Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP)

Similar presentations


Presentation on theme: "Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP)"— Presentation transcript:

1 Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP)
1 1 Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP) Mar (Fri) Geunsik Lim (Nick:인베인) leemgs.at.gmail.com blog.naver.com/invain 본 문서는 비상업적 용도에 한해서 자유롭게 수정 및 재배포 가능하며, 자료출처를 명시해야만 합니다.

2 2 2 CONTENTS Android Network Technology Session Computer Network Understanding Linux Network Internals Network Terminology (3G/WiFi, IPV4/IPV6, SIP/VoIP) Differences Between IPv4 and IPv6 Network Information Management on Android Phone Traffic Monitoring using tcpdump/netstat (including DNS Resolver) Android Phone Attack using structural vulnerability Connections between Network Instruments and Android Platform References Conclusion Appendix: Network Scheduler for QoS, Network App for Study Shih-wei Liao. 료세위 , Shih-wei Liao, a tech leader in google android team for toolchain, in COSCUP 본문서의 내용을 무단으로 복제하는 것은 저작 물 보호를 위해 금지 되어 있으므로, 복제가 필요한 경우 사전에 저자와의 허가를 득해야 하며, 이를 위반시에 법적 조치를 받으 실 수 있습니다.

3 What is Computer Network?
A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communications channels that facilitate communications among users and allows users to share resources. A computer network allows sharing of resources and information among interconnected devices. * Source: wikipedia

4 Overlay Network IP Layer SONET/SDH Layer Optical Layer Site Layer An overlay network is a virtual computer network that is built on top of another network. Nodes in the overlay are connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. For example, many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The Internet was initially built as an overlay on the telephone network . OSI Model The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model for short) is a layered abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection initiative. It is also called the OSI seven layer model

5 Overview of Network Stack
The OSI model remains an important reference point for networking discussions even though it never took off for a variety of reasons. The TCP/IP model covers most of the protocols used by computers today. OSI Model (7Layer) TCP/IP Models (4Layer) Data unit Layers Data unit Layers 4 3 2 1 Host Layers data Application Network Process to Application Message Application (SIP, HTTP, FTP, DNS, DHCP, IMAP, SMTP, SSH, XMPP, RTP, RTSP, H323) 7 6 5 4 3 2 1 data Presentation Data Representation & Encryption data Session Internet Communication segments Transport End-to-End Connections a& Reliability Segment Transport (TCP/UDP) Media Layers packets Network Path Determination & Logical Addressing(IP) Datagram/Packet Internetwork (IPv4,IPv6, ICMP, IGMP, ARP) OSI Model(Open System Interface) Model The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model for short) is a layered abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection initiative. It is also called the OSI seven layer model frames Data link Physical Addressing (MAC & LLC) Frame Link Layer or Host-to-network (Ethernet,Token Ring) bits Physical Media, Signal and Binary Transmission

6 Understanding Linux Network Internals
 Combination of each layer by kernel functions As we have seen, each layer provides a variety of protocols. Each protocol is handled by a different set of kernel functions. Thus, as the packet travels back up the stack, each protocol must figure out which protocol is being used by the next-higher layer, and invoke the proper kernel function to handle the packet. Message A B C D Transport Header /web/site1.html Transport Layer Payload Network Header Src port=5000 Dst port=80 /web/site1.html Link Layer Header Network Layer Payload Src IP= Dst IP= Transport Protocol=TCP Src port=5000 Dst port=80 /web/site1.html Link Layer Payload Src IP=00:20:e1:77:00:02 Dst IP=00:21:e6:32:00:01 Internet Protocol Src IP= Dst IP= Transport Protocol=TCP Src port=5000 Dst port=80 /web/site1.html Headers compiled by layers: (a...d) on Host X as we travel down the stack; on Router RT X .

