Introduction | Phrack Staff |
Phrack Loopback | Phrack Staff |
Line Noise | various |
Phrack Prophile on Swamp Ratte | Phrack Staff |
File Descriptor Hijacking | orabidoo |
LOKI2 (the implementation) | route |
Juggernaut 1.0 - 1.2 patchfile | route |
Shared Library Redirection | halflife |
Bypassing Integrity Checking Systems | halflife |
Stealth RPC scanning | halflife |
The Art of Scanning | Fyodor |
The Eternity Service | Adam Back |
Monoalphabetic cipher cryptanalysis | mythrandir |
Phrack Magazine Article Index Guide | guyver |
A Brief introduction to CCS7 | Narbo |
Phrack World News | disorder |
extract.c | Phrack Staff |
---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 15 of 17 -------------------------[ A Brief Introduction to CCS7 --------[ Narbo[SLF] <[email protected]> 0o0o0o0o0o0o0o0o0o0o0o0o0 o Introduction o 0o0o0o0o0o0o0o0o0o0o0o0o0 Every day it seems that the telcos introduce some funky new calling feature to make your life easier. I'm sure at one point or another you've probably wondered exactly how all of these calling features work. The answer? Common Channel Interoffice Signaling or CCS7. CCS7 is somewhat analogous to TCP/IP in that it is a protocol that allows networked computers (in this case telephone switches) to talk to each other. It maps onto the OSI 7 Layer Reference Model model as such: --------------- ------------------------------ Application 7 OMAP | ASE | --------------- ------------- Presentation 6 TCAP | --------------- ------------- Session 5 | --------------- | ISDN-UP Transport 4 | --------------- -------------- SCCP | Network 3 ------------------------------ MTP Level 3 --------------- ------------------------------ Data Link 2 MTP Level 2 --------------- ------------------------------ Physical 1 MTP Level 1 --------------- ------------------------------ Legend: OMAP: Operations, Maintenance and Administration Part ASE : Application Service Layer TCAP: Transaction Capabilities Application Part SCCP: Signaling Connection Control Part ISDN-UP: Integrated Systems Digital Network User Part MTP : Message Transfer Part This article will provide an introduction to how the network is set up, how messaging is done, and a brief example of a call setup/takedown. 0o0o0o0o0o0o0o0o0o0o0o0o0 o History o 0o0o0o0o0o0o0o0o0o0o0o0o0 AT&Ts introduction of CCIS (Common Channel Interoffice Signaling) in 1976 brought a radical change to the way signaling was handled. Before the advent of CCIS all signaling was done in band using the same trunks that would be used for customer conversations. Instead of sending all information over the voice circuits (trunks) a new network was created specifically for signaling. AT&T began immediate deployment of CCIS technology and the CCITT (Consultative Committee for International Telephone and Telegraph) adopted it as an international standard called SS6 (Signaling System 6). The current version of the protocol is CCS7 (Common Channel Signaling System 7) and is prevalent throughout North America. 0o0o0o0o0o0o0o0o0o0o0o0o0 o Switches o 0o0o0o0o0o0o0o0o0o0o0o0o0 CCS7 networks are based on a mesh of links connecting switches like the following: ###(SP) {SCP}---A---[STP] -B-- [STP] # | / | \ / | \ # F / | \ / | \ # | / C BB C \ ########### ###(SSP) D | / \ | \ # # # | \ / [STP] -B-- [STP] D (SSP)---F # # A A / / / \ \ A | # # | \ / / A \ \ | | # # [STP] --B- [STP] / / \ [STP] --B- [STP]-A-(SSP)## # | \ / | D {SCP} D | \ / | | # # | \ / | / \ | \ / | | # # C BB C / \ C BB C | # # | / \ | / \ | / \ | | # # [STP] --B- [STP] [STP] --B- [STP] | # # | | | # # |--(SSP) |--------E---------| # # # # ########################################################################### # = Trunks - = CCS7 links Explanation: STP (Signal Transfer Point): STPs are tandem switches which act as the routers of the CCS7 network. They transfer messages between incoming and outgoing signaling links but do not originate messages other then those used for network management. Since their sole function is to act as routers, STPs have NO trunks attached to them. STPs are grouped into mated pairs. These pairs are grouped into the quads