A review of DoS attack models for 3G cellular networks from a system-design perspective


Computer Communications 33 (2010) 551–558


Computer Communications journal homepage: www.elsevier.com/locate/comcom

Review

Fabio Ricciato a,b, Angelo Coluccia a,*, Alessandro D’Alconzo b
a University of Salento, Lecce, Italy
b Forschungszentrum Telekommunikation Wien, Vienna, Austria

Article info

Article history: Received 23 May 2009; received in revised form 14 October 2009; accepted 20 November 2009; available online 26 November 2009.
Keywords: 3G; Cellular networks; DoS; Signaling attacks; Network robustness

Abstract

Third-generation cellular networks are exposed to novel forms of denial-of-service attacks that only recently have started to be recognized and documented by the scientific community. In this contribution, we review some recently published attack models specific for cellular networks. We review them collectively in order to identify the main system-design aspects that are ultimately responsible for the exposure to the attack. The goal of this contribution is to build awareness about the intrinsic weaknesses of 3G networks from a system-design perspective. In doing that we hope to inform the design practice of future generation networks, motivating the adoption of randomization, adaptation and prioritization as central ingredients of robust system design.

© 2009 Elsevier B.V. All rights reserved.

1. Introduction

Wide-area wireless access for mobile and portable terminals is now a reality thanks to the widespread deployment of third-generation (3G) cellular networks. The most prominent 3G standards are the Universal Mobile Telecommunications System (UMTS), developed by 3GPP as an evolution of GSM, and CDMA2000, derived from IS-95. Albeit not interoperable, all these technologies share the same fundamental design principles. Therefore our discussion applies in general to 3G technologies, although in the rest of this paper we will refer specifically to the 3GPP terminology.

Cellular data networks play an increasingly important role in society and the economy. They provide ubiquitous data access to human and machine users, serving a broad range of applications, including critical services like remote control and surveillance, safety applications, e-care, localization services, tele-metering, support to logistics, etc. The development of a rich application and service ecosystem will be fostered by the prospective increase in the available radio bandwidth, thanks to the introduction of so-called 3.5G technologies like High-Speed Packet Access (HSPA, see [19]), to the expansion of geographical coverage and to the ongoing decrease of tariffs for end-customers. Many mobile operators worldwide are actively engaged along such development lines.

However, ensuring a high degree of service availability remains a key prerequisite for the affirmation of any critical application. At the network layer this translates into a strong requirement for robustness: in order to ensure service continuity, the network infrastructure must be robust to overload conditions and failures, whether caused by legitimate unanticipated events or by deliberate attacks. As we will show, a number of features specific to cellular data networks expose such systems to novel forms of Denial-of-Service (DoS) attacks that only recently have started to be recognized and investigated by the research community.

In this paper, we review a number of DoS attack models specific for 3G networks that have recently appeared in the literature, scattered across different conference papers. We analyze them collectively in order to identify the common root causes, i.e. the fundamental system-design aspects that ultimately generate exposure. Such understanding is important for the implementation of preventive countermeasures and, in general, for achieving a more robust configuration of the network infrastructure. Furthermore, clear awareness about the system-design weaknesses that affect 3G systems today would be beneficial for the ongoing design and standardization process of next generation systems (Long Term Evolution, LTE) and would help improve the intrinsic robustness of future 4G networks.

The rest of the paper is organized as follows. In Section 2 we recall some aspects of 3G networks that are relevant to the subsequent discussion. In Section 4 we review the SMS flooding attack, which is the oldest example of a DoS attack specific for cellular networks. In Sections 5 and 6 we review three other attack models specific for 3G networks. All attack models are rooted in certain system-design aspects of 3G cellular networks that we highlight and comment on in Section 7. In Section 8 we briefly suggest some possible directions for the design of future generation systems. Finally, in Section 9 we draw the conclusions.

* Corresponding author. Tel.: +39 0832 297206.
E-mail addresses: [email protected] (F. Ricciato), [email protected], angelo.coluccia@unisalento.it (A. Coluccia), [email protected] (A. D’Alconzo).
0140-3664/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2009.11.015

2. Setting the scene: overview of 3G networks

The structure of a GSM network (2G) consists of a circuit-switched (CS) Core Network connected to the PSTN and a Radio Access Network (RAN). These components are depicted in the upper part of Fig. 1. The radio interface, based on TDMA/FDMA, bundles a set of control channels for the signaling and traffic channels for the user data that are dynamically assigned to active MS during voice calls.

The transition from 2G to 3G involves an intermediate step with the introduction of so-called 2.5G technology such as the Generalized Packet Radio Service (GPRS). With GPRS the cellular infrastructure is augmented with an IP-based packet-switched (PS) Core Network connected to the Internet and with packet forwarding capabilities in the RAN. With the introduction of UMTS, a second RAN based on W-CDMA is added which connects to both the CS and PS domains for voice and data calls, respectively. The resulting overall scheme is sketched in Fig. 1, with the CS and PS domains coexisting side by side.

While in 2G the only data service accessible from the Internet is SMS – by the mediation of SMS gateway servers – in 3G the MS is provided with direct Internet access like any other wired host. The PS domain is connected directly to the Internet through the Gateway GPRS Serving Node (GGSN). Besides voice calls, which are still routed over the CS domain, the MS can establish data connections – the so-called "PDP-context" in 3GPP terminology – which are conceptually similar to dial-up connections for home computers. At PDP-context activation the MS is assigned an IP address, and from then on it can exchange traffic directly with the open Internet. When the PDP-context is deactivated, the IP address is released and the MS can neither send nor receive packets. The PDP-context can be closed either by the MS or by the network, typically after a certain period of inactivity – e.g. after 30 min from the last packet sent or received.

Some operators are starting to implement "always online" packages, where the PDP-context is kept active indefinitely as long as the terminal is powered on. Always-on connections are meant to enable those applications that involve continuous communication with the MS, typically for periodic reporting and/or application-layer keep-alive messages. These mechanisms are used for example by Blackberry devices as well as by several custom machine-to-machine applications. Another advantage of an always-on PDP-context is that human users experience a faster response time with transactional applications (e.g. WEB browsing), since the context activation procedure is avoided. On the other hand, the biggest disadvantage is a higher consumption of IP addresses, which are a relatively scarce resource nowadays for most operators.

Operators can block incoming TCP/UDP connections from the Internet, e.g. using private addressing and/or by means of policy restrictions at the firewall or at the GGSN. This choice is motivated by the fact that the most common applications in use nowadays are still based on "classic" client-initiated sessions, like e.g. WEB browsing. On the other hand, many operators implement public IP addressing and do not restrict incoming TCP/UDP connections from the Internet, in order to avoid hindering the spread of future applications not necessarily based on client-initiated sessions. In this case, any host in the Internet can contact any active MS, i.e. any MS with an active PDP-context, by simply sending an IP packet to the current MS address. The passage of IP packets across the 3G cellular network triggers a number of events on the control plane and on the radio interface which ultimately consume certain physical and/or logical resources. The attack models presented later show that a properly calibrated sending strategy can cause non-negligible stress on the cellular network, and in the extreme case seriously impair service availability for legitimate users.
Fig. 1. Simplified structure of 3G network, including CS and PS domains.

3. Security issues in 3G

The design of UMTS networks is based on the combination of two distinct "parent" paradigms: GSM and IP. From the legacy second-generation (2G) cellular system it inherits the functional complexity, i.e. a "fat" control plane rich in signaling interactions between the Mobile Stations (MS) and the network, motivated by the need to perform seamless Mobility Management (MM) and efficient usage of scarce radio resources (Radio Resource Management, RRM). From GSM it also inherits a – more or less implicit – orientation towards individual assignment of logical resources, for instance dedicated channels, which is typical of the circuit-switched world traditionally devoted to telephony. On the other hand, from the TCP/IP model it inherits the openness of the access to the network and a huge heterogeneity in the range of supported data applications, and consequently a huge diversity of individual behavioral patterns. As pointed out already in [13,3,7], the tension between these two paradigms introduces novel vulnerabilities and exposes 3G networks to a range of additional risks, in particular new forms of DoS attacks that are highly specific to such systems: these are the focus of the present contribution.

Besides those, 3G networks inherit the whole range of known problems from each of the parent technologies, including "classical" frauds¹ and all forms of TCP/IP vulnerabilities – see [9] for a recent review. In particular, any form of (D)DoS attack known for IP applies to 3G networks as well – see e.g. [14,15] for an exhaustive review. We do not cover such "legacy" TCP/IP attacks here since (i) they have been extensively addressed elsewhere in the previous literature and (ii) they do not point to any system-design aspect specific to cellular networks. Also, we leave out of consideration the threats to information security, like interception and impersonation attacks (see e.g. [22]) aimed at breaking the confidentiality or integrity of the information transported over the cellular network. These attacks are localized (i.e. they target individual connections) and deal with weaknesses of the authentication and encryption mechanisms standardized for GSM/UMTS (see [23] for an overview), while our focus here is on system-design aspects of the underlying network infrastructure and on large-scale incidents.

Some works [17,16] have recognized the possibility for a malicious terminal to deceive the 3G scheduling mechanisms on the radio interface in order to obtain a greater share of the cell bandwidth, with obvious impairment to the quality of service delivered to other concurrent terminals in the same cell. The impact of such attacks remains localized to the cell where the malicious terminal is found, and cannot scale easily to network-wide scope. Other types of attacks often considered within the realm of 3G security include battery depletion [25] and overbilling². Briefly, such attacks consist in sending unsolicited traffic from the Internet towards a large population of mobile terminals. In the first case, the goal is to force the victim terminals to remain in active mode, where the power consumption level is higher, and therefore drain their battery. In the second case the goal is simply to inflate the customer bill. Albeit annoying for the end-users, such kinds of attacks do not result in severe large-scale service interruption, and are left outside the scope of this contribution.

Finally, several researchers have investigated the security weaknesses of the IP Multimedia Subsystem (IMS) – see e.g. [13] and the recent survey by Berger et al. [12]. At an abstract level, security vulnerabilities in 3G networks, and particularly in IMS, originate from the high functional complexity of such systems, which involve many different logical components linked by an intricate web of interdependencies. In such a scenario, hidden security holes can trigger cascading effects leading to large-scale service interruption. The pioneering work by Kotapati et al. [24] aims at identifying possible vulnerabilities at the network layer based on the representation of the functional interdependencies described in the 3GPP specifications. The methodology demonstrated in [24] could be further extended to cover IMS. One example of a cascading attack in IMS is documented in [18], where it is shown that overload on a single component, namely the presence server, would impact other IMS services depending on it. The key point is that the overload can be caused deliberately by an attacker with a relatively limited amount of traffic, assuming that the presence server was provisioned based on a "typical" load scenario consisting of many low-intensity users. This aspect is common to all the other attacks discussed in the following sections.

¹ Note, however, that while SIM cloning was a recognized issue in GSM [21], there is no evidence that the encryption mechanisms used in UMTS to protect the SIM keys are vulnerable.
² http://www.theregister.co.uk/2003/10/02/official_crackers_have_broken_into/

4. Before 3G: SMS flooding attack

The pioneering work of Enck et al. [2] was the first to point to the risk of connecting a complex cellular network to the open Internet. It did so still in the context of GSM, where the only data service accessible from the Internet was the Short-Message Service (SMS). The attack model described in [2] builds upon the possibility of sending SMS from the Internet, a feature offered by several operators worldwide since the beginning of this decade and implemented via service gateways between the Internet and the 2G Core Network (SMSC servers). In simple words, the attack consists in dispatching a high rate of SMS toward a large number of mobile users, virtually all active MS.

The procedure of transmitting an incoming SMS through the GSM network is relatively complex and consumes resources – bandwidth, processing power, memory state – at several network elements and on the radio interface. First, the destination Mobile Station (MS) must be localized via a paging procedure. A paging request message is sent in the whole paging area – called Location Area in GSM – which typically includes many radio cells, possibly controlled by different Base Station Controllers (BSCs). In each cell, the paging message is transmitted over a common control channel, the Paging Channel (PCH).
The target MS replies via the Random Access Channel (RACH), a shared uplink control channel accessed via a Slotted ALOHA mechanism. Once the MS is localized, the network – i.e. the BSC – assigns one of the available Stand-alone Dedicated Control Channels (SDCCH) to the MS, the command being sent over the Access Grant Channel (AGCH). After this initial phase, the network and the MS engage in a signaling interaction which includes an authentication procedure and finally the transmission of the SMS message. In summary, the arrival of an SMS triggers a sequence of signaling exchanges that involves several network elements – the SMSC, one or more BSCs, the HLR/AuC for authentication – and consumes bandwidth across the various control channels: PCH, AGCH, RACH and SDCCHs.

The goal of the SMS flooding attack is to cause overload and starve some of these resources, e.g. processing capacity or signaling bandwidth. Which resource will hit its capacity limit first? In practice the answer depends on several details about the configuration and state of the network: provisioned capacity of the common control channels, configuration of the paging area, capacity of network elements, density and number of active mobile users, capacity and service disciplines within each network element. For a default configuration Enck et al. [2] calculate that the SDCCHs are the bottleneck, i.e. the first to be starved upon SMS flooding. It is important to remark that some of these resources – most prominently the control channels, including the SDCCHs – are shared between the SMS service and voice calls. Since often in practice no prioritization of voice calls over SMS is in place, a successful SMS flooding attack would not only impair the messaging service, but also the much more critical telephony service. Despite its simplicity, the SMS flooding attack anticipates several key ingredients of other 3G-specific attacks, as we will show in the following sections.


5. Paging attack

5.1. Review of paging procedure

The Mobility Management procedures in 3G are designed around the notion of "mobility states" – also called "modes". To illustrate, Fig. 2 reports the mobility states for GPRS: similar schemes apply to UMTS and CDMA2000, albeit with different terminology. The "idle" state refers to MS that are not currently attached to the network, either because they are powered off or out of radio coverage. As we are interested only in MS that are attached to the network, we will ignore the "idle" mode hereafter. We are left with a two-state model: "ready" and "standby".

When in "ready" mode, the MS can send or receive packets over a traffic channel – either shared or dedicated, as discussed below. If the MS moves to another cell while in ready mode, it signals the event to the network (i.e. the BSC) so that the latter can track the MS location at the cell level. If a packet arrives from the Internet directed to an MS in ready mode, the network can immediately forward it in the current cell. Such a mechanism requires frequent cell update signaling for traveling MS, and consequently consumes bandwidth of control channels at the radio interface and processing power at the MS. In order to avoid unnecessary resource consumption, those MS that are not involved in active data exchange are switched to the "standby" mode.

The network cells are organized into larger clusters, called "Routing Areas" in the PS domain. While in "standby" mode, the MS does not report to the network the cell changes internal to the routing area, but does so only when traversing a routing area border. As a consequence, the network knows the location of "standby" MS only at the granularity of the routing area. If a packet arrives directed to a standby MS, the network must first localize its current cell in order to deliver the packet. This is achieved through the paging procedure: a paging request is broadcast over the Packet Paging Channel (PCH) in all the cells included in the current routing area. Note that standby MS must keep listening on the PCH in order to receive paging requests. Finally, the target MS replies over the Random Access Channel (RACH) and then the network can proceed to forward the incoming packet. Note that after replying to the paging request the MS switches to the "ready" state (see Fig. 2).

The transition from "ready" to "standby" is governed by a simple timeout $T_R$ ("ready_timeout") which is reset upon each data packet sent or received by the MS. The value of $T_R$ is set by the network operator and is typically in the range 30–120 s. This is an important aspect to be considered for the implementation of the paging attack, as discussed in the following section.

Fig. 2. Mobility states of GPRS (states: Idle, Ready, Stand-by; transitions: GPRS Attach, GPRS Detach, Ready_timer expires, Standby_timer expires, Paging request or packet sent).

5.2. Attack description

From the above discussion, we know that sending a single data packet to an MS in standby mode can cause a paging procedure. The paging attack presented in [5] is conceptually simple: it aims at overloading the paging channel by causing an exceptionally high rate of paging requests. This is achieved by sending IP packets to a large number of MS in a short interval. Although [5] presents the attack in the context of CDMA2000, the same principle applies to GPRS and UMTS as well. There is no way for an attacker to know which IP addresses are currently allocated to active MSs, nor which MSs are in standby mode. However, the attacker can simply scan the address space allocated to the mobile network – for example an entire class-B pool can be scanned in 10 s with packets of 40 bytes with only 260 Kbps of aggregate bandwidth. Besides overloading the paging channel, the attack induces a higher frequency of cell updates, since the target MS are forced to remain in "ready" state and therefore signal to the network every cell change. This contributes to increasing the load on the signaling channels, including the RACH, and leads to higher power consumption at the MS.

Recall that after being paged the MS switches to "ready" mode and cannot trigger a new paging procedure until it switches back to "standby", i.e. after $T_R$ seconds from the last packet. Therefore, any generic MS can be paged at most once every $T_R$ seconds. In order to build up a sustained attack the scan period should be (slightly) larger than $T_R$, as explained in the following. Denote by $r_c$ the average rate of paging messages required to saturate the whole network, by $\alpha$ the probability that a packet sent to a generic IP address in the network pool results in a paging procedure, by $N$ the number of MS that are in standby with an open PDP-context and by $D$ the size of the address pool allocated to the network. Clearly, $\alpha = N/D$ in the case of blind scanning. The minimum scanning rate that ensures saturation is $r_a = r_c/\alpha$. If the condition $r_c < N/T_R$ holds, it is possible to sustain the saturation rate $r_a$ indefinitely by cycling the scan over the address pool with a period slightly larger than $T_R$. In order to tune the attack and maximize impact, it is important for the attacker to know the exact value of the ready_timeout $T_R$. This is not a problem since the value of $T_R$ can be easily measured, either by end-to-end measurements (see [10] for proof-of-concept measurements on two different networks) or by means of a mobile terminal configured to report state transitions and channel (de)allocation events (see e.g. the Appendix of [7]).

6. Attacks based on Dedicated Channel (DCH) assignment

6.1. Shared and dedicated channels

In UMTS data packets can be forwarded over the radio interface either in a common (shared) channel, such as the Forward Access Channel (FACH), or in a Dedicated Channel (DCH). The MS is dynamically switched by the network between these two channels. Again, a two-state model underlies the design of the channel transition: when the MS is involved in an intense traffic exchange, e.g. due to an ongoing download, it is assigned a DCH, while during periods of silence or low traffic it is camped on a shared channel (FACH). Channel transitions are commanded by the network – specifically by the Radio Network Controller (RNC) – based on the recent traffic patterns of the specific MS. The transition FACH → DCH is typically triggered upon exceeding a minimum rate threshold, the rate being defined over a measurement window which depends on the RNC implementation (e.g. one second). Instead the transition DCH → FACH is triggered by timeout expiration: the DCH is released after $T_D$ seconds from the last data packet sent or received by the MS. A sample realization of the DCH assignment/release process is sketched in Fig. 3a. The value of $T_D$ is typically set in the order of a few seconds, the recommended default setting being 5 s. The actual value of $T_D$ can be easily measured in a similar way to the ready_timeout, either by end-to-end measurements [10] or based on direct reporting by the terminal [7]. Note that both types of channel transitions require a signaling procedure between the MS and the network – i.e. the RNC – and consequently consume control-plane resources: bandwidth of signaling channels along the path between the MS and the RNC, and processing power at both elements.

Fig. 3. DCH assignment and release for different packet arrival patterns: (a) designed-for pattern (DCH up after a burst, released after timeout $T_D$, e.g. 5 sec); (b) worst-case pattern for signaling maximization (spacing = $T_D$, e.g. 5.1 sec: the DCH is almost always up and the frequent transitions cause signaling overload); and (c) worst-case pattern for DCH consumption (spacing < $T_D$, e.g. 4.9 sec: the DCH is always up).

6.2. Two attack models on DCH

In this section, we describe two simple attack models that build upon the dynamic assignment of the DCH. In both cases, the goal is to generate a "naughty" traffic pattern that represents a sort of "worst case" of resource consumption for the channel assignment and release logic described above. By sending such a packet pattern to a large number of target MS, the attacker seeks to overload the network resources. We will consider two types of critical patterns, graphically reported in Fig. 3b and c.

The first type of attack was termed "signaling attack" in [6]. The goal is to maximize the frequency of channel transitions so as to induce a higher signaling load and eventually congest the relevant control channels at the radio interface. The idea is to trigger a DCH assignment immediately after each DCH release, by sending bursts of packets at a period slightly larger than $T_D$, as sketched in Fig. 3b.

The second type of attack, which was termed "DCH starvation attack" in [10], goes in the opposite direction. The goal is now to prevent the DCH from being released, even in the absence of legitimate traffic produced by the target MS, so as to make it unavailable for other MS. In other words, the attacker aims at starving the available DCHs by forcing them to remain assigned to (possibly inactive) terminals. This can be achieved simply by sending a periodic sequence of packets to the target MS at a regular interval slightly smaller than $T_D$, as shown in Fig. 3c, so as to prevent the expiration of the DCH release timer.
The first attack can be considered as a control-plane attack – hence the name ‘‘signaling attack” given in [6] – since the aim is to congest control channels, similarly to what is done with the paging attack seen above in Section 5. Instead, the second attack should be considered as a user-plane attack, since the goal is to congest the set of available DCHs which are (logical) resources on the user-plane.
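To make the cost of the channel logic concrete, here is an added example, not code from the paper, that models the RNC release timer and scores the three arrival patterns of Fig. 3 by the two quantities the attacks target: the number of FACH → DCH transitions (signaling cost) and the total time the DCH is held (user-plane occupancy). It also shows what one possible reading of the randomization the authors advocate, a release timeout re-drawn at every restart, does to both worst-case patterns. The burst trigger rule and the timeout distribution are assumptions.

```python
"""Added example (not from the paper): a model of the RNC's DCH release timer,
used to compare how the arrival patterns of Fig. 3 load the channel logic of
Section 6, and how a randomized release timeout changes the picture.
Assumptions: a packet arriving while the MS sits on the FACH always triggers
a DCH assignment (i.e. it exceeds the RNC rate threshold), and the timeout
is re-drawn at every timer restart."""
import random

T_D = 5.0   # DCH release timeout in seconds (the recommended default in the text)


def simulate_dch(arrivals, timeout=lambda: T_D):
    """arrivals: increasing packet timestamps (s) for one MS.
    timeout(): the release timeout to apply at each timer restart; a constant
    for a deterministic RNC, a random draw for a randomized one.
    Returns (assignments, hold): number of FACH->DCH transitions, each of
    which costs a signaling procedure, and total seconds the DCH was held."""
    assignments, hold = 0, 0.0
    dch_up_at = release_at = None
    for t in arrivals:
        if release_at is not None and t >= release_at:
            hold += release_at - dch_up_at     # timer expired before this packet
            dch_up_at = release_at = None      # MS was moved back to the FACH
        if dch_up_at is None:
            assignments += 1                   # FACH -> DCH: signaling cost
            dch_up_at = t
        release_at = t + timeout()             # every packet restarts the timer
    if dch_up_at is not None:
        hold += release_at - dch_up_at         # DCH still up at end of trace
    return assignments, hold


def periodic(spacing, count, start=0.0):
    """Packets at a constant spacing (constructed pattern, not a capture)."""
    return [start + spacing * k for k in range(count)]


def bursts(n_bursts, pkts_per_burst, gap, intra=0.1):
    """Designed-for pattern: short bursts separated by long silences."""
    return [b * gap + p * intra
            for b in range(n_bursts) for p in range(pkts_per_burst)]


def alternating_timeout(values):
    """Deterministic stand-in for a randomized timer: cycles through values."""
    state = {"i": 0}

    def draw():
        v = values[state["i"] % len(values)]
        state["i"] += 1
        return v
    return draw


def jittered_timeout(rng, base=T_D, jitter=1.0):
    """Randomized timer: uniform in [base - jitter, base + jitter] per restart."""
    return lambda: rng.uniform(base - jitter, base + jitter)


if __name__ == "__main__":
    patterns = {
        "designed-for: 2 bursts of 10 pkts, 60 s apart": bursts(2, 10, 60.0),
        "Fig. 3b: spacing 5.1 s, 20 pkts": periodic(5.1, 20),
        "Fig. 3c: spacing 4.9 s, 20 pkts": periodic(4.9, 20),
    }
    for name, arr in patterns.items():
        fixed = simulate_dch(arr)
        jit = simulate_dch(arr, jittered_timeout(random.Random(1)))
        print("%-45s fixed T_D: %2d assignments, held %6.1f s | "
              "jittered: %2d assignments, held %6.1f s" % (name, *fixed, *jit))
```

With a fixed $T_D$ of 5 s the 5.1 s pattern costs one assignment per packet and the 4.9 s pattern holds the DCH for the whole trace with a single assignment; with the timeout alternating between 4.5 s and 5.5 s both patterns land at 11 assignments, i.e. the attacker can no longer hit either extreme.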

7. Discussion on system-design aspects

The potential impact of each attack model depends on several aspects that are highly specific to the network configuration and setting, including factors like: the specific implementation of the state/channel transition logic at the RNC, the actual value of the timeouts and other parameter settings, the number and density of active MS (i.e. with an active PDP-context), the capacity provisioned for each control channel, the processing capacity of network elements, etc. It is not our goal here to provide a quantitative risk assessment: any such analysis would unavoidably lack generality given that most – if not all – of the relevant configuration aspects are highly network-dependent. This exercise should be carried out by network operators, based on their detailed knowledge of equipment and network settings and on the principles of the attack models referenced here, in order to identify the bottleneck resources and eventually upgrade the network to a more robust setting (e.g. increase the provisioning of control channels). Instead, we are interested here in deriving general lessons about the root causes of the exposure, to be learned and taken into consideration in the design process of future generation systems.

7.1. Asymmetry, openness

Although conceived in the scope of 3G networks, the SMS flooding attack already contains a number of fundamental ingredients that are common to all other attack models for 3G. The most important one perhaps is the marked asymmetry in the cost of transmitting a message between the attacker and the target cellular network. For an attacker on the side of the Internet such cost is practically negligible, and even a relatively low-bandwidth dial-up connection suffices to send a high rate of messages, be they SMS or IP packets, towards a large number of target MS. On the other hand, we have seen that on the side of the target cellular network some of these messages consume a non-negligible amount of control-plane processing and signaling bandwidth inside the network and at the radio interface. This is due to the high functional complexity of the cellular system, but it does not represent a problem when the network operates under nominal planned-for conditions.


Cellular networks, as many other engineered systems, are typically dimensioned following a "reference user model", hereafter referred to as RUM for short. The RUM is meant to capture the "average" (or "typical") user behavior and is used to project the expected consumption of network resources for the whole network from the expected user population size. Some simple models are defined by the standards and used for the initial network deployment, while during the network lifetime each operator produces its own models based on past measurements and on predictions informed by marketing strategies. Often different reference models are used for different user classes, e.g. residential vs. business. The network is therefore designed, provisioned, configured and optimized to operate under nominal conditions which are defined based on a set of RUMs, which by definition capture only "well-behaved" users. In general, the farther the actual user behavior is from the planned-for RUM, the higher the risk of generating overload on some resource and, in the extreme case, service disruption. In the context of 3G cellular data networks the risk of departing from the RUM due to deliberate attacks is particularly serious. This is a key point that we try to develop throughout the paper.

Consider the task of provisioning the control-plane resources, i.e. processing and bandwidth dedicated to signaling. In traditional 2G cellular networks, the typical RUMs reflect essentially "thin" users that individually generate a modest load on the control-plane. The rate of signaling procedures per user is relatively low, and it is normally measured on the per-hour timescale: one does not expect any normal user to receive or generate more than a few calls and/or SMS per hour, and even relocation procedures are relatively infrequent, in the order of a few per minute also for high-speed traveling users. Therefore, the network control-plane is designed for a large population of thin users, and the relatively high complexity and resource consumption associated with each signaling procedure are offset by the low rate of such events. No single user can reasonably influence the total load, since the monetary cost of initiating such activities is high, and the individual access capacity from any circuit-switched network, be it the PSTN or another cellular network, is seriously limited. Therefore, as long as 2G networks are connected exclusively to other circuit-switched networks, large deviations in the total network load can only be caused by macroscopic phenomena involving large fractions of the user population, e.g. social events like soccer games, concerts, festivities, etc. These can be easily anticipated by the operator and accommodated by local temporary capacity upgrades.

Instead, when the functionally complex cellular network is connected to the open Internet, it becomes possible for even a single malicious user to cause a macroscopic increase in the network-wide control-plane load. Furthermore, an attacker in the Internet has the possibility of leveraging a large number of compromised hosts, i.e. a botnet, to mediate the attack, in order to evade detection and at the same time increase the volume of the attack. Such considerations put the three control-plane attacks considered here, namely the SMS flooding attack [2], the paging attack [5] and the signaling attack [6], in a more general system-design perspective. They are ultimately rooted in the fact that a control-plane designed for thin users is exposed to the open Internet, from where attackers can easily generate a high signaling load on the target network by contacting many active MSs (virtually all) with "specially crafted" sequences of messages, calibrated to trigger certain signaling procedures (e.g. paging or DCH assignment) on a large scale.
Notably, the accurate calibration of the attack is possible because several network parameters (e.g. timeouts) can be easily inferred or measured, which is in turn a consequence of the fact that the logic governing such procedures is simple and deterministic. It should be remarked that this is a distinguishing aspect from other types of volume attacks, e.g. the attack against the IMS presence server described in [18], which do not require any particular sending pattern to be effective.

7.2. Two-state models, determinism

The paging attack and the two DCH attacks represent different forms of misuse of the standard procedures for Mobility Management and Radio Resource Management, respectively. Such procedures have been designed following a two-state model: ready vs. idle, FACH vs. DCH. Furthermore, the transitions between the states are deterministic, often governed by extremely simple logic, e.g. by a timeout and/or a threshold. This approach can be considered somehow a legacy from the 2G circuit-switched systems designed to support voice calls, where there was a clear separation between active and inactive terminals: either the MS is busy in conversation or it is not. Instead, when moving to data applications the level of MS "activity" becomes a more blurred concept: different sending and receiving patterns can occur at different timescales, and they cannot always be mapped to a simple ON/OFF scheme. Having in mind a set of reference applications, the 3G designers have tried to reduce the expected MS behavior to a simple two-state model, which in turn forms the basis for the design of the MM/RRM model. This approach works fine as long as the considered reference applications involve human-attended sessions, e.g. Web browsing and content download, which are somehow reminiscent of voice conversations: either the user is attending the application, or not. In this sense, as argued already in [7], the 3GPP specifications are still informed by a "circuit-switched" mindset of the designers. The state transition logic is kept simple because it aims at recognizing the boundaries between activity and inactivity states, which are implicitly assumed to be representative of how "typical" users really behave.
Given an MM/RRM setting optimized for a reference user model, a potential attacker will try to systematically identify the "worst case" patterns that put the network setting under stress. In order to design the attack and anticipate the potential impact, the attacker must know the details of the RRM/MM procedures, like for example the logic of state transitions. The fact that such transitions are deterministic enables the attacker to anticipate exactly how the network will react to any given input. The adoption of very simple transition logic, often involving a single parameter like a timeout or a threshold, further facilitates the attacker's job.

7.3. Risks from unwanted traffic

In general, the correct network operation is challenged whenever the macroscopic traffic patterns deviate substantially from the planned-for reference models. As we have seen, deviations can take the form of a higher-than-expected rate of control-plane procedures or of different-than-expected packet patterns. Such deviations can be caused by malicious attackers. However, the open Internet provides at least another possible source of macroscopic deviations from planned-for patterns: unwanted traffic. This term refers collectively to the mass of "unproductive" traffic, also known as "background radiation" [20], generated in the Internet by activities like host scanning, worm propagation, DoS backscatter, etc. In some cases, such traffic can mimic quite closely the "naughty" traffic patterns seen above. For example, in a previous study [8] we have observed that otherwise "innocuous" sources performing sequential host scanning can cause an unintentional excess of paging traffic in an operational 3G network. Similarly, scanning traffic generated by self-propagating worms can play the role of keep-alive packets for DCH channels if the average interval between probes received by the target MS is shorter than the DCH release timer TD (see [4] for a discussion about this point). Although such events cannot be assimilated to intentional attacks, they share the same weaknesses and root causes, and call for similar countermeasures.

8. Towards a more robust design for cellular networks

The process of rethinking system-design principles includes a pars destruens, where critical aspects of legacy approaches are identified and put into discussion, and a pars construens, where alternative solutions and new principles are proposed. The scope of the present work is focused on the first phase: we hope with this contribution to build awareness and feed a revision process of certain principles that have informed, more or less implicitly, the design of cellular networks so far. This is just the beginning of the process and we do not propose here ultimate solutions, although in this section we suggest some directions that, we believe, are worth further consideration by the developers of future cellular networks and standards.

First of all, the opportunity of performing individual assignment of logical resources in RRM might be carefully reconsidered. Notably, the 3.5G specifications already go in this direction, as HSPA relies on a completely shared traffic channel, with no dedicated channels. This is already one step away from the "circuit-switched mindset" already spotted by [7]. The point to be taken here is that robustness against deliberate attacks is an additional motivation for avoiding dedicated logical resources also in future generation systems.

We believe that it would be beneficial to inject a certain degree of randomization into the RRM/MM procedures. This would make it less easy for prospective attackers to anticipate and control the response of the network to malicious traffic patterns, thus complicating the task of designing minimum-cost-maximum-impact attack patterns. Notably, randomization is a standard ingredient of protocol design for distributed systems (think e.g. of MAC protocols for shared-medium Local Area Networks) but not for centralized systems like managed public networks: as such, it has found little space within the 3GPP specifications. For instance, randomizing the timeouts used for state/channel transitions would increase the cost (for the attacker) of launching a "signaling attack" and complicate the tuning of the paging attack.

The transition logic between states might be made more sophisticated and adaptive, in order to learn and adapt to the individual profile of each MS. The proposal made in [26] goes in this direction: in order to mitigate the paging attack [5], the authors propose a more efficient paging scheme where a short-list of the most-visited cells is maintained for each terminal. This increases the paging efficiency, i.e. it reduces the average number of paging messages required to locate the mobile, so that the network can absorb a higher rate of paging requests. Other examples of adaptation can be conceived for transition parameters: instead of always using the same value for all MSs, timeouts can be dynamically adjusted based on the frequency of past transitions for each specific MS, according to some heuristic scheme. In the case of the ready_timer, also the frequency of recent cell changes can be taken into account: in this way an MS camped on the same cell for a long time (as is usual, e.g., for laptops at home) would tend to have larger timeout values than traveling ones, thus reducing the probability of being paged without increasing the cell update load. With randomization and adaptation, it would be difficult for an attacker to foresee the time of the next transition for all MSs, and the accurate calibration of the attack would be much more difficult. Furthermore, the network would constantly adapt the transition parameters to the actual traffic conditions on a per-MS basis, thus relieving the operator from the (often frustrating) pursuit of the Holy Grail of a universal "optimal setting" for the whole network.
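As an added illustration of the fixed, randomized and adaptive release-timer policies discussed above (constructed example code, not code from the paper or from any 3GPP implementation), the following simulation replays a packet-arrival trace through a toy single-MS FACH/DCH state machine and counts the DCH setups each policy incurs. The value TD = 5 s, the jitter range, the adaptive heuristic (timer grows with the setups seen in a 10-minute window, capped at 4 TD) and the two traces are assumptions made here.

```python
"""Toy single-MS FACH/DCH state machine for comparing DCH release-timer
policies. Added illustration, not code from the paper or from any 3GPP
implementation. The two-state model and the inactivity timer TD restarted
on every packet follow the paper; the jitter range, the adaptive heuristic
and the traces below are assumptions made here for demonstration."""
import random

FACH, DCH = "FACH", "DCH"


def simulate(arrivals, policy, td=5.0, jitter=1.0, window=600.0, seed=1):
    """Replay a list of packet arrival times (seconds) for one MS.

    policy "fixed":    timer is always td (deterministic, as in 3GPP)
    policy "random":   timer drawn uniformly in [td - jitter, td + jitter]
    policy "adaptive": timer = td * (1 + DCH setups seen in the last
                       `window` seconds), capped at 4 * td (assumed heuristic)
    Returns {"setups": number of DCH setups, "dch_time": seconds in DCH}.
    Every setup (and the matching release) costs signaling on the RNC side,
    so "setups" is the control-plane load metric of interest here.
    """
    rng = random.Random(seed)
    state, deadline, dch_start = FACH, 0.0, 0.0
    setups, dch_time, setup_times = 0, 0.0, []

    def draw_timeout(now):
        if policy == "fixed":
            return td
        if policy == "random":
            return rng.uniform(td - jitter, td + jitter)
        recent = sum(1 for s in setup_times if s > now - window)
        return min(4 * td, td * (1 + recent))

    for t in arrivals:
        if state == DCH and t > deadline:
            # inactivity timer expired before this packet: DCH was released
            dch_time += deadline - dch_start
            state = FACH
        if state == FACH:
            setups += 1
            setup_times.append(t)
            state, dch_start = DCH, t
        deadline = t + draw_timeout(t)  # timer restarts on every packet
    if state == DCH:
        dch_time += deadline - dch_start
    return {"setups": setups, "dch_time": dch_time}


# Constructed traces. PERIODIC is spaced just above TD, the pattern a
# deterministic timer handles worst (one setup per packet); BURSTY mimics a
# human-attended session: 5 bursts of 20 packets, two minutes apart.
PERIODIC = [i * 5.5 for i in range(100)]
BURSTY = [b * 120.0 + j * 0.2 for b in range(5) for j in range(20)]


def compare(trace):
    """Setups per policy for one trace, e.g. compare(PERIODIC)."""
    return {p: simulate(trace, p)["setups"] for p in ("fixed", "random", "adaptive")}
```

compare(PERIODIC) gives 100 setups for the fixed timer, one for the adaptive timer and a seed-dependent intermediate count for the randomized one, while all three policies cost the same 5 setups on the bursty trace: the calibrated pattern loses its leverage without penalizing the reference user.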
More in general, we notice incidentally that the shift from static settings to adaptive mechanisms is a clear trend also in the physical layer of wireless communications, think e.g. of the introduction of power adaptation, Adaptive Modulation and Coding, adaptive beamforming.

The capacity provisioning of control-plane resources, and especially signaling bandwidth, should depart from the "thin user" assumption and, whenever possible, be adjusted to absorb "storms" caused by deliberate attacks and/or legitimate but unanticipated changes in macroscopic traffic patterns. It might be useful to implement prioritization mechanisms, at least for those resources that are more exposed to becoming the bottleneck, for example on a per-MS basis. Apart from the particular decision logic, i.e. which traffic is given which level of priority, the adoption of prioritization schemes, possibly in combination with adaptation and randomization, calls for the adoption of more sophisticated platforms for network equipment on the side of the manufacturers. The inherent costs would, however, be compensated by the increased robustness of the whole network.

9. Conclusions

In this contribution, we have presented four different attack models specific for cellular networks that have recently appeared in the literature. We have reviewed them collectively in an attempt to identify the system-design aspects that ultimately make them possible. Our goal here is not to identify specific patches and countermeasures against individual attacks. Instead, we aimed at drawing general system-design lessons to be learned and applied to future generation systems. At a very abstract level, there is a fundamental trade-off between optimality and robustness in system design: the more a complex system is optimized around an expected operating point, the higher the risks when it is driven to operate at a different point (see e.g. [11] for an elegant discussion on this point). For 3G cellular networks, the operating space is defined by global traffic patterns.
Because of the openness of the Internet, even a single attacker can build up traffic patterns that put the whole network infrastructure under stress. Additional risks can be produced unintentionally by the unwanted traffic found in the Internet, which in some cases can closely mimic such "naughty" patterns. Given such a scenario, we believe that the primary design objective of future generation cellular networks should be shifted from optimality to robustness. The research agenda should be re-oriented towards increasing the elasticity of cellular networks to absorb unexpected changes in the macroscopic traffic patterns, including those caused by intentional attacks. This calls for a paradigmatic U-turn in the design practice of such systems: future cellular networks should be designed and configured against "malicious users", rather than exclusively for "reference users" as done so far. In doing that, future developers of network equipment and protocols will likely have to resort to ingredients like randomization, adaptation and prioritization.

References

[2] W. Enck, P. Traynor, P. McDaniel, T. La Porta, Exploiting open functionality in SMS-capable cellular networks, in: Proceedings of the ACM CCS'05, Alexandria, Virginia, US, November 2005.
[3] H. Yang, F. Ricciato, S. Lu, L. Zhang, Securing a wireless world, Proceedings of the IEEE 94 (2) (2006).
[4] F. Ricciato, Unwanted traffic in 3G networks, ACM Computer Communication Review 36 (2) (2006).
[5] J. Serror, H. Zang, J.C. Bolot, Impact of paging channel overloads or attacks on a cellular network, in: Proceedings of the ACM WiSe'06, Los Angeles, USA, September 2006.
[6] P. Lee, T. Bu, T. Woo, On the detection of signaling DoS attacks on 3G wireless networks, in: IEEE INFOCOM 2007, Phoenix, USA, April 2007.
[7] P. Traynor, P. McDaniel, T. La Porta, On attack causality in Internet-connected cellular networks, in: Proceedings of the 16th USENIX Security Symposium (SECURITY), Boston, MA, August 2007.

[8] F. Ricciato, E. Hasenleithner, P. Romirer-Maierhofer, Traffic analysis at short time-scales: an empirical case study from a 3G cellular network, IEEE Transactions on Network and Service Management 31 (8) (2008).
[9] V.M. Igure, R.D. Williams, Taxonomies of attacks and vulnerabilities in computer systems, IEEE Communications Surveys 10 (1, Q1) (2008).
[10] A. Barbuzzi, F. Ricciato, G. Boggia, Discovering parameter setting in 3G networks via active measurements, IEEE Communications Letters 12 (10) (2008).
[11] J. Carlson, J. Doyle, Highly optimized tolerance: robustness and design in complex systems, Physical Review Letters 84 (11) (2000).
[12] A. Berger, I. Gojmerac, O. Jung, Internet security meets the IP multimedia subsystem: an overview, Security and Communication Networks, Wiley, New York, available online 11 September 2009, doi:10.1002/sec.142.
[13] K. Kotapati, P. Liu, Y. Sun, T.F. LaPorta, A taxonomy of cyber attacks on 3G networks, in: IEEE International Conference on Intelligence and Security Informatics, ISI 2005, Atlanta, GA, USA, May 19–20, 2005.
[14] J. Mirkovic, J. Martin, P. Reiher, A taxonomy of DDoS attacks and DDoS defense mechanisms, ACM SIGCOMM Computer Communications Review 34 (2) (2004).
[15] A. Hussain, J. Heidemann, C. Papadopoulos, A framework for classifying denial of service attacks, in: Proceedings of the SIGCOMM'03, New York, USA, 2003.
[16] S. Bali, S. Machiraju, H. Zang, V. Frostl, A measurement study of scheduler-based attacks in 3G wireless networks, in: IEEE PAM, 2007.

[17] R. Racic, D. Ma, H. Chen, X. Liu, Exploiting opportunistic scheduling in cellular data networks, in: Proceedings of the 16th Annual Network & Distributed System Security (NDSS) Symposium, 2008.
[18] B. Zhao, C. Chi, W. Gao, S. Zhu, G. Cao, A chain reaction DoS attack on 3G networks: analysis and defenses, in: IEEE INFOCOM, 2009.
[19] H. Holma, A. Toskala, HSDPA/HSUPA for UMTS: High-Speed Radio Access for Mobile Communications, Wiley, New York, 2006.
[20] R. Pang, V. Yegneswaran, Characteristics of Internet Background Radiation, in: IMC'04, Taormina, Sicily, Italy, October 25–27, 2004.
[21] J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely, Partitioning attacks: or how to rapidly clone some GSM cards, in: IEEE Symposium on Security and Privacy, Berkeley, CA, 12–15 May 2002.
[22] U. Meyer, S. Wetzel, A Man-in-the-Middle Attack on UMTS, in: WiSe'04, Philadelphia, USA, 1 October 2004.
[23] C. Xenakis, L. Merakos, Security in third-generation mobile networks, Computer Communications 27 (2004) 638–650.
[24] K. Kotapati, P. Liu, T.F. Laporta, Dependency relation based vulnerability analysis of 3G networks: can it identify unforeseen cascading attacks?, Telecommunication Systems 35 (3–4) (2007).
[25] R. Racic, D. Ma, H. Chen, Exploiting MMS vulnerabilities to stealthily exhaust mobile phones battery, in: SECURECOMM'06, Baltimore, USA.
[26] H. Zang, J.C. Bolot, Mining call and mobility data to improve paging efficiency in cellular networks, in: ACM MobiCom'07, New York, USA, 2007.
