IP Fraud: A Glimpse Into the Next Wave

Posted in Articles, Billing
Yahoo! had a glimpse of its vulnerability for several hours in February 2000. Meaningless little Internet messages began flooding in, from as many as 50 different sites. The site had experienced such attacks before, but nothing like this, as the volume swelled to a billion bytes per second. Soon, its servers were helpless to carry on business. On-line book vendor Amazon.com and other e-commerce sites were hit soon after.

Fighting network abuse is no longer simply a matter of clamping down on billing fraud, but a matter of survival. Yet billing fraud and other breaches of trust are not going away; in fact, the Internet presents an entirely new hunting ground for unauthorized people to mess with networks, attacking not only traditional Internet infrastructure, but managed IP networks as well.

New Tech, Old Tricks

We’re not talking about stealing credit card numbers from e-commerce sites—that’s yesterday’s news. History will tell you that as so-called next-generation network (NGN) services mature, the unscrupulous will find ways to reap a profit from—or wreak havoc on—the new applications, including VoIP, videoconferencing, VPNs and other proprietary or non-public networks.

Nor are these risks limited to the corporate environment. Residential customers, albeit at a slower rate than once expected, have access to enough broadband to run a small company. RHK Inc., a telecom market research firm in South San Francisco, reports that residential DSL use is growing at an annual rate of 71 percent and should count 18.6 million users in North America by 2004. In addition, more than 70 million homes in the United States subscribe to cable TV and could migrate to cable modems for obtaining broadband services. Such ubiquity increases the opportunity for fraud.

“A lot of risk stems from the nature of the Internet itself,” says Michael Allen, senior analyst for OSS and billing support systems with Aberdeen Group. “With packets moving willy-nilly through the network, it is relatively easy for someone with technical ability to snag some of these packets, modify them, use them or misuse them.”

Internet fraud falls into several chief categories, including unaccounted resource usage, harmful network usage, and revenue damage.

Unaccounted resource usage and impersonation
Unaccounted resource usage is accomplished by sidestepping a network’s log-in functions, thus gaining access to services without triggering any billing or tracking systems. The service provider can’t collect and the resource may not be available to legitimate users.

The login process doesn’t have to be sidestepped if someone can impersonate a legitimate user. IP spoofing—stealing another user’s identity—is a popular way of doing that, and there are instructions and tools for doing it available on the Internet. The spoofed user may end up with the bill for the service. Impersonators can guess, steal, or otherwise acquire the password of another user.

Harmful network usage
Harmful network usage, plus abuse that harms third parties, usually amounts to the denial of service attacks described earlier, or intrusion attacks. It often takes the form of vandalism committed by someone with a grudge against the Web site’s owner, or a competitor seeking to undermine the site. Denial of service attacks employ a barrage of otherwise legal messages that overload the server, and are often carried out with a technique called “smurfing” (see sidebar, “From Cramming to Smurfing: A Fraud Primer,” page XX). Smurfing attacks originate from unsecured servers on the Internet that the hacker has taken partial control over.

Revenue damage
Revenue damage takes advantage of specific use patterns such as callback or re-selling schemes that can’t be recouped by the network operator. These are tough to catch and result in untold millions in lost revenue. Revenue damage does not require any technical sophistication. For instance, someone with a discounted student account could sell his ID to someone who is not eligible for the discount. The abuse occurs entirely off the network. Callback schemes—which avoid higher call charges when a difference exists between the call rates at the two parties’ locations—merely require that someone call a specified phone number.

Such attacks expose network operators to loss of revenue, network downtime, customer dissatisfaction and other liabilities. Estimates of direct damages to network providers—including traditional phone networks—vary from $10 billion to $38 billion for 1999, according to NetEye Corp. The company, based in Woodbury, N.Y., develops IP fraud protection software.

IP Fraud Difficult to Track

The growth of fraud in cyberspace is creating opportunities for developers of IP fraud management tools. Aberdeen research indicates the market will almost triple by 2005, while the market for circuit-switched fraud management tools will decline (see Table 1).

With circuit-switched technology, fraud experts can meet security and billing requirements by satisfying the time and distance parameters inherent in the system’s operations. Switching paths for the call are set up, used for one purpose, and then broken. With packet-switched networks, however, developers of antifraud software have to rely on more than just time and distance measurements to track irregularities and unauthorized use.

With traditional telephone service, for instance, telcos can scan call records to spot unexplained increases in long-distance charges for a customer who rarely makes long-distance calls, a rather linear network view. This is not necessarily true with IP networks, where the complexities of packet routing and quality of service parameters add to the mix. Multiple fraud scenarios originate from multiple points on and off the network, which severely complicate investigations.

Data Travels Uncertain Path

Not only that, but data may not be attributable to a particular owner, especially if the content is encrypted or hopping across multiple networks owned by disparate ISPs. Interruptions in service or other intrusion may occur on one network and not show up when the data hits other networks. Yet, to determine whether fraud has occurred, network owners must be able to identify the content in the packets and match it with the right customer’s network privileges and other service level agreement aspects. What really matters is the content of the packets, and the network privileges assigned to the user.

Other factors make tracking fraud on the Internet difficult:
· IP network protocols have few or no embedded security features.
· On the public Internet, multiple services share the same network.
· The Internet comprises a vast number of access points and servers, but any given service provider has control over only a handful.
· The commercial environment is highly competitive, with little customer loyalty.
· Different parts of the network and different aspects of the same service can be supplied by different vendors.
· Detailed hacking instructions, and even sophisticated software tools, are freely accessible on the Internet. With the right research gumption, even non-experts can learn to perform sophisticated fraud and hacking attacks.
· It’s tougher to track usage-based and content-based billing for non-voice services.

Though businesses often use firewalls to protect their private networks from the Internet jungle, firewalls are just another tool, and without constant adjustment may not be able to distinguish legitimate traffic, says Allen at the Aberdeen Group.

The Threat From Within

Meanwhile, there is the problem of internal fraud, which can be far more severe or pervasive than anything an outsider could accomplish. A typical example is a cable installer who, in return for cash, allows a subscriber to have a level of access for which he has not paid. This kind of fraud can go unnoticed for a long time unless there is a central location where usage information from the network is correlated with application and billing information.

The fight against IP fraud must be a fundamental consideration in all network operations and based on a central, cost-efficient fraud management system (FMS). A central system requires fewer personnel, lessening the chance that undetectable fraud is committed at their level. The FMS also needs to be adaptable as new frauds and new defenses pop up.

Shopping for an IP Fraud System

Experts suggest the following functions and features to look for when choosing an IP fraud system:
· The ability to collect information from multiple sources on the network, including what’s happening with the authentication server, the basic application, various parts of the network including those serving wireless users, other servers used by the service provider regardless of their operating system, and probes of packet content.
· A user-friendly interface, where the operator defines rules and examines results, drilling down to investigate suspicious data.
· Real-time traffic analysis, so that attacks can be spotted and countered immediately.
· Interfaces to other applications, such as maintenance trouble ticketing and workflow management.
· The ability to monitor existing antifraud systems, including firewalls, LDAP servers, VPN gateways, and RADIUS servers.
· Even in the face of off-network abuse, where less information will be available, the operators need enough information to take effective action.
· The system should not impair the capacity of the network.
· There must be ways to refine monitoring parameters to continually reduce the number of “false positives.”
· Fraud vendors must be able to provide expert consulting, because the level of expertise needed for effective fraud management may exceed that of the system operators.
· The antifraud software must be reliable but also scalable, maintaining reliability as the network grows.
· The FMS must be able to protect itself from attack. If all else fails, it must be able to indicate that an attack has taken place.
· It must be adaptable enough to support whatever next-generation network services come down the pike.
· It must support dynamic IP addressing and address translation; identifying users is not a matter of simply mapping an IP address to a user.
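As an added illustration of the correlation these features call for (the central usage-to-billing correlation of the previous section and the dynamic addressing point above), not code from the article or any vendor: constructed RADIUS accounting sessions and probe usage records are joined by address and time, so that usage no session explains (unaccounted resource usage) and subscribers whose attributed usage exceeds their billed allowance (the cable-installer case) both stand out. All subscriber names, addresses, timestamps and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """RADIUS accounting record: subscriber, leased address, ISO start/stop times."""
    user: str
    ip: str
    start: str
    stop: str

@dataclass
class Usage:
    """Probe usage record: address, ISO timestamp, megabytes moved."""
    ip: str
    ts: str
    mbytes: int

# Constructed sample data (ISO timestamps compare correctly as strings).
# 10.0.0.5 is leased to two subscribers in turn: an address alone names nobody.
SESSIONS = [
    Session("alice", "10.0.0.5", "2000-02-07T08:00", "2000-02-07T12:00"),
    Session("bob", "10.0.0.5", "2000-02-07T12:30", "2000-02-07T18:00"),
    Session("carol", "10.0.0.9", "2000-02-07T09:00", "2000-02-07T17:00"),
]
USAGE = [
    Usage("10.0.0.5", "2000-02-07T09:15", 120),  # within alice's session
    Usage("10.0.0.5", "2000-02-07T13:45", 900),  # within bob's session
    Usage("10.0.0.5", "2000-02-07T12:10", 40),   # no session covers it: unaccounted
    Usage("10.0.0.9", "2000-02-07T10:00", 700),  # within carol's session
    Usage("10.0.0.9", "2000-02-07T16:00", 600),  # within carol's session
]
BILLED_MB = {"alice": 500, "bob": 2000, "carol": 500}  # billed allowance (constructed)

def owner_of(u, sessions):
    """Subscriber whose session covered this address at this time, else None."""
    return next((s.user for s in sessions
                 if s.ip == u.ip and s.start <= u.ts <= s.stop), None)

def unaccounted(usage, sessions):
    """Usage no accounting session explains: resources consumed but never billed."""
    return [u for u in usage if owner_of(u, sessions) is None]

def over_allowance(usage, sessions, billed):
    """Subscribers using more than billing says they pay for (e.g. a tier raised by an insider)."""
    totals = {}
    for u in usage:
        user = owner_of(u, sessions)
        if user is not None:
            totals[user] = totals.get(user, 0) + u.mbytes
    return {user: mb for user, mb in totals.items() if mb > billed.get(user, 0)}
```

Real deployments would also have to handle address translation, where a single public address fronts many subscribers, which is why the list above asks for NAT awareness rather than a plain address-to-user map.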

Adoption Has Been Slow

Stand-alone FMS packages for the IP environment that meet these requirements are rare and adoption has been slow, Allen says. “But the situation should change as [next-generation] services enter wider circulation,” he says. “There are a number of billing systems for the packet-switched environment with some antifraud features.”

Fraud, however, will grow in sophistication. Abusers will use new techniques and a continuous series of ever-advancing hacking tools. Once discovered, a fraud technique will remain permanently available on the Internet, and service providers must mount a permanent answer to it. Of course, new network services will involve new billing mechanisms, which will require new forms of defense. The appearance of each will trigger an “arms race” between hackers and service providers. Service providers will face a constant struggle just finding (and continually retraining) qualified security personnel.

In the meantime, Allen can think of only one low-tech way of protecting against network fraud. “Turn the computer off,” he suggests.

Alas, that’s probably not an option.

Lamont Wood is a technology writer based in San Antonio, Texas.