5th, 2006

Pipeline included my article on Skype traffic detection and classification in its September issue. In this article, I discuss the future of traffic detection and classification, new concerns raised by this technology, and issues with privacy and authenticity. I also address the challenges of detecting Skype traffic and how “traffic classification in the dark” is a very effective protocol detection technique to solve this problem. Are you involved with this type of work? I’d really like to hear your thoughts on the topic.

VoIP Security: Detecting Even the Stealthiest of VoIP Attacks

August 10th, 2006

Scammers and spammers are increasingly employing Voice over IP (VoIP) as a new means of launching attacks targeting the infrastructure and services on the Internet. Given the ease of use and availability of VoIP technology, it is easy to foresee a future in which an attacker either legitimately or through ‘number-jacking’ (i.e., compromising software phones), amasses an army of phone numbers, readily available for launching any kind of attack through auto-dialing capability.

But just how serious are the threats posed to VoIP? We’ve already seen a string of attacks against either the VoIP infrastructure or end users. In one such incident, in early June of this year, two men were arrested for fraudulently routing approximately 500,000 calls over the VoIP network belonging to Net2Phone, a Newark, N.J., VoIP provider.

How would people’s attitudes toward technologies like VoIP change if they understood the ease with which hackers could either attack their phones, or worse, hijack their phone or number to launch an infrastructure attack? We believe these threats are very real. We also believe that the average user thinks of their VoIP phone in much the same way as their circuit switched phone - as private and secure.

We have recently introduced new security algorithms that have the unique capability of processing several million calls per second, from either ISPs or carrier links, in order to detect a wide variety of attacks:

  • Call spam, where a spammer places a large volume of automated calls through a few harvested phones
  • Scanning or “blind” flooding attacks aimed at “random” targets, and employed to discover SIP phone devices, proxy servers, registrars, etc.
  • Targeted flooding attacks (DoS, DDoS) employing high-intensity or repeated packets
  • Call hijacking or “man in the middle” attacks by intruders attempting to take control of a call
  • Exploit attacks (buffer overflow, SIP, etc.) designed to exploit vulnerabilities in VoIP or SIP implementations

Our philosophy is that securing VoIP is more than securing SIP. You must be able to secure protocols at all layers from 3 to 7, and deal with asymmetric traffic from multiple links. In future entries, we will discuss our systems approach in more detail.
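The first two items in the list above, call spam from a few harvested phones and blind scanning for SIP endpoints, both show up in signalling records as a single caller generating far more INVITE transactions than a person could, and they differ in what those transactions hit. The following is an added example, not the authors' algorithms or any product code: it profiles constructed INVITE records per caller and per minute, then labels a high-rate caller whose attempts mostly return "user does not exist" codes as a scan, and a high-rate caller reaching many distinct real users as call spam. The record format, the 20-attempts-per-minute rate limit, the 80% not-found ratio and the caller names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallAttempt:
    """One INVITE transaction as a signalling monitor would record it."""
    ts: float      # seconds since start of capture
    caller: str    # From URI user@host
    callee: str    # To URI user@host
    status: int    # final SIP response code (200, 404, 486, 487, ...)


# Final responses meaning the dialled user does not exist: a sweep probing for
# live extensions collects these, a real call campaign mostly does not.
NOT_FOUND = {404, 410, 604}


def profile_callers(attempts, window_s=60):
    """Aggregate attempts per (caller, window start): attempt count, distinct
    callees, and how many attempts hit a non-existent user."""
    profiles = defaultdict(lambda: {"calls": 0, "callees": set(), "not_found": 0})
    for a in attempts:
        p = profiles[(a.caller, int(a.ts // window_s) * window_s)]
        p["calls"] += 1
        p["callees"].add(a.callee)
        if a.status in NOT_FOUND:
            p["not_found"] += 1
    return profiles


def classify_callers(profiles, rate_limit=20, scan_fail_ratio=0.8):
    """Return (caller, window_start, label) for every caller with at least
    `rate_limit` attempts in a window. Attempts that mostly hit non-existent
    users are labelled "scan"; attempts that reach many distinct real users
    are labelled "call-spam". Callers below the rate are not reported."""
    findings = []
    for (caller, start), p in sorted(profiles.items()):
        if p["calls"] < rate_limit:
            continue
        fail_ratio = p["not_found"] / p["calls"]
        fanout = len(p["callees"]) / p["calls"]   # 1.0 = every attempt to a new user
        if fail_ratio >= scan_fail_ratio:
            findings.append((caller, start, "scan"))
        elif fanout >= 0.5:
            findings.append((caller, start, "call-spam"))
    return findings


def constructed_attempts():
    """Constructed signalling records, not captured traffic: two human callers,
    one auto-dialer placing 40 calls in a minute to 40 different users, and one
    host sweeping 60 consecutive extensions and getting 404 for nearly all."""
    attempts = [
        CallAttempt(5, "alice@example.net", "bob@example.net", 200),
        CallAttempt(20, "alice@example.net", "carol@example.net", 486),
        CallAttempt(40, "alice@example.net", "bob@example.net", 200),
        CallAttempt(70, "bob@example.net", "alice@example.net", 200),
    ]
    for n in range(40):   # auto-dialer: real users, mostly answered, some cancelled
        attempts.append(CallAttempt(n * 1.5, "dialer@203.0.113.10",
                                    f"user{n}@example.net", 200 if n % 3 else 487))
    for n in range(60):   # sweep: consecutive extensions, two of which happen to exist
        attempts.append(CallAttempt(60 + n, "probe@198.51.100.5",
                                    f"{1000 + n}@example.net", 200 if n in (7, 31) else 404))
    return attempts


if __name__ == "__main__":
    for caller, start, label in classify_callers(profile_callers(constructed_attempts())):
        print(f"{label:9s} {caller} in window starting t={start}s")
```

Two design points matter in practice. The rate limit alone would merge the two cases, and the two need different responses (a scan wants the probing source rate-limited at the edge; call spam wants the harvested accounts re-credentialed), so the final response code is what separates them. And because the profile is keyed on the From URI, a spammer rotating through harvested phones stays under the per-caller limit; that is the case the list's "few harvested phones" wording points at, and it is why the entropy of callers per callee over the whole link, not just per-caller counters, belongs in the same system.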