A System for Signaling DoS Traffic Detection in 3G WCDMA Networks

June 2, 2017 | Author: JooHyung Oh | Category: Information Security, Wireless Communications, Computer Networks, Computer Security

JooHyung Oh, Sekwon Kim, Chaetae Im
Advanced Technology Development Team, Korea Internet & Security Agency
Jungdaero 135, Songpa, Seoul, Korea
{jhoh, heath82, chtim}@kisa.or.kr

Abstract - Due to the rapid increase in smartphone users and mobile services, the closed service structure of 3G WCDMA wireless networks has changed to an open service structure. In the open structure, any device that uses 3G service is able to access the wireless network for mobile Internet. Also, any data traffic originating from smartphones and tablets is allowed onto the 3G wireless network regardless of whether it is malicious or not. Events similar to DoS attacks might therefore take place in 3G WCDMA networks because of malicious traffic. However, IP-based traffic analysis and DoS attack detection technology cannot be adapted directly to the wireless network. In this paper, we present a system for signaling DoS traffic detection in 3G wireless networks. Our system provides analysis and detection of malicious signaling overhead traffic. It also provides detection of signaling DoS attacks based on malicious establishment/release of wireless resources.

Index Terms – Signaling DoS, 3G, Wireless Network

I. INTRODUCTION

Third generation (3G) wireless networks based on the CDMA2000 and UMTS standards are widely deployed. As of December 2005, there were over 300 million CDMA subscribers worldwide. Emerging 3G data standards, such as EV-DO and HSDPA, promise to deliver broadband mobile Internet services with peak rates of 2.4 Mbps and 14.4 Mbps, respectively. However, the data traffic explosion due to the large increase in the number of smartphone users and widely spread online apps is troubling mobile carriers [1][2] (shown in Fig. 1).

Fig. 1 Mobile data traffic growth forecast

In particular, malicious or potentially malicious data traffic originating from malware-infected smart devices can cause serious problems for 3G WCDMA wireless networks, just like a DoS attack in wireline networks. A DoS attack is an attempt to prevent legitimate users of a service or network resource from accessing that service or resource. In the case of a DoS attack, 3G WCDMA wireless networks are more fragile than wireline networks. In this paper, we present the design of a signaling DoS traffic detection system. Our system provides analysis and detection of malicious signaling overhead traffic. It also provides detection of signaling DoS attacks based on malicious RAB establishment.

This paper is structured as follows. We present background information related to 3G WCDMA wireless networks in Section 2. In Section 3, we describe the principles of our signaling DoS traffic detection approach and the architecture and details of the system. We conclude the paper in Section 4.

II. BACKGROUND INFORMATION

In this section we first overview the network elements of the 3G WCDMA wireless network architecture and their interconnections. We focus on the signaling procedures among the network elements for radio channel establishment and release. We then demonstrate how an attacker may exploit these signaling procedures to overload the control plane. Finally, we describe related works and the background of signaling DoS detection techniques.

A. 3G WCDMA Wireless Network

Fig. 2 Packet-switched network of 3G WCDMA wireless networks

Fig. 2 shows the typical architecture of the packet-switched network of a 3G WCDMA wireless network. We first describe two of its main components: the Gateway GPRS Support Node (GGSN) and the Serving GPRS Support Node (SGSN). The GGSN is a GPRS network entity that serves as the mobile wireless gateway between an SGSN and the Internet. When a mobile successfully authenticates and registers with the network, a Point-to-Point Protocol (PPP) link is set up between the GGSN and the mobile. The SGSN, on the other hand, is responsible for sending data to and from mobile stations, in addition to maintaining information about the location of a mobile and performing authentication for the mobile. Typically, there are multiple SGSNs, each of which serves the GPRS users physically located in its serving area. Another key component of a UMTS network is the Radio Network Controller (RNC), which is the point where wireless link layer protocols terminate. The RNC provides the interface between a mobile communicating through a Base Station (BS) and the network edge. This includes management of radio transceivers in BS equipment (radio resource control), admission control, channel allocation, as well as management tasks such as handoffs between BSs and deciding power control parameters. The functionalities of a BS include wireless link transmission/reception, modulation/demodulation, physical channel coding, error handling, and power control. In this hierarchical architecture, multiple mobiles communicate with a BS, multiple BSs communicate with an RNC, and multiple RNCs talk to the SGSN/GGSN.

B. Signaling DoS Attack in 3G WCDMA Wireless Network

The targets of most DoS attacks so far are wireline endpoints, whose prevalence provides vast opportunities for an attacker to explore and launch new attacks. To begin with, most wireline DoS attacks would still apply to a wireless network. In addition, due to the signaling overhead required for RAB setup/release, an attacker may seek to trigger an excessive amount of signaling messages in order to overload an RNC and potentially the BSs. This can be done by regularly sending low-volume bursts at appropriately timed periods such that, immediately after a RAB is torn down due to inactivity, a burst arriving from the attacker triggers a new RAB establishment.

* This research was supported by the KCC (Korea Communications Commission), Korea, under the R&D program supervised by the KCA (Korea Communications Agency) (KCA-2011-11914-06001).

Fig. 3 Signaling DoS attack scenario

C. Related Works

Recently, many detection and response technologies against anomalous traffic in 3G WCDMA wireless networks have been proposed. Ricciato [3] defines anomalous traffic that can occur in 3G networks, such as scanning traffic or flooding traffic. However, he does not propose any algorithm for detecting it. Also, he does not consider 3G-specific attacks such as the signaling DoS attack. Patrick [4] first introduced the signaling DoS attack in 3G WCDMA wireless networks and proposed an algorithm for detecting it through analysis of malicious RAB setup/release. But it simply analyzes the data traffic sent from the mobile device in order to detect the signaling DoS attack.

III. SYSTEM DESIGN

In this section, the design of our signaling DoS attack detection system is described in detail. The overall architecture of the system is shown in Fig. 4. In this system, we have applied hardware-based data stream capture techniques to capture network packets in real time, while the upper-layer protocol event analysis and filtering are performed by the detection modules described below.

Fig. 4 System architecture

There are mainly three modules in this architecture. The GTP-C Packet Filtering Engine is implemented by a set of parallel processing hardware, which can perform simple analysis and filtering of thousands of packets simultaneously. The Malicious RAB Establishment Detector is used to detect malicious RAB establishments: it analyzes the GTP-C packets collected by the GTP-C Packet Filtering Engine in order to classify malicious RAB establishments. The Signaling DoS Attack Detector finally calculates the time interval between the malicious RAB establishments detected by the Malicious RAB Establishment Detector, and examines whether it indicates an attack or not.

A. GTP-C Message Analysis and Malicious RAB Establishment Detection

In our system, the detection of malicious RAB establishments is performed by GTP-C message analysis. On the Gn interface, all GTP-C messages sent/received between the GGSN and SGSN are collected by the GTP-C Packet Filtering Engine. The GTP-C messages we monitor and collect are listed in Table I.

TABLE I MONITORED AND COLLECTED GTP-C MESSAGES

No  Message                      Object
1   Create PDP Context Response  To calculate RAB setup time
2   Update PDP Context Request   To calculate RAB release time
3   Delete PDP Context Request   To calculate RAB release time

When the mobile device tries to access the 3G WCDMA wireless network for mobile Internet, the PDP context activation procedure is initiated. To establish a PDP context, the SGSN sends a Create PDP Context Request message to the GGSN, and the SGSN may then initiate the RAB assignment procedure upon receiving a Create PDP Context Response message from the GGSN. In total, about 15 signaling messages are processed by the RNC during the RAB setup. The allocated RAB is released along with the PDP context deactivation after an inactivity timeout; a total of 12 signaling messages are processed by the RNC for the release of an allocated RAB. Due to the signaling overhead required for RAB setup/release, an attacker may seek to trigger an excessive amount of signaling messages in order to overload an RNC and potentially the BSs. Therefore, we define a RAB establishment as in Fig. 4.
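As an added worked example (not code from the paper or from KISA), the following Python reconstructs RAB establishments from a constructed GTP-C event trace on the Gn interface (Create PDP Context Response for setup, Delete PDP Context Request for release, as in Table I), applies the Section III.A rule that an establishment with no sending/receiving traffic is malicious, and runs the per-remote-host inter-RAB establishment time accumulator of Section III.B against a preselected threshold. The accumulator form max(score + (SHORT_INTERVAL − interval), 0), the constants SHORT_INTERVAL and THRESHOLD, and the event names and addresses in the trace are assumptions, since Table II states no constant term.

```python
from collections import defaultdict

SHORT_INTERVAL = 30.0  # assumed: setups closer than this (seconds) count as short and repetitive
THRESHOLD = 50.0       # assumed: preselected threshold on the accumulated inter-RAB time

# Constructed Gn-interface trace for one mobile (not real capture data). Event kinds:
# ("create_rsp", t, remote) = Create PDP Context Response (RAB setup at t seconds);
# ("delete_req", t, remote) = Delete PDP Context Request (RAB release); ("data", t, remote, nbytes)
# = user-plane bytes exchanged with remote while the RAB is up.
TRACE = [
    ("create_rsp", 0.0, "198.51.100.7"), ("delete_req", 5.0, "198.51.100.7"),
    ("create_rsp", 3.0, "203.0.113.5"), ("data", 4.0, "203.0.113.5", 5120), ("delete_req", 40.0, "203.0.113.5"),
    ("create_rsp", 12.0, "198.51.100.7"), ("delete_req", 17.0, "198.51.100.7"),
    ("create_rsp", 24.0, "198.51.100.7"), ("delete_req", 29.0, "198.51.100.7"),
    ("create_rsp", 36.0, "198.51.100.7"), ("delete_req", 41.0, "198.51.100.7"),
    ("create_rsp", 100.0, "203.0.113.5"), ("delete_req", 130.0, "203.0.113.5"),
]

def rab_establishments(trace):
    """Pair each Create PDP Context Response with the next Delete PDP Context Request
    for the same remote host, summing user-plane bytes in between (ordered by setup time)."""
    open_rab, rabs = {}, []
    for ev in sorted(trace, key=lambda e: e[1]):
        kind, t, remote = ev[0], ev[1], ev[2]
        if kind == "create_rsp":
            open_rab[remote] = [t, 0]
        elif kind == "data" and remote in open_rab:
            open_rab[remote][1] += ev[3]
        elif kind == "delete_req" and remote in open_rab:
            setup_t, nbytes = open_rab.pop(remote)
            rabs.append((setup_t, t, remote, nbytes))
    return sorted(rabs)

def is_malicious(rab):
    """Section III.A rule: no sending/receiving traffic during the establishment."""
    return rab[3] == 0

def detect_signaling_dos(trace):
    """Section III.B: per remote host R, accumulate the inter-RAB establishment time over
    consecutive malicious establishments; R is flagged once it crosses THRESHOLD."""
    score, last_setup, flagged = defaultdict(float), {}, {}
    for rab in rab_establishments(trace):
        setup_t, remote = rab[0], rab[2]
        if not is_malicious(rab):
            continue                      # only malicious establishments feed the timer
        if remote in last_setup:          # not the first malicious establishment from R
            interval = setup_t - last_setup[remote]
            # assumed accumulator form: short intervals add up, long intervals drain it to 0
            score[remote] = max(score[remote] + (SHORT_INTERVAL - interval), 0.0)
            if score[remote] > THRESHOLD and remote not in flagged:
                flagged[remote] = setup_t   # setup time of the RAB that triggered detection
        last_setup[remote] = setup_t
    return dict(score), flagged
```

With the constructed trace, the remote at 198.51.100.7 triggers idle RABs every 12 s and is flagged at the fourth one, while the remote at 203.0.113.5, whose first RAB carried data and whose second idle RAB is an isolated event, accumulates nothing.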

Fig. 4 RAB Establishment

If a RAB establishment is detected, we analyze the sending/receiving traffic of the mobile device in order to decide whether it is malicious or not. Signaling DoS attacks can be carried out by regularly sending low-volume bursts at timed periods such that, immediately after a RAB is torn down due to inactivity, a burst arriving from the attacker triggers a new RAB establishment. So, our malicious RAB establishment detection operates with RAB establishment detection followed by analysis of the RAB establishment. If there is no sending/receiving traffic during the period of the RAB establishment, the RAB establishment is considered malicious.

B. Signaling DoS Attack Detection

Signaling DoS attack detection is performed by analysis of the time interval between malicious RAB establishments. Its purpose is to detect repetitive and short RAB establishments among the malicious RAB establishments. Our signaling DoS attack detection algorithm first determines the corresponding flow F, which identifies the mobile M and the remote host R. If the malicious RAB establishment is not the first one from R, an inter-RAB establishment time is computed as in Table II.

TABLE II INTER-RAB ESTABLISHMENT TIME

Inter-RAB establishment time = max(inter-RAB establishment time + (−interval of malicious RAB establishment), 0)

The inter-RAB establishment time indicates how many repetitive malicious RAB establishments have occurred. When the computed inter-RAB establishment time crosses the preselected threshold, R is marked malicious and a signaling DoS is detected.

IV. CONCLUSION AND FUTURE WORK

Signaling DoS detection is very important to the overall health of 3G WCDMA wireless networks. Because 3G WCDMA wireless networks had a closed service structure, there has not been much research on 3G network security. In this paper, we have presented a system for signaling DoS traffic detection in 3G wireless networks. Our system provides analysis and detection of malicious signaling overhead traffic. The proposed system will be able to detect and respond to attacks, especially signaling DoS. However, since an evaluation has not yet been performed, it is not sufficient in many cases. Thus, our future work will focus on implementing the proposed system for experiments and on evaluating the system design.

REFERENCES

[1] "Mobile Traffic Data (2010~2015)", Cisco VNI Mobile, 2011.
[2] "Global Mobile Data Traffic, By Type", Morgan Stanley, 2010.
[3] F. Ricciato, "Unwanted Traffic in 3G Networks", ACM Computer Commun. Rev., Vol. 36, No. 2, Apr. 2006.
[4] P. Lee, T. Bu, T. Woo, "On the Detection of Signaling DoS Attacks on 3G Wireless Networks", Proceedings of INFOCOM 2007, May 2007.
[5] X. Peng, W. Yingyou, Z. Dazhe, Z. Hong, "GTP Security in 3G Core Network", Proceedings of Networks Security, Wireless Communications and Trusted Computing, April 2010.
