Elsevier

Computer Communications

Volume 33, Issue 5, 15 March 2010, Pages 551-558

Review
A review of DoS attack models for 3G cellular networks from a system-design perspective

https://doi.org/10.1016/j.comcom.2009.11.015

Abstract

Third-generation cellular networks are exposed to novel forms of denial-of-service attacks that only recently have started to be recognized and documented by the scientific community. In this contribution, we review some recently published attack models specific for cellular networks. We review them collectively in order to identify the main system-design aspects that are ultimately responsible for the exposure to the attack. The goal of this contribution is to build awareness about the intrinsic weaknesses of 3G networks from a system-design perspective. In doing that we hope to inform the design practice of future generation networks, motivating the adoption of randomization, adaptation and prioritization as central ingredients of robust system design.

Introduction

Wide-area wireless access for mobile and portable terminals is now a reality thanks to the widespread deployment of third-generation (3G) cellular networks. The most prominent 3G standards are the Universal Mobile Telecommunications System (UMTS), developed by 3GPP as an evolution to GSM, and CDMA2000 derived from IS-95. Albeit not interoperable, all these technologies share the same fundamental design principles. Therefore our discussion applies in general to 3G technologies, although in the rest of this paper we will refer specifically to the 3GPP terminology.

Cellular data networks play an increasingly important role in society and economy. They provide ubiquitous data access to human and machine users, serving a broad range of applications, including critical services like remote control and surveillance, safety applications, e-care, localization services, tele-metering, support to logistics, etc. The development of a rich application and service ecosystem will be fostered by the prospective increase in the available radio bandwidth, thanks to the introduction of so-called 3.5G technologies like High-Speed Packet Access (HSPA, see [19]), to the expansion of geographical coverage and to the ongoing decrease of tariffs for end-customers. Many mobile operators worldwide are actively engaged along such development lines. However, ensuring a high degree of service availability remains a key prerequisite for the affirmation of any critical application. At the network layer this translates into a strong requirement for robustness: in order to ensure service continuity, the network infrastructure must be robust to overload conditions and failures, be they caused by legitimate unanticipated events or deliberate attacks.

As we will show, a number of features specific to cellular data networks expose such systems to novel forms of Denial-of-Service (DoS) attacks that only recently have started to be recognized and investigated by the research community. In this paper, we review a number of DoS attack models specific for 3G networks that have recently appeared in the literature, scattered across different conference papers. We analyze them collectively in order to identify the common root causes, i.e. the fundamental system-design aspects that ultimately generate exposure. Such understanding is important for the implementation of preventive countermeasures and, in general, for achieving a more robust configuration of the network infrastructure. Furthermore, clear awareness about the system-design weaknesses that affect 3G systems today would be beneficial for the ongoing design and standardization process of next generation systems (Long Term Evolution, LTE) and would help improve the intrinsic robustness of future 4G networks.

The rest of the paper is organized as follows. In Section 2 we recall some aspects of 3G networks that are relevant to the subsequent discussion. In Section 4 we review the SMS flooding attack, which is the oldest example of a DoS attack specific for cellular networks. In Sections 5 (Paging attack) and 6 (Attacks based on Dedicated Channel (DCH) assignment) we review three other attack models specific for 3G networks. All attack models are rooted in certain system-design aspects of 3G cellular networks that we highlight and comment on in Section 7. In Section 8 we briefly suggest some possible directions for the design of future generation systems. Finally, in Section 9 we draw the conclusions.

Section snippets

Setting the scene: overview of 3G networks

The structure of a GSM network (2G) consists of a circuit-switched (CS) Core Network connected to the PSTN and a Radio Access Network (RAN). These components are depicted in the upper part of Fig. 1. The radio interface based on TDMA/FDMA bundles a set of control channels for the signaling and traffic channels for the user data that are dynamically assigned to active MS during voice calls. The transition from 2G to 3G involves an intermediate step with the introduction of so-called 2.5G

Security issues in 3G

The design of UMTS networks is based on the combination of two distinct “parent” paradigms: GSM and IP. From the legacy second-generation (2G) cellular system it inherits the functional complexity, i.e. a “fat” control plane rich in signaling interactions between the Mobile Stations (MS) and the network, motivated by the need of performing seamless Mobility Management (MM) and efficient usage of scarce radio resources (Radio Resource Management, RRM). From GSM it also inherits a – more or less

Before 3G: SMS flooding attack

The pioneering work of Enck et al. [2] was the first one to point to the risk of connecting a complex cellular network to the open Internet. It did so still in the context of GSM where the only data service accessible from the Internet was the Short-Message Service (SMS). The attack model described in [2] builds upon the possibility of sending SMS from the Internet, a feature offered by several operators worldwide since the beginning of this decade and implemented via service gateways between

Review of paging procedure

The Mobility Management procedures in 3G are designed around the notion of “mobility states” – also called “modes”. To illustrate, Fig. 2 reports the mobility states for GPRS: similar schemes apply to UMTS and CDMA2000, albeit with different terminology. The “idle” state refers to MS that are not currently attached to the network, either because powered off or out of radio coverage. As we are interested only in MS that are attached to the network, we will ignore the “idle” mode hereafter. We

