Root cause analysis of the signaling storm problem


The paper A SURVEY ON THREATS, VULNERABILITIES AND SECURITY
SOLUTIONS FOR CELLULAR NETWORK mentions:

4G System (LTE) Security
Modern LTE cellular networks provide advanced services for billions of users, which exceed
traditional voice and short messaging traffic. The coming attack in LTE is Distributed Denial of
Service (DDoS) attacks. The availability of communication systems explains the importance of
strengthening the flexibility of mobility networks against Denial of Service (DoS) and DDoS threats
to ensure the LTE network availability against security attacks.
Examples of threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
interception and cryptanalysis of IP traffic.

There are interfaces in the LTE system which are exposed to different attacks such as Radio access
network, Core evolved packet system (EPC) and Packet data network (PDN). DoS and DDoS
attacks in LTE mobility networks can be classified based on the traffic load maliciously generated
into one single attacker or low traffic volume (DoS) and a large set of multiple simultaneous
attackers or high traffic volume (DDoS).
Denial of Service attacks (DoS)
Radio jamming is the intended transmission of radio signals which disrupt communications by
decreasing the signal to noise ratio. The way of blocking an attack is to locate and stop the jamming
device, where the large amount of power required reduces the effectiveness of the attack.——Radio jamming equipment!!! It is one of the sources of malicious DoS attacks.

Smart jamming consists of attacks that aim to locally disrupt the communications of an LTE
network without sending alerts. It can be implemented by saturating one or more of the important
control channels which are required by all mobile devices to access the spectrum (the attack only targets a few important control channels). Saturation of these
channels renders the network unresponsive. In addition, this attack requires low transmitted power
and requires no authentication, detection and reduction. This type of attack can be started against
essential control channels in both the downlink and the uplink. This attack concentrates on the much
narrower control channels instead of saturating the entire channel and so it consumes less power.
Classic computer vulnerabilities: cellular equipment and the software running on mobile
networks are the same as any other computer system, so they can be affected by the same
vulnerabilities. [21]
Distributed Denial of Service attacks (DDoS)
Botnet of mobile devices——and of course botnet devices are another possible cause of DoS: a smartphone botnet presents a new and very powerful attack vector
against mobility networks. So, a new set of DDoS attacks is affected when large volumes of traffic
and signaling messages can be generated from within the network.
Signaling amplification attacks: A botnet of infected mobile devices can be used to generate a
signaling amplification attack by forcing each terminal to continually establish and release IP
connections to an external server. Such saturation of the EPC could occur legitimately due to the
large amount of traffic.
HSS saturation: The HSS is a key node of the EPC which stores information (attacking the HSS node) for every subscriber in
the network. The stored parameters per user are the phone number, international mobile subscriber
identity (IMSI), billing and account information, cryptographic primitives, keys which perform
authentication of subscribers and the last known location of the user. A DDoS attack against this
node could prevent the network from being operated.
DDoS against external nodes/networks: The attacks are generated from a number of servers which
are remotely controlled by an attacker and have been able to inject large traffic loads into the
network. The high volume of traffic aimed at a specific target during a DDoS attack, which could
be generated by a botnet of mobile phones, could impact the performance of the mobile network.
[21]

In the paper 3G WCDMA Mobile Network DoS Attack and Detection Technology

what is described is using GTP Echo messages to launch a DoS attack

also released a DoS attack on the 3G
mobile network, using the GTP Echo scan message [9][10].

Of course, other signaling messages could also be sent.

A. GTP-in-GTP based DoS Attack: the first method uses GTP messages (signaling??? probably not)

If the GTP-C message for 3G WCDMA mobile network
control, such as IP address allocation for the 3G mobile
network, sends the GGSN’s IP address to the destination via the
terminal, the IP address resource can be allocated abnormally.
This type of GTP-in-GTP packet processing vulnerability can
be exploited in most GGSNs installed in the domestic
commercial service environment, and the P-GATEWAY
equipment in the 4G LTE network that performs a similar
function to the 3G network’s GGSN as well.
If the terminal creates many “GTP-C Create PDP Context”
messages and sends them to the GGSN’s IP address, the TEID
and IP address of the GGSN are allocated abnormally.
Likewise, a DoS attack can be launched against normal users
that use the 3G mobile Internet service, if the TEID and IP
address of the GGSN are exhausted by exploiting the GGSN’s
GTP-in-GTP packet processing vulnerability. 

Looking at the figure in the original paper makes it clear that this is indeed possible.
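Added example, not from the paper or from this blog's author: a minimal GTP-in-GTP filter in Python of the kind a GGSN, P-GW or a GTP firewall in front of it should apply to subscriber traffic. It decodes a GTP-U T-PDU, extracts the subscriber's IP packet, and flags the packet when it is itself UDP to the GTP-C port 2123 or the GTP-U port 2152 with a well-formed GTPv1 header, which is the "terminal addresses the GGSN's GTP service through the user plane" pattern the paragraph above describes. The port numbers and message types are the real GTPv1 values; the addresses, helper names and the sample packets are constructed for the example, the Create PDP Context body is placeholder bytes rather than a valid message, and checksums are left zero because the parser does not validate them.

```python
import struct
import ipaddress

# GTPv1 constants (3GPP TS 29.060). The port and type numbers are real;
# everything else in this file is constructed for the example.
GTP_C_PORT = 2123
GTP_U_PORT = 2152
GTP_MSG_CREATE_PDP_CTX_REQ = 16   # GTPv1-C Create PDP Context Request
GTP_MSG_G_PDU = 255               # GTPv1-U T-PDU carrying a subscriber IP packet


def parse_gtpv1_header(buf):
    """Return (msg_type, teid, payload) for a GTPv1 PDU, or None if buf is not one."""
    if len(buf) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", buf[:8])
    version, proto_type = flags >> 5, (flags >> 4) & 1
    if version != 1 or proto_type != 1:      # GTPv1, not GTP' (charging)
        return None
    hdr_len = 12 if flags & 0x07 else 8      # E/S/PN flag => 4 optional bytes
    if len(buf) < max(hdr_len, 8 + length):
        return None
    return msg_type, teid, buf[hdr_len:8 + length]


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, udp_payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:   # protocol 17 = UDP
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def classify_subscriber_packet(ip_packet):
    """Classify the IP packet a terminal sent inside a GTP-U T-PDU.

    Returns ("gtp-in-gtp", inner_msg_type, dst) when the subscriber packet is
    itself GTP (UDP to 2123 or 2152 with a valid GTPv1 header); the gateway
    should drop such packets instead of feeding them to its own GTP processing.
    Returns ("ok", None, None) for ordinary user traffic.
    """
    parsed = parse_ipv4_udp(ip_packet)
    if parsed is None:
        return ("ok", None, None)
    _src, dst, _sport, dport, udp_payload = parsed
    if dport not in (GTP_C_PORT, GTP_U_PORT):
        return ("ok", None, None)
    inner = parse_gtpv1_header(udp_payload)
    if inner is None:                        # same port, but not a GTP header
        return ("ok", None, None)
    return ("gtp-in-gtp", inner[0], dst)


def inspect_gtpu(gtpu_bytes):
    """Apply the filter to a raw GTP-U PDU received from the RAN side."""
    hdr = parse_gtpv1_header(gtpu_bytes)
    if hdr is None or hdr[0] != GTP_MSG_G_PDU:
        return ("not-a-tpdu", None, None)
    return classify_subscriber_packet(hdr[2])


# --- constructed sample traffic (not captured data) -------------------------
def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build an IPv4/UDP packet; checksums stay zero since the parser ignores them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def build_gtpv1(msg_type, teid, payload):
    """Build a GTPv1 PDU with flags 0x30 (version 1, PT=1, no optional fields)."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


UE_IP, GGSN_IP, EXTERNAL_IP = "10.1.2.3", "10.0.0.1", "192.0.2.10"   # constructed

# Subscriber packet aimed at the GGSN's GTP-C port; the 16-byte body is a
# placeholder, not a valid Create PDP Context Request.
SAMPLE_GTP_IN_GTP = build_gtpv1(GTP_MSG_G_PDU, 0x1234, build_ipv4_udp(
    UE_IP, GGSN_IP, 40000, GTP_C_PORT,
    build_gtpv1(GTP_MSG_CREATE_PDP_CTX_REQ, 0, b"\x00" * 16)))

# Ordinary subscriber DNS query to an external resolver.
SAMPLE_BENIGN = build_gtpv1(GTP_MSG_G_PDU, 0x1234, build_ipv4_udp(
    UE_IP, EXTERNAL_IP, 40001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))


if __name__ == "__main__":
    for name, pdu in (("gtp-in-gtp", SAMPLE_GTP_IN_GTP), ("benign", SAMPLE_BENIGN)):
        print(name, "->", inspect_gtpu(pdu))
```

The check is deliberately on the destination port plus a structurally valid GTPv1 header, not on the port alone, so a subscriber application that happens to use port 2123 for something else is not dropped; a production filter would additionally restrict GTP to the operator's own Gn/S5 interfaces so that no user-plane packet can reach the GGSN's GTP service at all.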
B. Signaling DoS Attack
The 3G mobile network releases the allocated wireless
resource, if the mobile terminal doesn’t transmit the data for a
certain period of time, in order to use the limited wireless
resource efficiently. By taking advantage of this architecture, a
DoS attack that causes RNC and SGSN overload using multiple
signaling messages can be launched.
The signal message can be created by maliciously and
abnormally repeating wireless resource re-allocation right after
resource release [5].

What is described here should be the signaling storm caused by RRC.

As shown in Fig.3, if the active terminal doesn’t establish the
data communication for a certain period of time, a wireless
resource release request message will be sent to the SGSN to
switch to the dormant mode. In addition, if the terminal in a
dormant mode transmits the data, the terminal can be switched
to an active mode again by sending a wireless resource
allocation message to the SGSN. Using this mode switching
method, the 3G mobile network manages the limited wireless
resource efficiently. When the wireless resource is maliciously
and abnormally allocated/released, small traffic is sent at a
particular interval to switch the dormant mode of the terminal
to the active mode, and many signaling messages are created,
which results in a DoS attack by causing overload on the RNC
and SGSN.

This is the signaling storm caused by 3G state switching, without any data actually being transmitted.
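Added example, not from either paper or from this blog's author: a Python detector for the connection-churn pattern that appears both in the survey's "signaling amplification" paragraph above (terminals repeatedly establishing and releasing IP connections) and in the dormant/active switching paragraph here. It consumes a hypothetical per-UE event log with lines of the form `<seconds> <imsi> CONNECT` and `<seconds> <imsi> RELEASE bytes=<n>` (a constructed format; a real deployment would feed it RRC connection setup or Service Request counters from the RNC/MME), keeps a sliding window per IMSI, and raises an alert when one UE performs many resource allocations in the window while moving almost no data per session. The IMSIs, thresholds and sample log are constructed.

```python
import re
from collections import defaultdict, deque

# Hypothetical event-log format, constructed for this example:
#   "<seconds> <imsi> CONNECT"              terminal asks for radio/PDP resources
#   "<seconds> <imsi> RELEASE bytes=<n>"    resources released after <n> bytes of data
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<imsi>\d{15})\s+(?P<event>CONNECT|RELEASE)"
    r"(?:\s+bytes=(?P<bytes>\d+))?$")


def parse_line(line):
    """Return (ts, imsi, event, bytes) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    nbytes = int(m.group("bytes")) if m.group("bytes") is not None else 0
    return float(m.group("ts")), m.group("imsi"), m.group("event"), nbytes


class SignalingChurnDetector:
    """Flag terminals that allocate resources far more often than they move data.

    A UE is flagged when, within the sliding window, it has issued more than
    max_connects CONNECTs and the average payload per released session is below
    min_avg_bytes: the "small traffic at a particular interval right after
    release" pattern that loads the RNC/SGSN (or MME) with signaling.
    """

    def __init__(self, window_s=60.0, max_connects=10, min_avg_bytes=200):
        self.window_s = window_s
        self.max_connects = max_connects
        self.min_avg_bytes = min_avg_bytes
        self.events = defaultdict(deque)     # imsi -> deque of (ts, event, bytes)

    def observe(self, ts, imsi, event, nbytes=0):
        """Record one event; return True if the UE is over threshold right now."""
        dq = self.events[imsi]
        dq.append((ts, event, nbytes))
        while dq and dq[0][0] < ts - self.window_s:   # drop events outside the window
            dq.popleft()
        connects = sum(1 for _, ev, _ in dq if ev == "CONNECT")
        releases = [b for _, ev, b in dq if ev == "RELEASE"]
        if connects <= self.max_connects:
            return False
        avg_bytes = sum(releases) / len(releases) if releases else 0.0
        return avg_bytes < self.min_avg_bytes


def run_detector(lines, **thresholds):
    """Feed a log through the detector; return {imsi: first timestamp flagged}."""
    det = SignalingChurnDetector(**thresholds)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, imsi, event, nbytes = rec
        if det.observe(ts, imsi, event, nbytes):
            alerts.setdefault(imsi, ts)
    return alerts


def build_sample_log():
    """Constructed log: one normal UE and one UE reconnecting right after each release."""
    normal, churner = "460001234567890", "460009876543210"   # made-up IMSIs
    lines = [f"0.0 {normal} CONNECT", f"20.0 {normal} RELEASE bytes=51200",
             f"35.0 {normal} CONNECT", f"58.0 {normal} RELEASE bytes=23000"]
    for i in range(15):                      # every 4 s: connect, send 40 bytes, release
        t = i * 4.0
        lines.append(f"{t:.1f} {churner} CONNECT")
        lines.append(f"{t + 0.5:.1f} {churner} RELEASE bytes=40")
    return sorted(lines, key=lambda ln: float(ln.split()[0]))


if __name__ == "__main__":
    print(run_detector(build_sample_log()))
```

Using the data volume as a second condition matters: a UE that reconnects often but carries real payload each time (a chatty but legitimate application) stays below the alert, whereas the churning UE in the sample trips it on its 11th allocation in the window, which is the point at which an RNC or MME would start paying far more signaling cost than the traffic justifies.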

 

