Telecommunications service providers and their customers are constantly facing attacks on their network infrastructures. Attackers, referred to as hackers and phreakers, routinely use software applications and modems to war dial within a service provider's network. War dialing refers to the process of dialing multiple directory numbers with the purpose of locating a modem or voice mail port for later attack. Once a modem or voice mail port has been found, attackers document and store the number for later attacks.
FIG. 1 illustrates an exemplary signaling system 7 (SS7) signaling network 100, which is used to facilitate the setup and tear down of calls between a war dialing calling party 102 and called parties 104, 106, and 108. In this example, calling party 102 is served by an originating end office 110, which is connected via one or more signaling links to STP 112. STP 112 is in turn connected to STP 114 via one or more signaling links. STP 114 is connected to terminating end office 116 via one or more signaling links. In this example of war dialing, calling party 102 first dials the directory number of called party 104 at 3:31:30 pm. Originating end office 110 facilitates the setup of a call between the calling and called parties by generating and transmitting an ISDN user part (ISUP) initial address message (IAM). The IAM message is transmitted to STP 112 and routed to STP 114 and terminating end office 116. A voice trunk is established between the originating and terminating end offices, thereby creating a voice path between the war dialing calling party and the first called party 104.
In this example, called party 104 is a data modem associated with a computer, and, as such, calling party 102 will detect the characteristic tonal response of the answering modem and may subsequently record this finding, along with the directory number of called party 104 for later exploitation. The amount of time required for calling party 102 to make such a determination is typically very short (e.g., less than one minute). Once calling party 102 has completed an initial assessment of the first called party 104, calling party 102 terminates the call. When calling party 102 goes on-hook, originating end office 110 generates an ISUP release (REL) message, which is transmitted to terminating end office 116 in a manner similar to that described previously with respect to the IAM message. Once war dialing calling party 102 terminates the first call by going on-hook, war dialing calling party 102 dials the directory number associated with called party 106 at 3:32:00 pm. A similar signaling process is repeated for this call and any calls that the war dialer may attempt. As described above, once the initial survey of called parties has been completed, the war dialer may target selected called parties for further study or exploitation. As such, some or possibly all of the originally called parties may be later called by the war dialer, where the war dialer may use the same or a different line to make the second round of calls.
Voice mail ports are highly susceptible to unauthorized access by attackers looking for ways to place long distance calls without being detected via traditional call trap and trace monitoring systems. These ports may, for example, be used by groups that wish to establish untraceable communications within a country or between different countries. The voice mail port can be traced using call tracing techniques, but the number of the party who has hijacked the voice mail port will not show up in a call trace. Call traces only identify the calling and called parties point-to-point (the voice mail port and the party called from the voice mail port).
Modems can also be used to gain unauthorized access to computer systems. For example, once a war dialer locates a modem, the war dialer may be able to gain unrestricted access to a computer system. Even if the computer system is password protected, the war dialer can try different passwords until access is gained.
If telecommunications service providers had a tool or utility that could monitor and detect war dialing events, they would be better equipped to identify potential threats in real time or near real time and protect their customer bases from potential attacks. Consequently, there exists a long-felt need for methods and systems for identifying and mitigating war dialing events in a communications network.
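The call pattern walked through for FIG. 1 (one calling party, a run of brief calls to different directory numbers) can be expressed as a monitoring rule. The following is an added illustration, not code from this document: the event format, the telephone numbers, the REL times, and the thresholds (one minute, ten minutes, three distinct numbers) are all assumptions chosen for the sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, ISUP message, calling number, called number).
# Assumes the monitor has already correlated each REL with its IAM's numbers.
SAMPLE_EVENTS = [
    ("15:30:00", "IAM", "9195550199", "9195550104"),  # ordinary long call
    ("15:31:30", "IAM", "9195550102", "9195550104"),
    ("15:31:55", "REL", "9195550102", "9195550104"),
    ("15:32:00", "IAM", "9195550102", "9195550106"),
    ("15:32:20", "REL", "9195550102", "9195550106"),
    ("15:32:25", "IAM", "9195550102", "9195550108"),
    ("15:32:50", "REL", "9195550102", "9195550108"),
    ("15:50:00", "REL", "9195550199", "9195550104"),
]

def pair_calls(events):
    """Match each IAM to its REL; return (caller, callee, start, duration)."""
    open_calls, calls = {}, []
    for ts, msg, caller, callee in sorted(events):
        t = datetime.strptime(ts, "%H:%M:%S")
        if msg == "IAM":
            open_calls[(caller, callee)] = t
        elif msg == "REL" and (caller, callee) in open_calls:
            start = open_calls.pop((caller, callee))
            calls.append((caller, callee, start, t - start))
    return calls

def detect_war_dialing(events, max_duration=timedelta(minutes=1),
                       window=timedelta(minutes=10), min_targets=3):
    """Flag callers placing short calls to >= min_targets distinct numbers in a window."""
    short = defaultdict(list)
    for caller, callee, start, duration in pair_calls(events):
        if duration <= max_duration:  # brief, probe-length call
            short[caller].append((start, callee))
    flagged = {}
    for caller, attempts in short.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1  # slide the window start forward
            targets = {callee for _, callee in attempts[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged[caller] = sorted(targets)
                break
    return flagged

if __name__ == "__main__":
    print(detect_war_dialing(SAMPLE_EVENTS))
```

A rule keyed on the calling number alone will not link a second round of calls placed from a different line, which the description above notes a war dialer may use.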