you see in the above diagram. This is all done for the sake of redundancy. SCP (Signal Control Point): SCPs act as the application database servers for the CCS7 network. SSPs make database queries through the STPs to the SCPs for such things as 800 number lookups. As they are not used for direct line connections SCPs also do not have trunks attached to them. SCPs are the least common type of switch; for instance, in Canada, there are only two SCPs, one of which is in Calgary, the other in Toronto. SSP (Service Switching Point) and SP (Service Point): SSPs and SPs are the most common switches (despite my diagram :)) and are deployed as EO (End Office) switches and in PBXs (Private Branch Exchanges). On average each SSP can handle about 100,000 - 125,000 lines. Of course the amount of trunks actually available on the switch is considerably smaller then the amount of incoming lines; the telcos have various modeling algorithms that predict the maximum amount of trunks that will actually be used which is why occasionally when, say, a U2 concert hits town a switch can run out of available trunks as people rush the phones for tickets. SSPs and SPs differ only on that the former can enact SCP database queries while the latter cannot. 0o0o0o0o0o0o0o0o0o0o0o0o0 o Links o 0o0o0o0o0o0o0o0o0o0o0o0o0 A CCS7 link is nothing more then a dedicated 56/64K trunk. There are various classifications of link types: (Refer to the previous diagram for examples) A Links: Connect SSP/SPs and SCPs to STPs. B (Bridge) Links: Connect two STP pairs together to form an STP quad. C (Cross) Links: Connect mated STP pairs together. D Links: Interconnect STP quads. E Links: Connect SSP/SPs or SCPs to a STP pair other than their "home" pair. F Links: Connect SSP/SPs and SCPs to each other. Links are joined together to form linksets. A linkset is defined as all the links connecting one node in the network to another node. Directly analogous to linksets are routesets which map out the paths to all the other nodes in the network by associating a cost with each possible linkset the message could go out on. If that sounded confusing (and I know it did) here is a small example. Consider the following subsection from our bigger network: ###(SP1) # | # | # | ###(SSP1) # | \ # L1 L2 # | \ # [STP1] ---- [STP2]-- # | \ / | | # | \ / | | # | \/ | | # | / \ | | # [STP3] ---- [STP4] | # \ / # (SSP2) # # ###################### Say SSP1 wants to send a message to SSP2. The routeset to SSP2 on SSP1 will be datafilled with two possible linksets that could be used; namely the ones going to STP1 and STP2. However, it's obvious that using L2 would be more efficient, taking 2 hops instead of 3, via L1. On the switch this would be noted by L2 having a lower cost than L1. 0o0o0o0o0o0o0o0o0o0o0o0o0 o Call Setup Example o 0o0o0o0o0o0o0o0o0o0o0o0o0 Call setup and takedown using CCS7 is handled by a subset of the protocol called ISDN-UP (Integrated Services Digital Network User Part). There are many messages belonging in this subset but only five are needed to make a phone call. Let's say I want to call Dr. Sardu using the network from the previous example. The good doctor's phone is serviced by SSP2 while mine is serviced by SSP1. When I pick up my phone the switch will detect that it is off the hook and send a dial tone. After dialing, an IAM (Initial Address Message) will go out on the network from SSP1 to SSP2. Assuming all goes well (the phone is not busy, etc...) an ACM (Address Complete Message) will come back from SSP2 to SSP1. It is at this time that I hear the first ring tone in my receiver. The moment the other party picks up and all the trunks are seized an ANM (Answer Message) is sent from SSP2 to SSP1 and upon reception of this message billing starts (A few ms of free phone time. Woo woo!). When the conversation is complete and one party hangs up, its switch will send an REL (Release Message) and upon reception the other party will hear the "click" of the phone being hung up. When he then hangs up the final RCL (Release Complete) message will be sent and the seized trunks will return to idle. ----[ EOF