1

Discovering parameter setting in 3G networksvia active measurements

Antonio Barbuzzi, Fabio Ricciato, and Gennaro Boggia

Abstract— The behavior and performance of a UMTS networkare governed by a number of parameter settings that areconfigured by the network operator, e.g. timeouts. In this letter weshow that the actual value of such parameters can be inferred bya conceptually simple set of end-to-end measurements, withoutany cooperation with the network operator. In principle, suchinformation can be used by researchers to define realistic networkscenarios, e.g. for their simulations. Moreover, it can be used bya malicious attacker to fine-tune a large scale attack against theRadio Access Network, e.g., a paging attack.

Index Terms— Active Measurements, Cellular Networks, DoS

I. INTRODUCTION AND MOTIVATIONS

Third-generation (3G) mobile networks combine two differ-ent technology paradigms: the legacy cellular network model(e.g., GSM) on one hand, and the TCP/IP data protocols on theother. From the former they inherit a large degree of functionalcomplexity, due to the need of guaranteeing efficient useof the logical and physical resource (Resource Management,RM) as well as seamless connectivity in mobility (MobilityManagement, MM). An example of RM procedure is theassignment/release of a Dedicated CHannel (DCH) on theradio interface [1, p. 330], while an example of MM procedureis the paging [1, p. 406]. In general, RM/MM proceduresrequire signaling interactions between the network and theMobile Station (MS) and consume resources on both sides(bandwidth, memory, CPU, power). The algorithms triggeringsuch procedures are typically very simple and often involve asingle parameter, e.g., a timeout or a threshold, whose value istunable by the network operator. In this work, we address theproblem of inferring this value via end-to-end measurements.

We play the role of a network user, Bob, wishing to discoverthe value of some key network parameters without cooperationwith the network operator. We see at least four possiblemotivations for Bob to carry out such investigation. He couldbe a researcher willing to set up a realistic 3G simulationscenario, with real parameter setting. Alternatively, Bob mightbe a staff member of a 3G mobile operator willing to discoverthe setting of other competitor networks, or instead checkingthat the actual parameter setting and equipment behavior of hisown network are compliant with the planned values. Finally,Bob might be an attacker planning to launch a Denial-of-Service (DoS) attack toward the 3G network.

A. Barbuzzi and G. Boggia are with the Department of Electrical and Com-puter Engineering, Politecnico di Bari, Italy ({g.boggia,a.barbuzzi}@poliba.it). F. Ricciato is with the University of Salento, Italy and withthe Forschungszentrum Telekommunikation Wien (FTW), Vienna, Austria(ricciato@ftw.at). This work was partially done while A. Barbuzzi andG. Boggia were visiting FTW in Fall 2007.

The latter scenario is probably the most intriguing anddeserves some clarification. As noted already in [2] and [3], thefunctional complexity of the GSM paradigm, coupled with the“openness” of TCP/IP, exposes 3G networks to new securityproblems that only recently the research community has startedto unveil. The most prominent example is the so-called “pagingattack” (see [4], [3]): an attacker on the Internet contacts alarge number of target MSs so as to trigger a high load ofpaging traffic in the radio network. If the attack is properlytuned, it can overload the capacity of the paging channels inthe cells, thus impairing legitimate new connections. Similarly,it is possible to conceive a “DCH starvation” attack, where theattacker contacts many target MS at regular intervals slightlyshorter than the DCH release timer, so as to prevent the releaseof the DCH and induce starvation of the available logicalresources. Another form of attack considered in [5] is basedon sending interval slightly longer than the DCH release timer.Following similar approaches, we believe that it is possible toconceive further forms of attacks, exploiting the deterministicnature of the mechanisms governing the RM/MM procedures.In order to tune the attack pattern, the attacker would needto discover the exact value of some key parameters, e.g., thetimers governing the channel transitions. In this letter we showthat carefully designed end-to-end measurements can be usedto discover the actual value of these parameters and at the sametime to collect additional information about the network behav-ior. We present the principles of the measurement methodologyand a set of preliminary results from two distinct operationalnetworks located in different EU countries.