7 Understanding Linux Network Internals
 Android Linux Networking Architecture tcpdump tftp TELNET PING Application Layer(INET) Berkeley Socket Interface Protocol Layer Network Device Driver Interface/ queuing Discipline Physical Device Driver Physical Device and Media User space Kernel space PF_INET User space Kernel space Application BSD Socket Interface PF_PACKET PF_INET UDP TCP Transport L4 IPV4 ARP Network L3(ptype_base) Neighboring OSI Model The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model for short) is a layered abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection initiative. It is also called the OSI seven layer model dev_queue_xmit Device Drivers Link

8 Understanding Linux Network Internals
 /proc files used by the IPv4 routing subsystem / proc sys net route rt_acct rt_cache ip_mr_cache ip_mr_vif stat inet_init net rt_cache ip_rt_init ip_mr_init fib_proc_init Ipv4/v6 ip_forward icmp_echo_ignore_boradcasts route conf error_burst error_cost flush gc_elasticity gc_interval gc_min_interval_ms gc_thresh gc_timeout min_delay max_delay max_size min_adv_mss min_pmtu mtu_expires redirect_load redirect_number redirect_silence secret_interval all default wlan0 lo rmnet0 accept_redirects accept_source_route forwarding mc_forwarding rp_filter secure_redirects send_redirects log_martians devinet_init inetdev_init

9 Understanding Linux Network Internals
 CPU's ingress queues The device driver stores in the net_device structure the time its most recent frame was received, and netif_rx stores the time the frame was received in the buffer itself. The local CPU ID is needed to retrieve the data structure associated with that CPU in a per-CPU vector, such as the following code in netif_rx: queue = &_ _get_cpu_var(softnet_data); rmnet0 rmnet1 Rmnet n RxComplete DMADone CPU 0 CPU 1 net_dev_max_backlog (300) completion_queue The device driver stores in the net_device structure the time its most recent frame was received, and netif_rx stores the time the frame was received in the buffer itself. Thus, one timestamp is associated with a device and the other one is associated with a frame. Note, moreover, that the two timestamps use two different precisions. The device driver stores the timestamp of the most recent frame in jiffies, which in kernel 2.6 comes with a precision of 10 or 1 ms, depending on the architecture (for instance, before 2.6, the i386 used the value 10, but starting with 2.6 the value is 1). netif_rx, however, gets its timestamp by calling get_fast_time, which returns a far more precise value. The ID of the local CPU is retrieved with smp_processor_id( ) and is stored in the local variable this_cpu: this_cpu = smp_processor_id( ); The local CPU ID is needed to retrieve the data structure associated with that CPU in a per-CPU vector, such as the following code in netif_rx: queue = &_ _get_cpu_var(softnet_data); input_pkt_queue input_pkt_queue completion_queue softnet_data softnet_data

10 3G/WiFi, IPV4/IPV6, SIP/VoIP
3G: 3 세대 이동통신 기술 (아날로그 셀룰러폰이 1세대, 디지털 PCS가 2세대이다.)을 위한 ITU 규격이다. 3G는 장치가 정지해 있거나 또는 걷는 정도의 속도로 움직일 때에는 최고 384 Kbps까지, 그리고 차에서는 Kbps, 그리고 고정 장착되어 있는 경우에는 2Mbps까지 전송 속도를 높일 수 있다. Wi-Fi: 무선 이더넷 호환성 협회 즉, WECA에서 b 무선 이더넷 표준에 대해 제공하고 있는 로고이 다. 호환성을 가진 PC 카드 및 컴퓨터는 Wi-Fi 로고를 사용할 수 있다. WECA의 임무는 Wi-Fi 제품의 상호 운용성을 보증하고, Wi-Fi가 전 세계의 무선랜 표준이 되도록 추진하는데 있다. (/system/etc/apns-conf.xml ) IPv4(Internet Protocol version 4): Internet Protocol 4번째 판이며, 전 세계적으로 사용된 첫 번째 인터 넷 프로토콜이다. IETF RFC 791(1981년 9월)에 기술되어 있다. IPv4는 패킷 교환 네트워크 상에서 데이터 를 교환하기 위한 프로토콜이다. IPv6(Internet Protocol version 6): Internet Protocol 스택 중 네트워크 계층의 프로토콜로써 version 6 Internet Protocol로 제정된 차세대 인터넷 프로토콜 을 말한다. IPv6와 기존 IPv4 사이의 가장 큰 차이점은 바로 IP 주소의 길이가 128비트로 늘어 났다는 점이다. VoIP (Voice over IP): IP를 사용하여 음성정보를 전달하는 일련의 설비들을 위한 IP 전화기술이다. 기존 IP 네트웍을 그대로 활용해 전화서비스를 통합 구현함으로써 전화 사용자들이 시내전화 요금만으로 인터넷, 인트라넷 환경에서 시외 및 국제전화 서비스를 받을 수 있음. (H.323, SIP, RTP, SDP, IMS, MGCP) SIP(Session Initiation Protocol): IETF에서 정의한 시그널링 프로토콜로 음성과 화상 통화 같은 멀티미디어 세션을 제어하기 위해 널리 사용되며, 하나 이상의 참가자들이 함께 세션을 만들고, 수정하고 종료할 수 있게 한다. (2002년 7월 RFC 3261 표준) H.323 IP Multimedia Subsystem (IMS) Media Gateway Control Protocol (MGCP) Session Initiation Protocol (SIP) Real-time Transport Protocol (RTP) Session Description Protocol (SDP)

