Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Ashvin Bodhale CS 388

Authors Patrick Traynor William Enck Patrick McDaniel Thomas La Porta From Pennsylvania State University. 2-

About the Paper Goal of Paper: Telecommunication networks are exposed to many attacks including text based attacks and needs attention. Authors use combination of modeling and simulation to demonstrate the feasibility of targeted text messaging attacks. They developed 5 techniques which can eliminate most intense targeted text messaging attacks. 3-

text messaging has become the primary means of communication. Current Scenario Five billion text messages are sent each month in the United States alone. text messaging has become the primary means of communication. Interconnectivity with the Internet invalidates many of the assumptions upon which the phone networks were designed. cellular networks are in fact quite vulnerable to SMS-based attacks mounted by adversaries with even limited resources. 4-

Techniques: Part- I developed five techniques from within two broad classes of countermeasures: queue management Resource provisioning Goal is to insulate voice call requests and the delivery of high priority text messages from the attack. Apply well-known queuing techniques including variants of Weighted Fair Queuing (WFQ), and Weighted Random Early Detection (WRED), which are well tested for addressing traffic overload in the Internet. These schemes attempt to provide differentiated service to voice and data, and hence alleviate resource contention. 5-

Strict Resource Provisioning (SRP), Techniques: Part- II Other Solution is- Strict Resource Provisioning (SRP), Dynamic Resource Provisioning (DRP) and Direct Channel Allocation (DCA) algorithms. The effect of the solutions ranged from partial attack mitigation for both flows to total elimination of attack-related voice blocking and the successful delivery of high priority text messages. 6-

Network/Attack Characterization: Contributions: Network/Attack Characterization: creates a realistic characterization of system behavior under targeted SMS attacks. Current Countermeasure Analysis: Authors find that the currently deployed “edge solutions” are largely ineffective against all but the most naïve attack. • Countermeasure Development and Evaluation: These attacks can be effectively mitigated by altering the traffic handling disciplines at the air interface. Hence, countering these attacks need not require a substantive change to internal structure or operation of cellular networks, but can be handled entirely by software changes at the base station. 7-

Network/Attack Characterization: Message Insertion into Telecom Network: Source of Generation: ESME (External Short Messaging Entities) and those are 1. Cell Phones 2. Web Portals 3. Emails 4. Service Provider Websites 5. Voice mail services It is then delivered to SMSC (Short Messaging Service Center) Servers. 8-

Network/Attack Characterization: Message Routing: External Service Messaging Entity Short Messaging Service Center (Content examination, Store and Forward Protocol, Formatting, ) Home Location Register (subscriber availability, billing, current location) Mobile Switching Center (deliver message over wireless) Visitor Location Register (user info) Base Station (works with MSC) Mobile Host (Destination mobile) 9-

Network/Attack Characterization: Wireless Delivery: Paging CHannel (message alert broadcast) Random Access CHannel (Response to accept message) Access Grant CHannel (SDCCH assignment to device) Standalone Dedicated Control CHannel (final channel that delivers message) 10-

Network/Attack Characterization: System Vulnerability: SDCCH is used for both Voice and Message delivery. Contention occurs when SMS traffic is elevated. Exploit involves saturating sectors to their SDCCH capacity for some period of time. In so doing, the majority of attempts to establish voice calls are blocked. To test : Authors developed a detailed GSM simulator. Its similar to Manhattan (each of 55 sectors has 12 SDCCH) 11-

Network/Attack Characterization: Burst Fails: it is unlikely that 12 text messages arriving back-to-back will all find unoccupied SDCCHs. Thus blocking occurs on the attack messages, and legitimate traffic that arrives between bursts has a higher probability of finding an available SDCCH. Poisson Distribution is good for experimentation and attacking. 12-

Network/Attack Characterization: Poisson Distribution is a discrete distribution which takes on the values X = 0, 1, 2, 3, ... . It is often used as a model for the number of events (such as the number of telephone calls at a business or the number of accidents at an intersection) in a specific time period Reference: http://www.math.csusb.edu/faculty/stanton/m262/poisson_distribution/Poisson_old.html 13-

Network/Attack Characterization: during the attack, the SDCCH utilization is near 1.0, and the TCH utilization drops from close to 70% down to 20%. This shows that although TCHs are available for voice calls, they cannot be allocated due to SDCCH congestion. TCH carry voice traffic after call setup has occurred. 13-

