On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong.

Slides:

Advertisements

Similar presentations

CSE 413: Computer Networks

Advertisements

Cognitive Radio Communications and Networks: Principles and Practice By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 1 Chapter 9 Fundamentals.

1 Agenda TMA2 Feedback TMA3 T821 Bock 2. 2 Packet Switching.

CCNA – Network Fundamentals

CISCO NETWORKING ACADEMY PROGRAM (CNAP)

Chapter 7: Transport Layer

On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath.

Chapter 1 Introduction. Protocol Protocol (New Oxford American Dictionary): The official procedure or system of rules governing affairs of state or diplomatic.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

Mobile Communication Division

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

Chapter 4 Network Layer slides are modified from J. Kurose & K. Ross CPE 400 / 600 Computer Communication Networks Lecture 14.

10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.

In-Band Flow Establishment for End-to-End QoS in RDRN Saravanan Radhakrishnan.

General Packet Radio System (GPRS) Overview. Introduction General Packet Radio Service (GRPS) today “Packet overlay” network on top of the existing GSM.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

Networks Evolving? Justin Champion C208 Ext:3723

1 Version 3.0 Module 10 Routing Fundamentals and Subnetting.

Gursharan Singh Tatla Transport Layer 16-May

Data Communications and Networking

Mobile IP Performance Issues in Practice. Introduction What is Mobile IP? –Mobile IP is a technology that allows a "mobile node" (MN) to change its point.

Mobile IP: Introduction Reference: “Mobile networking through Mobile IP”; Perkins, C.E.; IEEE Internet Computing, Volume: 2 Issue: 1, Jan.- Feb. 1998;

Comparing modem and other technologies

Chapter 17 Networking Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William Stallings.

정보보호 및 알고리즘 조호성. Contents 정보보호 및 알고리즘 2.

Presentation on Osi & TCP/IP MODEL

S6-C7 – Frame Relay Son of X.25. Frame Relay Facts Replaced X.25 as the packet-switching technology of choice Frame Relay streamlines Layer 2 functions.

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Transport Layer Introduction to Networking.

1 Module 15: Network Structures n Topology n Network Types n Communication.

Lectured By: Vivek Dimri Assistant Professor, CSE Dept. SET, Sharda University, Gr. Noida.

Network Layer4-1 Chapter 4: Network Layer Chapter goals: r understand principles behind network layer services: m network layer service models m forwarding.

Virtual Circuit Network. Network Layer 2 Network layer r transport segment from sending to receiving host r network layer protocols in every host, router.

THE OSI REFERENCE MODEL Open Systems Interconnection (OSI) International Organization for Standardization( ISO)

Presentation by Papua New Guinea Telecommunication & Radiocommunication Technical Authority (PANGTEL) For: PNG COMPUTER SOCIETY ANNUAL SEMINAR, 4th November.

Introduction 1-1 EKT355/4 ADVANCED COMPUTER NETWORK MISS HASNAH AHMAD School of Computer & Communication Engineering.

7-1 Last time □ Wireless link-layer ♦ Introduction Wireless hosts, base stations, wireless links ♦ Characteristics of wireless links Signal strength, interference,

Chapter 4 Network Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Network Layer introduction.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Patrick Traynor, William Enck, Patrick McDaniel, and Thomas La Porta | MobiCom.

Lecture 6 Introduction To Switching Circuit Switching.

Data and Computer Communications Circuit Switching and Packet Switching.

Computer Networks with Internet Technology William Stallings

Internet Protocol ECS 152B Ref: slides by J. Kurose and K. Ross.

ATM Technologies. Asynchronous Transfer Mode (ATM) Designed by phone companies Single technology meant to handle –Voice –Video –Data Intended as LAN or.

IP addresses IPv4 and IPv6. IP addresses (IP=Internet Protocol) Each computer connected to the Internet must have a unique IP address.

Ασύρματες και Κινητές Επικοινωνίες Ενότητα # 10: Mobile Network Layer: Mobile IP Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.