11 Differences Between IPv4 and IPv6 1/2
The IPv4 address space is 2^32, or 4,294,967,296, possible addresses (a little over 4 billion). In contrast, the IPv6 address space is 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38) possible addresses. IPv6 Internet Native IPv6 IPv6 host Native IPv6 IPv6 host 6to4 Server/relay 6to4 Server/relay IPv Internet 6to4 tunnel 6to4 tunnel 6to4 tunnel 6to4 router 6to4 router Native IPv6 IPv6 island IPv6 island

12 Differences Between IPv4 and IPv6 2/2
* IHL: internet header length * Details: RFC3697 Version IHL Type of Service Total Length Version Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit 20 Octets Time to Live Protocol Header Checksum Source Address Source Address 40 Octets Destination Address Options Padding LEGEND Destination Address Field’s name kept from IPv4 to Ipv6 Field not kept in IPv6 Name and position changed in IPv6 New field in IPv6 CPU Process the Hop-by-Hop EH Network Scheduler IN H/W Engine Out Payload Upper Layer Hop by Hop Main header Router

13 Android Manifest.{permission | permission_group} for Network
Android Manifest.permission_group for Network Type Name Description String NETWORK Used for permissions that provide access to networking services. Android Manifest.permission for Network Type Name Description String ACCESS_NETWORK_STATE Allows applications to access information about networks ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks CHANGE_NETWORK_STATE Allows applications to change network connectivity state CHANGE_WIFI_MULTICAST_STATE Allows applications to enter Wi-Fi Multicast mode CHANGE_WIFI_STATE Allows applications to change Wi-Fi connectivity state INTERNET Allows applications to open network sockets. USE_SIP Allows an application to use SIP service RECORD_AUDIO Allows an application to record audio * Source:

14 How to Get Network Information ( 1/3)
Collect network information with Connectiovity Manager (android.net.ConnectivityManager) Permission - manifest.xml <uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE” /> <uses-permission android:name=“android.permission.ACCESS_WIFI_STATE” /> <uses-permission android:name=“android.permission.CHANGE_WIFI_STATE” /> Method to get Network Info public int getNetworkInfo() { int result = 3; ConnectivityManager connectivityManager; NetworkInfo networkInfo; connectivityManager = (ConnectivityManager) this.getSystemService(Context.CONNECTIVITY_SERVICE); networkInfo = connectivityManager.getActiveNetworkInfo(); if (networkInfo == null) { result = 2; } else { if (networkInfo.getType() == 0) result = 0; // 3G MOBILE else result = 1; // WIFI NETWORK } return result;

15 How to Get Network Information ( 2/3)
Method to get WiFi Information public void getWifiInfo() { WifiManager wifimanager; wifimanager = (WifiManager) getSystemService(Context.WIFI_SERVICE); WifiInfo info = wifimanager.getConnectionInfo(); String ssid = info.getSSID(); tvWifi.setText("SSID : " + ssid ); currwifi = "SSID : " + ssid; if (!currwifi.equals(prevwifi)) { strwifi = strwifi + "SSID : " + ssid + "\n"; prevwifi = currwifi; } tvWifi.setText(strwifi); * SSID: Service Set IDentifier * WiFiManager wifi = (WifiManager) getSystemService(WIFI_SERVICE); * DhcpInfo info = wifi.getDhcpInfo();

