1 / 42

Android Network Stack and Enhancement (3G/ WiFi , IPV4/IPV6, SIP/VoIP)

www.kandroid.org. Android Network Stack and Enhancement (3G/ WiFi , IPV4/IPV6, SIP/VoIP). Mar-11-2011 (Fri). Geunsik Lim ( Nick:인베인 ) leemgs.at.gmail.com blog.naver.com/ invain. 본 문서는 비상업적 용도에 한해서 자 유롭게 수정 및 재배포 가능 하며 , 자료출처를 명시해야만 합니다 . . CONTENTS.

chelsa
Download Presentation

Android Network Stack and Enhancement (3G/ WiFi , IPV4/IPV6, SIP/VoIP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. www.kandroid.org Android NetworkStackandEnhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP) Mar-11-2011 (Fri) Geunsik Lim (Nick:인베인) leemgs.at.gmail.com blog.naver.com/invain • 본 문서는비상업적용도에한해서자유롭게수정 및 재배포가능하며, 자료출처를 명시해야만 합니다.

  2. CONTENTS Android Network Technology Session Computer Network Understanding Linux Network Internals Network Terminology (3G/WiFi, IPV4/IPV6, SIP/VoIP) Differences Between IPv4 and IPv6 Network Information Management on Android Phone Traffic Monitoring using tcpdump/netstat (including DNS Resolver) Android Phone Attack using structural vulnerability Connections between Network Instruments and Android Platform References Conclusion Appendix: Network Scheduler for QoS, Network App for Study

  3. What is Computer Network? A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communications channels that facilitate communications among users and allows users to share resources. A computer network allows sharing of resources and information among interconnected devices. * Source: wikipedia

  4. Overlay Network An overlay network is a virtual computer network that is built on top of another network. Nodes in the overlay are connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. For example, many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The Internet was initially built as an overlay on the telephone network . IP Layer SONET/SDH Layer Optical Layer Site Layer

  5. Overview of Network Stack The OSI model remains an important reference point for networking discussions even though it never took off for a variety of reasons. The TCP/IP model covers most of the protocols used by computers today. OSI Model (7Layer) TCP/IP Models (4Layer) Data unit Layers Data unit Layers 4 3 2 1 Host Layers data Application Network Process to Application Message Application (SIP, HTTP, FTP, DNS, DHCP, IMAP, SMTP, SSH, XMPP, RTP, RTSP, H323) 7 6 5 4 3 2 1 data Presentation Data Representation & Encryption data Session Internet Communication segments Transport End-to-End Connections a& Reliability Segment Transport (TCP/UDP) Media Layers packets Network Path Determination & Logical Addressing(IP) Datagram/Packet Internetwork (IPv4,IPv6, ICMP, IGMP, ARP) frames Data link Physical Addressing (MAC & LLC) Frame Link Layer or Host-to-network (Ethernet,Token Ring) bits Physical Media, Signal and Binary Transmission

  6. Understanding Linux Network Internals  Combination of each layer by kernel functions As we have seen, each layer provides a variety of protocols. Each protocol is handled by a different set of kernel functions. Thus, as the packet travels back up the stack, each protocol must figure out which protocol is being used by the next-higher layer, and invoke the proper kernel function to handle the packet. Message A B C D Transport Header /web/site1.html Transport Layer Payload Network Header Src port=5000Dst port=80 /web/site1.html Network Layer Payload Link Layer Header Src IP=100.100.100.100 Dst IP=101.101.101.011 Transport Protocol=TCP Src port=5000Dst port=80 /web/site1.html Link Layer Payload Src IP=00:20:e1:77:00:02 Dst IP=00:21:e6:32:00:01 Internet Protocol Src IP=100.100.100.100 Dst IP=101.101.101.011 Transport Protocol=TCP Src port=5000Dst port=80 /web/site1.html Headers compiled by layers: (a...d) on Host X as we travel down the stack; on Router RT X .