Shared and dedicated channels

In UMTS, data packets can be forwarded over the radio interface either in a common (shared) channel, such as the Forward Access Channel (FACH), or in a Dedicated Channel (DCH). The MS is dynamically switched by the network between these two channels. Again, a two-state model underlies the design of the channel transition: when the MS is involved in intense traffic exchange, e.g. due to an ongoing download, it is assigned a DCH, while during periods of silence or low traffic it is camped on a

Discussion on system-design aspects

The potential impact of each attack model depends on several aspects that are highly specific to the network configuration and setting, including factors like: the specific implementation of the state/channel transition logic at the RNC, the actual value of the timeouts and other parameter settings, the number and density of active MS (i.e. with an active PDP-context), the capacity provisioned for each control channel, the processing capacity of network elements, etc. It is not our goal here to

Towards a more robust design for cellular network

The process of rethinking system-design principles includes a pars destruens, where critical aspects of legacy approaches are identified and put into discussion, and a pars construens, where alternative solutions and new principles are proposed. The scope of the present work is focused on the first phase: we hope with this contribution to build awareness and feed a revision process of certain principles that have informed – more or less implicitly – the design of cellular networks so far. This

Conclusions

In this contribution, we have presented four different attack models specific for cellular networks that have recently appeared in the literature. We have reviewed them collectively in an attempt to identify the system-design aspects that ultimately make them possible. Our goal here is not to identify specific patches and countermeasures against individual attacks. Instead, we aimed at drawing general system-design lessons to be learned and applied to future generation systems.

At a very abstract

References (25)

  • C. Xenakis et al., Security in third-generation mobile networks, Computer Communications (2004)
  • W. Enck, P. Traynor, P. McDaniel, T. La Porta, Exploiting open functionality in SMS-capable cellular networks, in:...
  • H. Yang et al., Securing a wireless world, Proceedings of the IEEE (2006)
  • F. Ricciato, Unwanted traffic in 3G networks, ACM Computer Communication Review (2006)
  • J. Serror, H. Zang, J.C. Bolot, Impact of paging channel overloads or attacks on a cellular network, in: Proceedings of...
  • P. Lee, T. Bu, T. Woo, On the detection of signaling DoS attacks on 3G wireless networks, in: IEEE INFOCOM 2007,...
  • P. Traynor, P. McDaniel, T. La Porta, On attack causality in Internet-connected cellular networks, in: Proceedings of...
  • F. Ricciato et al., Traffic analysis at short time-scales: an empirical case study from a 3G cellular network, IEEE Transactions on Network and Service Management (2008)
  • V.M. Igure et al., Taxonomies of attacks and vulnerabilities in computer systems, IEEE Communications Surveys (2008)
  • A. Barbuzzi et al., Discovering parameter setting in 3G networks via active measurements, IEEE Communications Letters (2008)
  • J. Carlson et al., Highly optimized tolerance: robustness and design in complex systems, Physical Review Letters (2000)
  • A. Berger, I. Gojmerac, O. Jung, Internet security meets the IP multimedia subsystem: an overview, in: Security and...
Cited by (49)

  • Threat modeling framework for mobile communication systems

    2023, Computers and Security

    Citation excerpt: They can also originate from compromised nodes within the operator network or, more likely, from interconnection and roaming. Many reported DoS attacks against the RAN abuse radio channel allocation requests (Bassil et al., 2012; 2013; Golde et al., 2013; Kambourakis et al., 2011; Lee et al., 2009; Ricciato et al., 2010). More generally, the attacker can cause DoS by repeatedly triggering resource allocation or revocation requests.

  • The best bang for the byte: Characterizing the potential of DNS amplification attacks

    2017, Computer Networks

    Citation excerpt: Simply blocking the IP addresses of all the reflecting servers may cause replies from legitimate queries made by the victim’s users to be discarded, causing collateral damage. Even worse, for victims that are connected via cellular networks, such floods could dramatically impact the portions of the cellular network and degrade performance for unrelated network users [3]. Unfortunately, there is little a potential victim organization can do to protect its own network.

  • Secure Communications in Smart Grid: Networking and Protocols

    2015, Smart Grid Security: Innovative Solutions for a Modernized Grid

  • An advanced persistent threat in 3G networks: Attacking the home network from roaming networks

    2014, Computers and Security

    Citation excerpt: The literature includes some previous works, which present discovered vulnerabilities in 3G networks that can be exploited to mount DoS attacks to various segments of 3G networks. In (Ricciato et al., 2010), the authors have, collectively, reviewed four different DoS attacks that target 3G networks. The first one is the SMS (short message service) DoS attack (Enck et al., 2005), in which a high number of SMS are dispatched toward a large number of mobile users, virtually, to all active MS. The procedure of transmitting an incoming SMS through the GSM network is, relatively, complex and consumes resources, such as bandwidth, processing power, memory state, at several network elements and on the radio interface.

  • Detecting Network-Unfriendly Mobiles with the Random Neural Network

    2016, Probability in the Engineering and Informational Sciences