16 How to Get Network Information ( 3/3)
Permission - manifest.xml <uses-permission android:name=“android.permission.USE_SIP” /> <uses-permission android:name=“android.permission.RECORD_AUDIO” /> <uses-permission android:name=“android.permission.MODIFY_AUDIO_SETTING” /> Method to get SIP/VoIP Information according to SipManager (on Gingerbread) public static SipManager newInstance(Context context) { return (isApiSupported(context) ? new SipManager(context) : null); } private SipManager(Context context) { mContext = context; createSipService(); private void createSipService() { IBinder b = ServiceManager.getService(Context.SIP_SERVICE); mSipService = ISipService.Stub.asInterface(b); * SipManagerCreation public SipAudioCall makeAudioCall (SipProfile localProfile, SipProfile peerProfile, SipAudioCall.Listener listener, int timeout) throws SipException { SipAudioCall call = new SipAudioCall(mContext, localProfile); call.setListener(listener); SipSession s = createSipSession(localProfile, null); call.makeCall(peerProfile, s, timeout); return call; } * SipAudioCall

17 Hidden Secret Code *#*#4636#*#* for general settings like GSM/CDMA
- IMEI (International Mobile Equipment Identity) - Phone number (if known) - Current network - Ping test - Signal strength - Location (signal latency & Cell ID) - Neighboring Cell IDs - Roaming state - GSM service status - GPRS service status - Current network type - Message waiting status - Call redirect status - Call status *#*#8255#*#* for Gtalk service monitor - Google Talk host address & port - Your Google JID (presumably Jabber ID, as GTalk is based on Jabber IRC) - Your Device ID (presumably hashed from something) - GTalk connection status - GTalk heartbeat status IMEI

18 Network Protocols for Android
size sockets memory press maxhdr slab module cl co di ac HIDP 344 -1 NI no kernel n BNEP RFCOMM 352 SCO L2CAP 560 KEY 360 PACKET 392 RAWv6 616 yes y UDPLITEv6 600 UDPv6 TCPv6 1,184 4 5 292 PPPOPNS 416 PPPOLAC PPPOL2TP PPPOE UNIX 368 59 UDP-Lite 472 RAW 456 UDP 2 TCP 1,056 HCI NETLINK 384 8 /proc/net/protocols , ./net/core/sock.c 2094 static int proto_seq_show(struct seq_file *seq, void *v) 2095 { if (v == &proto_list) seq_printf(seq, "%-9s %-4s %-8s %-6s %-5s %-7s %-4s %-10s %s", "protocol", "size", "sockets", "memory", "press", "maxhdr", "slab", "module", "cl co di ac io in de sh ss gs se re sp bi br ha uh gp em\n"); else proto_seq_printf(seq, list_entry(v, struct proto, node)); return 0; 2110 } * RAW protocol: This protocol is one of the common computer languages that documents are translated  into and then sent to a networked printer. The printer interprets the protocol and prints the document.

19 Traffic Monitoring using tcpdump 1/2
Cross Compiling tcpdump source on Linux Distribution Get the latest source for libpcap and tcpdump from 1. Compile libpcap source rhel6$> tar zxvf libpcap tar.gz rhel6$> cd libpcap-1.1.1/ rhel6$> CC=arm-kandroid-gcc ac_cv_linux_vers=2 ./configure --host=arm-linux --with-pcap=linux rhel6$> make 2. Compile tcpdump source rhel6$> cd .. rhel6$> tar zxvf tcpdump tar.gz rhel6$> cd tcpdump-4.1.1/ rhel6$> vi ./Makefile a. remove the -O2 flag and add the -static flag to the linker (LD_FLAGS += -static) b. If you get the following error: undefined reference to `__isoc99_sscanf‘ , add #define _GNU_SOURCE in the faulty .c files.

20 Traffic Monitoring using tcpdump 2/2
3. Copy to the android-rootfs based on NFS rhel6$> sudo cp tcpdump /opt/android-rootfs/ 4. Run tcpdump rhel6#us> sudo ./adb devices ???????????? no permissions rhel6#us> sudo ./adb kill-server rhel6#us> sudo ./adb shell android#> cd /data/local android#> chmod 777 tcpdump-arm android#> ./tcpdump-arm -i rmnet0 not port 23 (ignoring telnet traffic on port 23)

21 Tcpdump source in Android Official Repository
Git Repository manifest #> vi ./mydroid-froyo/.repo/manifest.xml <project path="external/tcpdump" name="android/platform/external/tcpdump" /> Binary Files ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/tcpdump ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/LINKED/tcpdump ./out/target/product/harmony/symbols/system/bin/tcpdump ./out/target/product/harmony/system/xbin/tcpdump * Tcpdump related Ref Android App Android market - Search – Download “Shark for Root (native)” software