WAN Transmission Media

Page 12/9/2016 Chapter 10 Intermediate TCP : TCP and UDP segments, Transport Layer Ports CCNA2 Chapter 10.

Ασύρματα Δίκτυα και Κινητές Επικοινωνίες Ενότητα # 8: Σύστημα 2.5 Γενιάς GPRS Διδάσκων: Βασίλειος Σύρης Τμήμα: Πληροφορικής.

Voice Over Internet Protocol (VoIP) Copyright © 2006 Heathkit Company, Inc. All Rights Reserved Presentation 5 – VoIP and the OSI Model.

Mobile IP 순천향대학교 전산학과 문종식

1 Switching and Forwarding Sections Connecting More Than Two Hosts Multi-access link: Ethernet, wireless –Single physical link, shared by multiple.

© 2002, Cisco Systems, Inc. All rights reserved..

AN EFFICIENT TDMA SCHEME WITH DYNAMIC SLOT ASSIGNMENT IN CLUSTERED WIRELESS SENSOR NETWORKS Shafiq U. Hashmi, Jahangir H. Sarker, Hussein T. Mouftah and.

Understand IPv6 Part 2 LESSON 3.3_B Networking Fundamentals.

INTRODUCTION NETWORKING CONCEPTS AND ADMINISTRATION CSIS 3723

Chapter 2 PHYSICAL LAYER.

Packet Switching Networks & Frame Relay

Introduction Wireless devices offering IP connectivity

CS4470 Computer Networking Protocols

SWITCHING Switched Network Circuit-Switched Network Datagram Networks

Muhammad Taqi Raza, Fatima Muhammad Anwar and Songwu Lu

GPRS GPRS stands for General Packet Radio System. GPRS provides packet radio access for mobile Global System for Mobile Communications (GSM) and time-division.

Chapter 3: Open Systems Interconnection (OSI) Model

Network Layer I have learned from life no matter how far you go

Presentation transcript:

On Attack Causality in Internet- Connected Cellular Networks Presented by EunYoung Jeong

What’s new? 2  2G GSM  Only voice call, SMS service  2.5G GSM  GPRS: General Packet Radio Service  Introduce data service on GSM network.  Enables mobile devices to be connected to the Internet.  Divide CCH (Control Channel) of GSM network to provide data delivery.  Control signal, SMS, and data service over CCH

GPRS/EDGE Architecture 3

Authentication/Registration  After PDP context setup, mobile device can exchange packets. GPRS attach Home Location Register: User location, availability, services Packet Data Protocol (PDP) context: IP address, billing, … 4

Packet Arrival 5

Receiving device status  To save power, mobile devices are not constantly listening for incoming packets.  States of devices 6 IDLE READY STANDBY GPRS attach READY expire Paging Request GPRS detach STANDBY expire

Packet Arrival 7

Paging request 8

Paging Procedure 9 Packet Paging Request Packet Paging Channel (PPCH) Packet Channel Response Packet Random Access Channel (PRACH) Packet Resource Assignment Packet Access Grant Channel (PAGCH) Packet Paging Response Packet Associated Control Channel (PACCH) Packet Data Transfer Packet Data Traffic Channels (PDTCHs)

Packet Multiplexing 10  GPRS multiplex multiple traffic flows to serve large number of users on a single physical channel concurrently.  8 time slots -> a frame  52 frames -> multiframe

GPRS Channel Structure 11 PPCHPDTCH

Optimizations 12  As paging is expensive, paging for every packet is impossible.  Paging a device takes over 5 seconds.  End devices continue listening to PDTCH for a number of seconds before returning to STANDBY.  Typically 5 seconds (same as paging overhead)  For this, GPRS differentiates packets at the MAC layer by Temporary Block flows (TBFs) and they are identified by 5-bit Temporary Flow IDs (TFIs).

Exploiting Connection Teardown 13  TFIs are implemented as 5-bit fields.  There can be maximum 32 concurrent flows for each sector.  If an adversary send a message to a phone once every 5 seconds before returning to STANDBY, the targeted device maintains its TFI.  An adversary can block legitimate flows by sending 32 messages to each sector every 5 seconds.

