On Cellular Botnets:
Measuring the Impact of Malicious
Devices on a Cellular Network Core
Patrick Traynor @Gatech
Michael Lin, Machigar Ongtang,
Vikhyath Rao, Trent Jaeger, Patrick
McDaniel and Thomas La Porta @Psu
ACM CCS 2009
.... We have background knowledge !
Background Knowledge
• Core Network in GSM
• Reference:
http://www.mobile01.com/topicdetail.php?f=18&t=1753
Background Knowledge (cont.)
• Glossary
▫ MSC: Mobile Switching Center
 Act as telephony switch and deliver circuit-switched
traffic in a GSM network
 Handoff (handover) / Roaming
 Update information with HLR
Background Knowledge (cont.)
▫ HLR: Home Location Register
 Users are assigned to specific HLR’s based on their
phone number
 The central repository of user profile data
▫ VLR: Visitor Location Register
 Each MSC has a VLR
 VLRs save all information of the cellphones in this
Location Area
Outline
•
•
•
•
•
•
•
•
•
Introduction
Overview of Cellular Systems
Attack Overview
Charactering HLR Performance
Profiling Network Behavior
Attack Characterization
Avoiding Wireless Bottlenecks
Attack Mitigation
Conclusion
Introduction
• Denial of Service attacks on HLR
• Botnets as small as 11750 phones can cause a
reduction of throughput of more than 90%
• Contributions:
▫ Attack Characterization and Quantification
▫ Reduce Adversary’s Workload
▫ Provide Intelligent Control Mechanisms
Overview of Cellular Systems
• Mobile Phone Architecture
▫ Application Processor
 Support normal OS functionality
▫ Baseband Processor
 Establish telephony and data links
 Invoke network supported services
• When a process needs to use the network, the
Application Processor passes an AT command to
the Baseband Processor
Overview of Cellular Systems(cont.)
• Mobile OS
▫ Windows Mobile, Android, Mobile OS X…
▫ Just begin to implement basic security
mechanisms
 Memory protection and separation of privilege
• 10% of cellular users downloaded games at least
once a month in 2007
Attack Overview
Attacker
Legitimate User
Attack Overview (cont.)
• Different from DoS on the Internet
▫ Mobile devices cannot transmit entirely arbitrary
requests to HLR
▫ Such requests must be made in a manner such
that unnecessary traffic or side effects are not
generated
Characterizing HLR Performance
• Telecom One (TM1) Benchmarking Suite
▫ MQTh: Maximum Qualified Throughput
• Setting:
▫ HLR:
 Xeon 2.3 GHz * 2 + 8 GB RAM
 Linux 2.6.22
 MySQL 5.0.45 or SolidDB v6.0
Characterizing HLR Performance
• Normal HLR Behavior
▫ The number of subscribers per HLR
 Reality: 100000 ~ five million
▫ The rate and type of service requests
Characterizing HLR Performance
• MQTh vs Numbers of subscribers
Characterizing HLR Performance
• MySQL
▫ Only caching data and indexes are stored in
memory
• SolidDB
▫ All in memory
Characterizing HLR Performance
• Different commands on MySQL
Characterizing HLR Performance
• Different commands vs Number of subscribers
Profiling Network Behavior
• Setting:
▫
▫
▫
▫
Nokia 9500 with Symbian S80
Motorola A1200 with Linux kernel 2.4.20
Live cellular network
AT command + 2 sec delay
 Repeat 200 times during low traffic hours
 Some phones caused extended delays as immediate
execution
Profiling Network Behavior (cont.)
• GPRS Attach: update_location
Profiling Network Behavior (cont.)
• Avg: 2.5 sec // Peak: 3 sec
Profiling Network Behavior (cont.)
• Comparsion: GPRS Detach
Profiling Network Behavior (cont.)
• GPRS Attach
▫ Turnaround time:




3 sec response time + 2 sec command delay
0.2 commands per second
But.. Only one in five commands reach the HLR
0.2/5 = 0.04 commands per second
Profiling Network Behavior (cont.)
• Call Waiting: update_subscriber_data
Profiling Network Behavior (cont.)
• Avg: 2.5 sec
Profiling Network Behavior (cont.)
• Call Waiting
▫ Turnaround time:
 2.5 sec + 2 sec
 0.22 commands per second
 Better than update_location
Profiling Network Behavior (cont.)
• Insert/Delete Call Forwarding
▫ insert_call_forwarding / delete_call_forwarding
Profiling Network Behavior (cont.)
• Avg: 2.7 sec (insert) / 2.5 sec (delete)
Profiling Network Behavior (cont.)
• Insert Call Forwarding
▫ 0.21 commands per second
▫ Extra database read
• Delete Call Forwarding
▫ 0.19 commands per second
▫ Only can be sent if call forwarding is enabled
• Choose insert_call_forwarding
Attack Characterization
• The effect of an attack on HLR with 1 million
users (MySQL)
Attack Characterization
• With SolidDB
Attack Characterization
• MySQL:
▫ Normal condition: 11750 infected mobile phones
 1.2%
▫ High traffic: 23500 infected mobile phones
 2.4%
• SolidDB:
▫ 141000 infected mobile phones
 14.1%
Avoiding Wireless Bottlenecks
• Random Access Channel (RACH) Capacity
▫ TDMA
 Timeslot: 0.577 ms
 A frame: 8 timeslots = 4.615 ms
▫ Slotted ALOHA protocol
Avoiding Wireless Bottlenecks
• Max throughput S
S  Ge
G
▫ S is maximized at 37% when G=1
▫ G is the number of transmission attempts per
timeslot
Avoiding Wireless Bottlenecks
• The offered load, G, also known as ρ, is defined
as:
 


▫ λ is the arrival rate in commands per second
▫ 1/μ is the channel hold time (4.615 ms)
▫ ρ = 1/0.004615 * 0.37 = 80 transmission per sec
Avoiding Wireless Bottlenecks
• The attack would need to be distributed over α
base stations:
 
5000 messages/s
ec
3 sectors/ce ll * 80 RACH transmiss
  21 base stations
.
ions/sec
Avoiding Wireless Bottlenecks
• Standalone Dedicated Control Channels
(SDDCH)
▫ Sectors in GSM allocate 8 or 12 SDCCHs
▫ We hold SDCCH for 2.7 sec (insert_call_forwarding)
 SDCCH  1
 
 
2 .7
 0 . 37
msgs/sec
sectors * SDCCHs *  SDCCH
5000
3 * 12 * 0 . 37
 375 base stations
Command and Control
• Internet Coordination
▫ 3G
• Local Wireless Coordination
▫ Bluetooth / WiFi
• Indirect Local Coordination
▫ Via RACH
Attack Mitigation
• HLR Replication?
• Filtering
• Call gapping
Conclusion
• Small botnets composed entirely of mobile
phones pose significant threats to the availability
of these network
• C & C channel is more challenging in this
environment