SS7 Over IP: Signaling Interworking Vulnerabilities
Total Page:16
File Type:pdf, Size:1020Kb
DANTU LAYOUT 11/2/06 12:03 PM Page 32 SS7 Over IP: Signaling Interworking Vulnerabilities Hemant Sengar, George Mason University Ram Dantu, University of North Texas Duminda Wijesekera and Sushil Jajodia, George Mason University Abstract Public telephony — the preferred choice for two-way voice communication over a long time — has enjoyed remarkable popularity for providing acceptable voice quali- ty with negligible connection delays, perhaps due to its circuit-switched heritage. Recently, IP telephony, a packet-based telephone service that runs as an application over the IP protocol, has been gaining popularity. To provide seamless interconnec- tivity between these two competing services, the Internet Engineering Task Force (IETF) has designed a signaling interface commonly referred to as SIGTRAN. This seamless intersignaling provided by SIGTRAN facilitates any subscriber in one net- work to reach any other subscriber in the other network, passing through any hetero- geneous maze of networks consisting of either of these. Unfortunately, the same intersignaling potentially can be exploited from either side to disrupt the services provided on the other side. We show how this can be done and propose a solution based on access control, signal screening, and detecting anomalous signaling. We argue that to be effective, the latter two should consider syntactic correctness, semantic validity of the signal content, and the appropriateness of a particular signal in the context of earlier exchanged messages. ntil recently, public telephones — the overwhelm- a packet switched network. Being born in an era where a few ing choice for two-way voice communication — large enterprises owned and controlled the public telephony has provided acceptable voice quality with negligi- infrastructure, the SS7 network has been engineered with per- ble connection delays. However, Voice over IP formance and failure tolerance in mind, but not security as a UU(VoIP) telephony is emerging as an alternative to public tele- design objective. Telecommunication deregulation in 1996 [2] phones, due to its convenience, cost effectiveness, and the and liberalized economies have introduced many new players, ease of designing new services. Consequently, there has been known as competitive local exchange carriers (CLECs), thus a need to interoperate signaling and media between these two increasing the number of access points to SS7, and thereby competing services. The signaling interoperation, made possi- exposing new points for attacks. As we show herein, one such ble by using the signaling transport (SIGTRAN) [1] protocol interface to both networks, SIGTRAN, can be exploited as suite proposed by the Internet Engineering Task Force well unless care is taken. We summarize the PSTN and VoIP (IETF), allows any subscriber in either network to transpar- infrastructures before describing how their interoperation can ently call another subscriber in either network. The malusabil- be exploited. ity of the signaling interoperation and mechanisms, and possible prevention mechanisms, comprise the subject matter of our article. Preliminaries Designed in two different eras, the infrastructure of public Public Switched Telephone Network — Current public tele- and VoIP telephones have different networking architectures. phone systems use separate networks for signaling and voice Public telephony uses a signaling network known as Signaling streams, where the former controls (itself and) the latter, System 7 (SS7) to set up and tear down connections for cir- referred to as common channel signaling. The combination of cuit-switched voice trunks, whereas VoIP telephony is an these two networks are commonly referred to as the public application running over the popular Internet Protocol (IP) — switched telephone network (PSTN), in which the control part is commonly known as Signaling System 7 (SS7). SS7 is the out-of-band signaling standard used by PSTN to control cir- This material is based upon work supported by the National Science cuit-switched voice and data transmission, Integrated Services Foundation under grants CT-0627493, IIS-0242237, IIS-0430402, Digital Network (ISDN) services, and optionally for, cellular CNS-0516807, and CNS-0551694. Any opinions, findings, and conclu- mobile telephony and network management. SS7 provides sions or recommendations expressed in this material are those of the both circuit-related and non-circuit-related signaling. As author(s) and do not necessarily reflect the views of the National Science shown in Fig. 1a, the PSTN network is connected to the wire- Foundation. less network through the mobile switching center (MSC) and 32 0890-8044/06/$20.00 © 2006 IEEE IEEE Network • November/December 