22 Network Monitoring with wireshark on Host PC 1/3
rhel6$> adb shell tcpdump -i any -p -s 0 -w /sdcard/data.pcap ... do whatever you want to capture, then “Ctrl+C” to stop it ... rhel6$> adb pull /sdcard/data.pcap . rhel6$> sudo yum install wireshark # or ethereal, if you're still old version rhel6$> wireshark ./capture.pcap # or ethereal ... look at your packets and be wise ... Option Description -i any listen on any network interface -p disable promiscuous mode (doesn't work anyway) -s 0 capture the entire packet -w write packets to a file (rather than printing to stdout)

23 Network Monitoring with wireshark on Host PC 2/3

24 Network Monitoring with wireshark on Host PC 3/3
Utilize Shark for Root / Shark Reader software locally on Android Phone.

25 Unix Socket Connection Information
* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node PID/Program name Path unix [ ACC ] STREAM LISTENING /qmuxd /data/radio/qmux_connect_socket unix [ ACC ] STREAM LISTENING /com.kt.iwlan /data/data/com.kt.iwlan/sock_kaf unix [ ] DGRAM /lgospd /data/misc/lgosp/ipc_diag unix [ ] DGRAM /com.kt.wifisv /data/misc/wifi/kaf/kafif_svr unix [ ] DGRAM /com.lge.osp /data/misc/lgosp/ipc_usbctrl unix [ ] DGRAM /com.lge.osp /data/misc/lgosp/ipc_usbdata unix [ ] DGRAM /lgospd /data/misc/lgosp/ipc_fs_access unix [ ] DGRAM /com.lge.osp /data/misc/lgosp/ipc_gr * * * * * Middle Omission * * * * * unix [ ] STREAM /app_process unix [ ] STREAM CONNECTED /adbd unix [ ] STREAM CONNECTED /adbd unix [ ] STREAM CONNECTED /rild /dev/socket/rild unix [ ] STREAM CONNECTED /com.android.ph unix [ ] STREAM CONNECTED /zygote /dev/socket/zygote unix [ ] STREAM CONNECTED /system_server unix [ ] STREAM CONNECTED /lgesystemd /dev/socket/lgesystemd unix [ ] STREAM CONNECTED /system_server unix [ ] STREAM CONNECTED /vold /dev/socket/vold unix [ ] STREAM CONNECTED /system_server unix [ ] STREAM CONNECTED /netd /dev/socket/netd unix [ ] STREAM CONNECTED /system_server unix [ ] STREAM CONNECTED /dbus-daemon /dev/socket/dbus unix [ ] STREAM CONNECTED /system_server unix [ ] STREAM CONNECTED /installd /dev/socket/installd unix [ ] STREAM CONNECTED /system_server unix [ ] DGRAM /system_server unix [ ] STREAM CONNECTED /qmuxd /data/radio/qmux_connect_socket unix [ ] STREAM CONNECTED /dbus-daemon unix [ ] STREAM CONNECTED /dbus-daemon unix [ ] DGRAM /lgospd unix [ ] DGRAM /lgospd unix [ ] DGRAM /lgospd unix [ ] STREAM CONNECTED /init unix [ ] STREAM CONNECTED /init

26 Network Monitoring with netstat command 1/2
RMNET(Mobile network interface in Linux kernel-speak) is what Google use for Android to connect to the internet to transmit the message to the MMSC server . The interface names "rmnet0”correspond respectively to EDGE/3G and Wi-Fi. RMNet slow, broken data but reliable connection PPP(point-to-point protocol) fast, high speed data but somewhat unstable connection /proc/net/dev /sys/class/net/rmnet0/statistics/tx_packets 1. net-tools-1.60-armv5tel.tar.bz kandroid glibc.alz /sys/class/net/<rmnet0>/address /sys/class/net/<rmnet0>/statistics/{rx|tx}_packets

27 Network Monitoring with netstat command 2/2
Under the Hood of App Inventor for Android cat /proc/devices cat /proc/meminfo cat /proc/mounts cat /proc/net/arp cat /proc/net/if_inet6 cat /proc/net/ipv6_route cat /proc/net/route cat /proc/net/wireless cat /proc/version df -ah getprop dalvik.vm.execution-mode getprop dalvik.vm.heapsize getprop gsm.version.baseband getprop ro.build.fingerprint getprop ro.product.version getprop ro.sf.lcd_density ifconfig -a ip -f inet6 addr ip -f inet6 route show ip addr ip route show lsmod netcfg netstat -apnW netstat -rpnW ps route -A inet6 -n route -n uname -a