  7. Understanding Linux Network Internals  Android Linux Networking Architecture tcpdump tftp TELNET PING Application Layer(INET) Application User space Kernel space BSD Socket Interface User space Kernel space PF_INET PF_INET PF_PACKET PF_INET Berkeley Socket Interface UDP TCP . . . . . Transport L4 Protocol Layer IPV4 ARP … Network Device Driver Interface/ queuing Discipline Network L3(ptype_base) Physical Device Driver Neighboring dev_queue_xmit Physical Device and Media Device Drivers Link

  8. Understanding Linux Network Internals /proc files used by the IPv4 routing subsystem / proc net sys route rt_acct rt_cache ip_mr_cache ip_mr_vif stat inet_init ip_rt_initip_mr_initfib_proc_init rt_cache net Ipv4/v6 ip_forward icmp_echo_ignore_boradcasts route conf error_burst error_cost flush gc_elasticity gc_interval gc_min_interval_ms gc_thresh gc_timeout min_delay max_delay max_size min_adv_mss min_pmtu mtu_expires redirect_load redirect_number redirect_silence secret_interval default all wlan0 lo rmnet0 accept_redirects accept_source_route forwarding mc_forwarding rp_filter secure_redirects send_redirects log_martians devinet_init inetdev_init

  9. Understanding Linux Network Internals CPU's ingress queues • The device driver stores in the net_device structure the time its most recent frame was received, and netif_rx stores the time the frame was received in the buffer itself. The local CPU ID is needed to retrieve the data structure associated with that CPU in a per-CPU vector, such as the following code in netif_rx:queue = &_ _get_cpu_var(softnet_data); rmnet0 rmnet1 Rmnet n . . . . . . RxComplete DMADone CPU 0 CPU 1 net_dev_max_backlog (300) completion_queue input_pkt_queue input_pkt_queue completion_queue . . . . . . . . . . . . softnet_data softnet_data

  10. 3G/WiFi, IPV4/IPV6, SIP/VoIP • 3G: 3 세대이동통신기술 (아날로그셀룰러폰이 1세대, 디지털PCS가 2세대이다.)을 위한 ITU 규격이다. 3G는 장치가정지해있거나또는걷는정도의속도로움직일때에는최고 384 Kbps까지, 그리고차에서는 128 Kbps, 그리고고정장착되어있는경우에는2Mbps까지 전송속도를높일 수 있다. • Wi-Fi: 무선이더넷호환성협회 즉, WECA에서 802.11b 무선이더넷표준에대해제공하고있는로고이다. 호환성을가진 PC 카드 및 컴퓨터는 Wi-Fi 로고를사용할 수 있다. WECA의임무는 Wi-Fi 제품의상호운용성을보증하고, Wi-Fi가 전 세계의무선랜표준이되도록추진하는데있다. (/system/etc/apns-conf.xml ) • IPv4(Internet Protocol version 4): Internet Protocol 4번째 판이며, 전 세계적으로사용된 첫 번째인터넷프로토콜이다. IETF RFC 791(1981년 9월)에 기술되어있다. IPv4는 패킷교환네트워크상에서데이터를교환하기위한프로토콜이다. • IPv6(Internet Protocol version 6): Internet Protocol 스택중 네트워크계층의프로토콜로써version 6 Internet Protocol로제정된차세대인터넷프로토콜을 말한다. IPv6와 기존 IPv4 사이의가장 큰 차이점은바로 IP 주소의길이가 128비트로 늘어났다는점이다. • VoIP (Voice over IP): IP를 사용하여 음성정보를 전달하는 일련의 설비들을 위한 IP 전화기술이다. 기존 IP 네트웍을 그대로 활용해 전화서비스를 통합 구현함으로써 전화 사용자들이 시내전화 요금만으로 인터넷, 인트라넷 환경에서 시외 및 국제전화 서비스를 받을 수 있음. (H.323, SIP, RTP, SDP, IMS, MGCP) • SIP(Session Initiation Protocol): IETF에서 정의한 시그널링 프로토콜로 음성과 화상 통화 같은 멀티미디어 세션을 제어하기 위해 널리 사용되며, 하나 이상의 참가자들이 함께 세션을 만들고, 수정하고 종료할 수 있게 한다. (2002년 7월 RFC 3261 표준)

