Published by Evelyn Angle. Modified over 9 years ago
1
On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core
Patrick Traynor @Gatech
Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel and Thomas La Porta @Psu
ACM CCS 2009
2
.... We have background knowledge !
3
Background Knowledge
Core Network in GSM
Reference: http://www.mobile01.com/topicdetail.php?f=18&t=1753
4
Background Knowledge (cont.)
Glossary
▫MSC: Mobile Switching Center
  Acts as a telephony switch and delivers circuit-switched traffic in a GSM network
  Handoff (handover) / Roaming
  Updates information with the HLR
5
Background Knowledge (cont.)
▫HLR: Home Location Register
  Users are assigned to specific HLRs based on their phone number
  The central repository of user profile data
▫VLR: Visitor Location Register
  Each MSC has a VLR
  A VLR saves all information about the cellphones in its Location Area
6
Outline
Introduction
Overview of Cellular Systems
Attack Overview
Characterizing HLR Performance
Profiling Network Behavior
Attack Characterization
Avoiding Wireless Bottlenecks
Attack Mitigation
Conclusion
7
Introduction
Denial of Service attacks on HLR
Botnets as small as 11750 phones can cause a reduction of throughput of more than 90%
Contributions:
▫Attack Characterization and Quantification
▫Reduce Adversary’s Workload
▫Provide Intelligent Control Mechanisms
8
Overview of Cellular Systems
Mobile Phone Architecture
▫Application Processor
  Supports normal OS functionality
▫Baseband Processor
  Establishes telephony and data links
  Invokes network-supported services
When a process needs to use the network, the Application Processor passes an AT command to the Baseband Processor
9
Overview of Cellular Systems (cont.)
Mobile OS
▫Windows Mobile, Android, Mobile OS X…
▫Only beginning to implement basic security mechanisms
  Memory protection and separation of privilege
10% of cellular users downloaded games at least once a month in 2007
10
Attack Overview Attacker Legitimate User
11
Attack Overview (cont.)
Different from DoS on the Internet
▫Mobile devices cannot transmit entirely arbitrary requests to HLR
▫Such requests must be made in a manner such that unnecessary traffic or side effects are not generated
12
Characterizing HLR Performance
Telecom One (TM1) Benchmarking Suite
▫MQTh: Maximum Qualified Throughput
Setting:
▫HLR: Xeon 2.3 GHz * 2 + 8 GB RAM
  Linux 2.6.22
  MySQL 5.0.45 or SolidDB v6.0
13
Characterizing HLR Performance
Normal HLR Behavior
▫The number of subscribers per HLR
  Reality: 100000 ~ five million
▫The rate and type of service requests
14
Characterizing HLR Performance MQTh vs Numbers of subscribers
15
Characterizing HLR Performance
MySQL
▫Only caching data and indexes are stored in memory
SolidDB
▫All in memory
16
Characterizing HLR Performance Different commands on MySQL
17
Characterizing HLR Performance Different commands vs Number of subscribers
18
Profiling Network Behavior
Setting:
▫Nokia 9500 with Symbian S80
▫Motorola A1200 with Linux kernel 2.4.20
▫Live cellular network
▫AT command + 2 sec delay
  Repeated 200 times during low traffic hours
  On some phones, immediate execution caused extended delays
19
Profiling Network Behavior (cont.) GPRS Attach: update_location
20
Profiling Network Behavior (cont.) Avg: 2.5 sec // Peak: 3 sec
21
Profiling Network Behavior (cont.) Comparison: GPRS Detach
22
Profiling Network Behavior (cont.)
GPRS Attach
▫Turnaround time: 3 sec response time + 2 sec command delay
  0.2 commands per second
  But only one in five commands reaches the HLR
  0.2/5 = 0.04 commands per second
23
Profiling Network Behavior (cont.) Call Waiting: update_subscriber_data
24
Profiling Network Behavior (cont.) Avg: 2.5 sec
25
Profiling Network Behavior (cont.)
Call Waiting
▫Turnaround time: 2.5 sec + 2 sec
  0.22 commands per second
  Better than update_location
26
Profiling Network Behavior (cont.)
Insert/Delete Call Forwarding
▫insert_call_forwarding / delete_call_forwarding
27
Profiling Network Behavior (cont.) Avg: 2.7 sec (insert) / 2.5 sec (delete)
28
Profiling Network Behavior (cont.)
Insert Call Forwarding
▫0.21 commands per second
▫Extra database read
Delete Call Forwarding
▫0.19 commands per second
▫Can only be sent if call forwarding is enabled
Choose insert_call_forwarding
29
Attack Characterization The effect of an attack on HLR with 1 million users (MySQL)
30
Attack Characterization With SolidDB
31
Attack Characterization
MySQL:
▫Normal condition: 11750 infected mobile phones (1.2%)
▫High traffic: 23500 infected mobile phones (2.4%)
SolidDB:
▫141000 infected mobile phones (14.1%)
32
Avoiding Wireless Bottlenecks
Random Access Channel (RACH) Capacity
▫TDMA
  Timeslot: 0.577 ms
  A frame: 8 timeslots = 4.615 ms
▫Slotted ALOHA protocol
33
Avoiding Wireless Bottlenecks
Max throughput S
▫S is maximized at 37% when G=1
▫G is the number of transmission attempts per timeslot
34
Avoiding Wireless Bottlenecks
The offered load, G, also known as ρ, is defined as:
▫λ is the arrival rate in commands per second
▫1/μ is the channel hold time (4.615 ms)
▫ρ = 1/0.004615 * 0.37 = 80 transmissions per sec
35
Avoiding Wireless Bottlenecks The attack would need to be distributed over α base stations:
36
Avoiding Wireless Bottlenecks
Standalone Dedicated Control Channels (SDCCH)
▫Sectors in GSM allocate 8 or 12 SDCCHs
▫We hold SDCCH for 2.7 sec (insert_call_forwarding)
37
Command and Control
Internet Coordination
▫3G
Local Wireless Coordination
▫Bluetooth / WiFi
Indirect Local Coordination
▫Via RACH
38
Attack Mitigation
HLR Replication?
Filtering
Call gapping
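The two request-side mitigations named on this slide, sketched as an added example (not code from the slides or the paper): per-subscriber filtering of HLR write commands and network-wide call gapping, run over a constructed request log. The log format, subscriber names, window and gap values are assumptions; the 5-second pacing of sub-A mirrors the roughly 0.2 commands per second per phone measured in the profiling slides.

```python
from collections import defaultdict, deque

# Commands from the slides that change subscriber state held in the HLR.
WRITE_COMMANDS = {"insert_call_forwarding", "delete_call_forwarding",
                  "update_subscriber_data"}

def sample_log():
    """Constructed (timestamp_sec, subscriber, command) records; not real data."""
    # sub-A repeats one command every 5 s, the per-phone pace the slides measured.
    log = [(t * 5.0, "sub-A", "insert_call_forwarding") for t in range(24)]
    log += [(10.0, "sub-B", "insert_call_forwarding"),
            (70.0, "sub-B", "delete_call_forwarding"),
            (30.0, "sub-C", "update_location")]
    return sorted(log)

def flag_subscribers(log, window=60.0, max_per_window=3):
    """Filtering: subscribers with more than max_per_window write commands
    inside any sliding window of `window` seconds (thresholds are assumed)."""
    recent, flagged = defaultdict(deque), set()
    for ts, sub, cmd in log:
        if cmd not in WRITE_COMMANDS:
            continue
        q = recent[sub]
        q.append(ts)
        while ts - q[0] >= window:   # drop entries older than the window
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(sub)
    return flagged

def call_gap(log, gap=10.0, gapped=("insert_call_forwarding",)):
    """Call gapping: admit at most one gapped command per `gap` seconds
    across all subscribers; everything else in the gap is rejected."""
    admitted, rejected, last = [], [], None
    for rec in log:
        ts, _sub, cmd = rec
        if cmd in gapped:
            if last is not None and ts - last < gap:
                rejected.append(rec)
                continue
            last = ts
        admitted.append(rec)
    return admitted, rejected

if __name__ == "__main__":
    log = sample_log()
    print("flagged:", flag_subscribers(log))
    admitted, rejected = call_gap(log)
    print(len(admitted), "admitted,", len(rejected), "rejected")
```

On this sample the filter isolates only sub-A, while gapping also rejects sub-B's single legitimate request: gapping caps HLR load regardless of who is sending, and filtering is what separates the misbehaving device from normal users.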
39
Conclusion
Small botnets composed entirely of mobile phones pose significant threats to the availability of these networks
The C & C channel is more challenging in this environment