Yavuz Selim ÖZZENGİN

Hacettepe Üniversitesi

Bilgisayar Mühendisliği Bölümü

Outline� Introduction

� Overview of Cellular Systems

� Attack Overview

Charactering HLR Performance� Charactering HLR Performance

� Profiling Network Behavior

� Attack Characterization

� Avoiding Wireless Bottlenecks

� Conclusion

Introduction� Denial of Service attacks on HLR

� Botnets as small as 11750 phones can cause a reduction of throughput of more than 90%of throughput of more than 90%

Overview of Cellular Systems� Network Architecture and Components

� Home Location Register (HLR)

� Mobile Switching Centers (MSCs)

� Visiting Location Register (VLR)� Visiting Location Register (VLR)

� Serving GPRS Support Node (SGSN)

Overview of Cellular Systems (cont.)� Mobile Phone Architecture

� Application Processor

� Baseband Processor

Overview of Cellular Systems(cont.)� Mobile OS

� Windows Mobile, Android, Mobile OS X…

� 10% of cellular users downloaded games at least once a � 10% of cellular users downloaded games at least once a month in 2007

Attack Overview

Attacker

Legitimate UserLegitimate User

Attack Overview (cont.)� Different from DoS on the Internet

� Mobile devices cannot transmit entirely arbitrary requests to HLRrequests to HLR

� Such requests must be made in a manner such that unnecessary traffic or side effects are not generated

Characterizing HLR Performance� Types of HLR service requests

Characterizing HLR Performance� Different commands on MySQL

Characterizing HLR Performance� Different commands vs Number of subscribers

Profiling Network Behavior (cont.)� GPRS Attach: update_location

Profiling Network Behavior (cont.)� Avg: 2.5 sec // Peak: 3 sec

Profiling Network Behavior (cont.)� Call Waiting: update_subscriber_data

Profiling Network Behavior (cont.)� Avg: 2.5 sec

Profiling Network Behavior (cont.)� Avg: 2.7 sec (insert) / 2.5 sec (delete)

Attack Characterization� The effect of an attack on HLR with 1 million users

(MySQL)

Attack Characterization� With SolidDB

Attack Characterization� MySQL:

� Normal condition: 11750 infected mobile phones

� High traffic: 23500 infected mobile phones� High traffic: 23500 infected mobile phones

� SolidDB:� 141000 infected mobile phones

Avoiding Wireless Bottlenecks� Random Access Channel (RACH) Capacity

� TDMA� Timeslot: 0.577 ms

� A frame: 8 timeslots = 4.615 ms� A frame: 8 timeslots = 4.615 ms

� Slotted ALOHA protocol

Avoiding Wireless Bottlenecks� Max throughput S

S is maximized at 37% when G=1

GGeS

−=� S is maximized at 37% when G=1

� G is the number of transmission attempts per timeslot

GeS =

Avoiding Wireless Bottlenecks� The offered load, G, also known as ρ, is defined as:

λρ =

� λ is the arrival rate in commands per second

� 1/μ is the channel hold time (4.615 ms)

� ρ = 1/0.004615 * 0.37 = 80 transmission per sec

µρ =

Avoiding Wireless Bottlenecks� The attack would need to be distributed over α base

stations:

ecmessages/s 5000=α

stations base 21

.ions/sec transmissRACH 80 * llsectors/ce 3

ecmessages/s 5000

=

=

α

α

Avoiding Wireless Bottlenecks� Standalone Dedicated Control Channels (SDDCH)

� Sectors in GSM allocate 8 or 12 SDCCHs

� We hold SDCCH for 2.7 sec (insert_call_forwarding)

stations base 37537.0*12*3

5000

* SDCCHs * sectors

msgs/sec

37.07.2

1

SDCCH

SDCCH

==

=

==

α

ρα

ρ

Conclusion� Small botnets composed entirely of mobile phones

pose significant threats to the availability of these network

� C & C channel is more challenging in this environment

QUESTIONS?QUESTIONS?