  11. Differences Between IPv4 and IPv6 1/2 The IPv4 address space is 2^32, or 4,294,967,296, possible addresses (a little over 4 billion). In contrast, the IPv6 address space is 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38) possible addresses. IPv6 Internet Native IPv6 IPv6 host Native IPv6 IPv6 host 6to4 Server/relay 6to4 Server/relay IPv4 Internet 6to4 tunnel 6to4 tunnel 6to4 tunnel 6to4 router 6to4 router Native IPv6 IPv6 island IPv6 island

  12. Differences Between IPv4 and IPv6 2/2 * IHL: internet header length * Details: RFC3697 Flow Label Version Traffic Class Version IHL Type of Service Total Length Fragment Offset Flags Identification Payload Length Next Header HopLimit 20 Octets Time to Live Protocol Header Checksum Source Address Source Address 40 Octets Destination Address Options Padding LEGEND Destination Address Field’s name kept from IPv4 to Ipv6 Field not kept in IPv6 Name and position changed in IPv6 New field in IPv6 CPU Process the Hop-by-Hop EH Network Scheduler IN H/W Engine Out Payload Upper Layer Hop by Hop Main header Router

  13. Android Manifest.{permission | permission_group} for Network Android Manifest.permission_group for Network Android Manifest.permission for Network * Source: http://developer.android.com/reference/android/Manifest.permission.html

  14. How to Get Network Information ( 1/3) http://developer.android.com/reference/android/net/ConnectivityManager.html • Collect network information with Connectiovity Manager (android.net.ConnectivityManager) • Permission - manifest.xml • <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE” /> • <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE” /> • <uses-permission android:name=“android.permission.CHANGE_WIFI_STATE” /> • Method to get Network Info • public intgetNetworkInfo() { • int result = 3; • ConnectivityManagerconnectivityManager; • NetworkInfonetworkInfo; • connectivityManager = (ConnectivityManager) this.getSystemService(Context.CONNECTIVITY_SERVICE); • networkInfo = connectivityManager.getActiveNetworkInfo(); • if (networkInfo == null) { • result = 2; • } else { • if (networkInfo.getType() == 0) result = 0; // 3G MOBILE • else result = 1; // WIFI NETWORK • } • return result; • }

  15. How to Get Network Information ( 2/3) • Method to get WiFi Information • public void getWifiInfo() { • WifiManagerwifimanager; • wifimanager = (WifiManager) getSystemService(Context.WIFI_SERVICE); • WifiInfo info = wifimanager.getConnectionInfo(); • String ssid = info.getSSID(); • tvWifi.setText("SSID : " + ssid ); • currwifi = "SSID : " + ssid; • if (!currwifi.equals(prevwifi)) • { • strwifi = strwifi + "SSID : " + ssid + "\n"; • prevwifi = currwifi; • } • tvWifi.setText(strwifi); • } * SSID: Service Set IDentifier • * WiFiManager wifi = (WifiManager) getSystemService(WIFI_SERVICE); • * DhcpInfo info = wifi.getDhcpInfo();

  16. How to Get Network Information ( 3/3) Permission - manifest.xml <uses-permission android:name=“android.permission.USE_SIP” /> <uses-permission android:name=“android.permission.RECORD_AUDIO” /> <uses-permission android:name=“android.permission.MODIFY_AUDIO_SETTING” /> • Method to get SIP/VoIP Information according to SipManager (on Gingerbread) • public static SipManagernewInstance(Context context) { • return (isApiSupported(context) ? new SipManager(context) : null); • } • private SipManager(Context context) { • mContext = context; • createSipService(); • } • private void createSipService() { • IBinder b = ServiceManager.getService(Context.SIP_SERVICE); • mSipService = ISipService.Stub.asInterface(b); * SipManagerCreation public SipAudioCallmakeAudioCall(SipProfilelocalProfile, SipProfilepeerProfile, SipAudioCall.Listener listener, int timeout) throws SipException { SipAudioCall call = new SipAudioCall(mContext, localProfile); call.setListener(listener); SipSession s = createSipSession(localProfile, null); … call.makeCall(peerProfile, s, timeout); return call; } * SipAudioCall

