Yavuz Selim ÖZZENGİN Hacettepe Üniversitesi Bilgisayar ...abc/teaching/bil... · Home Location...
Transcript of Yavuz Selim ÖZZENGİN Hacettepe Üniversitesi Bilgisayar ...abc/teaching/bil... · Home Location...
Yavuz Selim ÖZZENGİN
Hacettepe Üniversitesi
Bilgisayar Mühendisliği Bölümü
Outline� Introduction
� Overview of Cellular Systems
� Attack Overview
Charactering HLR Performance� Charactering HLR Performance
� Profiling Network Behavior
� Attack Characterization
� Avoiding Wireless Bottlenecks
� Conclusion
Introduction� Denial of Service attacks on HLR
� Botnets as small as 11750 phones can cause a reduction of throughput of more than 90%of throughput of more than 90%
Overview of Cellular Systems� Network Architecture and Components
� Home Location Register (HLR)
� Mobile Switching Centers (MSCs)
� Visiting Location Register (VLR)� Visiting Location Register (VLR)
� Serving GPRS Support Node (SGSN)
Overview of Cellular Systems (cont.)� Mobile Phone Architecture
� Application Processor
� Baseband Processor
Overview of Cellular Systems(cont.)� Mobile OS
� Windows Mobile, Android, Mobile OS X…
� 10% of cellular users downloaded games at least once a � 10% of cellular users downloaded games at least once a month in 2007
Attack Overview
Attacker
Legitimate UserLegitimate User
Attack Overview (cont.)� Different from DoS on the Internet
� Mobile devices cannot transmit entirely arbitrary requests to HLRrequests to HLR
� Such requests must be made in a manner such that unnecessary traffic or side effects are not generated
Characterizing HLR Performance� Types of HLR service requests
Characterizing HLR Performance� Different commands on MySQL
Characterizing HLR Performance� Different commands vs Number of subscribers
Profiling Network Behavior (cont.)� GPRS Attach: update_location
Profiling Network Behavior (cont.)� Avg: 2.5 sec // Peak: 3 sec
Profiling Network Behavior (cont.)� Call Waiting: update_subscriber_data
Profiling Network Behavior (cont.)� Avg: 2.5 sec
Profiling Network Behavior (cont.)� Avg: 2.7 sec (insert) / 2.5 sec (delete)
Attack Characterization� The effect of an attack on HLR with 1 million users
(MySQL)
Attack Characterization� With SolidDB
Attack Characterization� MySQL:
� Normal condition: 11750 infected mobile phones
� High traffic: 23500 infected mobile phones� High traffic: 23500 infected mobile phones
� SolidDB:� 141000 infected mobile phones
Avoiding Wireless Bottlenecks� Random Access Channel (RACH) Capacity
� TDMA� Timeslot: 0.577 ms
� A frame: 8 timeslots = 4.615 ms� A frame: 8 timeslots = 4.615 ms
� Slotted ALOHA protocol
Avoiding Wireless Bottlenecks� Max throughput S
S is maximized at 37% when G=1
GGeS
−=� S is maximized at 37% when G=1
� G is the number of transmission attempts per timeslot
GeS =
Avoiding Wireless Bottlenecks� The offered load, G, also known as ρ, is defined as:
λρ =
� λ is the arrival rate in commands per second
� 1/μ is the channel hold time (4.615 ms)
� ρ = 1/0.004615 * 0.37 = 80 transmission per sec
µρ =
Avoiding Wireless Bottlenecks� The attack would need to be distributed over α base
stations:
ecmessages/s 5000=α
stations base 21
.ions/sec transmissRACH 80 * llsectors/ce 3
ecmessages/s 5000
=
=
α
α
Avoiding Wireless Bottlenecks� Standalone Dedicated Control Channels (SDDCH)
� Sectors in GSM allocate 8 or 12 SDCCHs
� We hold SDCCH for 2.7 sec (insert_call_forwarding)
stations base 37537.0*12*3
5000
* SDCCHs * sectors
msgs/sec
37.07.2
1
SDCCH
SDCCH
==
=
==
α
ρα
ρ
Conclusion� Small botnets composed entirely of mobile phones
pose significant threats to the availability of these network
� C & C channel is more challenging in this environment
QUESTIONS?QUESTIONS?