A Dial-Up Session
Now that you have an understanding of some Internetworking basics, let's take a look at how a typical Internet dial-up session works (see Figure 2-3). When you dial in to an ISP with a modem, you might use a layer 3 protocol called Point-to-Point Protocol (PPP). Referring back to Figure 2-1, layer 3 is the network layer, and in the case of a dial-up connection, PPP replaces IP. Connectivity is not automatic, though. A dial-up session must first be authenticated, and then an IP address is assigned. The modem at the ISP's Point of Presence (POP) is directly connected to, or even a component within, a router that is designed to accommodate PPP connections. When a connection attempt occurs, the dial-up router first prompts the user for a login name and password. A single ISP may have hundreds of POPs spread over an entire continent; it is certainly not practical for each dial-up router to maintain a list of all users and their encrypted passwords. A centralized directory contains this list, and the RADIUS protocol is used to support the authentication request between the dial-up routers and the centralized user directory.
Figure 2-3 Connecting to the Internet through an ISP's dial-up service
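The authentication exchange described above, between a dial-up router (the RADIUS client, or NAS) and the ISP's central RADIUS server, as an added Python example that is not from the book: the router builds an Access-Request carrying the login name, the hidden password and the caller ID, the server checks the credentials against its user directory and answers Access-Accept or Access-Reject, and the router verifies the Response Authenticator before trusting the verdict. The packet layout, attribute numbers and password-hiding scheme are the standard ones from RFC 2865; the user directory, shared secret, addresses and caller ID are constructed placeholders.

```python
import hashlib
import os
import struct
from ipaddress import IPv4Address

# RFC 2865 packet codes and attribute types used here (standard values, not from the book).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length (1 byte, counting this 2-byte header), value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    The only protection for the password is the shared secret."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the RADIUS server."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode()


def parse_packet(pkt):
    """Header: code (1), identifier (1), length (2, big-endian), authenticator (16), then attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def nas_access_request(ident, username, password, nas_ip, caller_id, secret):
    """What the dial-up router (the NAS) sends to the central RADIUS server."""
    request_auth = os.urandom(16)  # fresh per request; also seeds the password hiding
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, IPv4Address(nas_ip).packed),
        (CALLING_STATION_ID, caller_id.encode()),  # the caller ID the ISP logs with the session
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_respond(request, secret, user_db):
    """Central server: recover the password, check it against the directory, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user = fields[USER_NAME].decode()
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    rcode = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", rcode, ident, 20)  # no reply attributes in this example
    # Response Authenticator = MD5(code + id + length + RequestAuth + attributes + secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def nas_verify_response(request, response, secret):
    """The NAS recomputes the Response Authenticator before trusting the verdict."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if ident != req_ident or expected != response_auth:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code == ACCESS_ACCEPT
```

Both the password hiding and the response check rest on the shared secret between router and server, so a weak or widely reused secret undermines the whole exchange; the Response Authenticator check is what keeps a router from acting on a forged Accept sent by someone who lacks the secret. This is also why the book's point stands that the login-to-person association is only as good as the reusable password behind it.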
After a user is authenticated to the ISP, an IP address is dynamically assigned to that user with DHCP. Although it is possible for individual subscribers to have their own permanently assigned IP addresses, such an inefficient use of valuable IP address space is virtually unheard of. The IP address is almost always associated with a DNS name, allowing reverse lookups. The name will be something generic, such as ppp589.city.isp.com.
RADIUS is used not just for authentication; it is also used for accounting. The RADIUS server is normally the only ISP device that maintains records that can be used to track an offender, so it is very important to your investigation. The server normally maintains records of every login attempt, both successful and unsuccessful, and also every logoff or session end. This information is necessary so the ISP can keep track of subscriber connection time. The information associated with a RADIUS session also includes the IP address assigned to a specific login during a session, and ISPs often use caller ID to keep track of the telephone number used to originate the session. This allows the ISP to determine which login name was using a specific IP address at a specific time, but the association of this login with a specific individual is only as good as the authentication mechanism. Most dial-up accounts authenticate with reusable passwords, and it is common for cyber criminals to guess or otherwise steal passwords (most subscribers have no way of knowing that their accounts are sometimes being abused by someone else). America Online (AOL) users have been especially prone to ID theft, and AOL is just one of many ISPs that provide free trial accounts that are frequently associated with phony names.
Because the RADIUS logs are used for accounting purposes, an ISP has to maintain them for at least a one-month billing cycle. In practice, ISPs keep them for periods of up to a year in order to respond to customer complaints about billing mistakes. Even relatively small ISPs are used to responding to court orders that require providing the Internet equivalent of a trap and trace record. According to Lucent consultant Aaron Higbee, who has worked with the abuse departments of several large Internet service providers:
ISPs do not like abusers because their mischief affects the bottom line and gives the ISP a black eye within the Internet community. If you want to identify an abuser, these are the necessary steps:
Document the abuse with dates, time, time zone, and logs.
Send the logs as a complaint to email@example.com.
Follow up your email with a phone call. (Do not call a tech support or customer service line.) Ask for the legal department's fax number or ask to speak directly with the abuse/security department.
Fax the same logs to the legal staff and let them know that you will follow up your complaint with a court-ordered subpoena for any and all subscriber information including all captured caller IDs.
You must assume the subscriber information is fraudulent unless the account has a bill payment history and the session in question can be pinpointed as originating in the same calling area as the rest of the subscriber's usage history. If you are lucky, the caller ID will be captured for the session you are interested in. You then subpoena the local phone company for subscriber information for the phone number that was captured in the caller ID. Sometimes reverse telephone lookup sites like http://www.anywho.com/rl.html can give you clues as to who you are tracking, but the definitive answer will come from the subpoenaed subscriber information.
You might think the biggest problem with obtaining information from ISPs would be the result of the terms of service and confidentiality agreements that most service providers have with their customers. But to the contrary, most service providers are willing to assist you because they do not want anyone misusing their system. In a prominent privacy case several years ago, AOL was sued by a subscriber who accused the company of illegally providing sensitive personal information to a law enforcement agency, so ISPs are now very sensitive to the correct legal procedures.
When you obtain the information from the service provider, keep in mind that the subscriber information can be completely bogus. There is little to no authentication for any of the information associated with the subscriber. The value of the information is in determining the telephone number that was used to connect to the ISP. If you can obtain the phone number and the date and time that a session was set up, you are yet another step closer to finding your suspect. You can then start the subpoena process again and try to find other connections originating from that same phone number. This still might not lead directly to your suspect, but you're getting closer and closer to a suspect who thought he or she was well hidden by the free service.
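An added Python example, not from the book, that serves both the description of RADIUS accounting records above and the closing step of looking for other connections from the same telephone number. It parses a constructed accounting log (modelled on the FreeRADIUS detail-file layout, an assumed format; the book shows no real log), pairs Start and Stop records into sessions, and answers the two questions an investigator asks of an ISP: which login held a given IP address at a given time, and which sessions originated from a given caller ID. The user names, addresses, session ids and phone numbers are constructed.

```python
from datetime import datetime

# Constructed sample in the layout of a FreeRADIUS "detail" accounting file (assumed format):
# one timestamp line, indented attribute lines, blank line per record. Timestamps are the
# server's local time; a real request to an ISP must state the time zone as well.
SAMPLE_DETAIL = """\
Tue Jun 12 21:14:02 2001
\tAcct-Status-Type = Start
\tUser-Name = "jdoe"
\tAcct-Session-Id = "0000A1B2"
\tFramed-IP-Address = 10.5.17.89
\tCalling-Station-Id = "2125551234"

Tue Jun 12 21:20:00 2001
\tAcct-Status-Type = Start
\tUser-Name = "msmith"
\tAcct-Session-Id = "0000A1B9"
\tFramed-IP-Address = 10.5.17.90
\tCalling-Station-Id = "7185550199"

Tue Jun 12 21:50:00 2001
\tAcct-Status-Type = Stop
\tUser-Name = "msmith"
\tAcct-Session-Id = "0000A1B9"
\tFramed-IP-Address = 10.5.17.90
\tAcct-Session-Time = 1800

Tue Jun 12 22:03:40 2001
\tAcct-Status-Type = Stop
\tUser-Name = "jdoe"
\tAcct-Session-Id = "0000A1B2"
\tFramed-IP-Address = 10.5.17.89
\tAcct-Session-Time = 2978

Tue Jun 12 22:30:11 2001
\tAcct-Status-Type = Start
\tUser-Name = "trial77"
\tAcct-Session-Id = "0000A1C0"
\tFramed-IP-Address = 10.5.17.89
\tCalling-Station-Id = "2125551234"
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_detail(text):
    """One dict per record; the record's time is stored as a datetime under 'timestamp'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is the timestamp opening a record
            current = {"timestamp": datetime.strptime(line.strip(), TIME_FMT)}
            records.append(current)
            continue
        if current is None:
            raise ValueError("attribute line before any timestamp")
        key, _, value = line.strip().partition(" = ")
        current[key] = value.strip('"')
    return records


def build_sessions(records):
    """Pair Start and Stop records by Acct-Session-Id. The IP address is reused by later
    sessions, so the session id, not the address, is the join key."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        sess = sessions.setdefault(sid, {
            "user": rec.get("User-Name"), "ip": rec.get("Framed-IP-Address"),
            "caller_id": rec.get("Calling-Station-Id"), "start": None, "stop": None})
        if status == "Start":
            sess["start"] = rec["timestamp"]
        elif status == "Stop":  # a Stop whose Start was rotated away leaves start=None
            sess["stop"] = rec["timestamp"]
    return list(sessions.values())


def who_had_ip(sessions, ip, at):
    """Sessions holding `ip` at datetime `at`. A session still open (no Stop) counts as
    active; one known only from its Stop counts as active up to that Stop."""
    return [s for s in sessions
            if s["ip"] == ip
            and (s["start"] is None or s["start"] <= at)
            and (s["stop"] is None or at < s["stop"])]


def sessions_from_caller(sessions, caller_id):
    """Every session that originated from one telephone number, oldest first."""
    hits = [s for s in sessions if s["caller_id"] == caller_id]
    return sorted(hits, key=lambda s: s["start"] or s["stop"] or datetime.min)
```

Run against the sample, the address 10.5.17.89 resolves to jdoe at 21:30, to nobody at 22:10, and to trial77 at 22:45, while the caller ID 2125551234 ties the paid jdoe account and the trial77 account to the same telephone line. That second query is the one the chapter ends on: once the phone number is known, it is the thread that connects otherwise unrelated logins.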