  17. Hidden Secret Code *#*#4636#*#* for general settings like GSM/CDMA - IMEI (International Mobile Equipment Identity) - Phone number (if known) - Current network - Ping test - Signal strength - Location (signal latency & Cell ID) - Neighboring Cell IDs - Roaming state - GSM service status - GPRS service status - Current network type - Message waiting status - Call redirect status - Call status *#*#8255#*#* for Gtalk service monitor - Google Talk host address & port - Your Google JID (presumably Jabber ID, as GTalk is based on Jabber IRC) - Your Device ID (presumably hashed from something) - GTalk connection status - GTalk heartbeat status IMEI

  18. Network Protocols for Android * RAW protocol: This protocol is one of the common computer languages that documents are translated  into and then sent to a networked printer. The printer interprets the protocol and prints the document.

  19. Traffic Monitoring using tcpdump 1/2 Cross Compiling tcpdump source on Linux Distribution Get the latest source for libpcap and tcpdump from http://www.tcpdump.org 1. Compile libpcap source rhel6$> tar zxvf libpcap-1.1.1.tar.gz rhel6$> cd libpcap-1.1.1/ rhel6$> CC=arm-kandroid-gccac_cv_linux_vers=2 ./configure --host=arm-linux --with-pcap=linux rhel6$> make 2. Compile tcpdump source rhel6$> cd .. rhel6$> tar zxvf tcpdump-4.1.1.tar.gz rhel6$> cd tcpdump-4.1.1/ rhel6$> CC=arm-kandroid-gccac_cv_linux_vers=2 ./configure --host=arm-linux --with-pcap=linux rhel6$> vi ./Makefile a. remove the -O2 flag and add the -static flag to the linker (LD_FLAGS += -static) b. If you get the following error: undefined reference to `__isoc99_sscanf‘ , add #define _GNU_SOURCE in the faulty .c files. rhel6$> make

  20. Traffic Monitoring using tcpdump 2/2 3. Copy to the android-rootfs based on NFS rhel6$> sudo cp tcpdump /opt/android-rootfs/ 4. Run tcpdump rhel6#us> sudo ./adb devices ???????????? no permissions rhel6#us> sudo ./adb kill-server rhel6#us> sudo ./adb shell android#> cd /data/local android#> chmod 777 tcpdump-arm android#> ./tcpdump-arm -i rmnet0 not port 23 (ignoring telnet traffic on port 23)

  21. Tcpdump source in Android Official Repository Git Repository http://android.git.kernel.org/platform/external/tcpdump.git manifest #> vi ./mydroid-froyo/.repo/manifest.xml <project path="external/tcpdump" name="android/platform/external/tcpdump" /> Binary Files ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/tcpdump ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/LINKED/tcpdump ./out/target/product/harmony/symbols/system/bin/tcpdump ./out/target/product/harmony/system/xbin/tcpdump Android App Android market - Search – Download “Shark for Root (native)” software

  22. Network Monitoring with wireshark on Host PC 1/3 rhel6$> adb shell tcpdump -i any -p -s 0 -w /sdcard/data.pcap ... do whatever you want to capture, then “Ctrl+C” to stop it ... rhel6$> adb pull /sdcard/data.pcap . rhel6$> sudo yum install wireshark # or ethereal, if you're still old version rhel6$> wireshark ./capture.pcap# or ethereal ... look at your packets and be wise ...

  23. Network Monitoring with wireshark on Host PC 2/3

  24. Network Monitoring with wireshark on Host PC 3/3 Utilize Shark for Root / Shark Reader software locally on Android Phone.