II. METHODOLOGY AND PRELIMINARY RESULTS

The measurement setting is depicted in Fig. 1. A wiredhost W attached to the public Internet sends packets to amobile host M connected to the network under test witha 3G datacard. In our experiments, we used an Option GTFUSION+ HSDPA and an Option GT MAX 3.6 with Nozomi2.1-2ubuntu1 driver. Both hosts were run on the samephysical machine - an off-the-shelf Linux PC - so that asingle clock is used. All packets departing/arriving on bothinterfaces (wired and wireless) are captured and timestampedwith tcpdump, and one-way delays are computed as thedifference in the arrival times. The accuracy of the PC clockis in the order of 0.1-0.2 ms, which is enough for ourpurposes as the typical delays through a 3G network is inthe order of tens of milliseconds. Note also that the delaycomponent in the wired section is typically much smaller thanthe delay in the 3G section and, most importantly, it is largely

2

3G core

network

3G core

network

InternetMobileStation WiredHostM H WFig. 1. Monitoring scenario.

0

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

11000

0 0.5 1 1.5 2 2.5

byte

co

un

t (b

yte

)

time (s)0 a

b c

d

e

f

SW, sent bytesSM, received bytes

Fig. 2. Basic Rate graph from Net.1.

independent from the sending pattern, i.e., the inter-departuretime (IDT). Therefore, we will account to the 3G radio sectionthe observed dependency of the total end-to-end delay with thesending pattern. Most of our experiments involve downlink-only packet transmissions, where the mobile host was inhibitedfrom sending uplink packets in order to minimize conflictswith the downlink probes. We used ICMP Echo Requests oftotal length L = 92 bytes as probe packets. For this work, wetested the UMTS networks of two mobile operators in differentEU countries, hereafter referred to as Net.1 and Net.2.

In a first set of experiments, we send from host W a seriesof packets (indexed by k) of length L at fixed interval τtoward host M . We initially set a high sending rate (lowτ ) and then repeat the experiment with increasing values ofτ . We define by SW (t) and SM (t), respectively, the countprocess of the number of bytes sent by W and received byM in the time interval [0, t]. In Fig. 2 we draw jointly thegraphs of SW (t) and SM (t) for a sample experiment. We showhereafter that the geometry of this graphs contains severalinformation about the network setting. Recall that on the radiolink packets can be transferred in a Dedicated Channel (DCH)or in a Common/Shared Channel (hereafter denoted simplyas “CCH”, typically it is the FACH or DSCH [1, p. 278]).Denote by BCCH and BDCH the capacity available to a singleMS on the CCH and DCH, respectively. The first packet istransmitted over the CCH, hence the length of the segment oain Fig. 2 represents the (end-to-end) downlink delay on CCH,denoted by dCCH . The following packets are also transferredover CCH, but since the sending rate is larger than the CCHbandwidth, i.e., L/τ > BCCH , they are queued and the delaysincrease. The actual value of BCCH equals the slope of thesegment ab in Fig. 2. After about 1 second (point b) thenetwork, specifically the Radio Network Controller (RNC),decides to assign a DCH to the user. The DCH assignmentprocedure requires a non negligible completion time - denoteit by DDCH,on - during which packet forwarding on the radiolinks is interrupted. The value of DDCH,on represents aninteresting performance indicator, and its actual value can be

directly quantified from the length of the silence period bc. Thelength bf represents the maximum amount of buffered bytesbefore switching to DCH. At point c, the DCH is availableand the buffered packets are transmitted at rate BDCH , whosevalue can be obtained from the slope of the segment cd.Obviously it holds that BDCH À BCCH . At point d, thebuffer is again empty. After this point the horizontal distancebetween the two curves represents the downlink delay in theDCH channel, denoted by dDCH .

In summary, the geometric analysis of the graph in Fig. 2enables the estimation of several system parameters. A certainestimation error is present due the delay jitter introduced by thewired network, but the accuracy can be improved by averagingover multiple experiments. To avoid lengthy manual analysisof the graphs, we used simple heuristics to automaticallyidentifies the “knees” of the piece-wise process SM (t) andextract the length and location of the various segments.

