CSE545 - Advanced Network Security - Professor McDaniel Page
Telecommunications Security
Professor Patrick McDaniel
CSE545 - Advanced Network Security
Spring 2011
Cellular Networks
• Provide communications infrastructure for an estimated 2.6 billion users daily.
‣ The Internet connects roughly 1 billion.
• For many people, this is their only means of reaching the outside world.
• Portable and inexpensive nature of user equipment makes this technology accessible to most socio-economic groups.
Aren’t They The Same?
• Cellular networks and the Internet are built to support very different kinds of traffic.
‣ Real-time vs Best Effort
• The notions of control and authority are different.
‣ Centralized vs distributed
• The underlying networks are dissimilar.
‣ Circuit vs packet-switched
Cellular Systems
• Wireless Access
‣ TDMA (IS-136, GSM)
‣ CDMA (IS-95, CDMA2000)
‣ WCDMA (UMTS)
• Connection oriented networks for voice
‣ PSTN (ISDN)
• Packet overlay networks for data
‣ General Packet Radio Service (GPRS) - GSM and UMTS
‣ Enhanced Version Data “Optimized” (EVDO) - CDMA
• Rebranded from “Data Only”
• Signaling protocols
‣ Signaling system number 7 (SS7) for voice and GPRS
‣ IETF protocols for EVDO
Wireless Standards Evolution to 3G
[Figure: evolution of wireless standards by generation, with spectrum labels “Existing Spectrum” and “700 MHz”]
1G: Analog AMPS, TACS
2G: IS-95-A/cdmaOne, IS-136 TDMA, GSM
2.5G: GSM GPRS, HSCSD, IS-95-B/cdmaOne
2.75G: GSM EDGE
3G: CDMA2000 1xRTT (1.25 MHz), CDMA2000 1xEVDO (1.25 MHz), CDMA2000 3x (5 MHz), WCDMA
4G: LTE, WiMAX
Reference Architecture
• MS: Mobile Subscriber/Station
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• HLR: Home Location Register
• AuC: Authentication Center
• VLR: Visitor’s Location Register
[Figure: the Wireless Network. An MS talks to a BTS; several BTSs attach to a BSC; several BSCs attach to an MSC, each MSC having a VLR; the MSCs reach the HLR (with its AuC) and the PSTN/ISDN.]
Basic Network Architecture
• Gateway MSC receives incoming calls for phones.
• Serving MSC assigned based on location
• HLR: Permanent registry for service profiles, pointer to VLR
• VLR: Temporary repository for profile information, pointer to SMSC.
[Figure: an MS served by base stations (BS) attached to the serving MSC/VLR; the core network also holds the HLR, the GMSC and the SMSC.]
Cellular Services
• Automatic call delivery
‣ find a user, deliver a call
• IN-type services
‣ e.g., call forwarding
• Messaging
‣ short message service
• Connection oriented user data transfer
‣ voice, fax, circuit-switched data
• Packet Data
‣ General Packet Radio Service (GPRS) - GSM and UMTS
‣ Enhanced Version Data “Optimized” (EVDO) - CDMA
High Level Call Flow
• Mobile User Registers
‣ Power up/down
‣ Movement
‣ Periodic
• Call recipient located
‣ Call routed to gateway or home MSC
‣ Gateway MSC searches for called mobile (via HLRs and VLRs)
‣ Mobile user is paged (determines current base station)
• Call delivered
‣ Uses standard SS7 procedures
Delivering a Call
[Figure: call delivery through the GMSC, HLR, VLR, serving MSC and base stations (BS) to the MS; the numbered steps on the figure are:]
1. 404-894-2000
2. 404-894-2000 maps to HLR X
3. How do I deliver call to User 222?
4. How do I deliver call to User 222?
5. 999-xxx
6. 999-xxx
7. 999-xxx
8. Call to 999-xxx
9. Page
10. Call
Protocols of Note
[Figure: the reference architecture (MS, BS, MSC, VLR, HLR, PSTN/ISDN) annotated with the protocols used at each interface:]
• Air Interfaces: GSM, IS136, IS-95, UMTS
• Mobility Management Protocols: GSM-MAP, ANSI41-MAP
• SS7
Mobile Registration - High Level
[Figure: message sequence among BS, MSC, VLR, HLR, Old VLR and Old SMSC: Update Location, Cancel Location, OK.]
GSM - Air Interface
• Let’s get into the details of the most widely used air interface...
• The GSM Air Interface supports:
‣ Call origination and termination
‣ Registration (location update and authentication)
‣ SMS
‣ Mobile assisted handoff
‣ User confidentiality
‣ Data confidentiality
‣ Sleep mode
GSM Spectrum
• 50 MHz
‣ Uplink and downlink split bandwidth and use different frequencies
• Reverse channel (uplink)
‣ 890-915 MHz
• Forward channel (downlink)
‣ 935-960 MHz
• Carriers spread at 200 kHz
‣ Why is this?
[Figure: Time-Division Multiple Access (TDMA) with 8 timeslots that service every 4.615 msec]
GSM Structure
• Common Control Channel (CCCH)
‣ Used for control information: registration, paging, call origination/termination.
• Traffic Channel (TCH)
‣ Information transfer
‣ in-call control (fast/slow associated control channels)
[Figure: a carrier divided into the Common Control Channel (CCCH) and Traffic Channels, one TCH (13 KBps) per user in a call]
GSM Structure
• The CCCH is really a series of many logical channels, each discernible by their position in time.
• The diagram in the previous slide should not be viewed “to scale”.
‣ The control channels generally represent ~3-6% of the resources in a cell.
‣ Everything else is dedicated to TCHs.
‣ Why?
Low Rate DoS Attacks
• While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes them all.
• Comparing multiple attacks uncovers causality:
‣ SMS Attack (JCS’09, CCS’05)
‣ Network Characterization and Partial Mitigations (TON’10, MobiCom’06)
‣ Data Teardown/Setup Attacks (USENIX Security’07)
• The architecture of cellular networks inherently makes them susceptible to denial of service attacks.
Clash of Design Philosophies
SMS Delivery (simplified)
[Figure: simplified SMS delivery path. An ESME (External Short Messaging Entity) on the Internet or the PSTN submits the message to the SMSC; the SMSC looks up the recipient in the HLR and hands the message to the serving MSC/VLR, which delivers it to the phone over the air-interface control channel (CCH).]
Control Channels
• Control channels are used for a handful of infrequently used functions.
‣ Call setup, SMS delivery, mobility management, etc...
• The SDCCH allows the network to perform most of these functions.
• The number of SDCCHs typically depends on the expected use in an area.
‣ 4/8/12...
[Figure: the control channels PCH, AGCH, RACH and SDCCH]
Recognition
• Once you fill the SDCCH channels with SMS traffic, call setup is blocked
• The goal of an adversary is therefore to fill SDCCHs with SMS traffic.
‣ Not as simple as you might think...
[Figure: every SDCCH occupied by an SMS session; an arriving Voice request is blocked (X)]
Reconnaissance
• Can such an attack be launched by targeting a single phone?
‣ Low end phones: 30-50 msgs
‣ High end phones: 500+ msgs (battery dies)
• How do you get messages into the network?
‣ Email, IM, provider websites, bulk senders, etc...
• Don’t the networks have protections?
‣ IP Address blocking, Spam filtering
Finding Phones
• North American Numbering Plan (NANP)
‣ Mappings between providers and exchanges publicly documented and available on the web
• Implication: An adversary can identify the prefixes used in a target area.
[Figure: NPA-NXX-XXXX, where NPA is the Numbering Plan Area (area code) and NXX is the Numbering Plan Exchange]
Web-Scraping
• Googling for phone numbers gives us better results: 7,300 in NYC, 6,184 in D.C., in 5 seconds...
Provider Interfaces
• Almost all provider interfaces indicate whether or not a number is good.
‣ Some sites even tell you a target phone’s availability.
• This interface is an “oracle” for available phones.
Exploit (Metro)
• 165 msgs/sec * 1500 bytes = 1933.6 kb/sec
• 193.36 kb/sec on multi-send interface...
• Comparison: Cable modem ~= 768 kb/sec
[Figure: the slide’s saturation estimate is the product (Sectors in Manhattan) × (SDCCHs per sector) × (Messages per SDCCH per hour)]

Figure 4 (layout reconstructed from the slide): one frame on each of four carriers, time slots 0–7.

Time slot   0      1         2    3    4    5    6    7
TRX 1       CCH*   SDCCH/8   TCH  TCH  TCH  TCH  TCH  TCH
TRX 2       TCH    TCH       TCH  TCH  TCH  TCH  TCH  TCH
TRX 3       TCH    TCH       TCH  TCH  TCH  TCH  TCH  TCH
TRX 4       TCH    TCH       TCH  TCH  TCH  TCH  TCH  TCH

Figure 4: An example air interface with four carriers (each showing a single frame). The first time slot of the first carrier is the Common CCH. The second time slot of the first channel is reserved for SDCCH connections. Over the course of a multiframe, capacity for eight users is allotted. The remaining time slots across all carriers are designated for voice data. This setup is common in many urban areas.
is divided into eight timeslots and, when viewed as a whole, form a frame. During a given timeslot, the assigned user receives full control of the channel. From the telephony perspective, a user assigned to a given TCH is able to transmit voice data once per frame. In order to provide the illusion of continuous voice sampling, the frame length is limited to 4.615 ms. An illustration of this system is shown in Figure 4.

Because the bandwidth within a given frame is limited, data (especially relating to the CCH) must often span a number of frames, as depicted in Figure 5. This aggregation is known as a multiframe and is typically comprised of 51 frames^6. For example, over the course of a single multiframe, the base station is able to dedicate up to 34 of the 51 Common CCH slots to paging operations.

Each channel has distinct characteristics. While the PCH is used to signal each incoming call and text message, its commitment to each session is limited to the transmission of a TMSI. TCHs, on the other hand, remain occupied for the duration of a call, which on average is a number of minutes [44]. The SDCCH, which has approximately the same bandwidth as the PCH across a multiframe, is occupied for a number of seconds per session establishment. Accordingly, in many scenarios, this channel can become a bottleneck.

In order to determine the characteristics of the wireless bottleneck, it is necessary to understand the available bandwidth. As shown in Figure 5, each SDCCH spans four logically consecutive timeslots in a multiframe. With 184 bits per control channel unit and a multiframe cycle time of 235.36 ms, the effective bandwidth is 782 bps [4]. Given that authentication, TMSI renewal, the enabling of encryption, and the 160 byte text message must be transferred, a single SDCCH is commonly held by an individual session for between four and five seconds [44]. The gray-box testing in Section 3.1 reinforces the plausibility of this value by observing no messages delivered in under six seconds.

This service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH. In real systems, the total number of SDCCHs available in a sector is typically equal to twice the number of carriers^7, or one per three to four voice channels. For example, in an urban location such as the one demonstrated in Figure 4 where a total of four carriers are used, a total of eight SDCCHs are allocated. A less populated suburban or rural sector may only have two carriers per area and therefore have four allocated SDCCHs. Densely populated metropolitan sectors may have as many as six carriers and therefore support up to 12 SDCCHs per area.

[Figure 5, axes: Time Slot # (0–7 within each frame), Frame # (across the multiframe), Radio Carrier; SDCCH 0 and SDCCH 1 are marked.]
Figure 5: Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel. In a single multiframe, up to eight users can receive SDCCH access.

We now calculate the maximum capacity of the system for an area. As indicated in a study conducted by the National Communications System (NCS) [44], the city of Washington D.C. has 40 cellular towers and a total of 120 sectors. This number reflects sectors of approximately 0.5 to 0.75 mi² through the 68.2 mi² city. Assuming that each of the sectors has eight SDCCHs, the total number of messages per second needed to saturate the SDCCH capacity C is:

$$C = (120\ \text{sectors}) \left(\frac{8\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msgs/hr}}{1\ \text{SDCCH}}\right) = 864{,}000\ \text{msgs/hr} = 240\ \text{msgs/sec}$$

Manhattan is smaller in area at 31.1 mi². Assuming the same sector distribution as Washington D.C., there are 55 sectors. Due to the greater population density, we assume 12 SDCCHs are used per sector.

$$C = (55\ \text{sectors}) \left(\frac{12\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msg/hr}}{1\ \text{SDCCH}}\right) = 594{,}000\ \text{msg/hr} = 165\ \text{msg/sec}$$

Given that SMSCs in use by service providers in 2000 were capable of processing 2500 msgs/sec [59], such volumes are achievable even in the hypothetical case of a sector having twice this number of SDCCHs.

Using a source transmission size of 1500 bytes as described in Section 3.1 to submit an SMS from the Internet, Table 3 shows the bandwidth required at the source to saturate the control channels, thereby incapacitating legitimate voice and text messaging services for Washington D.C. and Manhattan. The adversary’s bandwidth requirements can be reduced by an order of magnitude when attacking providers including Verizon and Cingular Wireless due to the ability to have a single message repeated to up to ten recipients.

Due to the data gathered in Section 3.1, sending this magnitude of messages to a small number of recipients would degrade the effectiveness of such an attack. As shown in the previous section, targeted phones would quickly see their buffers reach capacity. Undeliverable messages would then be buffered in the network until the space allotted per user was also exhausted. These accounts would likely be flagged and potentially temporarily shut down for receiving a high number of messages in a short period of time, thereby

^6 Multiframes can actually contain 26, 51 or 52 frames. A justification for each case is available in the standards [4].
^7 Actual allocation of SDCCH channels may vary across implementations; however, these are the generally accepted values throughout the community.
Attack Profile
• Applied simulation and analysis to better characterize the attacks.
• Examined call blocking under multiple arrival patterns with exponentially distributed service times.
• Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.
[Figure: SDCCH Utilization and TCH Utilization (0–1.2) against Time (seconds, 0–4000)]
Security Goals
• Goal: To preserve the fidelity of both voice services and legitimate text messages during targeted SMS attacks.
• Security Model:
‣ We must trust equipment in the network core.
‣ We can not trust Internet users or customer devices.
Placing Mitigations
[Figure: the simplified SMS delivery path (ESME, Internet, PSTN, SMSC, HLR, MSC/VLR) annotated with the points at which mitigations can be placed.]
Solution Classifications
• Scheduling/Shaping/Regulation
‣ WFQ, Leaky Bucket, Priority Queues
‣ AQM (WRED, REM, AVQ)
• Resource Provisioning
‣ SRP
‣ DRP
‣ DCA
[Figures: four simulation plots against Time (seconds, 0–4000): Percent of Attempts Blocked for Service Queue (SMS), Service Queue (Voice) and TCH (Voice); Percent of Attempts Blocked for SDCCH (SMS), SDCCH (Voice) and TCH (Voice) (two plots); and Utilization of SDCCH, TCH and Service Queue.]
WRED - Overview
[Figure: WRED drop-probability curves for the Low, Med and High classes, with the thresholds t_low,min, t_med,min, t_med,max and t_low,max marked along the queue-occupancy axis.]
closer to a moving average and not capacity, space typically exists to accommodate sudden bursts of traffic. However, one of the chief difficulties with traditional RED is that it eliminates the ability of a provider to offer quality of service (QoS) guarantees because all traffic entering a queue is dropped with equal probability. Weighted Random Early Detection (WRED) solves this problem by basing the probability a given incoming message is dropped on an attribute such as its contents, source or destination. Arriving messages not meeting some priority are therefore subject to increased probability of drop. The dropping probability for each class of message is tuned by setting $t_{priority,min}$ and $t_{priority,max}$ for each class.
We consider the use of authentication as a means of creating messaging priority classes. For example, during a crisis, messages injected to a network from the Internet by an authenticated municipality or from emergency personnel could receive priority over all other text messages. A number of municipalities already use such systems for emergency [32] and traffic updates [36]. Messages from authenticated users within the network itself receive secondary priority. Unauthenticated messages originating from the Internet are delivered with the lowest priority. Such a system would allow the informative messages (i.e. evacuation plans, additional warnings, etc) to be quickly distributed amongst the population. The remaining messages would then be delivered at ratios corresponding to their priority level. We assume that packet priority marking occurs at the SMSCs such that additional computational burden is not placed on base stations.
Here, we illustrate how WRED can provide differentiated service to different classes of SMS traffic using the attack scenario described in Tables 1 and 2. We maintain separate queues, which are served in a round robin fashion, for voice requests and SMS requests. We apply WRED to the SMS queue. In this example we assume legitimate text messages arrive at a sector with an average rate of 0.7 msgs/sec with the following distribution: 10% high priority, 80% medium priority, and 10% low priority. The attack generates an additional 9 msgs/sec.

To accommodate sudden bursts of high priority SMS traffic, we choose an SMS queue size of 12. Because we desire low latency delivery of high priority messages, we target an average queue occupancy $Q_{avg} = 3$. To meet this objective, we must set $t_{low,min}$ and $t_{low,max}$. For M/M/n systems with a finite queue of size m, the number of messages in the queue, $N_Q$, is:

$$N_Q = \frac{P_Q\,\rho}{1-\rho} \quad (2)$$

where:

$$P_Q = \frac{p_0\,(m\rho)^m}{m!\,(1-\rho)} \quad (3)$$

where:

$$p_0 = \left[\sum_{n=0}^{m-1} \frac{(m\rho)^n}{n!} + \frac{(m\rho)^m}{m!\,(1-\rho)}\right]^{-1} \quad (4)$$
Setting $N_Q = 3$, we derive a target load $\rho_{target} = 0.855$. $\rho_{target}$ is the utilization desired at the SDCCHs. Thus, the packet dropping caused by WRED must reduce the actual utilization, $\rho_{actual}$ or $\lambda_{SMS}/(\mu_{SMS} \cdot n)$, caused by the heavy offered load during an attack, to $\rho_{target}$. Therefore:

$$\rho_{target} = \rho_{actual}\,(1 - P_{drop}) \quad (5)$$

where $P_{drop}$ is the overall dropping probability of WRED. For traffic with average arrival rate of $\lambda_{SMS} = 9.7$ msgs/sec, $\rho_{actual} = 3.23$. Solving for $P_{drop}$,

$$P_{drop} = 1 - \frac{\rho_{target}}{\rho_{actual}} = 0.736 \quad (6)$$

$P_{drop}$ can be calculated from the dropping probabilities of the individual classes of messages by ($\lambda_{low} = 9.07$):

$$P_{drop} = \frac{P_{drop,high} \cdot \lambda_{high} + P_{drop,med} \cdot \lambda_{med} + P_{drop,low} \cdot \lambda_{low}}{\lambda_{SMS}} \quad (7)$$

Because we desire to deliver all messages of high and medium priority, we set $P_{drop,high} = P_{drop,med} = 0$. Using Equation 7, we find $P_{drop,low} = 0.787$. This value is then used in conjunction with Equation 1 to determine $t_{low,min}$ and $t_{low,max}$.

The desired average queue occupancy, $Q_{avg}$, is 3. From equation 1, $t_{low,min}$ must be an integer less than the average queue occupancy. This leaves three possible values for $t_{low,min}$: 0, 1, and 2. The best fit is found when $t_{low,min} = 0$ and $t_{low,max} = 4$, resulting in 75% dropping of low priority traffic.

Using this method it is possible to set thresholds to meet delivery targets. Of course, depending on the intensity of an attack, it may not be possible to meet desired targets according to Equation 7, i.e., it may not be possible to limit blocking to only low priority traffic. While the method outlined here provides just an approximate solution, given the quantization error in setting $t_{low,min}$ and $t_{low,max}$ (they must be integers), we believe the method is sufficient. We provide more insight into the performance of WRED in Section 5.
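The threshold derivation above, carried through end to end as an added example (not code from the paper or the course): equations (2) through (4) give $\rho_{target}$ from the desired queue occupancy, (5) through (7) give the drop probability the low class must absorb, and an integer search picks $t_{low,min}$ and $t_{low,max}$. It assumes the sector’s 12 SDCCHs are the m servers of equations (2) through (4), a 4-second SDCCH hold time (which reproduces $\rho_{actual} = 3.23$), and the standard RED linear drop law in place of Equation 1, which the page does not reproduce; it also flags the case the text warns about, where no setting can confine the dropping to low-priority traffic.

```python
"""WRED threshold derivation for the low-priority SMS class (added example)."""
from math import ceil, factorial


def mmm_queue_length(rho: float, m: int) -> float:
    """Expected number of queued messages N_Q from equations (2)-(4).

    As written, (2)-(4) are the Erlang-C (M/M/m) expressions: m parallel
    servers at per-server utilisation rho. Here the servers are the SDCCHs.
    """
    if not 0.0 < rho < 1.0:
        raise ValueError("rho must lie in (0, 1) for a stable queue")
    a = m * rho                                    # offered load in Erlangs
    tail = a ** m / (factorial(m) * (1.0 - rho))   # last term of (4), numerator of (3)
    p0 = 1.0 / (sum(a ** n / factorial(n) for n in range(m)) + tail)  # (4)
    p_q = p0 * tail                                # (3): probability an arrival waits
    return p_q * rho / (1.0 - rho)                 # (2)


def solve_target_load(n_q_target: float, m: int, tol: float = 1e-9) -> float:
    """Invert N_Q(rho) = n_q_target by bisection; N_Q increases with rho."""
    lo, hi = 1e-9, 1.0 - 1e-9
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if mmm_queue_length(mid, m) < n_q_target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def red_drop_probability(q_avg: float, t_min: int, t_max: int, p_max: float = 1.0) -> float:
    """Standard RED linear drop law, assumed here to stand in for Equation 1:
    no drops below t_min, everything dropped at or above t_max, linear between."""
    if q_avg < t_min:
        return 0.0
    if q_avg >= t_max:
        return 1.0
    return p_max * (q_avg - t_min) / (t_max - t_min)


def derive_wred_thresholds(legit_rate: float = 0.7,
                           split: tuple = (0.10, 0.80, 0.10),
                           attack_rate: float = 9.0,
                           n_sdcch: int = 12,
                           hold_time_s: float = 4.0,   # assumed SDCCH hold time
                           queue_size: int = 12,
                           q_avg_target: float = 3.0) -> dict:
    """Reproduce the worked example: 0.7 msgs/sec of legitimate traffic split
    10/80/10 across high/medium/low, plus a 9 msgs/sec attack that, being
    unauthenticated Internet traffic, is marked low priority at the SMSC."""
    lam_high, lam_med, lam_low_legit = (legit_rate * f for f in split)
    lam_low = lam_low_legit + attack_rate           # 9.07 msgs/sec on the page
    lam_sms = lam_high + lam_med + lam_low          # 9.7 msgs/sec
    mu = 1.0 / hold_time_s                          # SDCCH service rate
    rho_actual = lam_sms / (mu * n_sdcch)           # offered utilisation, 3.23 on the page
    rho_target = solve_target_load(q_avg_target, n_sdcch)   # 0.855 on the page
    p_drop = max(0.0, 1.0 - rho_target / rho_actual)        # (5) solved as (6)
    # (7) with P_drop,high = P_drop,med = 0: every drop falls on the low class.
    p_drop_low = p_drop * lam_sms / lam_low
    # Infeasible when high+medium traffic alone exceeds the target utilisation:
    # then dropping cannot be confined to low-priority messages (see the text).
    feasible = p_drop_low <= 1.0
    # Equation 1 step: t_low,min is an integer below Q_avg; choose the integer
    # pair whose RED drop probability at Q_avg comes closest to p_drop_low.
    best = None
    for t_min in range(ceil(q_avg_target)):
        for t_max in range(t_min + 1, queue_size + 1):
            achieved = red_drop_probability(q_avg_target, t_min, t_max)
            err = abs(achieved - min(p_drop_low, 1.0))
            if best is None or err < best[0]:
                best = (err, t_min, t_max, achieved)
    _, t_low_min, t_low_max, achieved = best
    return {
        "lambda_sms": lam_sms, "lambda_low": lam_low,
        "rho_actual": rho_actual, "rho_target": rho_target,
        "p_drop": p_drop, "p_drop_low": p_drop_low, "feasible": feasible,
        "t_low_min": t_low_min, "t_low_max": t_low_max,
        "achieved_low_drop": achieved,
    }


if __name__ == "__main__":
    for key, value in derive_wred_thresholds().items():
        print(f"{key:>18}: {value:.3f}" if isinstance(value, float) else f"{key:>18}: {value}")
```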
4.3 Resource Provisioning

None of the above methods deal with the system bottleneck directly; rather, they strive to affect traffic before it reaches the air interface. An alternative strategy of addressing targeted SMS attacks instead focuses on the reallocation of the available messaging bandwidth. We therefore investigate a variety of techniques that modify the way in which the air interface is used.
To analyze these techniques we resort to simple Erlang-B queueing analysis. We present a brief background here. For more details see Schwartz [35]. In a system with n servers, and an offered load in Erlangs of A, the probability that an arriving request is blocked because all servers are occupied is given by:

$$P_B = \frac{A^n / n!}{\sum_{l=0}^{n-1} A^l / l!} \quad (8)$$

The load in Erlangs is the same as the utilization, $\rho$, in a queueing system; it is simply the offered load multiplied by the service time of the resource. The expected occupancy of the servers is given by:

$$E(n) = \rho\,(1 - P_B) \quad (9)$$
4.3.1 Strict Resource Provisioning

Under normal conditions, the resources for service setup and delivery are over-provisioned. At a rate of 50,000 calls/hour in our baseline scenario, for example, the calculated average utilization of SDCCHs per sector is approximately 2%. Given this observation, if a subset of the total SDCCHs can be used only by voice calls, blocking due to targeted SMS attacks can be significantly mitigated. Our first air interface provisioning technique, Strict Resource Provisioning (SRP), attempts to address this contention by allowing text messages to occupy only a subset of the total number of SDCCHs in a sector. Requests for incoming voice calls can compete for the entire set of SDCCHs, including the subset used for SMS. In order to determine appropriate parameters for systems using SRP, we apply Equations 8 and 9.
closer to a moving average and not capacity, space typically exists to accommodate sudden bursts of traffic. However, one of the chief difficulties with traditional RED is that it eliminates the ability of a provider to offer quality of service (QoS) guarantees because all traffic entering a queue is dropped with equal probability. Weighted Random Early Detection (WRED) solves this problem by basing the probability a given incoming message is dropped on an attribute such as its contents, source or destination. Arriving messages not meeting some priority are therefore subject to increased probability of drop. The dropping probability for each class of message is tuned by setting $t_{priority,min}$ and $t_{priority,max}$ for each class.
We consider the use of authentication as a means of creating messaging priority classes. For example, during a crisis, messages injected to a network from the Internet by an authenticated municipality or from emergency personnel could receive priority over all other text messages. A number of municipalities already use such systems for emergency [32] and traffic updates [36]. Messages from authenticated users within the network itself receive secondary priority. Unauthenticated messages originating from the Internet are delivered with the lowest priority. Such a system would allow the informative messages (i.e. evacuation plans, additional warnings, etc) to be quickly distributed amongst the population. The remaining messages would then be delivered at ratios corresponding to their priority level. We assume that packet priority marking occurs at the SMSCs such that additional computational burden is not placed on base stations.
Here, we illustrate how WRED can provide differentiated service to different classes of SMS traffic using the attack scenario described in Tables 1 and 2. We maintain separate queues, which are served in a round robin fashion, for voice requests and SMS requests. We apply WRED to the SMS queue. In this example we assume legitimate text messages arrive at a sector with an average rate of 0.7 msgs/sec with the following distribution: 10% high priority, 80% medium priority, and 10% low priority. The attack generates an additional 9 msgs/sec.
To accommodate sudden bursts of high priority SMS traffic, we choose an SMS queue size of 12. Because we desire low latency delivery of high priority messages, we target an average queue occupancy $Q_{avg} = 3$.
To meet this objective, we must set $t_{low,min}$ and $t_{low,max}$. For M/M/n systems with a finite queue of size m, the number of messages in the queue, $N_Q$, is:
$$N_Q = \frac{P_Q \, \rho}{1 - \rho} \qquad (2)$$
where:
$$P_Q = \frac{p_0 \, (m\rho)^m}{m! \, (1 - \rho)} \qquad (3)$$
where:
$$p_0 = \left[ \sum_{n=0}^{m-1} \frac{(m\rho)^n}{n!} + \frac{(m\rho)^m}{m! \, (1 - \rho)} \right]^{-1} \qquad (4)$$
Setting $N_Q = 3$, we derive a target load $\rho_{target} = 0.855$. $\rho_{target}$ is the utilization desired at the SDCCHs. Thus, the packet dropping caused by WRED must reduce the actual utilization, $\rho_{actual}$ or $\lambda_{SMS}/(\mu_{SMS} \cdot n)$, caused by the heavy offered load during an attack, to $\rho_{target}$. Therefore:
$$\rho_{target} = \rho_{actual} \, (1 - P_{drop}) \qquad (5)$$
where $P_{drop}$ is the overall dropping probability of WRED. For traffic with average arrival rate of $\lambda_{SMS} = 9.7$ msgs/sec, $\rho_{actual} = 3.23$. Solving for $P_{drop}$,
$$P_{drop} = 1 - \frac{\rho_{target}}{\rho_{actual}} = 0.736 \qquad (6)$$
$P_{drop}$ can be calculated from the dropping probabilities of the individual classes of messages by ($\lambda_{low} = 9.07$):
$$P_{drop} = \frac{P_{drop,high} \cdot \lambda_{high} + P_{drop,med} \cdot \lambda_{med} + P_{drop,low} \cdot \lambda_{low}}{\lambda_{SMS}} \qquad (7)$$
Because we desire to deliver all messages of high and medium priority, we set $P_{drop,high} = P_{drop,med} = 0$. Using Equation 7, we find $P_{drop,low} = 0.787$. This value is then used in conjunction with Equation 1 to determine $t_{low,min}$ and $t_{low,max}$.
The desired average queue occupancy, $Q_{avg}$, is 3. From Equation 1, $t_{low,min}$ must be an integer less than the average queue occupancy. This leaves three possible values for $t_{low,min}$: 0, 1, and 2. The best fit is found when $t_{low,min} = 0$ and $t_{low,max} = 4$, resulting in 75% dropping of low priority traffic.
Using this method it is possible to set thresholds to meet delivery targets. Of course, depending on the intensity of an attack, it may not be possible to meet desired targets according to Equation 7, i.e., it may not be possible to limit blocking to only low priority traffic. While the method outlined here provides just an approximate solution, given the quantization error in setting $t_{low,min}$ and $t_{low,max}$ (they must be integers), we believe the method is sufficient. We provide more insight into the performance of WRED in Section 5.
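The threshold derivation above (Equations 2 to 7, then the integer search on Equation 1) carried through in code, as an added example that is not part of the paper or the slides. Two inputs the excerpt leaves implicit are assumed and labelled in the code: 12 SDCCHs per sector as the M/M/m servers, and a 4-second SDCCH hold time per SMS (so $\rho_{actual} = 9.7 \cdot 4 / 12 \approx 3.23$ matches the text); the function names are hypothetical and Equation 1 is taken with $P_{drop,max} = 1$.

```python
from math import factorial, ceil

def queue_length(m, rho):
    """Eqs 2-4: mean number of messages waiting, N_Q, in an M/M/m queue at utilization rho."""
    a = m * rho
    tail = a ** m / (factorial(m) * (1 - rho))
    p0 = 1 / (sum(a ** n / factorial(n) for n in range(m)) + tail)  # eq. 4
    return p0 * tail * rho / (1 - rho)            # P_Q (eq. 3) times rho/(1-rho) (eq. 2)

def target_load(m, nq_target):
    """Bisect rho in (0,1) for the load at which N_Q equals nq_target (N_Q rises with rho)."""
    lo, hi = 1e-9, 1 - 1e-9
    for _ in range(80):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if queue_length(m, mid) < nq_target else (lo, mid)
    return (lo + hi) / 2

def wred_drop(q_avg, t_min, t_max, p_max=1.0):
    """Eq. 1: the linear WRED drop curve between t_min and t_max, saturating outside them."""
    if q_avg < t_min:
        return 0.0
    if q_avg >= t_max:
        return p_max
    return p_max * (q_avg - t_min) / (t_max - t_min)

def choose_thresholds(q_avg, wanted, queue_size):
    """Integer (t_min, t_max) with t_min < Q_avg whose drop rate at Q_avg is closest to `wanted`."""
    candidates = ((abs(wred_drop(q_avg, lo, hi) - wanted), lo, hi)
                  for lo in range(ceil(q_avg)) for hi in range(lo + 1, queue_size + 1))
    _, t_min, t_max = min(candidates)
    return t_min, t_max

# Scenario from the text: 0.7 legitimate msgs/s (10% high, 80% med, 10% low) plus a 9 msgs/s attack.
LAMBDA_SMS, LAMBDA_LOW = 0.7 + 9.0, 0.1 * 0.7 + 9.0
SDCCHS_PER_SECTOR = 12  # assumption: SDCCHs (servers) per sector, not stated in this excerpt
SMS_HOLD_TIME_S = 4.0   # assumption: SDCCH hold time per SMS, 1/mu_SMS, not stated in this excerpt

def size_wred(q_avg=3.0, queue_size=12):
    """Carry eqs 2-7 through: rho_target -> P_drop -> P_drop,low -> integer thresholds."""
    rho_target = target_load(SDCCHS_PER_SECTOR, q_avg)
    rho_actual = LAMBDA_SMS * SMS_HOLD_TIME_S / SDCCHS_PER_SECTOR  # lambda_SMS / (mu_SMS * n)
    p_drop = 1 - rho_target / rho_actual                            # eq. 6
    p_drop_low = p_drop * LAMBDA_SMS / LAMBDA_LOW                   # eq. 7, P_drop,high = P_drop,med = 0
    t_min, t_max = choose_thresholds(q_avg, p_drop_low, queue_size)
    return {"rho_target": rho_target, "rho_actual": rho_actual, "p_drop": p_drop,
            "p_drop_low": p_drop_low, "t_low_min": t_min, "t_low_max": t_max,
            "achieved_low_drop": wred_drop(q_avg, t_min, t_max)}

if __name__ == "__main__":
    print(size_wred())
```

With the assumptions above the search reproduces the text's numbers: $\rho_{target} \approx 0.855$, $P_{drop} \approx 0.736$, $P_{drop,low} \approx 0.787$, and the integer best fit $(t_{low,min}, t_{low,max}) = (0, 4)$ dropping 75% of low priority traffic.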
4.3 Resource Provisioning
None of the above methods deal with the system bottleneck directly; rather, they strive to affect traffic before it reaches the air interface. An alternative strategy of addressing targeted SMS attacks instead focuses on the reallocation of the available messaging bandwidth. We therefore investigate a variety of techniques that modify the way in which the air interface is used.
To analyze these techniques we resort to simple Erlang-B queueing analysis. We present a brief background here. For more details see Schwartz [35]. In a system with n servers, and an offered load in Erlangs of A, the probability that an arriving request is blocked because all servers are occupied is given by:
$$P_B = \frac{A^n}{n!} \left[ \sum_{l=0}^{n} \frac{A^l}{l!} \right]^{-1} \qquad (8)$$
The load in Erlangs is the same as the utilization, $\rho$, in a queueing system; it is simply the offered load multiplied by the service time of the resource. The expected occupancy of the servers is given by:
$$E(n) = \rho \, (1 - P_B) \qquad (9)$$
4.3.1 Strict Resource Provisioning
Under normal conditions, the resources for service setup and delivery are over-provisioned. At a rate of 50,000 calls/hour in our baseline scenario, for example, the calculated average utilization of SDCCHs per sector is approximately 2%. Given this observation, if a subset of the total SDCCHs can be used only by voice calls, blocking due to targeted SMS attacks can be significantly mitigated. Our first air interface provisioning technique, Strict Resource Provisioning (SRP), attempts to address this contention by allowing text messages to occupy only a subset of the total number of SDCCHs in a sector. Requests for incoming voice calls can compete for the entire set of SDCCHs, including the subset used for SMS. In order to determine appropriate parameters for systems using SRP, we apply Equations 8 and 9.
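An added example (not the paper's or the slides' own code) that evaluates Equations 8 and 9 for the SRP idea above: SMS confined to a subset of the SDCCHs while voice may use all of them. The sector size, the 4 s SDCCH hold time and the pessimistic "the flood saturates its subset" bound used for voice blocking are my assumptions, labelled in the code; the function names are hypothetical.

```python
from math import factorial

def erlang_b(n, a):
    """Eq. 8: blocking probability for n servers at offered load a Erlangs.
    Uses the recursion B_k = a*B_{k-1} / (k + a*B_{k-1}), which equals
    (a^n/n!) / sum_{l=0}^{n} a^l/l! but never forms large factorials."""
    b = 1.0
    for k in range(1, n + 1):
        b = a * b / (k + a * b)
    return b

def erlang_b_direct(n, a):
    """Eq. 8 written out term by term; used only to cross-check the recursion."""
    return (a ** n / factorial(n)) / sum(a ** l / factorial(l) for l in range(n + 1))

def expected_occupancy(n, a):
    """Eq. 9: E(n) = rho(1 - P_B), the mean number of busy servers."""
    return a * (1 - erlang_b(n, a))

def srp_voice_blocking(n_total, n_sms, a_voice):
    """Pessimistic voice blocking under SRP (my simplification, not the paper's model):
    assume the flood keeps all n_sms SMS-eligible SDCCHs busy, so voice is served
    only by the n_total - n_sms channels that SMS can never touch."""
    return erlang_b(n_total - n_sms, a_voice)

# Constructed sector: 12 SDCCHs (assumed), 2% baseline voice utilization => 0.24 Erlangs;
# SMS flood of 9.7 msgs/s each holding an SDCCH for 4 s (assumed) => 38.8 Erlangs.
N_SDCCH, A_VOICE, A_SMS_ATTACK = 12, 0.24, 9.7 * 4.0

def compare_srp(n_sms=4):
    """Blocking seen with every SDCCH shared versus SMS confined to n_sms of them."""
    shared = erlang_b(N_SDCCH, A_VOICE + A_SMS_ATTACK)     # voice and SMS share all 12
    voice_srp = srp_voice_blocking(N_SDCCH, n_sms, A_VOICE)
    sms_srp = erlang_b(n_sms, A_SMS_ATTACK)                # the flood now blocks mostly itself
    return {"shared_blocking": shared, "voice_blocking_srp": voice_srp,
            "sms_blocking_srp": sms_srp,
            "sms_sdcchs_busy": expected_occupancy(n_sms, A_SMS_ATTACK)}

if __name__ == "__main__":
    print(compare_srp())
```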
$$P_{drop} = P_{drop,max} \cdot \frac{Q_{avg} - t_{min}}{t_{max} - t_{min}}$$
[Figure: WRED drop curve, with the thresholds $t_{low,min}$, $t_{med,min}$, $t_{med,max}$ and $t_{low,max}$ marked on the queue occupancy axis]
$$N_Q = \frac{P_Q \, \rho}{1 - \rho}$$
31
WRED - Results
• Messages of high and medium-priority experience no blocking, but increased delay.
• An average of 77% of low-priority messages are blocked.
• This is a nice solution, assuming meaningful partitioning of flows.
[Figure: Percent of Attempts Blocked vs. Time (seconds), 0 to 4000 s, for the SMS service queue by priority (Priority 1, Priority 2, Priority 3); only low priority SMS experiences blocking]
[Figure: Utilization vs. Time (seconds), 0 to 4000 s, for SDCCH, TCH, Service Queue and Average Queue Occupancy]
32
A Cautionary Tale...
• Cellular networks are among the most specialized systems ever constructed.
• Adding services that violate the assumptions upon which the network is optimized allows an attacker to force such systems to fail at very low rates...
‣ The unintended consequence of attempts to save battery life allow attackers to shut down the network.
• Many more vulnerabilities exist in this network...
33