  25. Unix Socket Connection Information * Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node PID/Program name Path unix 2 [ ACC ] STREAM LISTENING 966 1328/qmuxd /data/radio/qmux_connect_socket unix 2 [ ACC ] STREAM LISTENING 194631 26528/com.kt.iwlan /data/data/com.kt.iwlan/sock_kaf unix 2 [ ] DGRAM 1194 1341/lgospd /data/misc/lgosp/ipc_diag unix 2 [ ] DGRAM 446966 19994/com.kt.wifisv /data/misc/wifi/kaf/kafif_svr unix 2 [ ] DGRAM 427196 19052/com.lge.osp /data/misc/lgosp/ipc_usbctrl unix 2 [ ] DGRAM 427197 19052/com.lge.osp /data/misc/lgosp/ipc_usbdata unix 2 [ ] DGRAM 1199 1341/lgospd /data/misc/lgosp/ipc_fs_access unix 2 [ ] DGRAM 427199 19052/com.lge.osp /data/misc/lgosp/ipc_gr * * * * * Middle Omission * * * * * unix 2 [ ] STREAM 194614 23815/app_process unix 3 [ ] STREAM CONNECTED 13410 5792/adbd unix 3 [ ] STREAM CONNECTED 13409 5792/adbd unix 3 [ ] STREAM CONNECTED 2300 1330/rild /dev/socket/rild unix 3 [ ] STREAM CONNECTED 2299 1536/com.android.ph unix 3 [ ] STREAM CONNECTED 2014 1331/zygote /dev/socket/zygote unix 3 [ ] STREAM CONNECTED 2013 1435/system_server unix 3 [ ] STREAM CONNECTED 1227 1329/lgesystemd /dev/socket/lgesystemd unix 3 [ ] STREAM CONNECTED 1994 1435/system_server unix 3 [ ] STREAM CONNECTED 1926 1325/vold /dev/socket/vold unix 3 [ ] STREAM CONNECTED 1925 1435/system_server unix 3 [ ] STREAM CONNECTED 1915 1326/netd /dev/socket/netd unix 3 [ ] STREAM CONNECTED 1914 1435/system_server unix 3 [ ] STREAM CONNECTED 1900 1336/dbus-daemon /dev/socket/dbus unix 3 [ ] STREAM CONNECTED 1899 1435/system_server unix 3 [ ] STREAM CONNECTED 1165 1338/installd /dev/socket/installd unix 3 [ ] STREAM CONNECTED 1400 1435/system_server unix 2 [ ] DGRAM 1367 1435/system_server unix 3 [ ] STREAM CONNECTED 1261 1328/qmuxd /data/radio/qmux_connect_socket unix 3 [ ] STREAM CONNECTED 1229 1336/dbus-daemon unix 3 [ ] STREAM CONNECTED 1228 1336/dbus-daemon unix 2 [ ] DGRAM 1200 1341/lgospd unix 2 [ ] DGRAM 1196 1341/lgospd unix 2 [ ] DGRAM 1195 1341/lgospd unix 3 [ ] STREAM CONNECTED 924 1/init unix 3 [ ] STREAM CONNECTED 923 1/init

  26. Network Monitoring with netstat command 1/2 RMNET(Mobile network interface in Linux kernel-speak) is what Google use for Android to connect to the internet to transmit the message to the MMSC server . The interface names "rmnet0”correspond respectively to EDGE/3G and Wi-Fi. http://freshmeat.net/projects/net-tools/ http://code.google.com/p/android-group-korea/downloads/list /proc/net/dev /sys/class/net/<rmnet0>/address/sys/class/net/<rmnet0>/statistics/{rx|tx}_packets

  27. Network Monitoring with netstat command 2/2 Under the Hood of App Inventor for Android http://aschillings.co.uk/html/under_the_hood.html cat /proc/devicescat /proc/meminfocat /proc/mountscat /proc/net/arpcat /proc/net/if_inet6cat /proc/net/ipv6_routecat /proc/net/routecat /proc/net/wirelesscat /proc/versiondf -ahgetpropdalvik.vm.execution-modegetpropdalvik.vm.heapsizegetpropgsm.version.basebandgetpropro.build.fingerprintgetpropro.product.versiongetpropro.sf.lcd_densityifconfig -aip -f inet6 addrip -f inet6 route showipaddrip route showlsmodnetcfgnetstat -apnWnetstat -rpnWpsroute -A inet6 -nroute -nuname -a

