On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Patrick Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La ACM CCS 2009
.... We have background knowledge !
Background Knowledge Core Network in GSM Reference:
Background Knowledge (cont.) Glossary ▫MSC: Mobile Switching Center Act as telephony switch and deliver circuit-switched traffic in a GSM network Handoff (handover) / Roaming Update information with HLR
Background Knowledge (cont.) ▫HLR: Home Location Register Users are assigned to specific HLR’s based on their phone number The central repository of user profile data ▫VLR: Visitor Location Register Each MSC has a VLR VLRs save all information of the cellphones in this Location Area
Outline Introduction Overview of Cellular Systems Attack Overview Charactering HLR Performance Profiling Network Behavior Attack Characterization Avoiding Wireless Bottlenecks Attack Mitigation Conclusion
Introduction Denial of Service attacks on HLR Botnets as small as phones can cause a reduction of throughput of more than 90% Contributions: ▫Attack Characterization and Quantification ▫Reduce Adversary’s Workload ▫Provide Intelligent Control Mechanisms
Overview of Cellular Systems Mobile Phone Architecture ▫Application Processor Support normal OS functionality ▫Baseband Processor Establish telephony and data links Invoke network supported services When a process needs to use the network, the Application Processor passes an AT command to the Baseband Processor
Overview of Cellular Systems(cont.) Mobile OS ▫Windows Mobile, Android, Mobile OS X… ▫Just begin to implement basic security mechanisms Memory protection and separation of privilege 10% of cellular users downloaded games at least once a month in 2007
Attack Overview Attacker Legitimate User
Attack Overview (cont.) Different from DoS on the Internet ▫Mobile devices cannot transmit entirely arbitrary requests to HLR ▫Such requests must be made in a manner such that unnecessary traffic or side effects are not generated
Characterizing HLR Performance Telecom One (TM1) Benchmarking Suite ▫MQTh: Maximum Qualified Throughput Setting: ▫HLR: Xeon 2.3 GHz * GB RAM Linux MySQL or SolidDB v6.0
Characterizing HLR Performance Normal HLR Behavior ▫The number of subscribers per HLR Reality: ~ five million ▫The rate and type of service requests
Characterizing HLR Performance MQTh vs Numbers of subscribers
Characterizing HLR Performance MySQL ▫Only caching data and indexes are stored in memory SolidDB ▫All in memory
Characterizing HLR Performance Different commands on MySQL
Characterizing HLR Performance Different commands vs Number of subscribers
Profiling Network Behavior Setting: ▫Nokia 9500 with Symbian S80 ▫Motorola A1200 with Linux kernel ▫Live cellular network ▫AT command + 2 sec delay Repeat 200 times during low traffic hours Some phones caused extended delays as immediate execution
Profiling Network Behavior (cont.) GPRS Attach: update_location
Profiling Network Behavior (cont.) Avg: 2.5 sec // Peak: 3 sec
Profiling Network Behavior (cont.) Comparsion: GPRS Detach
Profiling Network Behavior (cont.) GPRS Attach ▫Turnaround time: 3 sec response time + 2 sec command delay 0.2 commands per second But.. Only one in five commands reach the HLR 0.2/5 = 0.04 commands per second
Profiling Network Behavior (cont.) Call Waiting: update_subscriber_data
Profiling Network Behavior (cont.) Avg: 2.5 sec
Profiling Network Behavior (cont.) Call Waiting ▫Turnaround time: 2.5 sec + 2 sec 0.22 commands per second Better than update_location
Profiling Network Behavior (cont.) Insert/Delete Call Forwarding ▫ insert_call_forwarding / delete_call_forwarding
Profiling Network Behavior (cont.) Avg: 2.7 sec (insert) / 2.5 sec (delete)
Profiling Network Behavior (cont.) Insert Call Forwarding ▫0.21 commands per second ▫Extra database read Delete Call Forwarding ▫0.19 commands per second ▫Only can be sent if call forwarding is enabled Choose insert_call_forwarding
Attack Characterization The effect of an attack on HLR with 1 million users (MySQL)
Attack Characterization With SolidDB
Attack Characterization MySQL: ▫Normal condition: infected mobile phones 1.2% ▫High traffic: infected mobile phones 2.4% SolidDB: ▫ infected mobile phones 14.1%
Avoiding Wireless Bottlenecks Random Access Channel (RACH) Capacity ▫TDMATDMA Timeslot: ms A frame: 8 timeslots = ms ▫Slotted ALOHA protocolSlotted ALOHA protocol
Avoiding Wireless Bottlenecks Max throughput S ▫S is maximized at 37% when G=1 ▫G is the number of transmission attempts per timeslot
Avoiding Wireless Bottlenecks The offered load, G, also known as ρ, is defined as: ▫λ is the arrival rate in commands per second ▫1/μ is the channel hold time (4.615 ms) ▫ρ = 1/ * 0.37 = 80 transmission per sec
Avoiding Wireless Bottlenecks The attack would need to be distributed over α base stations:
Avoiding Wireless Bottlenecks Standalone Dedicated Control Channels (SDDCH) ▫Sectors in GSM allocate 8 or 12 SDCCHs ▫We hold SDCCH for 2.7 sec ( insert_call_forwarding )
Command and Control Internet Coordination ▫3G Local Wireless Coordination ▫Bluetooth / WiFi Indirect Local Coordination ▫Via RACH
Attack Mitigation HLR Replication? Filtering Call gapping
Conclusion Small botnets composed entirely of mobile phones pose significant threats to the availability of these network C & C channel is more challenging in this environment