Mitigation Techniques: Current Solution: These solutions focus on rate limiting the source of the messages and are ineffective against all but the least sophisticated adversary. for example, allow only 50 messages from a single IP address. The ability to spoof IP addresses and the existence of zombie networks render this solution impotent. Filters SMS traffic based on the textual content. Similar to SPAM filtering, this approach is effective in eliminating undesirable traffic only if the content is predictable. However, an adversary can bypass this countermeasure by generating legitimate looking SMS traffic from randomly generated simple texts, e.g. “I will meet you at Trader Joe’s at 5:00pm. -Alice” 14-

Mitigation Techniques: Queue Management Techniques: Weighted Fair Queuing: apply WFQ to the service queues of the SDCCH. Authors create two waiting queues, one for voice requests and one for SMS requests, respectively. WFQ can be approximated as a general processor sharing system (GPS). The average service rate of such systems is the weighted average of the service rates of all classes (here voice and SMS requests) of service requests. It sufficiently protect voice calls from targeted SMS attacks. 15-

Mitigation Techniques: Queue Management Techniques: Weighted Random Early Detection: (WRED) RED drops packets arriving to a queue with a probability that is a function of the weighted queue occupancy average, Qavg. Packets arriving to a queue capacity below a threshold, tmin, are never dropped. Packets arriving to a queue capacity above some value tmax are always dropped. Between tmin and tmax, packets are dropped with a linearly increasing probability up to Pdrop,max. This probability, Pdrop, is calculated as follows: Pdrop = Pdrop,max · (Qavg − tmin)/(tmax − tmin) 16-

Mitigation Techniques: Queue Management Techniques: Weighted Random Early Detection: (WRED) Contd… WED Does not offer Quality Of Service (QoS) because all traffic entering a queue is dropped with equal probability. Weighted Random Early Detection (WRED) solves this problem by basing the probability a given incoming message is dropped on an attribute such as its contents, source or destination. Priorities or Weights are assigned to traffic data. dropping probability for each class of message is tuned by setting tpriority,min and tpriority,max for each class. 17-

Mitigation Techniques: Resource Provisioning: Queue management techniques does not deal with System Bottleneck. An alternative strategy of addressing targeted SMS attacks. Focuses on the reallocation of the available messaging bandwidth. Techniques: 1. Strict Resource Provisioning 2. Dynamic Resource Provisioning 3. Direct Channel Allocation 18-

Mitigation Techniques: Resource Provisioning: Strict Resource Provisioning: A subset of the total SDCCHs can be used only by voice calls, blocking due to targeted SMS attacks can be significantly mitigated. Air interface provisioning technique, Strict Resource Provisoning (SRP), attempts to address this contention by allowing text messages to occupy only a subset of the total number of SDCCHs in a sector. Requests for incoming voice calls can compete for the entire set of SDCCHs, including the subset used for SMS. 19-

Mitigation Techniques: Resource Provisioning: Dynamic Resource Provisioning: attempts to mitigate targeted text messaging attacks by temporarily reclaiming a number of TCHs for use as SDCCHs. increasing the bandwidth of individual SDCCHs is difficult because major changes to the network are extremely expensive and typically occur over the course of many years. dynamically reclaiming channels allows the network to adjust itself to current conditions. Drawback: by subtracting TCHs from the system, it is possible to increase call blocking because of TCH exhaustion. 20-

Mitigation Techniques: Resource Provisioning: Direct Channel Allocation: ideal means of eliminating the competition for resources between call setup and SMS delivery would be through the separation of shared mechanisms. the use of a TCH is the eventual goal of incoming voice calls, it is therefore possible to shortcut the use of SDCCHs for call setup. Incoming calls could therefore be directed to a TCH, leaving SDCCHs exclusively for the delivery of SMS messages. 21-

Simulation Results: Weighted Fair Queuing: 23-

Weighted Random Early Detection: Simulation Results: Weighted Random Early Detection: Priority 1- Emergency, 2- Network Customer, 3- Internet Originated Text 24-

Simulation Results: Strict Resource Provisioning: 25-

Simulation Results: Dynamic Resource Provisioning: TCH are converted to use as SDCCH 26-

Simulation Results: Direct Channel Allocation: Incoming voice calls skips from RACH to TCH 27-

Simulation Results: WRED and DRP Combined : 28-

Conclusion: 1. Analysis shows that adversaries with limited resources can cause call blocking probabilities to rise to as much as 70%, effectively incapacitating a cellular network. 2. proposed countermeasures can mitigate or eliminate these attacks, simply by changing the way in which call and SMS requests are handled. 3. work provides some preliminary solutions and analysis for these vulnerabilities. 29-

Thank you. Questions..? 30-