On Cellular Botnets : Measuring the Impact of Malicious Devices on a Cellular Network Core
Patrick Traynor, Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel, and Thomas La Porta
2/29/2012
Overview
Objectives
Cellular Networks
Describing the Attack
Quantifying the Attack
Mitigating the Attack
Conclusions
Objectives
Characterize an attack on the cellular network core
Test the attack
Optimize it
Propose defenses
Background
Cellular networks have:
Home Location Register (HLR)
Mobile Switching Centers (MSC)
Visiting Location Register (VLR)
Serving GPRS Support Node (SGSN)
Base Station Subsystem (BSS)
Attack Characteristics
DDoS using a cellular botnet
Target the component whose loss causes the most disruption
The HLR is needed for most operations:
  Authentication
  Phone calls
  Text messages
  Billing
  Etc.
So the HLR is the most effective target
Attack Characteristics (continued)
Only 'legitimate' transactions reach the HLR: malformed or unauthenticated traffic is rejected before it gets there, so the attack must consist of well-formed requests that the network would normally process
Attack Characteristics (continued)
Write transactions use more HLR resources per transaction than reads
Which write is best?
  Update Location benefits from caching, so it is comparatively cheap
  Update Subscriber Data: averages 2.5 seconds
  Insert Call Forwarding: averages 2.7 seconds
  Delete Call Forwarding: averages 2.5 seconds
  Insert and Delete Call Forwarding must alternate (a forwarding entry cannot be inserted twice or deleted twice in a row)
Best choice: a combination of Insert and Delete Call Forwarding
Graphs (two slides of result plots; not reproduced in this transcript)
Attack Considerations
Why maximize resource usage per message? Why not just send more messages?
Sending that many messages clogs the communication channels of the cell they are sent from, and the traffic never reaches the HLR
That denies service at one base station, not the whole network
So the attack must be distributed across multiple base stations
Attack Numbers
In the testbed, a simulated call-forwarding attack at 5000 messages/sec caused 93% of legitimate traffic to be dropped
To avoid saturating the random access channel before the traffic reaches the HLR, that load must be spread evenly across at least 21 base stations
To avoid saturating the control channels, at least 375 base stations are needed
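As an added example (not code from the paper or these slides), the Python model below reproduces the two effects argued on the last two slides: bots concentrated on one cell saturate that cell's random-access channel before their traffic reaches the HLR, while the same bots spread evenly over enough cells get through, and per admitted message an alternating Insert/Delete Call Forwarding stream consumes far more HLR service time than reads. Every number in it (channel capacity per cell, HLR capacity, relative transaction costs, bot counts) is an assumed illustration value, not a testbed measurement, and contention is modelled as simple pro-rata sharing rather than a real queue.

```python
from math import ceil

# Assumed relative HLR service cost per transaction (work units), not the
# paper's measurements. The slides only rank them: writes cost more than
# reads, and Insert/Delete Call Forwarding are the most expensive usable pair.
COST = {
    "send_routing_info": 1.0,        # a read, e.g. locating a subscriber for a call
    "insert_call_forwarding": 2.7,
    "delete_call_forwarding": 2.5,
}


def bot_transactions(msgs_per_sec, strategy):
    """Transactions one bot emits in a second.

    'read'  : repeat a cheap lookup.
    'write' : Insert/Delete Call Forwarding must alternate (a second insert on
              a profile that already forwards is not a legitimate request).
    """
    if strategy == "read":
        return ["send_routing_info"] * msgs_per_sec
    return ["insert_call_forwarding" if i % 2 == 0 else "delete_call_forwarding"
            for i in range(msgs_per_sec)]


def legit_served_fraction(n_bs, rach_cap, legit_per_bs, hlr_cap,
                          n_bots, bot_rate, strategy, placement):
    """Fraction of legitimate requests that win a channel slot in their cell
    AND are served by the HLR, for one second of steady offered load.

    n_bs          number of base stations
    rach_cap      requests/s one cell's random-access/control channel admits
    legit_per_bs  legitimate requests/s per cell (modelled as reads)
    hlr_cap       HLR work units/s
    n_bots, bot_rate   bots and messages/s per bot
    placement     'even' (spread over all cells) or 'concentrated' (one cell)
    When a stage is oversubscribed every flow through it is cut by the same
    factor (pro-rata sharing).
    """
    if placement == "even":
        bots = [n_bots // n_bs + (1 if i < n_bots % n_bs else 0)
                for i in range(n_bs)]
    else:
        bots = [n_bots] + [0] * (n_bs - 1)

    per_bot_work = sum(COST[t] for t in bot_transactions(bot_rate, strategy))
    legit_admitted = 0.0   # legitimate requests that got past the air interface
    attack_work = 0.0      # HLR work units offered by admitted bot messages
    for b in bots:
        offered = legit_per_bs + b * bot_rate
        admit = min(1.0, rach_cap / offered) if offered else 1.0
        legit_admitted += legit_per_bs * admit
        attack_work += b * per_bot_work * admit

    demand = legit_admitted * COST["send_routing_info"] + attack_work
    hlr_share = min(1.0, hlr_cap / demand) if demand else 1.0
    return legit_admitted * hlr_share / (n_bs * legit_per_bs)


def min_base_stations(n_bots, bot_rate, rach_cap, legit_per_bs):
    """Cells the bots must be spread over so no cell's channel is
    oversubscribed (otherwise the attack only denies that one cell)."""
    spare = rach_cap - legit_per_bs
    if spare <= 0:
        raise ValueError("cell channel already saturated by legitimate load")
    return ceil(n_bots * bot_rate / spare)


if __name__ == "__main__":
    params = dict(n_bs=20, rach_cap=150, legit_per_bs=50, hlr_cap=1550,
                  n_bots=1000, bot_rate=2)
    for strategy, placement in [("write", "concentrated"), ("read", "even"),
                                ("write", "even")]:
        f = legit_served_fraction(strategy=strategy, placement=placement, **params)
        print(f"{strategy:5s} {placement:12s} legitimate requests served: {f:.0%}")
    print("cells needed so no channel saturates:", min_base_stations(1000, 2, 150, 50))
```

With the assumed values, 1000 bots on a single cell leave about 95% of legitimate requests served (only that cell suffers), the same bots spread over 20 cells sending reads cut it to about 52%, and sending alternating call-forwarding writes cut it to 25%: the write strategy does roughly twice the HLR damage per message that the air interface lets through.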
Command and Control
Tried and true: Internet coordination
  Easy to identify/snoop
  Clogs communication channels
Local wireless coordination
  Short range
Indirect local coordination
  Using exponential backoff?
Mitigation
Filtering
  Can be aggressive, because call forwarding is not a critical service
  But what if call forwarding is not the transaction used?
Shedding
  How to deploy effective rules during an attack?
Make phone security better
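The filtering and shedding items above, as an added example that is not from the paper or the slides: a sliding-window limiter a front end could place ahead of the HLR. Call forwarding is not needed to complete a call, so the per-subscriber limit can be tight, and when the aggregate write rate looks like an attack the front end can shed every call-forwarding write while still serving reads. The transaction names, IMSIs, thresholds, field layout and log lines are all constructed for the illustration; the shedding run also shows the cost of being aggressive (a legitimate subscriber's change is dropped too), and nothing here helps if the botnet switches to a different transaction.

```python
from collections import defaultdict, deque

# Transactions the filter acts on; everything else (reads, location updates)
# passes untouched. Names are illustrative, not real MAP operation codes.
CF_WRITES = {"insert_call_forwarding", "delete_call_forwarding"}


class CallForwardingFilter:
    """Sliding-window limiter for call-forwarding changes in front of the HLR.

    per_sub_max     admitted CF writes one subscriber may make per window
    window_s        window length in seconds
    shed_threshold  offered CF writes per window (all subscribers) beyond
                    which every CF write is shed; None disables shedding
    """

    def __init__(self, per_sub_max=3, window_s=60.0, shed_threshold=None):
        self.per_sub_max = per_sub_max
        self.window_s = window_s
        self.shed_threshold = shed_threshold
        self.per_sub = defaultdict(deque)   # imsi -> timestamps of admitted writes
        self.offered = deque()              # timestamps of all offered writes

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def admit(self, ts, imsi, txn):
        """True if the transaction should be forwarded to the HLR."""
        if txn not in CF_WRITES:
            return True
        self._trim(self.offered, ts)
        self.offered.append(ts)
        if self.shed_threshold is not None and len(self.offered) > self.shed_threshold:
            return False            # aggregate rate abnormal: shed, CF is not call-critical
        dq = self.per_sub[imsi]
        self._trim(dq, ts)
        if len(dq) >= self.per_sub_max:
            return False            # this subscriber is flapping its forwarding entry
        dq.append(ts)
        return True


def filter_log(lines, **filter_kwargs):
    """Split '<ts> <imsi> <transaction>' lines into (admitted, dropped)."""
    f = CallForwardingFilter(**filter_kwargs)
    admitted, dropped = [], []
    for line in lines:
        ts, imsi, txn = line.split()
        (admitted if f.admit(float(ts), imsi, txn) else dropped).append(line)
    return admitted, dropped


# Constructed sample: IMSI900 is a bot flapping call forwarding, IMSI001 a
# normal subscriber who makes one change.
SAMPLE_LOG = """\
0.0 IMSI001 send_routing_info
0.5 IMSI900 insert_call_forwarding
1.0 IMSI900 delete_call_forwarding
1.5 IMSI900 insert_call_forwarding
2.0 IMSI900 delete_call_forwarding
2.5 IMSI900 insert_call_forwarding
3.0 IMSI001 insert_call_forwarding
3.5 IMSI001 send_routing_info""".splitlines()

if __name__ == "__main__":
    ok, bad = filter_log(SAMPLE_LOG, per_sub_max=3, window_s=60.0)
    print("per-subscriber limit only, dropped:", bad)
    ok, bad = filter_log(SAMPLE_LOG, per_sub_max=3, window_s=60.0, shed_threshold=3)
    print("with global shedding, dropped:     ", bad)
```

With only the per-subscriber limit, the bot's fourth and fifth writes are dropped and the legitimate subscriber is untouched; with shedding switched on at a low threshold, the bot's later writes and the legitimate subscriber's single change are all dropped, which is the trade-off the slide accepts because call forwarding is not critical.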
Conclusions
Cellular networks are vulnerable to DDoS attacks
Single points of failure are bad
The botnet must be fairly sophisticated (spread across many base stations, coordinated without clogging the channels, sending well-formed transactions)
Is there a way to distribute HLR data?