Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks
Patrick Traynor, William Enck, Patrick McDaniel, and Thomas La Porta| MobiCom ‘06
CS712 병렬처리특강 | Dependable Software Lab. | Lee Dong Kun
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Simulation Result Conclusion
2 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Introduction
Cellular Network System Traditional cellular(phone) network system provided closed voice
comm. Currently cellular network system provides opened voice and data
comm.
Service Interconnection Phone network service and Internet service are interconnected by
telecommunication provider. Problems
Traditional phone networks had designed for only homogeneous closed system. But current phone networks tightly interconnected with phone network and
Internet. Unexpected security problems occur
Heavy SMS traffics can flood over the phone network through Internet services.
3 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Result and Discussion Conclusion
4 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Related Work| Vulnerability and Approaches
Traditional Solution Disconnection method
Disconnect from external network – effective way in the past Not effective anymore, because of new access pattern and
service Vulnerability
Telecomm. Networks are not only systems to suffer from vulnerabilities related to expanded connectivity.
Systems less directly connected to the Internet have also been subject to attack.
DoS(Denial of Service) Attack Traditional DoS attack happen on the online web site. Reported DoS accident over the phone networks
5 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Result and Discussion Conclusion
6 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
System characterization(I)| Message Delivery Overview
7 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
System characterization(I)| Message Delivery Overview – logical channel
TCH(Transfer Channel) Carry voice traffic after call setup
CCH(Control Channel) Transport information about the network Assist in call setup/SMS delivery
8 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Attack characterization(II)| System Vulnerability – Attack Phase Step
9 KAIST | Dependable Software Lab | Direito Lee([email protected])
Recognition(identification of a vulnerability)
Reconnaissance(characterization of the conditions necessary to attack the
vulnerability)
Exploit(attacking the vulnerability)
Recovery(cleanup and forensics)
KAIST | Dependable Software Lab | Direito Lee([email protected])
Attack characterization(II)| System Vulnerability – Attach Phase Step
Recognition Vul. of GSM cellular network in this paper
Problem : Bandwidth allocation in air interface(call blocking)
Shared SDCCHs Problem Voice Communication SMS
Reconnaissance Using tools, an attacker can easily construct a “hit-
list” of potential targets. Exploit
Saturating sectors to their SDCCH capacity for some period of time
10 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Attack Characterization| Experimental Attack Characterization
Events Characterization Deploy a detailed GSM simulator Base scenario
Cellular deployment in the scale of metropolitan. i.e.,) Manhattan
12 SDCCHs / each of 55 sectors No pre-SDCCH queue Assume a Poisson distribution for the arrival of text
message
11 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Result and Discussion Conclusion
12 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Mitigation Technique(I)| Current Solution
Goal Not only protect voice services from targeted SMS
attacks,But also allow SMS service to continue.
Current Deployed Solution : Edge Solution Rate-Limiting Solution
Restrict the amount of messages on each IP Drawbacks : Spoof IP and Existence of Zombie network
Filter SMS traffic Similar to SPAM filtering methodology Drawback : An adversary can bypass by generating
legitimate looking SMS traffic
13 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Mitigation Technique(II)| Queue Management
Queue Management Technique(Network-based) Weighted Fair Queuing(WFQ)
Fair Queuing(FQ) Separate flows into individual queues and then
apportions bandwidth equally between them(Round Robin)
Drawback : small time for packet to be transferred
Weighted Fair Queue(WFQ) in this paper To solve FQ drawback, set priority to each flow. Voice Call has higher priority compare to SMS Install two queue on SDCCHs for Voice Call and SMS
14 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Mitigation Technique(II)| Queue Management(cont.) Weighted Random Early Detection(WRED) Random Early Detection(RED)
Prevent queue lockout by dropping packets base on Qavg Weighted Random Early Detection(WRED)
Determine the victims to be dropped base on packet’s priority
15 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Mitigation Technique(III)| Resource Provisioning
Resource Provisioning(Air Interface) Strict Resource Provisioning(SRP)
Some subset of SDCCH is only for Voice Call Voice Call and SMS are shared other SDCCHs.
Dynamic Resource Provisioning(DRP) If a small number of unused TCHs could be repurposed as
SDCCHs,additional bandwidth could be provided to mitigate such attack.
Drawback : increase call blocking because of TCH exhaustion
Direct Channel Allocation(DCA) The ideal means of eliminating the competition for resource
- the separation of shared mechanism. Separate SDCCHs to only Call setup and only SMS, strictly
16 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Result and Discussion Conclusion
17 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Simulation Result(I)| Queue Management Technique
18 KAIST | Dependable Software Lab | Direito Lee([email protected])
WFQ vs. WRED
KAIST | Dependable Software Lab | Direito Lee([email protected])
Simulation Result(II)| Queue Management Technique
19 KAIST | Dependable Software Lab | Direito Lee([email protected])
SRP vs. DRP vs. DCA
KAIST | Dependable Software Lab | Direito Lee([email protected])
Contents
Introduction Related Work System/Attack Characterization Mitigation Technique
Current Solution Queue Management Resource Provisioning
Result and Discussion Conclusion
20 KAIST | Dependable Software Lab | Direito Lee([email protected])
KAIST | Dependable Software Lab | Direito Lee([email protected])
Conclusion
Vulnerability by SMS-based DOS over the phone Network Adversaries with limited resources can cause call
blocking probabilities(70%) – incapacitating a cellular network
This work provides some preliminary solutions and analysis for these vulnerabilities. Queue Management Scheme Resource Provisioning
Future works Seek more general solution that address these
vulnerabilities
21 KAIST | Dependable Software Lab | Direito Lee([email protected])