  28. DNS Resolver (RFC 3484 ) 2/2 * RFC 3484 - http://tools.ietf.org/html/rfc3484 * ANDROID-RFC3484 - "RFC 3484 support for Android", 2010, Bionic uses a NetBSD-derived resolver library which has been modified in the following ways: 1. don't implement the name-server-switch feature (a.k.a. <nsswitch.h>) 2. read /system/etc/resolv.confinstead of /etc/resolv.conf ( ./bionic/libc/netbsd/net/getaddrinfo.c) 3. read the list of servers from system properties(getprop/setprop). the code looks for 'net.dns1', 'net.dns2', etc.. Each property should contain the IP address of a DNS server. These properties are set/modified by other parts of the Android system (e.g. the dhcpd daemon). The implementation also supports per-process DNS server list, using the properties 'net.dns1.<pid>', 'net.dns2.<pid>', etc... Where <pid> stands for the numerical ID of the current process. 4. when performing a query, use a properly randomized Query ID (instead of a incremented one), for increased security. 5. when performing a query, bind the local client socket to a random port for increased security. 6. get rid of *many* unfortunate thread-safety issues in the original code * Sources: Android Official Repository

  29. DNS Resolver (RFC 3484 ) 2/2 # getprop [ro.secure]: [1] [ro.allow.mock.location]: [0] [ro.debuggable]: [0] [persist.service.adb.enable]: [1] [ro.factorytest]: [0] . . . . . Middle Omission . . . . . . [net.dns1]: [8.8.8.8] [net.dns2]: [8.8.4.4] [gsm.current.phone-type]: [1] [gsm.operator.numeric]: [22110] [gsm.operator.alpha]: [Kandroid Broadband IT] [gsm.operator.iso-country]: [it] [gsm.operator.isroaming]: [false] [gsm.version.baseband]: [11.23.35.13H_3.35.03.20] [EXTERNAL_STORAGE_STATE]: [mounted] [gsm.network.type]: [UMTS] [gsm.data.network.type]: [UMTS] [gsm.sim.change]: [false] [gsm.cb.max.channel]: [15]

  30. Case Study: Android Phone Attack with DDoS 1/2 # for CPU Load 100% 49.56.XXX.XXX (rmnet0) PORT STATE SERVICE 21/tcp filtered ftp 22/tcp filtered ssh 23/tcp filtered telnet 79/tcp filtered finger 80/tcp filtered http 135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 707/tcp filtered unknown 903/tcp filtered iss-console-mgr 1025/tcp filtered NFS-or-IIS 1433/tcp filtered ms-sql-s 1521/tcp filtered oracle 3306/tcp filtered mysql 3389/tcp filtered ms-term-serv 4444/tcp filtered krb524 5000/tcp filtered UPnP 5900/tcp filtered vnc 6101/tcp filtered VeritasBackupExec 6667/tcp filtered irc 8080/tcp filtered http-proxy 17300/tcp filtered kuang2 KRNIC /APNIC. [ ISP Organization Information ] Org Name : Korea Android Freetel Corp. Service Name 7THWING Org Address : seoul-city kandroid-dong Org Detail Address: 306 [ ISP IPv4 Admin Contact Information ] Name : HONG, GILDONG Phone : +82-2-7127-1473 E-Mail : superuser@kandroid.com [ ISP IPv4 Tech Contact Information ] Name : HONG, GILDONG Phone : +82-2-7127-147 E-mail : network@kandroid.com [ ISP Network Abuse Contact Information ] Name : YANG, DEOLPOOL Phone : +82-2-210-9765 E-mail : admin@kandroid.com rcvbuf is not enough to hold preload  OOM PING-based Distributed Denial of Service (DDoS) attacks while true; do ping -l 100000 -s 10 -f 49.56.xx.xx & ; sleep 2; done & 05:26:14.396126 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 45, length 64 05:26:14.396281 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 45, length 64 05:26:15.406084 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 46, length 64 05:26:15.406349 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 46, length 64 05:26:16.396119 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 47, length 64 . . . . . . . . . . . . . . . http://www.youtube.com/watch?v=kQwXJfQmoSk Demo:

