
On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core

Patrick Traynor @ Gatech; Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La Porta @ PSU. ACM CCS 2009.


Presentation Transcript


  1. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Traynor @Gatech Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La Porta @Psu ACM CCS 2009

  2. Before Introduction… We have background knowledge!

  3. Background Knowledge • Core Network in GSM • Reference: http://www.mobile01.com/topicdetail.php?f=18&t=1753

  4. Background Knowledge (cont.) • Glossary • MSC: Mobile Switching Center • Acts as a telephony switch and delivers circuit-switched traffic in a GSM network • Handoff (handover) / Roaming • Updates information with the HLR

  5. Background Knowledge (cont.) • HLR: Home Location Register • Users are assigned to specific HLRs based on their phone number • The central repository of user profile data • VLR: Visitor Location Register • Each MSC has a VLR • VLRs save all information about the cellphones in this Location Area

  6. Outline • Introduction • Overview of Cellular Systems • Attack Overview • Characterizing HLR Performance • Profiling Network Behavior • Attack Characterization • Avoiding Wireless Bottlenecks • Attack Mitigation • Conclusion

  7. Introduction • Denial of Service attacks on HLR • Botnets as small as 11750 phones can cause a reduction of throughput of more than 90% • Contributions: • Attack Characterization and Quantification • Reduce Adversary’s Workload • Provide Intelligent Control Mechanisms

  8. Overview of Cellular Systems • Mobile Phone Architecture • Application Processor • Support normal OS functionality • Baseband Processor • Establish telephony and data links • Invoke network supported services • When a process needs to use the network, the Application Processor passes an AT command to the Baseband Processor

  9. Overview of Cellular Systems (cont.) • Mobile OS • Windows Mobile, Android, Mobile OS X… • Only beginning to implement basic security mechanisms • Memory protection and separation of privilege • 10% of cellular users downloaded games at least once a month in 2007

  10. Attack Overview Attacker Legitimate User

  11. Attack Overview (cont.) • Different from DoS on the Internet • Mobile devices cannot transmit entirely arbitrary requests to HLR • Such requests must be made in a manner such that unnecessary traffic or side effects are not generated

  12. Characterizing HLR Performance • Telecom One (TM1) Benchmarking Suite • MQTh: Maximum Qualified Throughput • Setting: • HLR: • Xeon 2.3 GHz * 2 + 8 GB RAM • Linux 2.6.22 • MySQL 5.0.45 or SolidDB v6.0

  13. Characterizing HLR Performance • Normal HLR Behavior • The number of subscribers per HLR • Reality: 100000 ~ five million • The rate and type of service requests

  14. Characterizing HLR Performance • MQTh vs. Number of subscribers

  15. Characterizing HLR Performance • MySQL • Only caching data and indexes are stored in memory • SolidDB • All in memory

  16. Characterizing HLR Performance • Different commands on MySQL

  17. Characterizing HLR Performance • Different commands vs Number of subscribers

  18. Profiling Network Behavior • Setting: • Nokia 9500 with Symbian S80 • Motorola A1200 with Linux kernel 2.4.20 • Live cellular network • AT command + 2 sec delay • Repeat 200 times during low traffic hours • Some phones showed extended delays under immediate execution

  19. Profiling Network Behavior (cont.) • GPRS Attach: update_location

  20. Profiling Network Behavior (cont.) • Avg: 2.5 sec // Peak: 3 sec

  21. Profiling Network Behavior (cont.) • Comparison: GPRS Detach

  22. Profiling Network Behavior (cont.) • GPRS Attach • Turnaround time: • 3 sec response time + 2 sec command delay • 0.2 commands per second • But only one in five commands reaches the HLR • 0.2/5 = 0.04 commands per second

  23. Profiling Network Behavior (cont.) • Call Waiting: update_subscriber_data

  24. Profiling Network Behavior (cont.) • Avg: 2.5 sec

  25. Profiling Network Behavior (cont.) • Call Waiting • Turnaround time: • 2.5 sec + 2 sec • 0.22 commands per second • Better than update_location

  26. Profiling Network Behavior (cont.) • Insert/Delete Call Forwarding • insert_call_forwarding / delete_call_forwarding

  27. Profiling Network Behavior (cont.) • Avg: 2.7 sec (insert) / 2.5 sec (delete)

  28. Profiling Network Behavior (cont.) • Insert Call Forwarding • 0.21 commands per second • Extra database read • Delete Call Forwarding • 0.19 commands per second • Can only be sent if call forwarding is enabled • Choose insert_call_forwarding

  29. Attack Characterization • The effect of an attack on HLR with 1 million users (MySQL)

  30. Attack Characterization • With SolidDB

  31. Attack Characterization • MySQL: • Normal condition: 11750 infected mobile phones • 1.2% • High traffic: 23500 infected mobile phones • 2.4% • SolidDB: • 141000 infected mobile phones • 14.1%

  32. Avoiding Wireless Bottlenecks • Random Access Channel (RACH) Capacity • TDMA • Timeslot: 0.577 ms • A frame: 8 timeslots = 4.615 ms • Slotted ALOHA protocol

  33. Avoiding Wireless Bottlenecks • Max throughput S • S is maximized at 37% when G=1 • G is the number of transmission attempts per timeslot

  34. Avoiding Wireless Bottlenecks • The offered load, G, also known as ρ, is defined as: • λ is the arrival rate in commands per second • 1/μ is the channel hold time (4.615 ms) • ρ = 1/0.004615 * 0.37 = 80 transmissions per sec
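
Added example (not from the paper or the slides): the slotted-ALOHA relation S = G·e^(-G) behind slides 33-34, checked against a small simulation, showing the ceiling on successful RACH accesses per second and that offered load beyond G = 1 lowers throughput. The formula is the standard slotted-ALOHA result for Poisson arrivals; the function names, slot count and seed are assumptions.

```python
import math
import random

FRAME_S = 0.004615  # one RACH opportunity per TDMA frame (slides 32 and 34)

def aloha_throughput(g):
    """Analytical slotted-ALOHA throughput: successes per slot, S = G * e^-G."""
    return g * math.exp(-g)

def poisson(rng, mean):
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(g, slots=200_000, seed=1):
    """Fraction of slots carrying exactly one attempt, i.e. no collision."""
    rng = random.Random(seed)
    ok = sum(1 for _ in range(slots) if poisson(rng, g) == 1)
    return ok / slots

def rach_successes_per_second(g):
    """Successful channel accesses per second on one RACH at offered load g."""
    return aloha_throughput(g) / FRAME_S

if __name__ == "__main__":
    for g in (0.25, 0.5, 1.0, 2.0, 4.0):
        print(f"G={g:<4} analytic={aloha_throughput(g):.3f} "
              f"simulated={simulate(g):.3f} "
              f"successes/s={rach_successes_per_second(g):.1f}")
```

With the unrounded maximum e^(-1) ≈ 0.368 the ceiling comes out just under 80 per second; the slide's 80 uses the rounded 0.37.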

  35. Avoiding Wireless Bottlenecks • The attack would need to be distributed over α base stations:

  36. Avoiding Wireless Bottlenecks • Standalone Dedicated Control Channels (SDCCH) • Sectors in GSM allocate 8 or 12 SDCCHs • We hold SDCCH for 2.7 sec (insert_call_forwarding)

  37. Command and Control • Internet Coordination • 3G • Local Wireless Coordination • Bluetooth / WiFi • Indirect Local Coordination • Via RACH

  38. Attack Mitigation • HLR Replication? • Filtering • Call gapping
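
Added example (not from the paper or the slides): one way the filtering and call-gapping bullets could look as admission checks in front of the HLR, run over constructed request records. The record layout, subscriber placeholders, window, threshold and gap values are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# HLR-bound operations (names as used on slides 19-28).
HLR_OPS = {"update_location", "update_subscriber_data",
           "insert_call_forwarding", "delete_call_forwarding"}

def flag_subscribers(events, window_s=60.0, max_requests=5):
    """Per-subscriber filter: return {subscriber: time first flagged} for any
    subscriber with more than max_requests HLR operations inside window_s."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, imsi, op in sorted(events):
        if op not in HLR_OPS:
            continue
        q = recent[imsi]
        q.append(ts)
        while ts - q[0] > window_s:      # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(imsi, ts)
    return flagged

def call_gap(events, gap_s=1.0):
    """Call gapping: per operation type, admit a request only if at least
    gap_s has passed since the last admitted one; return admitted events."""
    last, admitted = {}, []
    for ts, imsi, op in sorted(events):
        if op in last and ts - last[op] < gap_s:
            continue                     # rejected before it reaches the HLR
        last[op] = ts
        admitted.append((ts, imsi, op))
    return admitted

def sample_events():
    """Constructed records: (seconds, subscriber placeholder, operation)."""
    # Ten devices each repeating insert_call_forwarding every 4.7 s
    # (2.7 s response + 2 s delay, slides 18 and 27), staggered by 0.1 s.
    events = [(d * 0.1 + i * 4.7, f"imsi-bot-{d}", "insert_call_forwarding")
              for d in range(10) for i in range(20)]
    # An ordinary subscriber: one forwarding change and one location update.
    events += [(12.0, "imsi-user", "insert_call_forwarding"),
               (40.0, "imsi-user", "update_location")]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("flagged:", sorted(flag_subscribers(ev)))
    print("admitted after gapping:", len(call_gap(ev)), "of", len(ev))
```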

  39. Conclusion • Small botnets composed entirely of mobile phones pose significant threats to the availability of these networks • The C&C channel is more challenging in this environment
