Yavuz Selim ÖZZENGİN
Hacettepe University
Department of Computer Engineering
Outline
• Introduction
• Overview of Cellular Systems
• Attack Overview
• Characterizing HLR Performance
• Profiling Network Behavior
• Attack Characterization
• Avoiding Wireless Bottlenecks
• Conclusion
Introduction
• Denial of Service attacks on HLR
• Botnets as small as 11750 phones can cause a reduction of throughput of more than 90%
Overview of Cellular Systems
• Network Architecture and Components
  • Home Location Register (HLR)
  • Mobile Switching Centers (MSCs)
  • Visiting Location Register (VLR)
  • Serving GPRS Support Node (SGSN)
Overview of Cellular Systems (cont.)
• Mobile Phone Architecture
  • Application Processor
  • Baseband Processor
Overview of Cellular Systems (cont.)
• Mobile OS
  • Windows Mobile, Android, Mobile OS X…
  • 10% of cellular users downloaded games at least once a month in 2007
Attack Overview
[Figure: Attacker, Legitimate User]
Attack Overview (cont.)
• Different from DoS on the Internet
• Mobile devices cannot transmit entirely arbitrary requests to HLR
• Such requests must be made in a manner such that unnecessary traffic or side effects are not generated
Characterizing HLR Performance
• Types of HLR service requests
Characterizing HLR Performance
• Different commands on MySQL
Characterizing HLR Performance
• Different commands vs Number of subscribers
Profiling Network Behavior (cont.)
• GPRS Attach: update_location
Profiling Network Behavior (cont.)
• Avg: 2.5 sec // Peak: 3 sec
Profiling Network Behavior (cont.)
• Call Waiting: update_subscriber_data
Profiling Network Behavior (cont.)
• Avg: 2.5 sec
Profiling Network Behavior (cont.)
• Avg: 2.7 sec (insert) / 2.5 sec (delete)
Attack Characterization
• The effect of an attack on HLR with 1 million users (MySQL)
Attack Characterization
• With SolidDB
Attack Characterization
• MySQL:
  • Normal condition: 11750 infected mobile phones
  • High traffic: 23500 infected mobile phones
• SolidDB:
  • 141000 infected mobile phones
Avoiding Wireless Bottlenecks
• Random Access Channel (RACH) Capacity
• TDMA
  • Timeslot: 0.577 ms
  • A frame: 8 timeslots = 4.615 ms
• Slotted ALOHA protocol
Avoiding Wireless Bottlenecks
• Max throughput S
  $S = G e^{-G}$
• S is maximized at 37% when G=1
• G is the number of transmission attempts per timeslot
Avoiding Wireless Bottlenecks
• The offered load, G, also known as ρ, is defined as:
  $\rho = \lambda / \mu$
• λ is the arrival rate in commands per second
• 1/μ is the channel hold time (4.615 ms)
• ρ = 1/0.004615 * 0.37 = 80 transmissions per sec
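Added example (not from the original slides): a Monte Carlo check of the slotted ALOHA formula above, showing that throughput peaks near 37% at G = 1 and that this gives the roughly 80 RACH accesses per second per sector quoted on the slide. The Poisson arrival model, the grid of loads and all function names are assumptions of this example.

```python
import math
import random

FRAME_SECONDS = 0.004615  # channel hold time 1/mu from the slides (one TDMA frame)


def poisson(rng, mean):
    """Knuth's algorithm: draw one Poisson-distributed attempt count."""
    limit, k, p = math.exp(-mean), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_throughput(offered_load, slots=100_000, seed=1):
    """Fraction of slots carrying exactly one attempt (a success).

    Zero attempts leave the slot idle; two or more collide and all are lost.
    """
    rng = random.Random(seed)
    successes = sum(1 for _ in range(slots) if poisson(rng, offered_load) == 1)
    return successes / slots


def analytic_throughput(offered_load):
    """S = G * e^(-G), the slotted ALOHA formula from the slide."""
    return offered_load * math.exp(-offered_load)


def rach_capacity_per_second():
    """Successful RACH accesses per second per sector at the optimum G = 1."""
    return analytic_throughput(1.0) / FRAME_SECONDS


def sweep(loads=(0.5, 1.0, 1.5, 2.0)):
    """Return {G: (simulated S, analytic S)} for a constructed grid of loads."""
    return {g: (simulate_throughput(g), analytic_throughput(g)) for g in loads}


if __name__ == "__main__":
    for g, (sim, exact) in sweep().items():
        print(f"G={g:.1f}  simulated S={sim:.4f}  G*e^-G={exact:.4f}")
    print(f"RACH capacity at G=1: {rach_capacity_per_second():.1f} accesses/s")
```

Pushing the offered load past G = 1 lowers the success rate, because collisions grow faster than attempts; this is why the RACH caps the signalling a single sector can accept.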
Avoiding Wireless Bottlenecks
• The attack would need to be distributed over α base stations:
  $\alpha = \dfrac{5000\ \text{messages/sec}}{3\ \text{sectors/cell} \times 80\ \text{RACH transmissions/sec}} = 21\ \text{base stations}$
Avoiding Wireless Bottlenecks
• Standalone Dedicated Control Channels (SDCCH)
• Sectors in GSM allocate 8 or 12 SDCCHs
• We hold SDCCH for 2.7 sec (insert_call_forwarding)
  $\rho_{SDCCH} = \dfrac{1}{2.7} = 0.37\ \text{msgs/sec}$
  $\alpha = \dfrac{5000}{\text{sectors} \times \text{SDCCHs} \times \rho_{SDCCH}} = \dfrac{5000}{3 \times 12 \times 0.37} = 375\ \text{base stations}$
Conclusion
• Small botnets composed entirely of mobile phones pose significant threats to the availability of these networks
• C & C channel is more challenging in this environment
QUESTIONS?