The next step is to repeat the experiment for differentvalues of packet transmission interval τ and size L. Whenthe packet sending rate falls below a certain threshold theDCH switch does NOT take place, and the MS remains inCCH. Such threshold can be empirically discovered by testingwith different combinations of τ and L. This is an importantinformation as it allows us to control the usage of CCH/DCHchannels in the following experiments. In principle, one couldperhaps infer the detailed DCH assignment algorithm used bythe RNC, but we leave this point for further study.

The DCH release is based on a timeout that is reset uponeach packet transmission (sent or received) by the MS. Thevalue of the timeout, denoted hereafter by TDCH,off , istunable by the operator. The experiment to discover its valueis conceptually simple: we first force the MS to acquire aDCH by sending an initial high-rate burst. This is basicallythe same pattern discussed above in Fig. 2 until point d.Then we send a sequence of packets with slowly increasinginter-departure time (IDT). Formally, the kth IDT is givenby τk = τk−1 + ∆τ + ω, where ∆τ is a fixed incrementand ω a small randomization term uniformly distributed in[−∆τ/2, +∆τ/2]. We refer to such pattern as “chirp”, inanalogy to some radar techniques. The randomization preventsmeasurement bias, and turns useful when merging data pointsof different experiments in the same plot to avoid superpositionof data points. At some point during the chirp, the MS switchesback to CCH. The last value of the IDT is then taken as anestimate for TDCH,off . The CCH transition can be recognizedin two ways. First, some 3G cards/drivers report explicitlythe channel status. Alternatively, one can look at the one-waydelay packets of the secondary sequence for different values ofthe IDT: as dDCH ¿ dCCH , the sharp transition point marksthe DCH-to-CCH switch. In Fig. 3 we report the resultinggraphs for both tested networks (vertical log-scale). Theyreveal a value of TDCH,off around 5 and 2.7 seconds for Net.1and Net.2, respectively. We observe that the packets arrivingexactly during the channel switch experience very large delays,around 2 seconds. This can be taken as an estimate of thecompletion time of the channel switch procedure. We verifiedexperimentally that sending a continuous low-rate stream ofpackets with IDT slightly below the value of TDCH,off forces

3

0.01

0.1

1

10

0 2 4 6 8 10

en

d-t

o-e

nd

de

lay [

s]

IDT [s]

(a) Net.1.

0.01

0.1

1

10

0 1 2 3 4 5

en

d-t

o-e

nd

de

lay [

s]

IDT [s]

(b) Net.2.

Fig. 3. Highlight of DCH-to-CCH transition in chirp experiments.

0.01

0.1

1

10

0 20 40 60 80 100 120 140

en

d-t

o-e

nd

de

lay [

s]

IDT [s]

(a) Net.1.

0.01

0.1

1

10

0 10 20 30 40 50 60

en

d-t

o-e

nd

de

lay [

s]

IDT [s]

(b) Net.2.

Fig. 4. Highlight of CCH to PCH transition in chirp experiments.

the DCH to remain assigned to the MS indefinitely. Thissuggests the possibility of launching DCH starvation attacks.

In the next set of experiments we aim at discovering thevalue of the timer governing the paging. If the MS is silentfor more than TPCH seconds, it is instructed by the RNCto switch to the Paging Channel (PCH). If then a downlinkpacket arrives for this MS, the network must start a pagingprocedure in the whole Routing Area to learn its current celland to transfer the packet [1, p. 332]. We denote by Dpag

the time required to complete a paging procedure (pagingcompletion time). The end-to-end delay of the front packet(triggering the paging) includes the paging delay. If the firstpaging fails the network repeats a new paging requests afterTrep seconds, which further increases the total downlink delayof the front packet. In order to discover the value of theTPCH , we set the MS on CCH and send a “chirp” patternwith initial IDT slightly larger than TDCH,off . The initialchirp packets experience a delay equal to dCCH as long as theinter-departure time stays below the (unknown) value of TPCH

(refer to Fig. 4). After this point, the probe packets will triggerpaging and their end-to-end delays increase considerably dueto the paging delay component. The change-point marks theactual value of TPCH . The delay gap between the two datapoint clusters represents an estimate of the paging completiontime, denoted by Dpag (see Fig. 4).