  31. Case Study: Android Phone Attack with DDoS 2/2  DDoS Attacks (Distributed Denial-of-Service Attack): 분산되어 있는 다수의 시스템들이 하나의 표적 시스템을 공격하여 DoS [e.g :crash, halt, freeze]를 발생시키는 공격기법 1. Buffer OverFlow(BOF)Attack:컴퓨터의 한정된 메모리 공간과 처리속도 문제를 이용한 OverFlow 공격 기법 2. SYN Flooding: Three-Way Hand Shaking 연결에서 표적시스템의 응답에 침묵을 하는 방법 3. UDP Flooding: 공격자가 서비스를 수신할 IP주소를 표적 시스템의 IP주소로 변경하여 Traffic 과부하 방법 4. Smurf Attack: 공격자가 Src IP주소를 표적시스템의 IP주소로 바꾸어 ICMP Echo broadcast하여 Traffic 과부하 발생시키는 방법 5. Teardrop Attack: 눈물방울공격으로 불리며, 대량의 패킷을 아주 작은 조각으로 분리하여 전송하여 수신측에서패킷을 재조립하는 과정에서 패킷 순서정보에 대한 결합 로드를 주어 시스템 다운 공격 방법 (http://www.ietf.org/rfc/rfc3128.txt)

  32. Connections between Network and Android Network Instruments-based Android Diagram /com/android/settings/ /com/android/phone/sip Application Setting (WiFi/VPN) Phone APK Dialer SIP(Setting/Receiver/Caller) Phone App Application Framework Telephony.SIP Package(com.android.internal.telephony.sip) (framework/base/voip/java/android/net) Network Audio/Video WiFipackage (android.net.wifi) VPN Package (android.net.vpn) SIP Package(android.net.sip) RTP Package (android.net.rtp) SIP Stack(NIST-SIP) external/nist-sip/* JNI System/Functional Libraries bionic RTP(C++) (arpa/inet)

  33. Connections between Network and Android SIP Architecture PBX(private branch exchange) PSTN IPBX SIP proxy/registrar Directory(OpenLDAP) kandroid’s network Phone SIP-PSTN Gateway RADIUS Server (FreeRADIUS) Phone SIP Phone Access router internet SoftPhone User

  34. Connections between Network and Android SIP Connection Flow IP Phone SIP Phone A SIP Phone B IP Phone SIP Proxy SIP/SDP INVITE SIP/SDP INVITE Status: 100 Trying Status: 183 Session Progress Status: 183 Session Progress Status: 200OK LAN Status: 200OK SIP ACK IP Phone SIP ACK RTP/RTSP Stream IP PBX SignalingVoice Stream SIP: BYE SIP: BYE Status: 200OK Status: 200OK IP Phone IP Phone

  35. Connections between Network and Android Session and Audio Control SipBroadCaseReceiver action_sip_add_profile Service SIP Manager Registering with a SIP Server PhoneFactory SIP Object Creation & Call API SipService SIP AUDIO Call Creating a SIP Manager SipPhoneFactory SIP Session Management SIP Manager SDP SipSessionGroup Audio control SipPhone Simple Session Description SIP Session SipCall SipHelper SipConnection Classes and Interfaces SipStack Audio Stream (RTP Stream Inheritance) Making an Audio Call SipAudioCall SipSession Audio Group Receiving Calls SipAudioCallListener RTP Audio Codec •Initiating SIP sessions. •Initiating and receiving calls. •Registering and unregistering with a SIP provider. •Verifying session connectivity. android.net.sip android.net.rtp SimpleSessionDescriptioin • http://developer.android.com/resources/samples/SipDemo/index.html

  36. Conclusion Many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The device driver stores in the ‘net_device’ structure the time its most recent frame was received, and ‘netif_rx’ stores the time the frame was received in the buffer itself. We can manipulate to understand a lot of packets among the android mobile phone with tcpdump / wireshark. Utilize Shark for Root / Shark Reader software locally on Android Phone. RMNET is what Google use for Android to connect to the internet to transmit the message. Bionic uses a NetBSD-derived resolver(RFC3484) library which has been modified for mobile platform. Android 2.3(API level 9) Provides access to Session Initiation Protocol (SIP) functionality, such as making and answering VOIP calls using SIP. To control how Android Market filters your application from devices that do not support SIP, remember to add the following to the application's manifest. <uses-feature android:name="android.hardware.sip.voip" />

