Review
A review of DoS attack models for 3G cellular networks from a system-design perspective
Introduction
Wide-area wireless access for mobile and portable terminals is now a reality thanks to the widespread deployment of third-generation (3G) cellular networks. The most prominent 3G standards are the Universal Mobile Telecommunications System (UMTS), developed by 3GPP as an evolution of GSM, and CDMA2000, derived from IS-95. Albeit not interoperable, all these technologies share the same fundamental design principles. Therefore our discussion applies in general to 3G technologies, although in the rest of this paper we will refer specifically to the 3GPP terminology.
Cellular data networks play an increasingly important role in society and the economy. They provide ubiquitous data access to human and machine users, serving a broad range of applications, including critical services like remote control and surveillance, safety applications, e-care, localization services, tele-metering, support to logistics, etc. The development of a rich application and service ecosystem will be fostered by the prospective increase in the available radio bandwidth, thanks to the introduction of so-called 3.5G technologies like High-Speed Packet Access (HSPA, see [19]), to the expansion of geographical coverage and to the ongoing decrease of tariffs for end-customers. Many mobile operators worldwide are actively engaged along such development lines. However, ensuring a high degree of service availability remains a key prerequisite for the establishment of any critical application. At the network layer this translates into a strong requirement for robustness: in order to ensure service continuity, the network infrastructure must be robust to overload conditions and failures, whether they are caused by legitimate unanticipated events or by deliberate attacks.
As we will show, a number of features specific to cellular data networks expose such systems to novel forms of Denial-of-Service (DoS) attacks that have only recently started to be recognized and investigated by the research community. In this paper, we review a number of DoS attack models specific to 3G networks that have recently appeared in the literature, scattered across different conference papers. We analyze them collectively in order to identify the common root causes, i.e. the fundamental system-design aspects that ultimately generate exposure. Such understanding is important for the implementation of preventive countermeasures and, in general, for achieving a more robust configuration of the network infrastructure. Furthermore, clear awareness of the system-design weaknesses that affect 3G systems today would be beneficial for the ongoing design and standardization process of next-generation systems (Long Term Evolution, LTE) and would help improve the intrinsic robustness of future 4G networks.
The rest of the paper is organized as follows. In Section 2 we recall some aspects of 3G networks that are relevant to the subsequent discussion. In Section 4 we review the SMS flooding attack, which is the oldest example of a DoS attack specific to cellular networks. In Sections 5 (Paging attack) and 6 (Attacks based on Dedicated Channel (DCH) assignment) we review three other attack models specific to 3G networks. All attack models are rooted in certain system-design aspects of 3G cellular networks that we highlight and comment on in Section 7. In Section 8 we briefly suggest some possible directions for the design of future-generation systems. Finally, in Section 9 we draw the conclusions.
Section snippets
Setting the scene: overview of 3G networks
The structure of a GSM network (2G) consists of a circuit-switched (CS) Core Network connected to the PSTN and a Radio Access Network (RAN). These components are depicted in the upper part of Fig. 1. The radio interface based on TDMA/FDMA bundles a set of control channels for the signaling and traffic channels for the user data that are dynamically assigned to active MS during voice calls. The transition from 2G to 3G involves an intermediate step with the introduction of so-called 2.5G
Security issues in 3G
The design of UMTS networks is based on the combination of two distinct “parent” paradigms: GSM and IP. From the legacy second-generation (2G) cellular system it inherits the functional complexity, i.e. a “fat” control plane rich in signaling interactions between the Mobile Stations (MS) and the network, motivated by the need of performing seamless Mobility Management (MM) and efficient usage of scarce radio resources (Radio Resource Management, RRM). From GSM it also inherits a – more or less
Before 3G: SMS flooding attack
The pioneering work of Enck et al. [2] was the first one to point to the risk of connecting a complex cellular network to the open Internet. It did so still in the context of GSM where the only data service accessible from the Internet was the Short-Message Service (SMS). The attack model described in [2] builds upon the possibility of sending SMS from the Internet, a feature offered by several operators worldwide since the beginning of this decade and implemented via service gateways between
Review of paging procedure
The Mobility Management procedures in 3G are designed around the notion of “mobility states” – also called “modes”. To illustrate, Fig. 2 reports the mobility states for GPRS: similar schemes apply to UMTS and CDMA2000, albeit with different terminology. The “idle” state refers to MS that are not currently attached to the network, either because powered off or out of radio coverage. As we are interested only in MS that are attached to the network, we will ignore the “idle” mode hereafter. We
