The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

As I noted in yesterday’s post on the arrest of Pyotr Levashov, the government used a Rule 41 warrant (“in an abundance of caution,” they explained in the application) to authorize the redirection of infected computers to the FBI sinkhole. As that was the first public use of the newly expanded authority, I expect there to be a lot of commentary about its use.

I’m just as interested in the Pen Register/Trap and Trace application accompanying the warrant, however. It authorizes the sinkhole to obtain the IP and routing address for infected computers, so the government can inform ISPs of the infection. I’m interested in it for the way it transcribes phone technology onto packet headers.

9. In the traditional telephone context, pen registers captured the destination phone numbers of outgoing calls, while trap and trace devices captured the phone numbers of incoming calls. Similar principles apply to electronic communications, as described below.

10. The Internet is a global network of computers and other devices. Devices directly connected to the Internet are identified by a unique Internet Protocol (*IP’)address. This number is used to route information between devices. Generally, when one device requests information from a second device, the requesting device specifies its own IP address so that the responding device knows where to send its response.

11. On the Internet, data transferred between devices is not sent as a continuous stream, but rather it is split into discrete packets. Generally, a single communication is sent as a series of data packets. When the packets reach their destination, the receiving device reassembles them into the complete communication. Each packet has two parts: a header with routing and control information, and a payload, which generally contains the content of the transmitted communication.

12. The packet header contains non-content dialing, routing, addressing and signaling information, including IP addresses and port numbers. Both the IP address of the requesting device (the source IP address) and the IP address of the receiving device (the destination IP address) are included in specific fields within the packet header, as are source and destination port numbers. On the Internet, IP addresses and port numbers function much like telephone numbers and area codes often both are necessary to route a communication. Sometimes these port numbers identify the type of service that is connected with a communication, such as email or web-browsing, but often they identify a specific device on a private network. In either case, port numbers are used to route data packets either to a specific device or a specific process running on a device. Thus, in both cases, port numbers are used by computers to route data packets to their final destinations.

13. The headers of data packets also contain other dialing, routing, addressing and signaling information. This information includes the transport protocol used (there are several different protocols that govern how data is transferred over networks); the flow label (for the most recent version of the Internet Protocol suite, called IPv6, the flow label helps control the path and order of transmission of packets); and the packet size. [my emphasis]

I’m sure the FBI has used similar PRTTs hundreds of times, including (perhaps especially) in the FISA context. But I’m not aware of one that has been made public. Moreover, the application of the PRTT is different here than in many contexts, because the sinkhole, not an ISP, will be obtaining the data requested.

I raise that because the PRTT asks for information — such as the use of a port number to ID a device running on a private network — that might be considered content to an ISP. If such an order were presented to an ISP, then, the request would arguably go beyond what a user had voluntarily shared with a third party, and therefore what should be available using a PRTT. (This paper from Matt Blaze and others from last year explains this in detail, though the paper notes that port numbers are specifically permitted by DOJ’s Electronic Surveillance Manual.) The data is necessary to the intent here, because FBI is trying to ID which devices have been infected. But it’s not clear the legal case is sound.

Yet the application describes it as dialing, routing, addressing, and signaling information (the DRAS definition at the base of PRTT law) without an explanation of this technical distinction, and without a discussion of what it means that the FBI sinkhole, and not an ISP, is collecting the data.

I suspect one reason the government has made all the materials associated with Levashov public is to codify their use. And that’s true as much for this use of the PRTT as it is for the Rule 41 warrant.

11 replies
  1. marksb says:

    Signalling or content? This is an interesting question. Good call on this.
    It’s been a decade since I was involved in this industry so I might be off, but the protocols are the same, so:

    The identifying data in a VoIP session uses Session Initiation Protocol (SIP), used specifically to set up the call on both ends. Wiki: “SIP is only involved in the signaling portion of a media communication session, primarily used to set up and terminate voice or video calls.”

    Thus, one could make the argument that the call set-up data in a session is the equivalent to IP header information, and the SIP data is not content data. IMHO, if SIP data were to be considered content, then one could make the same argument that IP header data (source, origin addr, etc) is content—and that ain’t gonna’ happen.

    • SpaceLifeForm says:

      This is bigger than VOIP and SIP.
      (neither are secure. All can be routed overseas and back allowing 702 and 12333 to be applied)

      This is about abusing PRTT (historically telco) to make it apply to ip packets.

      This is also about abusing Rule 41.
      (which has some loopholes)

      • marksb says:

        The question was is the signalling ‘content’ or ‘header’? My point is it looks like header from a protocol point of view.

