Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Patrick Traynor, William...

Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks

Patrick Traynor, William Enck, Patrick McDaniel, and Thomas La Porta| MobiCom ‘06

CS712 병렬처리특강 | Dependable Software Lab. | Lee Dong Kun

KAIST | Dependable Software Lab | Direito Lee([email protected])

Contents

Introduction Related Work System/Attack Characterization Mitigation Technique

Current Solution Queue Management Resource Provisioning

Simulation Result Conclusion

2 KAIST | Dependable Software Lab | Direito Lee([email protected])


Introduction

Cellular Network System Traditional cellular(phone) network system provided closed voice

comm. Currently cellular network system provides opened voice and data

comm.

Service Interconnection Phone network service and Internet service are interconnected by

telecommunication provider. Problems

Traditional phone networks had designed for only homogeneous closed system. But current phone networks tightly interconnected with phone network and

Internet. Unexpected security problems occur

Heavy SMS traffics can flood over the phone network through Internet services.



Contents



Result and Discussion Conclusion



Related Work| Vulnerability and Approaches

Traditional Solution Disconnection method

Disconnect from external network – effective way in the past Not effective anymore, because of new access pattern and

service Vulnerability

Telecomm. Networks are not only systems to suffer from vulnerabilities related to expanded connectivity.

Systems less directly connected to the Internet have also been subject to attack.

DoS(Denial of Service) Attack Traditional DoS attack happen on the online web site. Reported DoS accident over the phone networks



Contents






System characterization(I)| Message Delivery Overview



System characterization(I)| Message Delivery Overview – logical channel

TCH(Transfer Channel) Carry voice traffic after call setup

CCH(Control Channel) Transport information about the network Assist in call setup/SMS delivery



Attack characterization(II)| System Vulnerability – Attack Phase Step


Recognition(identification of a vulnerability)

Reconnaissance(characterization of the conditions necessary to attack the

vulnerability)

Exploit(attacking the vulnerability)

Recovery(cleanup and forensics)


Attack characterization(II)| System Vulnerability – Attach Phase Step

Recognition Vul. of GSM cellular network in this paper

Problem : Bandwidth allocation in air interface(call blocking)

Shared SDCCHs Problem Voice Communication SMS

Reconnaissance Using tools, an attacker can easily construct a “hit-

list” of potential targets. Exploit

Saturating sectors to their SDCCH capacity for some period of time



Attack Characterization| Experimental Attack Characterization

Events Characterization Deploy a detailed GSM simulator Base scenario

Cellular deployment in the scale of metropolitan. i.e.,) Manhattan

12 SDCCHs / each of 55 sectors No pre-SDCCH queue Assume a Poisson distribution for the arrival of text

message



Contents






Mitigation Technique(I)| Current Solution

Goal Not only protect voice services from targeted SMS

attacks,But also allow SMS service to continue.

Current Deployed Solution : Edge Solution Rate-Limiting Solution

Restrict the amount of messages on each IP Drawbacks : Spoof IP and Existence of Zombie network

Filter SMS traffic Similar to SPAM filtering methodology Drawback : An adversary can bypass by generating

legitimate looking SMS traffic



Mitigation Technique(II)| Queue Management

Queue Management Technique(Network-based) Weighted Fair Queuing(WFQ)

Fair Queuing(FQ) Separate flows into individual queues and then

apportions bandwidth equally between them(Round Robin)

Drawback : small time for packet to be transferred

Weighted Fair Queue(WFQ) in this paper To solve FQ drawback, set priority to each flow. Voice Call has higher priority compare to SMS Install two queue on SDCCHs for Voice Call and SMS



Mitigation Technique(II)| Queue Management(cont.) Weighted Random Early Detection(WRED) Random Early Detection(RED)

Prevent queue lockout by dropping packets base on Qavg Weighted Random Early Detection(WRED)

Determine the victims to be dropped base on packet’s priority



Mitigation Technique(III)| Resource Provisioning

Resource Provisioning(Air Interface) Strict Resource Provisioning(SRP)

Some subset of SDCCH is only for Voice Call Voice Call and SMS are shared other SDCCHs.

Dynamic Resource Provisioning(DRP) If a small number of unused TCHs could be repurposed as

SDCCHs,additional bandwidth could be provided to mitigate such attack.

Drawback : increase call blocking because of TCH exhaustion

Direct Channel Allocation(DCA) The ideal means of eliminating the competition for resource

- the separation of shared mechanism. Separate SDCCHs to only Call setup and only SMS, strictly



Contents






Simulation Result(I)| Queue Management Technique


WFQ vs. WRED


Simulation Result(II)| Queue Management Technique


SRP vs. DRP vs. DCA


Contents






Conclusion

Vulnerability by SMS-based DOS over the phone Network Adversaries with limited resources can cause call

blocking probabilities(70%) – incapacitating a cellular network

This work provides some preliminary solutions and analysis for these vulnerabilities. Queue Management Scheme Resource Provisioning

Future works Seek more general solution that address these

vulnerabilities


Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Patrick Traynor, William...

Documents

Transcript of Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Patrick Traynor, William...