  37. Think Time for Healthy Network Traffic • How to reduce Google mail content ? • Actually Google mail client of android phone read too many network packet ( e.g: imap header, imap body, images, linked contents) • To reduce the contents of packet ASAP for good network traffic, We have to consider lighet-weight mail client directly with only imap header ). • Whenever we find new wireless network address(APN) because of movement of the users, Why do we always repeat load/unload sequence of wireless kernel module for WiFi? • Think best behavior of kernel functions for effective battery saving and performance improvement. • Our phone acquired too many network protocols, For example, We don't need unnecessary network protocol like RAW. • Do we always wait for the connection completion of WiFi over 5seconds at New street? We have to find improved approach for the fast connection with tiny DNS resolver and Weighted based APN sorting

  38. References TCP/IP Illustrated Book - Volume 1: The Protocols, Addison-Wesley, 1994.- Volume 2: The Implementation, Addison-Wesley, 1995.- Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols, Addison-Wesley, 1996. UNIX Network Programming Book- Volume 1, Second Edition: Networking APIs: Sockets and XTI, Prentice Hall, 1998.- Volume 2, Second Edition: Interprocess Communications, Prentice Hall, 1999 Android Developers Google Groups , http://groups.google.com/group/android-developers D. Andersen, H. Balakrishnan, M. Kaashoek, and R. Morris. Resilient Overlay Networks. In Proc. ACM SOSP, Oct. 2001. "Basic Components of a Local Area Network (LAN)". NetworkBits.net. Retrieved 2008-04-08. Android Developer Document , http://developer.android.com- android.net http://developer.android.com/reference/android/net/package-summary.html- android.net.sip http://developer.android.com/reference/android/net/sip/package-summary.html- android.net.wifi http://developer.android.com/reference/android/net/wifi/package-summary.html- SIP Demo http://developer.android.com/resources/samples/SipDemo/index.html Understanding Linux Network Internals. Author: Christian Benvenuti. Publisher: O'Reilly. XDA Forums, http://forum.xda-developers.com/

  39. Any Questions? THANKS

  40. Appendix: The WRR network scheduler for Linux  WRR(Weighted Round Robin) is a network scheduling module for Linux written by Christian Worm Mortensen. It has the ability to shape an internet connection without buying some expensive QoS solution from the ISP. It can even run on the firewall; thus making more efficient use of the firewall machine. WRR worked on 2.4 kernels from 2.4.17 and newer and on most (if not all) 2.6 kernels until 2.6.28. If you need similar traffic shaping for 2.6.29 or later, consider using DRR (Deficit Round Robin) which has similar (but not identical) functionality. I have not yet myself switched to DRR so I will not (currently) provide any guidelines. ☞ 080820 release This release is for 2.6.27 (tested). It will not work for older kernels. If you need support for older kernels, please use an older release below. It contains no new features but contains a one-line fix for an API change in 2.6.27. Please do not try 2.6.28 unless you are brave as it seems to have compatibility issues. Jabber: moffe@zz9.dkIRC: M0ffe at freenode, Undernet and Slashnet.

  41. Appendix: Open Source based Applications 1/2 http://code.google.com/p/android-labs/wiki/NetMeter NetMeter allows to trouble-shoot performance problems by letting the user see network and CPU usage over time. http://www.jaqpot.net/netcounter/ NetCounter is a network traffic counter for the Android platform. GPLv3 license # for Proxy-based network users invain$sl6> vi ~/.subversion/servers [global] http-proxy-host = 200.200.200.200 http-proxy-port = 8080

  42. Appendix: Open Source based Applications 2/2 Android network tester http://code.google.com/p/androidnetworktester/ Fast Network Tester for Android Free SIP/VoIP client for Android (GPLV3) http://code.google.com/p/sipdroid/ http://serweb.iptel.org/user/reg/ • Autorization Username : your-iptel-ID • Password : your-iptel-pass • Server of Proxy : sip.iptel.org • Domain : iptel.org • Port : 5060(default) • Protocol : UDP(default) • sip: 162595@iptel.org • sip: leemgs@iptel.org

More Related