Exploiting Connection Teardown (Cont.) 14  55 sectors on Manhattan  32 messages for each sector  41 bytes for each packet (TCP/IP header + 1 byte)  Every 5 second  An adversary can deny service with only 110 Kbps traffic.

Exploiting Connection Setup 15  PRACH (or RACH) channel is shared by all hosts attempting to establish connection.  Slotted-ALOHA protocol is used to minimize contention.  The maximum theoretical utilization is  Potential system bottleneck.  Given a large number of paging requests,  RACH becomes very busy.  Many of connection requests may fail.  It blocks voice connection as well as data connection.

Teardown Attack Simulation 16  Target  Manhattan cellular data service  Exhaust TFIs of data service with malicious traffic  Legitimate traffic  Modeled as Poisson random process  Voice calls: 50,000 per hour (120 seconds duration)  Data calls: 20,000 per hour (10 seconds duration)  Attack flows  Modeled by Poisson random process  Kbps

Teardown Attack 17  At rate > 160 Kbps, the cellular data service within Manhattan is virtually nonexistent.  Voice channel is not affected. (separate use of channel) At 200 Kbps

Setup Attack Simulation 18  Target  Manhattan cellular voice and data service  Exhaust RACH channel that is shared by voice and data  Legitimate traffic  Modeled as Poisson random process  Voice calls: 50,000 per hour (120 seconds duration)  Data calls: 20,000 per hour (10 seconds duration)  Attack flows  Modeled by Poisson random process  2200 – 4950 Kbps

Teardown Attack 19  Both voice and data flows experience blocking on the RACH.  The dual use of control channel allows interference. At 4950 Kbps

Possible Mitigation 20  Adding more range of TFI values  32 concurrent flow/sector is requisite concession.  Increasing it will degrade individual connectivity.  Adding more bandwidth  High cost of connection establishment is same.  Effect of adding bandwidth is limited.

Failure of Bandwidth 21  Channel throughput is saturated!

Possible Mitigation (Cont.) 22  Adding more channels  Decrease individual throughput.  Increase contention to RACH.

Connecting the Dots 23  The concept of connection  Data networks  Connection unaware  Simply forward packet for connection  Cellular networks  Lack of power and computation in end devices  Page, wake and negotiate for connection  Amplifying a single incoming packet to expensive connection mechanism is the source of the attacks.

Clash of Design Philosophies 24  Data network  Built on the end-to-end principle.  Applications do not expect nothing other than best effort delivery.  Cellular data network  Still fundamentally circuit-switched systems  Specialized to mobile devices and ensures a device is ready to receive.  Rigidity from specialized network  Unable to adapt to meet changing requirements and conditions  When conditions change, the rigidity causes break.

For Robust Cellular Data Network 25  The move to larger flow pool or shorter paging  Mitigation possible for this work  Eventual security?  As long as there is difference in delivering packet, exploitable mechanisms will exist.  Can we just forward packet?  Eliminating needs for paging  Smarter end devices  Location-awareness  Power problem  Shorter sleep cycle  More computation

Conclusion 26  They find two new vulnerabilities to demonstrate that low bandwidth DoS attacks can block legitimate cellular traffic.  These attacks are from not mismatch of bandwidth rather from different network topology “smart” and “dumb”.  Rigidity fails to adapt changing conditions.  Without fundamental change in cellular data network design, the low-bandwidth exploits are not easy to be solved.

Questions 27

Garbage 28

Introduction  The interconnection of cellular networks and the Internet  Significant expand of the services on telecommunications subscribers  New vulnerabilities from conflicting design philosophies  Cellular networks  Smart, controlled  The Internet  Dumb, best effort service  None have examined the inherent security issues caused by the connection of two systems built on opposing design tenets. 29

Vulnerabilities  To new vulnerabilities that can deny cellular data services and voice services.  Exploiting Connection Teardown  Exploiting Connection Setup  These attacks target connection teardown and setup procedures in networks implementing General Packet Radio Service (GPRS). 30