In Net.2, we observe that for IDT in the range 28.6− 36.8seconds the probe packets experience alternatively high andlow delays. To explain the phenomenon we ran a number ofadditional experiments - not shown here for space constraints- that led to two interesting discoveries. First, we found thatin Net.2 every paging procedure is followed immediatelyby a DCH assignment regardless of the actual followingtraffic. If no packet follows the paging, the DCH is releasedafter TDCH,off (measured earlier). The second finding isthat the timer TPCH is restarted upon DCH release. The

k-th packettriggerspaging

timetkPaging

procedureDPCH

DCHswitch on

DPCH,on

DCHtimeoutTDCH,off

DCHswitch off

DPCH,off

tk+θ

Ready_timeris reset

(k+1)-th packetNO paging

(k+2)-th packettriggerspaging

tk+1 tk+2

PCHtimeout

TPCH

Fig. 5. Time diagram of paging events.

combination of these events produces the dynamic shownin Fig. 5, where it can be seen that for IDT in the range[TPCH , TPCH + Dpag + DDCH,on + TDCH,off ] only onepacket out of two triggers paging. This is one example out of anumber of unexpected findings that we encountered during ourmeasurement campaign, often pointing to particular dynamicsinternal to the network equipments.

TABLE IESTIMATED VALUES OF MOST RELEVANT PARAMETERS.

TDCH,off DDCH,on TP CH BCCH wired net. delay # hops

Net.1 4.97-4.99 s 0.74-0.78 s 105-106 s 2570±20 (byte/s) 18.9-24.4 ms 17

Net.2 2.65-2.69 s 0.32-0.33 s 28.6-29.1 s 1834±13 (byte/s) 1.19-1.96 ms 10

dDCH dCCH Dpag BDCH Buffered bytes (bf )

Net.1 42±0.7 ms 0.16±0.02 s 3.731±0.108 s 91711±2351 (byte/s) 1950±192 (byte)

Net.2 27±0.1 ms 0.08±0.001 s 2.548±0.020 s 37278±645 (byte/s) 371±47 (byte)

III. DISCUSSION AND FUTURE WORKS

In Table I we summarize the estimated values of the mostrelevant parameters for both tested network (ranges indicate95% confidence intervals). A direct comparison indicates thatNet.2 has globally better delay performances than Net.1 - atleast in the tested location. One could repeat the experimentsat several different locations (cells) to gather a more compre-hensive view of the network-wide performance.

During our experiments, we had to cope with the fastidiouspresence of so called “unwanted traffic” [6], i.e., unsolicitedpackets arriving from the Internet. Such packets are receivedin between probes packets, thus breaking the regularity of theIDT sequence within the chirp, leading to an invalid delaysample. The problem is particularly critical for experimentswith large IDT, e.g., for TPCH estimation. The frequency ofunwanted packets was very high in Net.1 and almost negligiblein Net.2. In fact, the latter is configured to block a few portsknown to be used mainly by malware (e.g., tcp:445,135), whileit seems that Net.1 does not filter any port. This again suggestsa somehow less mature setting of Net.1 compared to Net.2.

The possibility of performing such measurements is boundto the deterministic nature of the parameter setting. As partof our future work on countermeausers, we intend to explorethe role of RM/MM randomization (e.g., timers, thresholds)to increase the network robustness to deliberate attacks.

REFERENCES

[1] J. Bannister, P. Mather, S. Coope, Convergence Technologies for 3GNetworks. Wiley, 2004.

[2] H. Yang et al., “Securing a Wireless World,” Proceedings of the IEEE,vol. 94, no. 2, 2006.

[3] P. Traynor, et al., “On Attack Causality in Internet-Connected CellularNetworks,” USENIX Security07, Boston, August 2007.

[4] J. Serror,et al., “Impact of paging channel overloads or attacks on acellular network,” ACM WiSe’06, Los Angeles, September 2006.

[5] P. Lee, et al., “On the Detection of Signaling DoS Attacks on 3G WirelessNetworks,” IEEE INFOCOM 2007, Anchorage, May 2007.

[6] F. Ricciato, “Unwanted Traffic in 3G Networks,” ACM Computer Com-munication Review, vol. 36, no. 2, April 2006.