Published by Bertina Moore. Modified over 6 years ago.
1
Mobile Data Charging: New Attacks and Countermeasures
CSCE 715 Paper Study
Jingjing Gao, Department of Computer Science and Engineering
Mar 26th, 2015
2
Outline
- Introduction
- Background Review
- 3G Accounting Vulnerability
- Free Mobile Data Access Attack
- Stealth Spam Attack
- Conclusion
3
1. Introduction
Mobile data service usage is growing rapidly due to the explosive growth of smartphone users. 62% of mobile users subscribe to a wireless data plan.
Figure 1 [1]
4
1. Introduction
3G/4G Charging Policy
- Based on users' data volume instead of a flat rate.
3G/4G Charging System
- Does the system design have any vulnerabilities, or the charging policy any loopholes?
- Do operators charge users reasonably, depending entirely on the real data volume?
5
1. Introduction
The paper proposes two types of attacks against the charging system:
- Toll-free data access attack: access data service free of charge.
- Stealth spam attack: inject a large amount of spam data without the victim's awareness.
This paper mainly assesses the vulnerability of the 3G/4G charging system and uncovers loopholes in its policy and weaknesses in its charging architecture.
6
2. Background Review
Terminology
- CDR: Charging Data Records
- CN: Core Network
- EH: External Host
- FBC: Flow Based Charging
- GGSN: Gateway GPRS Support Node
- SGSN: Serving GPRS Support Node
- PDP: Packet Data Protocol
- PS: Packet-Switched
- UE: User Equipment
7
2. Background Review
2.1 Data Charging Network
Figure 2[2]: 3G/4G network architecture and charging components in PS domain
8
2. Background Review
2.2 Data Charging Procedure
- Data service set-up: steps 1-5
- Data service tear-down: steps 6-8
Figure 3 [2]: Charging procedures for a data service flow
9
2. Background Review
Goal of Charging:
- Usage records of network = Usage of a mobile device
Problem:
- Do they really equal under some circumstances?
- Exploit the Vulnerability of Charging System
10
3. 3G Accounting Vulnerability
3.1 Charging System Model
The SGSN/GGSN records the data that traverses it, maps the records to the real flow volume, and charges the corresponding usage to the UE (the actual user).
Figure 4 [2]: Issues in data charging practice
11
3. 3G Accounting Vulnerability
3.2 Two Loopholes in Charging System
Charging Policy Loophole
- Major US carriers provide free DNS service, and all data related to it is free of charge.
- Attackers could exploit this by transferring packets through a DNS tunnel, so that traffic is undercharged or even free of charge, which defeats the volume-based charging policy.
12
3. 3G Accounting Vulnerability
3.2 Two Loopholes in Charging System
Charging Architecture Loophole
- The user can terminate a malicious service locally, but cannot terminate the charging operation at the carrier side.
- No security mechanism verifies that the data was actually requested by the user.
- A user who suffers such an attack could be overcharged.
13
3. 3G Accounting Vulnerability
3.3 Experimental Platform and Methodology
- Mobile devices: HTC Desire; Samsung Galaxy S2; Samsung Galaxy Note GT-N7000 (Android 2.2 and 2.3.6)
- Content Server: ASUS EeeBox PC (an Intel Atom N GHz Dual Core processor and 1.5 GB DDR2 memory)
14
3. 3G Accounting Vulnerability
3.3 Experimental Platform and Methodology
Methodology of Observing Volume
Operator Side:
- Dial-In feature
- Log on to mobile carrier website
User Side:
- TrafficStats Interface SDK (on Android)
- Wireshark
15
4. Free Mobile Data Access Attack
Operators allow free data service for certain data flows, but do not enforce that the transmitted packets indeed belong to the designated free flow. These loopholes can be exploited to enable any form of mobile data service for free.
16
4. Free Mobile Data Access Attack
4.1 Experiment Principles and Methodology
Figure 5 [2]: Web browsing in a normal case
Two actions:
- Red: Request IP address from DNS (UDP/TCP port 53); free
- Black: Request HTTP response from web server (TCP port 80, 8080 or 443); volume-based charging
17
4. Free Mobile Data Access Attack
4.1 Experiment Principles and Methodology
- Build a separate server, outside the cellular network, which exchanges data services with mobile phones using UDP/TCP over port 53.
Figure 6 [2]: Web browsing under a toll-free-data attack case
- HTTP proxy: running on port 53
- The CN is trapped in the free DNS tunnel.
18
4. Free Mobile Data Access Attack
4.1 Experiment Principles and Methodology
- Fake DNS Attack: send fake DNS messages through this tunnel to check whether the operator allows this to happen.
- Volume Check Attack: exchange data with the proxy to check whether the operator has a volume check mechanism.
19
4. Free Mobile Data Access Attack
4.2 Experiment Introduction
1. Fake DNS Attack - five tests toward two operators:
(1) DNS Default: UE sends 100 DNS queries to the default DNS server;
(2) DNS-Google: UE sends 100 DNS queries to a Google public DNS server (IP address: );
(3) TCP53-Google: UE sends 100 DNS queries using TCP via port 53 to the Google DNS server above;
(4) TCP53-Server: the UE sends 50 random packets to our own server using TCP via port 53, and requires the server to return the received packets; each packet is 1 KB, including IP/TCP headers; the source port number is randomly allocated;
(5) UDP53-Server: we repeat (4) but using UDP.
20
4. Free Mobile Data Access Attack
4.2 Experiment Introduction
Experiment Results:
- Operator-I: packets via port 53 are FREE
- Operator-II: packets via UDP + port 53 are FREE
Figure 7 [2]: VUE and VOP in five DNS tests
21
4. Free Mobile Data Access Attack
4.2 Experiment Introduction
2. Volume Check Attack - three experiments:
(I) Free-One: UE sends one request to our server to download a 5 MB file;
(II) Free-Equal: UE uploads a 3 MB file to our server, and requests it to return the delivered packets;
(III) Free-Long: the UE sends many small requests (100 B) to our server for an hour, each of which requests a 1 KB response.
22
4. Free Mobile Data Access Attack
4.2 Experiment Introduction
Experiment Results:
- Operator-I does not allow unbounded traffic for one fake "DNS" request, since it has a checking mechanism to verify the size of the response message.
- Operator-II delivers a much larger file (up to 4 MB), but the volume observed by the operator is totally free.
Figure 8 [2]: Feasibility test of free data services; VOP = 0
23
4. Free Mobile Data Access Attack
4.3 Conclusion and Analysis
Loopholes:
- Free Fake DNS Loophole: no mechanism enforces that the packets going through this DNS tunnel are real DNS messages.
- No Volume-check Loophole: no mechanism limits the volume mentioned above.
24
4. Free Mobile Data Access Attack
4.3 Experiment Conclusion and Analysis
Reason: The standard stipulates that one data flow is typically identified by a five-tuple:
- Source IP address
- Source port number
- Destination IP address
- Destination port number
- Protocol ID of the protocol above IP, e.g., TCP or UDP
E.g., an HTTP data flow can be represented by (*, *, *, 80, TCP).
25
4. Free Mobile Data Access Attack
4.3 Experiment Conclusion and Analysis
Reason:
- The operator identifies free DNS traffic only by destination port instead of the standard five-tuple (src IP, dest IP, src port, dest port, protocol).
- No mechanism enforces a limit on the data volume going through the charge-free port.
26
4. Free Mobile Data Access Attack
4.4 Remedies
- Provide a quota for free DNS service; usage beyond the quota should be charged.
- Enforce checking of the destination IP address of the DNS request instead of merely checking the destination port number.
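Added example (not from the paper or the slides): a sketch of the two remedies in 4.4 as an operator-side accounting rule for uplink packets, next to the port-only rule described in 4.3. The resolver address, the quota value, the sample packets and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; a real deployment would use the carrier's own.
OPERATOR_RESOLVERS = {"198.51.100.53"}  # allowlisted DNS servers (constructed)
FREE_DNS_QUOTA_BYTES = 50_000           # free DNS bytes per subscriber (constructed)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "UDP" or "TCP"
    size: int    # bytes, including IP/transport headers

def weak_is_free(pkt: Packet) -> bool:
    """Port-only rule: anything addressed to port 53 is treated as free DNS."""
    return pkt.dst_port == 53

@dataclass
class HardenedCharger:
    """Uplink accounting that checks destination IP and enforces a free quota."""
    free_used: dict = field(default_factory=dict)  # subscriber IP -> free bytes
    billed: dict = field(default_factory=dict)     # subscriber IP -> billed bytes

    def account(self, pkt: Packet) -> str:
        sub = pkt.src_ip
        to_resolver = (pkt.dst_port == 53 and pkt.proto in ("UDP", "TCP")
                       and pkt.dst_ip in OPERATOR_RESOLVERS)
        used = self.free_used.get(sub, 0)
        if to_resolver and used + pkt.size <= FREE_DNS_QUOTA_BYTES:
            self.free_used[sub] = used + pkt.size
            return "free"
        # Wrong destination, or quota exhausted: charge by volume as usual.
        self.billed[sub] = self.billed.get(sub, 0) + pkt.size
        return "billed"

# Constructed sample packets from one subscriber.
DNS_QUERY = Packet("10.0.0.7", 40000, "198.51.100.53", 53, "UDP", 80)
PORT53_OTHER = Packet("10.0.0.7", 40001, "203.0.113.9", 53, "UDP", 1024)

if __name__ == "__main__":
    charger = HardenedCharger()
    for pkt in (DNS_QUERY, PORT53_OTHER):
        print(pkt.dst_ip, "weak:", weak_is_free(pkt), "hardened:", charger.account(pkt))
```

The quota check also bounds traffic addressed to the legitimate resolver: once a subscriber's free allowance is used up, further port-53 packets are charged by volume.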
27
5. Stealth Spam Attack 5.1 Challenges and Opportunities
Two loopholes in the charging system:
- Data flow termination at the UE ≠ charging termination at the operator.
- Initial authentication ≠ authentication during the whole data process.
28
5. Stealth Spam Attack 5.1 Challenges and Opportunities
Data flow termination at the UE ≠ charging termination at the operator.
Figure 9 [2]: Illustration of stealth spam attack
29
5. Stealth Spam Attack 5.1 Challenges and Opportunities
Initial authentication ≠ authentication during the whole data process.
- As it stands, all authentication operations are performed at the beginning of the data flow, but not when a flow is terminated.
- The current charging procedure secures the initialization of the flow but not the whole process.
- It cannot protect the data flow in the teardown process.
30
5. Stealth Spam Attack 5.1 Challenges and Opportunities
The stealth spam attack can be performed due to these two loopholes.
Figure 10 [2]: Steps to launch stealth spam attack
31
5. Stealth Spam Attack 5.2 Spam Attack in TCP-based Services
Experiment methodology:
- Deploy a Web server as the attacker;
- Disable the normal TCP connection teardown procedure (TCP will never send FIN or FIN-ACK signals as a normal TCP would);
- Induce the user to click a malicious web link;
- At this point, the attack was performed in the following two ways:
  - Send junk packets at a fixed rate for five minutes;
  - Send junk packets for various durations but at a low rate (150 kbps).
32
5. Stealth Spam Attack 5.2 Spam Attack in TCP-based Services
Figure 13: As the incoming source rate grows beyond a threshold (about 400 Kbps for Operator-I, 200 Kbps for Operator-II), the attack seems to be blocked by the operator. The higher the source rate, the earlier the attack is blocked.
Figure 14: The low-rate attack can easily bypass the security check implemented by both operators. The attack can last for two hours; there was no sign of it ending during our experiments.
Figure 11 [2]: Data volume caused by TCP-based stealth spam attacks under various source rates.
Figure 12 [2]: Data volume caused by TCP-based stealth spam attacks for various durations.
33
5. Stealth Spam Attack 5.2 Spam Attack in TCP-based Services
Experiment results:
- Both operators offer some mechanism to block spam attacks. The block threshold depends on the flow rate.
- If the spam attack is performed at a low source rate (150 Kbps), it can easily bypass the security check implemented by both operators and incur more than 100 MB of usage.
- Operator's actual charging time window > charging time window expected by the user
34
5. Stealth Spam Attack 5.3 Spam Attack in UDP-based Services
Spam Attack in VoIP
- Skype and Google Talk
- Start a call to the victim without the victim's awareness
Spam Attack in Video Streaming
- Create a malicious link to redirect Web-browsing operations to start a real-time video stream (e.g. rtsp://*.*.1.204:554/trackID=5)
35
5. Stealth Spam Attack 5.3.1 Spam Attack in VoIP
Process:
Victim side:
- Sends access information to the attacker (captured in the Wireshark trace);
- Notifies the operator that it accepts this flow.
Attacker side:
- Keeps sending junk UDP packets
36
5. Stealth Spam Attack 5.3.1 Spam Attack in VoIP Results:
Figure 13 [2]: Data volume caused by UDP-based (Skype) stealth spam attacks under various source rates.
Figure 14 [2]: Data volume caused by UDP-based (Skype) stealth spam attacks for various durations.
37
5. Stealth Spam Attack 5.3.1 Spam Attack in VoIP Results:
Operators do not enforce any security mechanism for UDP-based services, even if the attack lasts 24 hours!
38
5. Stealth Spam Attack 5.3.2 Spam Attack in Video Streaming
Process:
Victim side:
- A new RTSP (over UDP) flow running on port 554 is set up;
- Releases its confidential access information to the attacker
Attacker side:
- Blasts spam packets
39
5. Stealth Spam Attack 5.3.2 Spam Attack in Video Streaming
Results:
- Similar to the Skype spam attack.
- UDP-based spam can inject an arbitrarily large volume of traffic and force the UE to pay more.
40
5. Stealth Spam Attack 5.4 Remedy strategy
- Users must take precautions and be aware of potential attacks (e.g. limit the size of any automatically downloaded data);
- The UE must be capable of detecting unwanted traffic and sending feedback (e.g. applications like Skype must be fixed to run over a metered charging service);
- The carriers must take feedback from the UE to stop unwanted traffic.
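Added example (not from the paper or the slides): one way the UE feedback called for in these remedies could be computed, by comparing the time at which the UE closed a flow with the downlink volume the operator kept counting for it. The log format, field names, grace period and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Flow key = (remote_ip, remote_port, local_port, proto).
SPAM_FLOW = ("203.0.113.9", 80, 51000, "TCP")
NORMAL_FLOW = ("198.51.100.20", 443, 51001, "TCP")

# Time (s) at which the UE closed each flow locally; NORMAL_FLOW is still open.
UE_CLOSE_EVENTS = {SPAM_FLOW: 12.0}

# (time_s, flow, bytes) for downlink packets as counted at the operator gateway.
OPERATOR_DOWNLINK_LOG = [
    (3.0, SPAM_FLOW, 1400),
    (11.5, SPAM_FLOW, 1400),
    (12.5, SPAM_FLOW, 1400),   # already in flight when the UE closed the flow
    (30.0, SPAM_FLOW, 1400),
    (60.0, SPAM_FLOW, 1400),
    (5.0, NORMAL_FLOW, 900),
]

def unwanted_volume(close_events, downlink_log, grace_s=1.0):
    """Bytes the operator counted per flow after the UE had closed that flow.

    grace_s tolerates packets that were in flight at the moment of the close.
    """
    late = defaultdict(int)
    for t, flow, size in downlink_log:
        closed_at = close_events.get(flow)
        if closed_at is not None and t > closed_at + grace_s:
            late[flow] += size
    return dict(late)

def feedback_reports(close_events, downlink_log, min_bytes=1000):
    """Build UE-to-carrier feedback records for flows that should be stopped."""
    late = unwanted_volume(close_events, downlink_log)
    return [
        {"flow": flow, "closed_at": close_events[flow], "unwanted_bytes": n}
        for flow, n in sorted(late.items())
        if n >= min_bytes
    ]

if __name__ == "__main__":
    for report in feedback_reports(UE_CLOSE_EVENTS, OPERATOR_DOWNLINK_LOG):
        print(report)
```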
41
6. Conclusion
- Undercharge: the current 3G/4G accounting architecture lacks proper validation and verification of the traversing traffic types and content when offering different charging for applications.
- Overcharge: the charging system records the data volume on behalf of users, but does not take any user feedback when making charging decisions.
- Concerted renovations among the network, the mobile device and applications contribute to a dependable, usage-based charging system.
42
References
[1] Meet the Average Smartphone User. The mobile marketer <
[2] Chunyi Peng, Chi-yu Li, Guan-Hua Tu, Songwu Lu, and Lixia Zhang. Mobile data charging: new attacks and countermeasures. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, DOI= /
43
Thank you!