Shared and dedicated channels
In UMTS data packets can be forwarded over the radio interface either in a common (shared) channel, such as the Forward Access Channel (FACH), or in a Dedicated Channel (DCH). The MS is dynamically switched by the network between these two channels. Again, a two-state model underlies the design of the channel transition: when the MS is involved in intense traffic exchange, e.g. due to the ongoing download, it is assigned a DCH, while during periods of silence or low-traffic it is camped on a
Discussion on system-design aspects
The potential impact of each attack model depends on several aspects that are highly specific to the network configuration and setting, including factors like: the specific implementation of the state/channel transition logic at the RNC, the actual value of the timeouts and other parameter settings, the number and density of active MS (i.e. with an active PDP-context), the capacity provisioned for each control channel, the processing capacity of network elements, etc. It is not our goal here to
Towards a more robust design for cellular network
The process of rethinking system-design principles includes a pars destruens, where critical aspects of legacy approaches are identified and put into discussion, and a pars construens, where alternative solutions and new principles are proposed. The scope of the present work is focused on the first phase: we hope with this contribution to build awareness and feed a revision process of certain principles that have informed – more or less implicitly – the design of cellular networks so far. This
Conclusions
In this contribution, we have presented four different attack models specific to cellular networks that have recently appeared in the literature. We have reviewed them collectively in an attempt to identify the system-design aspects that ultimately make them possible. Our goal here is not to identify specific patches and countermeasures against individual attacks. Instead, we aimed at drawing general system-design lessons to be learned and applied to future-generation systems.
At a very abstract
References (25)
- et al., Security in third-generation mobile networks, Computer Communications (2004)
- W. Enck, P. Traynor, P. McDaniel, T. La Porta, Exploiting open functionality in SMS-capable cellular networks, in:...
- et al., Securing a wireless world, Proceedings of the IEEE (2006)
- Unwanted traffic in 3G networks, ACM Computer Communication Review (2006)
- J. Serror, H. Zang, J.C. Bolot, Impact of paging channel overloads or attacks on a cellular network, in: Proceedings of...
- P. Lee, T. Bu, T. Woo, On the detection of signaling DoS attacks on 3G wireless networks, in: IEEE INFOCOM 2007,...
- P. Traynor, P. McDaniel, T. La Porta, On attack causality in Internet-connected cellular networks, in: Proceedings of...
- et al., Traffic analysis at short time-scales: an empirical case study from a 3G cellular network, IEEE Transactions on Network and Service Management (2008)
- et al., Taxonomies of attacks and vulnerabilities in computer systems, IEEE Communications Surveys (2008)
- et al., Discovering parameter setting in 3G networks via active measurements, IEEE Communications Letters (2008)
- Highly optimized tolerance: robustness and design in complex systems, Physical Review Letters
Cited by (49)
Threat modeling framework for mobile communication systems
2023, Computers and Security
Citation Excerpt: They can also originate from compromised nodes within the operator network or, more likely, from interconnection and roaming. Many reported DoS attacks against the RAN abuse radio channel allocation requests (Bassil et al., 2012; 2013; Golde et al., 2013; Kambourakis et al., 2011; Lee et al., 2009; Ricciato et al., 2010). More generally, the attacker can cause DoS by repeatedly triggering resource allocation or revocation requests.
The best bang for the byte: Characterizing the potential of DNS amplification attacks
2017, Computer Networks
Citation Excerpt: Simply blocking the IP addresses of all the reflecting servers may cause replies from legitimate queries made by the victim’s users to be discarded, causing collateral damage. Even worse, for victims that are connected via cellular networks, such floods could dramatically impact the portions of the cellular network and degrade performance for unrelated network users [3]. Unfortunately, there is little a potential victim organization can do to protect its own network.
Secure Communications in Smart Grid: Networking and Protocols
2015, Smart Grid Security: Innovative Solutions for a Modernized Grid
An advanced persistent threat in 3G networks: Attacking the home network from roaming networks
2014, Computers and Security
Citation Excerpt: The literature includes some previous works, which present discovered vulnerabilities in 3G networks that can be exploited to mount DoS attacks to various segments of 3G networks. In (Ricciato et al., 2010), the authors have, collectively, reviewed four different DoS attacks that target 3G networks. The first one is the SMS (short message service) DoS attack (Enck et al., 2005), in which a high number of SMS are dispatched toward a large number of mobile users, virtually, to all active MS. The procedure of transmitting an incoming SMS through the GSM network is, relatively, complex and consumes resources, such as bandwidth, processing power, memory state, at several network elements and on the radio interface.
DETECTING NETWORK-UNFRIENDLY MOBILES with the RANDOM NEURAL NETWORK
2016, Probability in the Engineering and Informational Sciences