        But since you brought it up, access to ALL traffic–PRTT or IP (or ATM back then)–was authorized to be collected by everyone in 2001, Lawful Intercept:

        The principal global treaty-based legal instrument relating to LI (including retained data) is the Convention on Cybercrime (Budapest, 23 Nov 2001). The secretariat for the Convention is the Council of Europe. However, the treaty itself has signatories worldwide and provides a global scope.(WIKI)

        I was working for a major international teleco equipment mfgr at the time, making the transition from circuit switching to IP for voice traffic, and I remember the meeting where this treaty was presented to the people who set corporate strategic and technical plans, with the presenter saying “That’s it. Privacy is over.”


        • SpaceLifeForm says:

          If that was the case here, and LI (CALEA in US) was totally applicable, then why the need for Rule 41?

          I agree with you, it appears to be ‘header’ type data, not content. But, in SIP, techically what are called headers are actually content (payload) from the ip packet point of view.

          And do we have any info yet that this botnet even is related to VOIP and SIP?

          There is something else going on.

          It may be related to hacking/misuse of SS7.
          (which could definitely be happening by TLA folks)

          It may just be about setting precedent for DPI by TLAs. It may not be the intent, but you always have the danger of unintended consequences. Recall the various complaints about the ‘going dark’ problem.

          It may actually be an investigation into a group that most people would immediately dismiss because it contradicts with their worldview.

          It may also be about eliminating the ‘venue shopping’ problem, so LE can avoid judges that actually think and do their job.

          It might even be all of the above.

        • SpaceLifeForm says:

          Or, it may be simple.
          It may all be part of a plan to replace 702 which has an expiration date of 2017-12-31.

          Leads to eliminating FISC too.

          Not that eliminating FISC is a big deal. The fascists want no court oversight, and FISC is basically rubber-stamp.

          Freedom act (to keep Patriot act going), allegedly killed bulk collection, but the TLAs can continue to do that anyway under 702 or 12333.

          And now that Gorsuch in SCOTUS, only SCOTUS has to ‘approve’ lower court precedent (that they like), so in 2020, Freedom act can expire also, and Congress will have no say anyway.

          So, with a corrupt SCOTUS and Whitehouse, the Congress becomes a dog and pony show (not to say that is not already the situation),
          and lower courts only will be used for precedent.

          Net result: the people have zero representation, and the takeover is complete.

          FBI maybe is making a huge mistake here.
          Unintended consequences. Maybe Comey is being overloaded internally via internal misinfo. Maybe Comey is not even aware. Maybe misinfo due to moles. Spy vs Spy.

  2. LeMoyne says:

    It isn’t clear that the port numbers would specifically ID a particular infected computer, except perhaps in real time.  I believe that the bridge router’s translation of internal LAN IP addresses to port numbers appended to the bridge router’s single external IP address would not be constant under dynamic methods of assigning LAN addresses (which I think are the norm).  The port-computer assignment could easily change and would only be near constant because of ‘lazy’ methods that reduce the juggling of those assignments to reduce router overhead workload.

    In fact, the bridge router’s IP address would be enough to try to reach the IT network folk who might be able to do something about the bot infection… and if it’s not sufficient they aren’t getting to the specific computer that way anyway.  I agree with your assessment that the FBI isn’t trying to aid the victims here – they are acting prescedential. (no sp – pun intended).  They aren’t lying about trying to ID the specific computers: they are trying to maintain and extend what they can get with a PRTT order.

    • SpaceLifeForm says:

      Yep, the port number (ip packet perspective) does not really id a specific computer. Potentially it could, but wow, you are talking about a major effort. You would need to know the port randomization algorithm of the NAT router to start with, and somehow id the other machines behind the router. The easy way would be to go to the network admin and tell them that you suspect an infected machine behind their internet facing routers. Then you wireshark the traffic at the routers.

      But I suspect there are multiple reasons that they do not want to do that approach. Some legal, some technical.

      As to the argument that it is p2p, suspect that is misdirection. True p2p is fraught with problems, in particular if any NAT is involved.
      See STUN or TURN and hole punching.

      If you are the attacker, instead of true p2p, you set up a server somewhere, and have the malware on the target computer ‘call home’.
      Getting the malware on the target computer is the problem from the attackers perspective (unless preloaded).

      But once the malware can ‘call home’ (contact the server), the server (C2 – command and control) is basically logically in a p2p mode with the infected target machine. But it is not true p2p.

  3. SpaceLifeForm says:

    Geeze.  Another leak.  Oh wait,  not IC.  Not  really a ‘leak’, more like passing inside info.

    (see NSC and Nunes for comparison: )

    But in the fascist world, where money is everything, maybe this ‘leak’ and all of IC spying is really all just about money.

    I.E,  Economic Espionage.

    This is NOT to imply that Economic Espionage is always actually foreign based.

    google(“wells fargo kpmg leak”)

Comments are closed.