On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core

Post on 21-Mar-2016

Patrick Traynor, Michael Lin, Machigar Ongtang, Vikhyath Rao, Trent Jaeger, Patrick McDaniel, and Thomas La Porta

2/29/2012

Overview

- Objectives
- Cellular Networks
- Describing the Attack
- Quantifying the Attack
- Mitigating the Attack
- Conclusions

Objectives

- Characterize an attack on cellular network core
- Test the attack
- Optimize it
- Propose defenses

Background

Cellular networks have:

- Home Location Register (HLR)
- Mobile Switching Centers (MSC)
- Visiting Location Register (VLR)
- Serving GPRS Support Node (SGSN)
- Base Station Subsystem (BSS)

Attack Characteristics

- DDoS using a cellular botnet
- Target part that will cause most disruption
- HLR is necessary for most actions
  - Authentication
  - Phone calls
  - Text messages
  - Billing
  - Etc.
- HLR most effective target

Attack Characteristics

Only ‘legitimate’ transactions reach HLR

Attack Characteristics

- Write transactions use more HLR resources per transaction than reads
- Which one is the best?
  - Update Location utilizes caching
  - Update Subscriber Data averages 2.5 seconds
  - Insert Call Forwarding averages 2.7 seconds
  - Delete Call Forwarding averages 2.5 seconds
  - Insert/Delete Call Forwarding must alternate
- Best to use a combination of Insert and Delete Call Forwarding

Some Graphs

Some More Graphs

Attack Considerations

- Why most resource usage per message? Why not just send more messages?
  - Sending that many messages will clog up the communications channels, and the messages will never reach the HLR
  - Denies service for the base station, not the whole network
- Need to distribute the attack across multiple base stations

Attack Numbers

- Testbed system dropped 93% of traffic under a simulated call-forwarding attack with 5000 messages/sec
- Attack traffic needs to be distributed evenly across 21 base stations so that it does not DDoS the random access channel before getting to the HLR
- 375 base stations are needed to avoid DDoSing the control channels

Command and Control

- Tried and true (Internet coordination)
  - Easy to identify/snoop
  - Clogs communication channels
- Local Wireless Coordination
  - Short range
- Indirect Local Coordination
  - Using exponential backoff?

Mitigation

- Filtering
  - Can be aggressive because call forwarding is not critical
  - What if call forwarding is not the transaction used?
- Shedding
  - How to deploy effective rules during an attack?
- Make phone security better
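
One way to combine the filtering and shedding ideas from the Mitigation slide, as an added example that is not from the original presentation: non-critical writes are capped per subscriber, then the remaining load is shed by criticality, so the scheme does not depend on call forwarding being the flooded transaction. The priority values, the per-subscriber limit, the capacity and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed criticality ranking (lower = more critical). The slides only state
# that call forwarding "is not critical"; the other ranks are illustrative.
PRIORITY = {
    "authentication": 0,
    "update_location": 1,
    "update_subscriber_data": 2,
    "insert_call_forwarding": 3,
    "delete_call_forwarding": 3,
}
NON_CRITICAL = 3   # rank at which aggressive filtering applies; unknown classes get this rank
PER_SUB_LIMIT = 1  # assumed: non-critical writes allowed per subscriber per interval


def admit(requests, capacity):
    """Decide which (subscriber, txn_class) requests from one interval reach the HLR.

    Returns (admitted, dropped), where dropped has 'filtered' and 'shed' lists.
    """
    seen = defaultdict(int)
    survivors, dropped = [], {"filtered": [], "shed": []}
    # Stage 1, filtering: cap non-critical writes per subscriber.
    for sub, cls in requests:
        if PRIORITY.get(cls, NON_CRITICAL) >= NON_CRITICAL:
            seen[sub] += 1
            if seen[sub] > PER_SUB_LIMIT:
                dropped["filtered"].append((sub, cls))
                continue
        survivors.append((sub, cls))
    # Stage 2, shedding: if still over capacity, keep the most critical first.
    # sorted() is stable, so arrival order is preserved within a class.
    ranked = sorted(survivors, key=lambda r: PRIORITY.get(r[1], NON_CRITICAL))
    dropped["shed"] = ranked[capacity:]
    return ranked[:capacity], dropped


# Constructed sample interval: two devices alternating insert/delete call
# forwarding three times each, plus five ordinary subscriber requests.
SAMPLE = [(bot, op) for bot in ("bot-1", "bot-2") for _ in range(3)
          for op in ("insert_call_forwarding", "delete_call_forwarding")]
SAMPLE += [("alice", "authentication"), ("bob", "authentication"),
           ("carol", "update_location"), ("dave", "update_subscriber_data"),
           ("erin", "insert_call_forwarding")]

if __name__ == "__main__":
    admitted, dropped = admit(SAMPLE, capacity=5)
    print("admitted:", admitted)
    print("filtered:", len(dropped["filtered"]), "shed:", len(dropped["shed"]))
```

On the sample, all four critical requests are admitted, but one legitimate call-forwarding request is shed alongside attack traffic, which is the cost of aggressive rules on a non-critical class.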

Conclusions

- Cellular networks are vulnerable to DDoS attacks
- Single points of failure are bad
- Botnet must be fairly sophisticated
- Is there a way to distribute HLR data?