28 DNS Resolver (RFC 3484 ) 2/2 * RFC * ANDROID-RFC "RFC 3484 support for Android", 2010, Bionic uses a NetBSD-derived resolver library which has been modified in the following ways: 1. don't implement the name-server-switch feature (a.k.a. <nsswitch.h>) 2. read /system/etc/resolv.conf instead of /etc/resolv.conf ( ./bionic/libc/netbsd/net/getaddrinfo.c) 3. read the list of servers from system properties(getprop/setprop). the code looks for 'net.dns1', 'net.dns2', etc.. Each property should contain the IP address of a DNS server. These properties are set/modified by other parts of the Android system (e.g. the dhcpd daemon). The implementation also supports per-process DNS server list, using the properties 'net.dns1.<pid>', 'net.dns2.<pid>', etc... Where <pid> stands for the numerical ID of the current process. 4. when performing a query, use a properly randomized Query ID (instead of a incremented one), for increased security. 5. when performing a query, bind the local client socket to a random port for increased security. 6. get rid of *many* unfortunate thread-safety issues in the original code RFC 3484 /mhydroid/android/libc/netbsd/net/getaddrinfo.c Getprop and setprop without shysctl command 참고) Bionic does *not* expose implementation details of its DNS resolver; the content of <arpa/nameser.h> is intentionally blank. The resolver implementation might change completely in the future. * Sources: Android Official Repository

29 DNS Resolver (RFC 3484 ) 2/2 # getprop [ro.secure]: [1]
[ro.allow.mock.location]: [0] [ro.debuggable]: [0] [persist.service.adb.enable]: [1] [ro.factorytest]: [0] Middle Omission [net.dns1]: [ ] [net.dns2]: [ ] [gsm.current.phone-type]: [1] [gsm.operator.numeric]: [22110] [gsm.operator.alpha]: [Kandroid Broadband IT] [gsm.operator.iso-country]: [it] [gsm.operator.isroaming]: [false] [gsm.version.baseband]: [ H_ ] [EXTERNAL_STORAGE_STATE]: [mounted] [gsm.network.type]: [UMTS] [gsm.data.network.type]: [UMTS] [gsm.sim.change]: [false] [gsm.cb.max.channel]: [15]

30 Case Study: Android Phone Attack with DDoS 1/2
# for CPU Load 100% 49.56.XXX.XXX (rmnet0) PORT STATE SERVICE 21/tcp filtered ftp 22/tcp filtered ssh 23/tcp filtered telnet 79/tcp filtered finger 80/tcp filtered http 135/tcp filtered msrpc 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 707/tcp filtered unknown 903/tcp filtered iss-console-mgr 1025/tcp filtered NFS-or-IIS 1433/tcp filtered ms-sql-s 1521/tcp filtered oracle 3306/tcp filtered mysql 3389/tcp filtered ms-term-serv 4444/tcp filtered krb524 5000/tcp filtered UPnP 5900/tcp filtered vnc 6101/tcp filtered VeritasBackupExec 6667/tcp filtered irc 8080/tcp filtered http-proxy 17300/tcp filtered kuang2 KRNIC /APNIC. [ ISP Organization Information ] Org Name : Korea Android Freetel Corp. Service Name 7THWING Org Address : seoul-city kandroid-dong Org Detail Address: 306 [ ISP IPv4 Admin Contact Information ] Name : HONG, GILDONG Phone : [ ISP IPv4 Tech Contact Information ] Phone : [ ISP Network Abuse Contact Information ] Name : YANG, DEOLPOOL Phone : PING-based Distributed Denial of Service (DDoS) attacks rcvbuf is not enough to hold preload  OOM while true; do ping -l s 10 -f xx.xx & ; sleep 2; done & 05:26: IP > : ICMP echo request, id 51001, seq 45, length 64 05:26: IP > : ICMP echo reply, id 51001, seq 45, length 64 05:26: IP > : ICMP echo request, id 51001, seq 46, length 64 05:26: IP > : ICMP echo reply, id 51001, seq 46, length 64 05:26: IP > : ICMP echo request, id 51001, seq 47, length 64 Youtube: Linux centos el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux 1. 버퍼 오버플로우 공격 2. SYN 공격 3. UDP Flooding 4. 스머프(Smurf)공격 5. 눈뭉방울 공격 Demo:

