Network Security Issues in 3G, 4G and 5G: A Literature Summary


 

Modeling and Analysis of RRC-Based Signalling Storms in 3G Networks: again uses a state-machine model to identify malicious UEs. https://san.ee.ic.ac.uk/publications/ggorbil_gelenbe_TETC_15_final.pdf

Their simulation: In the simulations, we have 1,000 UEs in an area of 2x2 km, which is covered by seven Node-Bs connected to a single RNC. The CN consists of the SGSN and the GGSN, and the GGSN is connected to ten Internet hosts acting as web servers. All UEs attach to the mobile network at the start of the simulation, (at this point the UE already has a temporary ID; how would detection work before it has one? The attach procedure itself generates a lot of signaling) and remain attached. We simulate a high level of web browsing activity in a two and a half hour period. Our web browsing model is based on 3GPP recommendations

 

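DETECTING NETWORK-UNFRIENDLY MOBILES WITH THE RANDOM NEURAL NETWORK: uses the RNN to detect malicious UEs; the RNN model suits our problem of distinguishing normal from abnormal behavior of mobile devices. [Supplement: RNN in this paper means random neural network. Stochastic neural networks are a type of artificial neural network, used as a tool in artificial intelligence. They introduce random variations into the network, either by giving the neurons stochastic transfer functions or by giving them random weights. This makes them very useful for optimization problems, because the random fluctuations avoid local minima. Stochastic neural networks built with stochastic transfer functions are usually called Boltzmann machines.]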

the present approach intercepts packets at the edge of the mobile network using standard
monitoring technologies. This offers the advantages of not requiring to decode lower radio
related layers, lack of network encryption, and fewer number of nodes to monitor [60].
Moreover, the algorithm relies mainly on timestamps and packet header information to
classify users, and does not require knowledge of the application generating a packet nor
its service type, thus eliminating the need to use a commercial deep packet inspection
tool which may result in considerable overhead. It also interacts with existing network
management systems to reduce computational overhead, storage requirements and false
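alarm rate.

It uses packet headers and timestamps intercepted on the mobile side, with no need to unpack the packets. In essence this is a classification problem.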

It also covers the state-transition problem in 3G and 4G:

One can observe that promotions from idle to connected are quite expensive in terms of signaling, thus motivating the introduction of sub-states in the connected mode. In UMTS, there are usually three sub-states: a low-energy cell_PCH state which allows the UE to stay in the connected mode without being able to transfer data, a low bandwidth cell_FACH state, and a high bandwidth cell_DCH state. In LTE, the UE has the ability to go into short and long discontinuous reception (DRX) states while in the connected mode, where it sleeps most of the time and periodically wakes up to check if there is data to be transferred, with longer sleep periods in long DRX than in short DRX.

The figure below makes this very clear.

Large-scale mobile malware infections may
also trigger a storm, if the malware exhibit frequent communications as in premium SMS
diallers, spammers and adware which are among the top encountered threats on smart
devices [48]. This is confirmed by a recent analysis of mobile subscribers’ traffic in China [46] which indicated a positive correlation between the frequency of signaling-intensive traffic
and malicious activities such as private data upload and billing fraud.

This example says that large-scale botnet UE activity can also cause a signaling storm, for example sending SMS messages, spam, adverts and so on.

Now for its solution (for 3G):

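But there is a fatal problem: RRC messages are not available in the core network!!! So it can only detect malicious UE packets after RRC access has succeeded. The article I read earlier, which said it obtains the time series of signaling, clearly runs into the same problem!!!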

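Judging from this figure, it is doing signaling-storm detection at the HSS!!! That way there is no logic problem. Actually, no!!! In essence, a malicious UE uses an app to send messages in bulk, forcing the base station to page and thereby achieving a signaling-storm attack. See the papers below.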

Because the paper says: which intercepts packets directed to/from the network gateway; in
3GPP standards, the user data transported over this interface are encapsulated in GTP-U
(a simple IP-based tunneling protocol) packets. The detector also utilizes information from
the OSS to reduce search space and optimize performance, and periodically produces a list of
anomalous users to the OSS for root cause analysis and mitigation.

Data features extracted by the model:
describe various characteristics of the users’ behavior. Time is divided into slots, each of duration Δ seconds, in which
summary statistics of several quantities related to the IP traffic of each user are collected...

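[[[Supplement:

GTP is the main protocol used in the GPRS core network. It lets terminals of a GSM/UMTS network move around the network while staying connected to the Internet through the same GGSN. To achieve this, GTP always carries user-plane data from the SGSN serving the user's current location to the GGSN that corresponds to the user's subscription.

The GPRS core network uses three GTP protocols.

  • GTP-U provides one or more tunnels for each PDP context, used to carry user data
  • GTP-C is used for control purposes, including:
    • setup and deletion of PDP contexts
    • verification of GSN reachability
    • location updates, for example when a subscriber moves from one SGSN to another
  • GTP' is used to transfer charging data from the GSNs to the Charging Gateway Function (CGF).

GGSNs and SGSNs (together called "GSNs") listen for GTP-C messages on UDP port 2123 and for GTP-U messages on port 2152. GTP communication can take place between different operators via the GPRS Roaming Exchange.

The Charging Gateway Function (CGF) listens on TCP/UDP port 3386 for GTP' messages sent from the GSNs. The core network sends charging information to the CGF; it includes at least the number of PDP context activations and the amount of data transferred by the end user. Unlike GTP-C and GTP-U, messages carried by GTP' are normally used only inside a single operator's network and are therefore less standardized. Operators can apply special configuration, use special encodings, or even use an entirely different system for charging.]]]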
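An added example, not taken from the papers or from the original post: a minimal GTPv1-U decapsulator of the kind a passive detector on the gateway interface needs in order to reach the inner IP header (addresses, protocol, length) without reading the payload. The function names are hypothetical and the sample packet is constructed.

```python
import socket
import struct

GTP_MSG_GPDU = 0xFF  # G-PDU: the message type that carries a user IP packet


def parse_gtpu(payload: bytes):
    """Parse one GTPv1-U message (the payload of a UDP/2152 datagram).

    Returns (teid, inner_packet) for a G-PDU, or None for any other message
    type and for malformed or truncated input.
    """
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTP_MSG_GPDU:
        return None                      # not GTP version 1 / not a G-PDU
    if len(payload) < 8 + length:
        return None                      # truncated capture
    body = payload[8:8 + length]
    if flags & 0x07:                     # E, S or PN set: 4 optional octets follow
        if len(body) < 4:
            return None
        next_ext = body[3] if flags & 0x04 else 0
        body = body[4:]
        while next_ext:                  # walk the extension-header chain
            if len(body) < 4 or body[0] == 0 or len(body) < body[0] * 4:
                return None
            ext_len = body[0] * 4        # length is counted in 4-octet units
            next_ext = body[ext_len - 1]
            body = body[ext_len:]
    return teid, body


def inner_ipv4_fields(packet: bytes):
    """Header-only view of the tunnelled IPv4 packet; the payload is never read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "length": struct.unpack("!H", packet[2:4])[0],
    }


def build_sample(with_extension: bool = False) -> bytes:
    """Constructed sample: a 40-byte IPv4/TCP packet wrapped in a G-PDU."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.7"), socket.inet_aton("203.0.113.9"))
    ip += bytes(20)                                  # zeroed TCP header
    if with_extension:
        flags = 0x34                                 # v1, PT=1, E=1
        opt = struct.pack("!HBB", 0, 0, 0x85)        # next extension type 0x85
        opt += bytes([1, 0x10, 0x09, 0])             # one 4-octet extension, end of chain
    else:
        flags = 0x32                                 # v1, PT=1, S=1
        opt = struct.pack("!HBB", 1, 0, 0)           # sequence number 1
    header = struct.pack("!BBHI", flags, GTP_MSG_GPDU, len(opt) + len(ip), 0x1234)
    return header + opt + ip


if __name__ == "__main__":
    teid, inner = parse_gtpu(build_sample())
    print(hex(teid), inner_ipv4_fields(inner))
```

The TEID identifies the tunnel, so it can serve as the per-user key under which the timestamps and header fields are accumulated.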

Features:

(1) Inter-arrival Time. (Why does RRC still come into it???)
RRC signaling occurs whenever the UE sends or receives packets following an inactivity period that exceeds an RRC timer. Thus, the volume of traffic exchanged by a UE does not map directly into signaling load which is more influenced by the frequency of intermittent transmissions. To capture this coupling between the data and RRC signaling planes, we define a burst as a collection of packets whose inter-arrival times are less than δ seconds, where δ is smaller than the RRC timers, typically in the order of few seconds. Thus, for a sequence of packets whose arrival instants are {t1,t2... These are used to compute entropy features, means and so on.

(2) Packet Size.
The packet size distribution for a normal device can be markedly
different from that of a device that runs a misbehaving application. For example, when
signaling storms occur due to unexpected events in the Internet such as cloud outages

(3) Burst Rate.
Another obvious characteristic of signaling storms is the sudden
sustained rate acceleration of potentially harmful bursts generated by a misbehaving user.
Moving average of the burst rate per slot and entropy of the rates across the observation
window are used as features in order to capture, respectively, the frequent and repetitive
nature of nuisance transmissions. ...

(4) Destination Address.
The number of destination IP addresses for a normally
functioning mobile device can be very different from that of an attacker [42], whether the
attack originates from the mobile network due to a misbehaving application, or from the
Internet as in the case of unwanted traffic reaching the mobile network [56]. In the former,
the number of destination IP addresses will be very small compared  to the frequency of
bursts, while in the latter this number is high. Thus, we calculate the percentage of
unique destination IP addresses contacted within each time slot, and use the average of the most
recent w values as a feature.
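An added example (not the paper's code and not part of the original notes) that computes features of the four kinds listed above from one UE's packet headers: bursts split at gap δ, per-slot burst rate with its moving average and entropy, and the percentage of unique destinations. The exact definitions (entropy over the empirical distribution of per-slot burst counts, unique destinations divided by packets in the slot), the parameter values and both traces are assumptions constructed for illustration.

```python
import math
from collections import Counter


def split_bursts(times, delta):
    """Group sorted arrival instants into bursts (gap < delta keeps a burst open)."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] < delta:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def entropy_bits(values):
    """Shannon entropy of the empirical distribution of the observed values."""
    n = len(values)
    return sum(-c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def ue_features(packets, slot=60.0, delta=2.0, w=5):
    """packets: (timestamp_s, size_bytes, dst_ip) tuples for one UE.

    Returns features over the most recent w slots, or None without traffic.
    """
    if not packets:
        return None
    packets = sorted(packets)
    t0 = packets[0][0]
    n_slots = int((packets[-1][0] - t0) // slot) + 1
    starts = [b[0] for b in split_bursts([p[0] for p in packets], delta)]
    burst_rate = [0] * n_slots                       # bursts started per slot
    for t in starts:
        burst_rate[int((t - t0) // slot)] += 1
    dsts = [set() for _ in range(n_slots)]
    count = [0] * n_slots
    for t, _, dst in packets:
        i = int((t - t0) // slot)
        dsts[i].add(dst)
        count[i] += 1
    uniq_pct = [100.0 * len(d) / c if c else 0.0 for d, c in zip(dsts, count)]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    recent = burst_rate[-w:]
    return {
        "burst_rate_avg": sum(recent) / len(recent),
        "burst_rate_entropy": entropy_bits(recent),
        "uniq_dst_pct_avg": sum(uniq_pct[-w:]) / len(uniq_pct[-w:]),
        "inter_burst_mean": sum(gaps) / len(gaps) if gaps else 0.0,
        "pkt_size_mean": sum(p[1] for p in packets) / len(packets),
    }


def sample_chatty():
    """Constructed trace: a 2-packet, 40-byte burst to one server every 6 s."""
    return [(6.0 * k + off, 40, "198.51.100.1") for k in range(50) for off in (0.0, 0.1)]


def sample_normal():
    """Constructed trace: irregular browsing to several servers."""
    return [(0.0, 1500, "192.0.2.1"), (0.5, 1500, "192.0.2.1"), (1.0, 400, "192.0.2.2"),
            (70.0, 1200, "192.0.2.3"), (70.3, 1500, "192.0.2.3"), (200.0, 600, "192.0.2.4"),
            (200.2, 1500, "192.0.2.5"), (290.0, 800, "192.0.2.6")]


if __name__ == "__main__":
    for name, trace in (("chatty", sample_chatty()), ("normal", sample_normal())):
        print(name, ue_features(trace))
```

The periodic trace shows the signature the features are meant to expose: a high, perfectly regular burst rate (entropy 0) against a very small share of unique destinations.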

Detection results:

The results indicate an accuracy between 88% and 98% with an average of 93% over the 50 test cases. This fluctuation can be attributed to the fact that our algorithm does not classify an attack as such until few time slots have passed (depending on the number of slots w within the window), and therefore misbehaving UEs with many silent periods will produce higher false positives; fortunately, these less aggressive UEs will generate lower signaling load.

In other words, if many malicious UEs go silent after performing malicious operations, false positives become likely.

 

 

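Distribution-based anomaly detection via generalized likelihood ratio test: A general Maximum Entropy approach: the signaling-storm detection method it mentions also examines the UE's signaling time series and computes entropy features to identify malicious UEs. Similar to the article read earlier.

Detecting MS Initiated Signaling DDoS Attacks in 3G/4G Wireless Networks: takes a supervised approach. Does it classify using data-plane packets??? It seems so. One sentence in it is the core: "examine IP packets to infer the presence of a malicious signaling attack application." That is, by inspecting data packets it checks whether this UE is sending network data to other, different UEs (which may cause those UEs to be paged), which is why the paper uses things like destination-IP entropy features for detection. ("all IP packets generated by a MS (UE) to infer the presence of a signaling attack application.")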

considered the detection of mobile-initiated signaling attacks via
a supervised learning approach, which monitors transmissions that trigger a radio access
bearer setup procedure, and extracts from the corresponding packets features relating to
destination IP and port numbers, packet size and response-request ratio

Excerpt from the abstract: propose
a new detector that examines a subset of IP packets transmitted
by a mobile station (MS) to determine its infection status. Service
providers can install this detector anywhere in the data path, i.e.,
MS, Base Station (BS), gateway, etc., to detect and quarantine
infected terminals. The proposed algorithm was trained using one
week of IP packet traces generated by 62 different smartphones.
Results indicate that this method can detect most types of
signaling attacks with more than 0.9 detection probability and
less than 0.1 false alarm probability.

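On the sample collection in the paper: they collected IP packets from mobile UEs, then wrote their own malicious app to force paging and cause a signaling storm. As the paper says: The attack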
program sends small sized IP packets from the Internet host to
a large number of MS, causing many of them to transition from
STANDBY to READY mode. This can dramatically increase
the core network signaling load resulting in network wide
service degradation.

 

The classifier was trained using one week long IP traffic
traces collected from 62 different smartphones (23 Android,
6 Nokia, 5 iPhone, 2 Windows Mobile, 5 Samsung Bada,
1 Blackberry, 20 unidentified) that belong to undergraduate
university students. These traces were used to form labeled
training samples of normal MS. For malicious MS, since our
search for an existing signaling attack application did not yield
any results, we were compelled to generate our own attacks.
We generated 7 different types of attacks to train and test our
system and the results were very encouraging in most cases.
The detector when trained using a particular type of attack
was tested using both the same type of attack and a different
type of attack for which it had no prior training.

Features: basically the usual techniques of network traffic detection!!

The paper uses an SVM for classification!!!

Attack methods:

When in a state, the
probability of staying in that state is 0.95 and the probability
of transitioning to the other state is 0.05. As another example,
attack 2 was a TCP SYN attack, where the TCP packets had
fixed source and destination ports, the payload length was
0, and inter-arrival times were random (from markov chain
model). The destination IPs were randomly drawn from a set
of ten responsive IPs (e.g., google.com). Attack 5 consisted of
IP packets with destination UDP port 53 (DNS) sent to one
of the commonly used DNS servers (e.g., google DNS).
In another type of attack (A6), our malicious program
established a TCP connection with a web server and retrieved
the webpage using linux wget. The inter wget time was

 

 

Countering mobile signaling storms with counters: this is the state-transition model paper, done for 3G. It uses a threshold model.

 

 

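mitigating signaling based attacks on smartphones: modifies the Android low-level stack directly to mitigate signaling storms... unbelievable, completely impractical!!! The paper: "In this work, we propose a protection system that resides on the phone. Our solution divides the phone's software stack into an application operating system partition and a communication partition. The application system is a standard, full-featured Android system. Communication with the cellular network, on the other hand, is mediated by a flexible monitoring and enforcement system running on the communication partition. We implemented and evaluated our protection system on real smartphones. Our evaluation shows that it can mitigate all currently known signaling-based attacks."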

 

 

 

 Security Attacks Against the Availability of LTE Mobility Networks: Overview and Research Directions

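Discusses the causes of DDoS attacks: see the figure, it is well written. In particular, it classifies and analyzes the causes of DDoS attacks: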

 

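Recent trends of distributed denial of service (DDoS) attacks affecting the availability of communication systems illustrate the importance of strengthening the resilience of mobile networks against denial of service (DoS) and DDoS threats, thereby ensuring the availability of LTE networks against security attacks. Meanwhile, the emergence of advanced persistent threats (APTs) has upended common assumptions about attackers and threats. When it comes to well-planned and well-funded cyber attacks, the scale of the threat is no longer the key factor. Instead, scenarios such as a local DoS attack against the cell service around a large company's headquarters or a stock exchange become very important. Therefore, traditionally overlooked small-scale threats, such as radio jamming, should not be deprioritized in security research.

Supplement: radio jamming is a common threat to all kinds of wireless networks. Beyond designing jamming mitigation and blocking techniques, it is important to ensure that the main control and broadcast channels of mobile networks are protected against radio jamming. This prevents smart jamming attacks, in which an attacker can block access to an entire cell with a low-power, low-bandwidth signal. Initial proposals for security solutions to this problem are presented in [8].

For example, with the current outbreak of mobile malware, the possibility of a botnet of infected phones attacking the cellular network is closer to reality. A real, milder version of this scenario has already been observed in the wild, where poorly programmed applications caused severe service degradation for cellular carriers.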

New research directions are proposed to tackle the major security concerns and architectural challenges of LTE, covering all the network layers. For example, the Physical Layer (PHY) should be revisited to address the growing threat of new sophisticated radio jamming attacks [8], [9]. Moreover, the mobility network architecture should be flattened and distributed to prevent large loads of signaling traffic in the LTE EPC as a result of common NAS (Non-Access Stratum) operations, such as idle-to-connected and connected-to-idle Radio Resource Control (RRC) state transitions. Such signaling overloads are known to be a potential way to attack a mobility network [10]. Note that this challenge becomes highly important with the expected rapid increase of the number of connected devices.

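This mentions that transitions from the idle to the connected state cause a large amount of signaling.

Amplification attacks: meanwhile, some theoretical studies have pointed out the potential risk of amplification attacks against the EPC. Specifically, it is well known that a single simple event on the phone side (a state transition in the RRC state machine) requires a large number of messages to be exchanged among several EPC nodes. In theory, this could be exploited to mount a DDoS attack [10], [19]. Because an instant messaging application installed on many smartphones checked its server for updates very frequently, parts of the network of a major US mobile operator became highly saturated [4]. This caused a large number of connect/disconnect events at the EPC's RRC engine, resulting in a very large load on the EPC.

The key part of reference [10] (On the Detection of Signaling DoS Attacks on 3G Wireless Networks): it is really just RRC connection and release!!!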

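To do this, an attacker first sends a low-volume packet burst to a mobile device. If the mobile currently has no radio channel, the network allocates a new one to complete the data transfer. After an inactivity timeout, the radio channel is torn down to reclaim it for use by others and to help conserve the mobile's energy, which would otherwise be wasted on holding the channel. Immediately after the channel is released, the attacker sends another low-volume packet burst to the mobile in order to trigger another radio channel establishment. By doing this repeatedly at appropriate intervals, a considerable number of signaling operations can be generated.

The paper's example: similar to WeChat's heartbeat mechanism.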

Thus, the signaling attack can effectively evade
detection by today’s intrusion detection/prevention systems,
which are effective mostly against flooding-based DoS attacks.
To understand the damage caused by the signaling attack,
suppose that a 3G wireless network has inactivity timeout set
to 5 s and that an attacker generates a 40-byte packet burst.
By sending packet bursts periodically at a time slightly larger
than 5 s, the attacker generates only 64bps attack traffic, which
is invisible to volume-based detection systems. If the attacker
is using a cable modem with 1Mbps uplink bandwidth, then
it can simultaneously attack approximately 160K mobiles, a
number potentially sufficient to bring down a wireless network
infrastructure that serves a large metropolitan area

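2) Signaling amplification attack: a mobile network does not have enough radio resources to serve every customer at the same time. Typically, resources are deployed so as to sustain peak traffic hours, and where a load spike is known a priori, extra capacity can be deployed temporarily [27].
The scarcity of bandwidth requires advanced techniques to reuse idle resources efficiently. When a connection has been idle for a few seconds, the network's RRC engine reallocates the radio resources of the given user. When the inactivity timer expires, the radio bearer between the mobile device and the core network is closed, and those resources become available to be reassigned to another UE. At this stage the UE moves from the connected state to the idle state.
Each instance of bearer teardown and setup involves a large number of control messages exchanged among nodes within the EPC. If not managed properly, this signaling load can lead to large-scale saturation of the network, which could be exploited in the context of a DDoS attack [10]. This effect has already been seen in ..: a poorly designed instant messaging application checked its server for new messages too often and flooded part of the cellular network of one of the major US providers [4].
A botnet of infected mobile devices could be used to generate a signaling amplification attack by forcing each terminal to constantly establish and release IP connections with an external server [19]. A piece of malware could also trigger mobile phones to reboot simultaneously, potentially overloading the EPC with registrations once they restart. Such saturation of the EPC may also occur legitimately, due to the overwhelming amount of traffic and frequent reconnections of billions of M2M nodes [16].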

 

Detection method:

In the context of the signaling attack detection, for each
remote host, the CUSUM test monitors a set of n inter-setup
time samples {t1, t2, ..., tn}...

Upon the arrival of a packet P (either inbound or outbound), the detection algorithm first determines the corresponding flow F, which identifies mobile M and remote host R

(Page footer captured with the quote: This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE INFOCOM 2007 proceedings.)

It works by capturing (signaling) packets, which is not feasible in industrial deployments; there are huge performance problems.

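A non-parametric CUSUM test has been proposed to detect flooding-based DoS attacks based on periodic sampling. In this paper, we propose a different CUSUM-based method that is suitable for detecting low-rate signaling attacks and ensures that no attacker can intelligently escape from our detection mechanism.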
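A simplified sketch of the per-packet flow in the "Detection method" quotes above, added here as an example; it is not code from the paper or the original notes, and the paper's own statistic is not reproduced on this page. The scoring rule (an inter-setup time just above the inactivity timeout scores 1), the parameter values and all names are assumptions, and the trace is constructed.

```python
from collections import defaultdict


class SignalingCusum:
    """Per-remote-host one-sided CUSUM over inter-setup times.

    Assumptions of this sketch: a packet triggers a radio channel setup when the
    mobile has been silent for longer than `timeout`; an inter-setup time that
    falls in (timeout, timeout + margin] scores 1, anything else scores 0.
    """

    def __init__(self, timeout=5.0, margin=1.0, drift=0.5, threshold=8.0):
        self.timeout, self.margin = timeout, margin
        self.drift, self.threshold = drift, threshold
        self.last_activity = {}           # mobile M -> time of its last packet
        self.last_setup = {}              # flow (M, R) -> time of last setup R caused
        self.stat = defaultdict(float)    # remote host R -> CUSUM statistic
        self.flagged = set()

    def on_packet(self, ts, mobile, remote):
        """Process one packet (inbound or outbound); True if `remote` is flagged."""
        prev = self.last_activity.get(mobile)
        self.last_activity[mobile] = ts
        if prev is not None and ts - prev <= self.timeout:
            return remote in self.flagged          # channel still up, no setup
        flow = (mobile, remote)
        last = self.last_setup.get(flow)
        self.last_setup[flow] = ts
        if last is not None:
            gap = ts - last                        # inter-setup time sample
            hit = self.timeout < gap <= self.timeout + self.margin
            self.stat[remote] = max(0.0, self.stat[remote] + hit - self.drift)
            if self.stat[remote] > self.threshold:
                self.flagged.add(remote)
        return remote in self.flagged


def sample_trace():
    """Constructed trace of (time_s, mobile, remote_host) tuples."""
    trace = []
    for k in range(30):                            # one host, 4 mobiles, every 5.2 s
        trace += [(5.2 * k + 0.01 * m, f"ue{m}", "203.0.113.50") for m in range(4)]
    for t in (0.0, 1.0, 2.0, 40.0, 41.0, 130.0, 131.0):   # ordinary bursty browsing
        trace.append((t, "ue9", "198.51.100.7"))
    for k in range(6):                             # 30 s keep-alive, well above the timer
        trace.append((30.0 * k, "ue8", "192.0.2.10"))
    return sorted(trace)


def run_detector(trace, **params):
    """Feed a time-ordered trace through a fresh detector; return flagged hosts."""
    det = SignalingCusum(**params)
    for ts, mobile, remote in trace:
        det.on_packet(ts, mobile, remote)
    return det.flagged


if __name__ == "__main__":
    print(run_detector(sample_trace()))
```

Because the statistic resets to zero on benign samples and only accumulates on setups timed just past the timer, the low traffic volume of the pattern does not hide it, which is the property a volume-based detector lacks.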

The paper also mentions related work on DoS attacks (TODO: still to read):

Other forms of DoS attacks
that specifically target wireless networks include packet-forwarding
disruption [3], [10], base-station impersonation
[19], control-channel congestion via a sufficient number of
SMS messages [7], and depletion of mobile batteries [21]. In
particular, the DoS attack in [7] saturates the control channels
for SMS communication, while that in [21] keeps a mobile in
a high-battery-consumption state. Both of the attacks, similar
to ours, can be achieved with low-volume attack traffic. On
the other hand, the signaling attack considered in this paper
exploits the heavy signaling overhead in 3G wireless networks.
Statistical online detection schemes have been studied by
[14], [27] for countering DoS attacks. Specifically, [14] focuses
on detecting malicious connection attempts based on
Wald’s test [26]. However, this detection scheme requires a
priori probability distributions for the benign and malicious
behaviors. In contrast, [27] propose a non-parametric CUSUM
test to detect flooding-based DoS attacks based on periodic
sampling. In this paper, we propose a different CUSUM-based
method that is suitable for detecting the low-rate signaling
attack and ensure that no attacker can intelligently escape from
our detection mechanism.

 

Detection of malicious base station attacks through the carrier analysis: fake base stations, downgrade attacks

  Abstract:
In 2G and 3G mobile standards there are vulnerabilities caused by the use of false Base Station (BS). In 3G security architecture offers protection against BS attacks, however when the User Equipment (UE) is configured in automatic GSM/3G mode this UE can accept connections coming from GSM/GPRS BSs that are configured as an attacker finally establishing a connection with such malicious BTS located within the UE's coverage area. Even without the use of a frequency jammer, potential attack danger exists because the connection between an UE and the fake BTS can be achieved if the BS is transmitting with more power than the real base station, and the UE enters in the handover process imposed by the 2G standard.
 
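Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems: note that this is 4G; see the comments section. Of little value, especially from the point of view of detection on the radio base station side and in the core network.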
https://arxiv.org/pdf/1510.07563.pdf
We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: In our experiments, a semi-passive attacker can locate an LTE device within a 2 km² area in a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols.

The actual attack types include:
LOCATION LEAK ATTACKS OVER AIR INTERFACE
DOS ATTACKS ON LTE AIR INTERFACE
 
A SURVEY ON THREATS, VULNERABILITIES AND SECURITY SOLUTIONS FOR CELLULAR NETWORK

Cellular networks generations have suffered many threats such as eavesdropping and phone cloning, impersonation of a user, Man
in the middle, compromising authentication vectors in the network, spoofing, camping on a false
BTS, Denial of Service (DoS), passive identity caching, encryption suppression, suppressing
encryption between the target user and the intruder, eavesdropping on user data by suppressing
encryption, hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from Eavesdropping signaling or control data, Masquerading as a user,
Masquerading as a serving network, jamming the user’s traffic and Denial of Service (DoS).
The common attacks in LTE are Distributed Denial of Service (DDoS) and Denial of Service (DoS)
attacks. Other threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
interception and cryptanalysis of IP traffic.
2. SECURITY AND PRIVACY SERVICES
The most critical issue in cellular network is personal privacy requirements which would involve
security and privacy services. Due to the increasing number of m-business, security services will get
more critical in the future cellular system. Such services include entity authentication of the
principal entities, data confidentiality, data integrity, message origin and destination authentication,
anonymity, location confidentiality and identity confidentiality, untraceability, transaction
confidentiality and privacy.
Principal entities have identity structures to be authenticated. The main entities may have multiple
identities. Some of these identities may be public while others may be unknown. The identities may
be long lived or they may be short lived.
Data confidentiality protects the data against eavesdrop attack. Data integrity protects the data
against unlawful modification. Message origin and destination authentication provide corroboration
of the transmitter/receiver identities or more the associated routing addresses. These services are
provided by symmetric and asymmetric cryptographic methods.
The subscriber may not want to publish his/her identity. The subscriber identity that it may be the
system identity and international mobile subscriber identity (IMSI) is known for both the home
operator and the serving network. So it should be protected against eavesdropping on the radio
interface by any third party. The home operator is required to know the legal identity of the
subscriber.
Location confidentiality and identity confidentiality are provided by the existing systems but no
authoritative solution is yet provided for the current 2G/3G/4G systems. The issue is tied to identity
management to solve the problem of the mobile cellular and network identity management with
authentication at the link layer level.
The intruder may not able to derive the name or network address of the subscriber, but could
successfully trace the subscriber based on radio transmission properties. This arises the concepts of
untraceability and transaction confidentiality privacy.
3. THREATS/ INTRUDERS
Two main motivations for attackers are theft of service and interception of data. Theft of service
comes in many forms, but the most technically interesting is the cloning of a phone. When
“cloning” a phone, attackers steal the identifying information from a legitimate phonetic and load it
to another phone.
Data interception of mobile phone networks is a similar threat to other wireless networks. Using
relatively unsophisticated tools can listen to the transmissions of the phone and the base station in
an effort to eavesdrop on the voice and data transmissions occurring. The largest defense to this
type of attack is encryption of the data in the air.
An intruder may be attempted to eavesdrop on user traffic, signaling data and control data, or
disappear in many forms such as a legitimate party in the use and saving or management of cellular
network services.
The role of the intruders attempts to violate the confidentiality, integrity, availability of Cellular
network, their services or fraud users, home environments or serving networks or any other party.

 

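It roughly covers these key points:

Cellular network generations (1G, 2G, 3G...) have suffered many threats, such as eavesdropping and phone cloning, impersonation of a user, man in the middle, compromising authentication vectors in the network, spoofing, camping on a false BTS, denial of service (DoS), passive identity caching, encryption suppression, suppressing encryption between the target user and the intruder, eavesdropping on user data by suppressing encryption, and hijacking outgoing calls in networks with encryption disabled.
UMTS systems suffer from eavesdropping on signaling or control data, masquerading as a user, masquerading as a serving network, jamming the user's traffic and denial of service (DoS).
The common attacks in LTE are distributed denial of service (DDoS) and denial of service (DoS) attacks. Other threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

The most critical issue in cellular networks is personal privacy requirements, which involve security and privacy services. With the growing volume of mobile business, security services will become more critical in future cellular systems. These services include entity authentication of the principal entities, data confidentiality, data integrity, message origin and destination authentication, anonymity, location confidentiality and identity confidentiality, untraceability, transaction confidentiality and privacy.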

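On threats to 3G it says:

Security threats can be classified into several categories. The following describes the classification.
Unauthorized access to sensitive data. Eavesdropping: the intruder intercepts messages without detection. Masquerading: the intruder deceives an authorized user into believing that it is the legitimate system, in order to obtain confidential information from the user. Traffic analysis: the intruder observes the time, rate, length, source and destination of messages to determine a user's location. Browsing: the intruder searches data storage for sensitive information. Leakage: the intruder obtains sensitive information by exploiting processes with legitimate access to the data. Inference: the intruder observes a reaction from the system by sending a query or signal to the system.
Unauthorized manipulation of sensitive data: the intruder may modify, insert, replay or delete messages.
Disturbing or misusing network services includes the following threats. Intervention: the intruder may prevent an authorized user from using a service by jamming the user's traffic, signaling or control data. Resource exhaustion: the intruder may prevent authorized users from using a service by overloading it. Misuse of privileges: a user or serving network exploits its privileges to obtain unauthorized services or information. Abuse of services: the intruder may abuse some special service to gain an advantage or to cause disruption to the network.
Repudiation: a user or a network denies actions that have taken place.
Unauthorized access to services: intruders can access services by masquerading as users or network entities, and users or network entities can gain unauthorized access to services by misusing their access rights.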

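Threats on the air-interface side include:

The radio interface is subject to different attacks, such as:
Eavesdropping on user traffic: the intruder eavesdrops on user traffic.
Eavesdropping on signaling or control data: the intruder eavesdrops on signaling data or control data, which may be used to access security management data or other information useful for mounting active attacks on the system.
Masquerading as a communications participant: the intruder masquerades as a network element to intercept user traffic, signaling data or control data.
Passive traffic analysis: the intruder observes the time, rate, length, sources or destinations of messages to obtain access to information.
Denial of service (DoS) attacks come in several types, such as:
· Physical intervention: the intruder may prevent user traffic, signaling data and control data from being transmitted on the radio interface by physical means.
· Protocol intervention: the intruder may prevent user traffic, signaling data or control data from being transmitted on the radio interface by inducing specific protocol failures.
· Denial of service by masquerading as a communications participant: the intruder may deny service to a legitimate user by preventing user traffic, signaling data or control data from being transmitted on the radio interface by masquerading as a network element.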

 

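4G security issues: the core is still DoS attacks

4G system (LTE) security
Modern LTE cellular networks provide advanced services to billions of users, beyond traditional voice and short-message traffic. The coming attacks on LTE are distributed denial of service (DDoS) attacks. The availability of communication systems explains the importance of strengthening the resilience of mobile networks against denial of service (DoS) and DDoS threats, to ensure LTE network availability against security attacks.
Examples of threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

One figure in the paper illustrates this well: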

 

 

3G WCDMA Mobile Network DoS Attack and Detection Technology

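Covers DoS storms on the data plane and DoS attacks on the signaling plane.

On the GTP protocol: I looked it up. GTP is carried over TCP or UDP and is divided into a signaling plane and a transmission plane. The signaling plane defines many kinds of messages covering many important aspects of GPRS, while the transmission plane provides tunnels for packet transfer between GSNs.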

 

