Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath.

Similar presentations

Presentation on theme: "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath."— Presentation transcript:

1 On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Traynor @Gatech Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La Porta @Psu ACM CCS 2009

2 .... We have background knowledge !

3 Background Knowledge Core Network in GSM Reference:

4 Background Knowledge (cont.) Glossary ▫MSC: Mobile Switching Center  Act as telephony switch and deliver circuit-switched traffic in a GSM network  Handoff (handover) / Roaming  Update information with HLR

5 Background Knowledge (cont.) ▫HLR: Home Location Register  Users are assigned to specific HLR’s based on their phone number  The central repository of user profile data ▫VLR: Visitor Location Register  Each MSC has a VLR  VLRs save all information of the cellphones in this Location Area

6 Outline Introduction Overview of Cellular Systems Attack Overview Charactering HLR Performance Profiling Network Behavior Attack Characterization Avoiding Wireless Bottlenecks Attack Mitigation Conclusion

7 Introduction Denial of Service attacks on HLR Botnets as small as 11750 phones can cause a reduction of throughput of more than 90% Contributions: ▫Attack Characterization and Quantification ▫Reduce Adversary’s Workload ▫Provide Intelligent Control Mechanisms

8 Overview of Cellular Systems Mobile Phone Architecture ▫Application Processor  Support normal OS functionality ▫Baseband Processor  Establish telephony and data links  Invoke network supported services When a process needs to use the network, the Application Processor passes an AT command to the Baseband Processor

9 Overview of Cellular Systems(cont.) Mobile OS ▫Windows Mobile, Android, Mobile OS X… ▫Just begin to implement basic security mechanisms  Memory protection and separation of privilege 10% of cellular users downloaded games at least once a month in 2007

10 Attack Overview Attacker Legitimate User

11 Attack Overview (cont.) Different from DoS on the Internet ▫Mobile devices cannot transmit entirely arbitrary requests to HLR ▫Such requests must be made in a manner such that unnecessary traffic or side effects are not generated

12 Characterizing HLR Performance Telecom One (TM1) Benchmarking Suite ▫MQTh: Maximum Qualified Throughput Setting: ▫HLR:  Xeon 2.3 GHz * 2 + 8 GB RAM  Linux 2.6.22  MySQL 5.0.45 or SolidDB v6.0

13 Characterizing HLR Performance Normal HLR Behavior ▫The number of subscribers per HLR  Reality: 100000 ~ five million ▫The rate and type of service requests

14 Characterizing HLR Performance MQTh vs Numbers of subscribers

15 Characterizing HLR Performance MySQL ▫Only caching data and indexes are stored in memory SolidDB ▫All in memory

16 Characterizing HLR Performance Different commands on MySQL

17 Characterizing HLR Performance Different commands vs Number of subscribers

18 Profiling Network Behavior Setting: ▫Nokia 9500 with Symbian S80 ▫Motorola A1200 with Linux kernel 2.4.20 ▫Live cellular network ▫AT command + 2 sec delay  Repeat 200 times during low traffic hours  Some phones caused extended delays as immediate execution

19 Profiling Network Behavior (cont.) GPRS Attach: update_location

20 Profiling Network Behavior (cont.) Avg: 2.5 sec // Peak: 3 sec

21 Profiling Network Behavior (cont.) Comparsion: GPRS Detach

22 Profiling Network Behavior (cont.) GPRS Attach ▫Turnaround time:  3 sec response time + 2 sec command delay  0.2 commands per second  But.. Only one in five commands reach the HLR  0.2/5 = 0.04 commands per second

23 Profiling Network Behavior (cont.) Call Waiting: update_subscriber_data

24 Profiling Network Behavior (cont.) Avg: 2.5 sec

25 Profiling Network Behavior (cont.) Call Waiting ▫Turnaround time:  2.5 sec + 2 sec  0.22 commands per second  Better than update_location

26 Profiling Network Behavior (cont.) Insert/Delete Call Forwarding ▫ insert_call_forwarding / delete_call_forwarding

27 Profiling Network Behavior (cont.) Avg: 2.7 sec (insert) / 2.5 sec (delete)

28 Profiling Network Behavior (cont.) Insert Call Forwarding ▫0.21 commands per second ▫Extra database read Delete Call Forwarding ▫0.19 commands per second ▫Only can be sent if call forwarding is enabled Choose insert_call_forwarding

29 Attack Characterization The effect of an attack on HLR with 1 million users (MySQL)

30 Attack Characterization With SolidDB

31 Attack Characterization MySQL: ▫Normal condition: 11750 infected mobile phones  1.2% ▫High traffic: 23500 infected mobile phones  2.4% SolidDB: ▫141000 infected mobile phones  14.1%

32 Avoiding Wireless Bottlenecks Random Access Channel (RACH) Capacity ▫TDMATDMA  Timeslot: 0.577 ms  A frame: 8 timeslots = 4.615 ms ▫Slotted ALOHA protocolSlotted ALOHA protocol

33 Avoiding Wireless Bottlenecks Max throughput S ▫S is maximized at 37% when G=1 ▫G is the number of transmission attempts per timeslot

34 Avoiding Wireless Bottlenecks The offered load, G, also known as ρ, is defined as: ▫λ is the arrival rate in commands per second ▫1/μ is the channel hold time (4.615 ms) ▫ρ = 1/0.004615 * 0.37 = 80 transmission per sec

35 Avoiding Wireless Bottlenecks The attack would need to be distributed over α base stations:

36 Avoiding Wireless Bottlenecks Standalone Dedicated Control Channels (SDDCH) ▫Sectors in GSM allocate 8 or 12 SDCCHs ▫We hold SDCCH for 2.7 sec ( insert_call_forwarding )

37 Command and Control Internet Coordination ▫3G Local Wireless Coordination ▫Bluetooth / WiFi Indirect Local Coordination ▫Via RACH

38 Attack Mitigation HLR Replication? Filtering Call gapping

39 Conclusion Small botnets composed entirely of mobile phones pose significant threats to the availability of these network C & C channel is more challenging in this environment

Download ppt "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath."

Similar presentations

Ads by Google