On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core. Patrick Traynor @Gatech; Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La Porta @Psu. ACM CCS 2009.
Before Introduction… we have background knowledge!
Background Knowledge • Core Network in GSM • Reference: http://www.mobile01.com/topicdetail.php?f=18&t=1753
Background Knowledge (cont.) • Glossary • MSC: Mobile Switching Center • Acts as a telephony switch and delivers circuit-switched traffic in a GSM network • Handoff (handover) / Roaming • Updates information with the HLR
Background Knowledge (cont.) • HLR: Home Location Register • Users are assigned to specific HLRs based on their phone number • The central repository of user profile data • VLR: Visitor Location Register • Each MSC has a VLR • VLRs save all information about the cellphones in this Location Area
Outline • Introduction • Overview of Cellular Systems • Attack Overview • Characterizing HLR Performance • Profiling Network Behavior • Attack Characterization • Avoiding Wireless Bottlenecks • Attack Mitigation • Conclusion
Introduction • Denial of Service attacks on HLR • Botnets as small as 11750 phones can cause a reduction of throughput of more than 90% • Contributions: • Attack Characterization and Quantification • Reduce Adversary’s Workload • Provide Intelligent Control Mechanisms
Overview of Cellular Systems • Mobile Phone Architecture • Application Processor • Support normal OS functionality • Baseband Processor • Establish telephony and data links • Invoke network supported services • When a process needs to use the network, the Application Processor passes an AT command to the Baseband Processor
Overview of Cellular Systems (cont.) • Mobile OS • Windows Mobile, Android, Mobile OS X… • Are just beginning to implement basic security mechanisms • Memory protection and separation of privilege • 10% of cellular users downloaded games at least once a month in 2007
Attack Overview • [Figure: attacker and legitimate user]
Attack Overview (cont.) • Different from DoS on the Internet • Mobile devices cannot transmit entirely arbitrary requests to HLR • Such requests must be made in a manner such that unnecessary traffic or side effects are not generated
Characterizing HLR Performance • Telecom One (TM1) Benchmarking Suite • MQTh: Maximum Qualified Throughput • Setting: • HLR: • Xeon 2.3 GHz * 2 + 8 GB RAM • Linux 2.6.22 • MySQL 5.0.45 or SolidDB v6.0
Characterizing HLR Performance • Normal HLR Behavior • The number of subscribers per HLR • Reality: 100000 ~ five million • The rate and type of service requests
Characterizing HLR Performance • MQTh vs. number of subscribers
Characterizing HLR Performance • MySQL • Only caching data and indexes are stored in memory • SolidDB • All in memory
Characterizing HLR Performance • Different commands on MySQL
Characterizing HLR Performance • Different commands vs Number of subscribers
Profiling Network Behavior • Setting: • Nokia 9500 with Symbian S80 • Motorola A1200 with Linux kernel 2.4.20 • Live cellular network • AT command + 2 sec delay • Repeated 200 times during low-traffic hours • Immediate execution caused extended delays on some phones
Profiling Network Behavior (cont.) • GPRS Attach: update_location
Profiling Network Behavior (cont.) • Avg: 2.5 sec // Peak: 3 sec
Profiling Network Behavior (cont.) • Comparison: GPRS Detach
Profiling Network Behavior (cont.) • GPRS Attach • Turnaround time: • 3 sec response time + 2 sec command delay • 0.2 commands per second • But only one in five commands reaches the HLR • 0.2/5 = 0.04 commands per second
Profiling Network Behavior (cont.) • Call Waiting: update_subscriber_data
Profiling Network Behavior (cont.) • Avg: 2.5 sec
Profiling Network Behavior (cont.) • Call Waiting • Turnaround time: • 2.5 sec + 2 sec • 0.22 commands per second • Better than update_location
Profiling Network Behavior (cont.) • Insert/Delete Call Forwarding • insert_call_forwarding / delete_call_forwarding
Profiling Network Behavior (cont.) • Avg: 2.7 sec (insert) / 2.5 sec (delete)
Profiling Network Behavior (cont.) • Insert Call Forwarding • 0.21 commands per second • Extra database read • Delete Call Forwarding • 0.19 commands per second • Can only be sent if call forwarding is enabled • Choose insert_call_forwarding
Attack Characterization • The effect of an attack on HLR with 1 million users (MySQL)
Attack Characterization • With SolidDB
Attack Characterization • MySQL: • Normal condition: 11750 infected mobile phones • 1.2% • High traffic: 23500 infected mobile phones • 2.4% • SolidDB: • 141000 infected mobile phones • 14.1%
Avoiding Wireless Bottlenecks • Random Access Channel (RACH) Capacity • TDMA • Timeslot: 0.577 ms • A frame: 8 timeslots = 4.615 ms • Slotted ALOHA protocol
Avoiding Wireless Bottlenecks • Max throughput S • S is maximized at 37% when G=1 • G is the number of transmission attempts per timeslot
Avoiding Wireless Bottlenecks • The offered load, G, also known as ρ, is defined as: • λ is the arrival rate in commands per second • 1/μ is the channel hold time (4.615 ms) • ρ = 1/0.004615 * 0.37 = 80 transmissions per sec
Avoiding Wireless Bottlenecks • The attack would need to be distributed over α base stations:
Avoiding Wireless Bottlenecks • Standalone Dedicated Control Channels (SDCCH) • Sectors in GSM allocate 8 or 12 SDCCHs • We hold SDCCH for 2.7 sec (insert_call_forwarding)
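Added example, not from the slides or the paper's authors: a Python model of the air-interface limits from the "Avoiding Wireless Bottlenecks" slides, showing which channel caps the HLR-bound signalling load one sector can carry. It assumes the standard slotted ALOHA throughput S = G·e^(-G), which the slides reference without showing, and a per-phone rate of 1/(2.7 s response + 2 s delay); all function names are illustrative.

```python
import math

# Figures taken from the slides.
FRAME_S = 0.004615        # one TDMA frame (8 timeslots of 0.577 ms)
ICF_RESPONSE_S = 2.7      # avg insert_call_forwarding response = SDCCH hold time
COMMAND_DELAY_S = 2.0     # delay inserted between AT commands
BOTNET_SIZES = (11750, 23500, 141000)   # MySQL normal, MySQL high traffic, SolidDB

def slotted_aloha_throughput(g):
    """Fraction of slots carrying a successful transmission at offered load g.
    Assumption: the standard slotted ALOHA result S = G * e^-G."""
    return g * math.exp(-g)

def rach_capacity():
    """Peak successful RACH requests per second per sector (G = 1)."""
    return slotted_aloha_throughput(1.0) / FRAME_S

def sdcch_capacity(channels, hold_s=ICF_RESPONSE_S):
    """Commands per second a sector sustains when each holds an SDCCH for hold_s."""
    return channels / hold_s

def per_phone_rate(response_s=ICF_RESPONSE_S, delay_s=COMMAND_DELAY_S):
    """Commands per second one handset can issue."""
    return 1.0 / (response_s + delay_s)

def aggregate_rate(phones):
    """Total insert_call_forwarding load offered by `phones` handsets."""
    return phones * per_phone_rate()

def sector_ceiling(channels):
    """The tighter of the two air-interface limits for one sector."""
    return min(rach_capacity(), sdcch_capacity(channels))

def min_sectors(load, channels):
    """Fewest sectors that can carry `load`; below this spread the air
    interface saturates before the load reaches the HLR."""
    # round() absorbs floating-point noise on exact quotients before ceil()
    return math.ceil(round(load / sector_ceiling(channels), 6))

def summary():
    """(phones, commands/sec, sectors at 8 SDCCHs, sectors at 12 SDCCHs)."""
    return [(n, round(aggregate_rate(n)),
             min_sectors(aggregate_rate(n), 8),
             min_sectors(aggregate_rate(n), 12)) for n in BOTNET_SIZES]

if __name__ == "__main__":
    print(f"RACH  : {rach_capacity():6.1f} req/s per sector")
    for ch in (8, 12):
        print(f"SDCCH : {sdcch_capacity(ch):6.2f} cmd/s per sector ({ch} channels)")
    for row in summary():
        print("phones=%d load=%d/s sectors(8)=%d sectors(12)=%d" % row)
```

Under these assumptions the SDCCH pool, not the RACH, is the binding per-sector limit, which is why signalling load concentrated in few sectors never reaches the HLR at full rate.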
Command and Control • Internet Coordination • 3G • Local Wireless Coordination • Bluetooth / WiFi • Indirect Local Coordination • Via RACH
Attack Mitigation • HLR Replication? • Filtering • Call gapping
Conclusion • Small botnets composed entirely of mobile phones pose significant threats to the availability of these networks • The C&C channel is more challenging in this environment