International Engineering Consortium
Web ProForums
Fraud Analysis in IP and Next-Generation Networks

3. IP and NGN Vulnerabilities

The infrastructure of next-generation/IP networks is packet based and multilayered, with open, distributed architecture and no ingrained security mechanisms. Mission-critical applications, used for the transmission of high-profit services such as voice, e-commerce, and financial transactions, are run over these exposed networks. With user identification based on the IP layer and the IP layer easily tampered with, packets sent over these networks can easily be marked with a 'borrowed' IP address, enabling unauthorized users to impersonate legitimate ones. These intruders abuse services and benefits at the expense of legitimate users, who are often completely unsuspecting until the bill arrives—long after the abuser has departed. This type of fraud is commonly referred to as IP spoofing. The possibility that an IP address may have been altered causes data issued by the IP layer to become both insufficient and unreliable.
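The billing consequence of identifying users by IP address alone, and the check that exposes it, shown as an added example that is not part of the original tutorial: each flow's source address is compared with the address bound to the access port it entered on. The port names, binding table, and flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: access port -> address assigned to that subscriber
# (assumed to come from a lease or provisioning database). Documentation addresses.
BINDINGS = {
    "port-1": ipaddress.ip_address("192.0.2.10"),
    "port-2": ipaddress.ip_address("192.0.2.20"),
    "port-3": ipaddress.ip_address("192.0.2.30"),
}

# Constructed flow records seen at the access edge: (ingress port, source IP, bytes).
FLOWS = [
    ("port-1", "192.0.2.10", 1200),
    ("port-2", "192.0.2.20", 800),
    ("port-3", "192.0.2.10", 50000),  # port-3 sending with port-1's address
    ("port-3", "192.0.2.30", 300),
    ("port-9", "192.0.2.20", 700),    # port with no binding at all
]

def validate_sources(flows, bindings):
    """Split flows into those whose source IP matches the ingress-port binding and the rest."""
    valid, suspect = [], []
    for port, src, nbytes in flows:
        bound = bindings.get(port)
        ok = bound is not None and ipaddress.ip_address(src) == bound
        (valid if ok else suspect).append((port, src, nbytes))
    return valid, suspect

def usage_by_ip(flows):
    """Usage totals as a billing system keyed only on source IP would attribute them."""
    totals = defaultdict(int)
    for _port, src, nbytes in flows:
        totals[str(ipaddress.ip_address(src))] += nbytes
    return dict(totals)

def misattributed_bytes(flows, bindings):
    """Bytes an IP-only bill would charge to an address although they entered on another port."""
    _valid, suspect = validate_sources(flows, bindings)
    return usage_by_ip(suspect)

if __name__ == "__main__":
    valid, suspect = validate_sources(FLOWS, BINDINGS)
    print("billed by IP only:", usage_by_ip(FLOWS))
    print("after source validation:", usage_by_ip(valid))
    for port, src, nbytes in suspect:
        print(f"ALERT {port} sent {nbytes} bytes as {src}")
```

The gap between the two usage totals is the traffic that would have appeared on the legitimate subscriber's bill.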

As noted, firewalls also use IP addresses to classify traffic and therefore cannot be viewed as an ultimate means of network security. Popular operating systems with known vulnerabilities, such as Linux, Windows, and Unix, are run on critical servers (including firewalls, RADIUS, and authentication servers). In addition, protocols such as routing, voice over IP (VoIP) signaling, domain name service (DNS) resolution, and e-mail (POP, SMTP) are common knowledge, enabling illegal manipulation of their transmission.

Shared communication media such as cable modems, wireless transmission, local multipoint distribution system (LMDS), and others enable several abuses, including violation of privacy caused by eavesdropping and/or unlawful access to another user's service; password sniffing (illegally obtaining user passwords for use in various scams); clip-on fraud, which requires only a simple, inexpensive connection device and enables "free" usage of calls and a large variety of services at the expense of the operator; illegal connection to the Internet through use of an authorized user's account or ID; and impersonation of authorized, subscribing users to access the services allotted to them.

An inherent lack of embedded control mechanisms in the network infrastructure and in IP- and Web-based applications contributes to low network survivability. Lack of traffic management control mechanisms enables "bandwidth theft," i.e., one user will transmit a larger amount of traffic than allocated to him, leaving other users with less bandwidth for their own use. Unmanaged congestion and lack of overload control enable sabotage in the form of denial-of-service attacks on various services (most notoriously performed on popular Web sites). One way to do this is to flood the server with repeated, legal service requests in an attempt to overload it, causing severe degradation or complete unavailability of the service to legitimate, paying users.

New billing schemes based on content and quality are being introduced, creating yet another point of weakness open to criminal abuse. The better the service, the higher the profit, and the scheme procedures themselves are readily available; such potential inevitably accelerates the creation of new and sophisticated fraud methodologies.