2006 DANTU LAYOUT 11/2/06 12:03 PM Page 33 SCP SS7 SS7 protocol model STP STP levels SSP SSP Telephone STP STP Telephone ASE OMAP SS7 signaling network TCAP Level 4 ISDN user part Telephone PBX Public switched telephone network (PSTN) Signaling connection Fax Modem control part (SCCP) Level 3 Message transfer part level 3 (signaling network) Workstation Mobile switching NSP Level 2 Message transfer part level 2 MTP Comm. center Internet (signaling link) tower IP gateway PC Message transfer part level 1 Level 1 (signaling data link) Cell Pager phone (a) (b) I Figure 1. SS7 network architecture: a) SS7 signaling network; b) SS7 protocol stack. the Internet through IP gateways. Individual users and organi- MTP3 functions are divided into two areas, signaling message zations access the PSTN network using dial-up, telephone, handling, ensuring proper delivery of messages, and signaling PBX, and ISDN connections. network management, managing the signaling network. The The interior of SS7 consists of three main network ele- signaling connection control part (SCCP) complements MTP ments, referred to as signaling points (SPs). SPs are identified with the network service part (NSP) that is a functional equiv- by a numeric address known as point codes, like the IP alent of the Open Systems Interconnection Reference Model’s addresses of the Internet. SPs are classified as service switch- network layer. SCCP supports both connectionless and con- ing points (SSPs), signaling transfer points (STPs), and service nection-oriented services while enhancing the addressing control points (SCPs), depending upon their functions in the scheme. The transaction capabilities application part (TCAP) SS7 network, as shown in the top half of Fig. 1a. In SS7 termi- is a non-circuit-related remote procedure call mechanism nology, the addresses of senders and receivers are known offering four types of transactional services: request-response, respectively as originating point codes (OPC) and destination response only upon success, response only upon failure, and point codes (DPC), and are carried in a part of the SS7 mes- responseless service. Its most common use is in 800-number sage’s header referred to as a routing label (RL). calling. TCAP uses SCCP as a transport layer to exchange SSPs are (end offices or tandem) telephone switches that non-circuit-related data between applications. ISDN User Part originate, terminate, or switch calls. An SSP may also send a (ISUP) provides functions to support basic bearer services query message to an STP for logical to physical address trans- and supplementary services for voice and non-voice applica- lation, referred to as global title translation. SCPs contain cen- tions in an ISDN. ISUP defines messages and protocols for tralized databases that store information pertinent to the controlling interexchange calls (i.e., setting up and releas- call-processing capabilities such as calling cards, subscriber’s ing of voice trunks) between two subscribers. Further details profiles, and mobile-station profiles. Similar to an IP-based of the SS7 protocol stack can be found in [3]. router, based upon their DPC, STPs route incoming messages to outgoing links. STPs can also be used to screen signals and Functional Components of PSTN, VoIP and Softswitch — PSTN perform global title translations — mapping global mnemonic consists of two network planes (a plane represents a logical addresses to point codes. grouping of communication procedures), one for signaling and the other for voice transportation, that has lead to a high- The SS7 Protocol Stack — The SS7 protocol stack consists of level system architecture consisting of call control and media four functional levels, as shown in Fig. 1b. Levels 1 through 3 transport, which are being used to implement other applica- together form the message transfer part (MTP) and are used tions, as shown in Fig. 2. Although legacy systems have imple- for reliable point-to-point signal transfers. In addition, Level 3 mented all these functional units (as shown in the left side of provides network management functions. Level 4 represents Fig. 2) in one physical location, the International Packet Com- various services (known as user parts) of MTP Level-3 munications Consortium [4] and the IETF [1] have redesigned (MTP3), such as telephone user parts, ISDN user parts, and a distributed architecture referred to as the softswitch architec- signaling connection control parts. MTP is implemented at ture, as shown in the right side of Fig. 2. each signaling point, but the user part’s implementation The softswitch architecture has three main components: depends upon the services supported at that particular signal- media gateway (MG), media gateway controller (MGC), and ing point. STPs provide routing functions and therefore