31 Case Study: Android Phone Attack with DDoS 2/2
 DDoS Attacks (Distributed Denial-of-Service Attack): 분산되어 있는 다수의 시스템들이 하나의 표적 시스템을 공격하여 DoS [e.g :crash, halt, freeze]를 발생시키는 공격기법 1. Buffer OverFlow(BOF) Attack:컴퓨터의 한정된 메모리 공간과 처리속도 문제를 이용한 OverFlow 공격 기법 2. SYN Flooding: Three-Way Hand Shaking 연결에서 표적시스템의 응답에 침묵을 하는 방법 3. UDP Flooding: 공격자가 서비스를 수신할 IP주소를 표적 시스템의 IP주소로 변경하여 Traffic 과부하 방법 4. Smurf Attack : 공격자가 Src IP주소를 표적시스템의 IP주소로 바꾸어 ICMP Echo broadcast하여 Traffic 과부하 발생시키는 방법 5. Teardrop Attack: 눈물방울공격으로 불리며, 대량의 패킷을 아주 작은 조각으로 분리하여 전송하여 수신측에서 패킷을 재조립하는 과정에서 패킷 순서정보에 대한 결합 로드를 주어 시스템 다운 공격 방법 (http://www.ietf.org/rfc/rfc3128.txt) Linux centos el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux

32 Connections between Network and Android
Network Instruments-based Android Diagram /com/android/settings/ /com/android/phone/sip Application Setting (WiFi/VPN) Phone APK Dialer SIP (Setting/Receiver/Caller) Phone App Application Framework Telephony.SIP Package (com.android.internal.telephony.sip) (framework/base/voip/java/android/net) Network Audio/Video WiFi package (android.net.wifi) VPN Package (android.net.vpn) SIP Package (android.net.sip) RTP Package (android.net.rtp) SIP Stack (NIST-SIP) external/nist-sip/* JNI System/Functional Libraries bionic RTP(C++) (arpa/inet)

33 PBX (private branch exchange)
Connections between Network and Android SIP Architecture PBX (private branch exchange) PSTN IPBX SIP proxy/registrar Directory (OpenLDAP) kandroid’s network Phone SIP-PSTN Gateway RADIUS Server (FreeRADIUS) Phone SIP Phone Access router internet SoftPhone User

34 Connections between Network and Android
SIP Connection Flow IP Phone SIP Phone A SIP Phone B IP Phone SIP Proxy SIP/SDP INVITE SIP/SDP INVITE Status: 100 Trying Status: 183 Session Progress Status: 183 Session Progress Status: 200OK LAN Status: 200OK SIP ACK IP Phone SIP ACK RTP/RTSP Stream IP PBX Signaling Voice Stream SIP: BYE SIP: BYE Status: 200OK Status: 200OK IP Phone IP Phone

35 Connections between Network and Android
Session and Audio Control SIP Manager SIP AUDIO Call Session Simple Session Description Audio Stream (RTP Stream Inheritance) Audio Group Audio Codec android.net.sip android.net.rtp Audio control SDP SIP Session Management SIP Object Creation & Call API Service SipService SipSessionGroup SipHelper SipStack SipSession SipAudioCall SimpleSessionDescriptioin SipBroadCaseReceiver SipPhoneFactory SipPhone SipCall SipConnection SipAudioCallListener action_sip_add_profile SIP Manager PhoneFactory Registering with a SIP Server Creating a SIP Manager Classes and Interfaces Making an Audio Call Receiving Calls RTP •Initiating SIP sessions. •Initiating and receiving calls. •Registering and unregistering with a SIP provider. •Verifying session connectivity.

36 Conclusion Many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The device driver stores in the ‘net_device’ structure the time its most recent frame was received, and ‘netif_rx’ stores the time the frame was received in the buffer itself. We can manipulate to understand a lot of packets among the android mobile phone with tcpdump / wireshark. Utilize Shark for Root / Shark Reader software locally on Android Phone. RMNET is what Google use for Android to connect to the internet to transmit the message. Bionic uses a NetBSD-derived resolver(RFC3484) library which has been modified for mobile platform. Android 2.3(API level 9) Provides access to Session Initiation Protocol (SIP) functionality, such as making and answering VOIP calls using SIP. To control how Android Market filters your application from devices that do not support SIP, remember to add the following to the application's manifest. <uses-feature android:name="android.hardware.sip.voip" /> RMNet slow, broken data but reliable connection PPP(point-to-point protocol) fast , high speed data but somewhat unstable connection RMNET(Mobile network interface in Linux kernel-speak) is what Google use for Android to connect to the internet to transmit the message to the MMSC server . The interface names "rmnet0”correspond respectively to EDGE/3G and Wi-Fi.

37 Think Time for Healthy Network Traffic
How to reduce Google mail content ? Actually Google mail client of android phone read too many network packet ( e.g: imap header, imap body, images, linked contents) To reduce the contents of packet ASAP for good network traffic, We have to consider lighet-weight mail client directly with only imap header ). Whenever we find new wireless network address(APN) because of movement of the users, Why do we always repeat load/unload sequence of wireless kernel module for WiFi? Think best behavior of kernel functions for effective battery saving and performance improvement. Our phone acquired too many network protocols, For example, We don't need unnecessary network protocol like RAW. Do we always wait for the connection completion of WiFi over 5seconds at New street? We have to find improved approach for the fast connection with tiny DNS resolver and Weighted based APN sorting

38 References TCP/IP Illustrated Book - Volume 1: The Protocols, Addison-Wesley, Volume 2: The Implementation, Addison-Wesley, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols, Addison-Wesley, 1996. UNIX Network Programming Book - Volume 1, Second Edition: Networking APIs: Sockets and XTI, Prentice Hall, Volume 2, Second Edition: Interprocess Communications, Prentice Hall, 1999 Android Developers Google Groups , D. Andersen, H. Balakrishnan, M. Kaashoek, and R. Morris. Resilient Overlay Networks. In Proc. ACM SOSP, Oct "Basic Components of a Local Area Network (LAN)". NetworkBits.net. Retrieved Android Developer Document , - android.net - android.net.sip - android.net.wifi - SIP Demo Understanding Linux Network Internals. Author: Christian Benvenuti. Publisher: O'Reilly. XDA Forums,

39 Any Questions? THANKS 사실 OHA와 LiMO와 LiPS는 어찌보면 태생이 상당히 유사함. 같은 리눅스 커널에 비슷한 미 들웨어 컴포넌트를 사용하고 있음 하지만 어플리케이션 개발자 입장에서 보면 차 이가 있음. 결국 “자바”의 내장과 M/W 기술력의 차이에서 오는 그래픽 성능의 차이가 어플리케이션 개발 자에게 차별성으로 느껴지리라 예상 Insert your messages that you think as brain storming… Adb/ddms/ftrace 으로 OptimusOne 퍼포먼스 저하 요인 분석 방법 2.1 firmware for OptimusOne: 39

40 Appendix: The WRR network scheduler for Linux
WRR(Weighted Round Robin) is a network scheduling module for Linux written by Christian Worm Mortensen. It has the ability to shape an internet connection without buying some expensive QoS solution from the ISP. It can even run on the firewall; thus making more efficient use of the firewall machine. WRR worked on 2.4 kernels from and newer and on most (if not all) 2.6 kernels until If you need similar traffic shaping for or later, consider using DRR (Deficit Round Robin) which has similar (but not identical) functionality. I have not yet myself switched to DRR so I will not (currently) provide any guidelines. ☞ release This release is for (tested). It will not work for older kernels. If you need support for older kernels, please use an older release below. It contains no new features but contains a one-line fix for an API change in Please do not try unless you are brave as it seems to have compatibility issues. IRC: M0ffe at freenode, Undernet and Slashnet.

41 Appendix: Open Source based Applications 1/2
NetMeter allows to trouble-shoot performance problems by letting the user see network and CPU usage over time. NetCounter is a network traffic counter for the Android platform. GPLv3 license # for Proxy-based network users invain$sl6> vi ~/.subversion/servers [global] http-proxy-host = http-proxy-port = 8080

42 Appendix: Open Source based Applications 2/2
Android network tester Fast Network Tester for Android Free SIP/VoIP client for Android (GPLV3) Autorization Username : your-iptel-ID Password : your-iptel-pass Server of Proxy : sip.iptel.org Domain : iptel.org Port : 5060(default) Protocol : UDP(default) sip: sip:


Download ppt "Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP)"

Similar presentations


Ads by Google