Warnings of Botnets: Overwhelming Multiple HLRs

Cole Keever
School of Computer Science, Columbus State University, Columbus, GA

Abstract— The degradation of cellular networks, and the ability of a botnet to carry out large-scale malicious attacks against them, has become a rising concern in mobile networking. In this manuscript we examine the techniques used in the paper On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core to demonstrate the impact of an attack on a cellular network and the capability of a botnet to degrade a large portion of the network under threat. Through recent studies and careful comparison we present new ideas and problems associated with the use of malicious software agents on a targeted network. In contrast to the work presented in that paper, we discuss an alternative approach that we consider more viable for the future and for real-world networks. We conclude this manuscript with the idea that protection of the network starts at the user level. For this reason, the individual mobile device will serve as the first line of defense by preventing the execution of a large number of network service requests.

I. INTRODUCTION

Individuals and groups writing malicious software seem to prevail in their ability to overcome network security measures. People increasingly rely on mobile devices to perform activities over a cellular network. The author suggests that these cellular networks are less likely to withstand the malicious activity that the core infrastructure of the Internet has sustained over the years. The emerging threat that botnets introduce to a network may be characterized by their ability to degrade a network core. Traditionally, there has been little motive for the creation of such botnets in a cellular network, since malware writers have been more focused on crimes that involve identity theft.
However, the recent popularity of new technology such as smartphones and iPhones has motivated cybercriminals to turn to mobile networking. The more personal information is stored on devices attached to a cellular network, the greater the incentive to create malicious attacks on that network. Even though there are many forms of attack on a cellular network, this paper focuses on overloading the network core. The author explains that these attacks may be accomplished through the execution of network service requests; specifically, the attacks use selected service request types against the main database of a mobile network. This database, known as the Home Location Register (HLR), contains important information about the mobile subscriber. The author presents the HLR as the target of the attack throughout the course of the paper. The author demonstrates the significance of the experiment, explaining that experimental results show that botnets as small as 11,750 phones can cause a reduction in throughput of more than 90% to area-code sized regions supported by most currently deployed systems [1]. These results justify the author's concerns regarding the vulnerability of the mobile network.

The paper is in fact relevant to the issues that surround mobile security today. For instance, researchers recently wrote an application for Android smartphones that builds a mobile botnet. The application, which poses as a weather application, gathers information on the users who download it [2]. The researchers involved in the weather app experiment estimated that nearly 8,000 iPhones and Android smartphones were infected, over 65% of the estimated 11,750 needed to bring down an HLR. Even though the author's experiment was limited to an area-code sized region, this research strengthens the possibility of reaching the minimum botnet size needed to significantly reduce the throughput of a single HLR.
While the paper offers a convincing warning, the author's approach is only applicable to a single HLR serving a large number of malicious devices. For this reason the approach depends on the future popularity and spread of highly capable devices such as the iPhone and other smartphones. For instance, the author states that while such numbers may appear large, they typically represent less than 2% and 15% of phones assigned to a single HLR. However, the botnet only contains devices that have advanced features such as Bluetooth or web connectivity, so the malware may only spread through these types of phones. We should therefore disregard the total number of phones assigned to a single HLR and focus on the number of highly capable devices assigned to it.

Even though the paper highlights a potential problem, the author never presents a definite solution. The author explains that this is not the intent of the paper, stating that the work should be viewed as a warning of the increasingly sophisticated attacks possible in telecommunications infrastructure. Even so, the paper offers some suggestions that may lessen the likelihood of an attack, such as database replication, filtering, and shedding. While these techniques serve as excellent methods of attack mitigation, the real threat to the network core lies in the network of bots that send the denial of service requests. This could be controlled by advanced security mechanisms that reside on the phones. It may be cheaper for manufacturers and service providers to require antivirus alternatives rather than change the network architecture. Although the author offers a unique approach to a potential problem, a real-world experiment might include the use of an unpublished phone application to demonstrate the spread of malcode. In this case, one might also consider the effects of such an attack on a larger scale.
This approach would analyze the growth rate of the unpublished application and the ability of multiple HLRs to handle an aggressively high volume of denial of service requests.

The remainder of the paper is structured as follows: Section II discusses related work, recent and past research that supports the significance of the paper. Section III presents our proposed solution to the problem. Section IV concludes the paper.

II. RELATED WORK

As the author states, denial of service attacks have been studied in a wide variety of systems. Targets including DNS roots [3, 4], software vendors [6, 7], news services [8], search engines [9] and online casinos [10] have all been overwhelmed by malicious traffic. Such attacks have even impacted resources and processes in the physical world, and caused significant outages in areas such as banking, emergency and even postal services [11, 12]. The research community has responded with significant attempts to both categorize [13] and mitigate [14, 15, 16, 17, 18, 19, 20, 21, 22] such problems. Unfortunately, such attacks are only beginning to be understood in the context of cellular networks.

In contrast to past research, the use of these attacks to overload mobile network HLRs had never been demonstrated and explored via experimentation; in the past, researchers focused entirely on the wireless domain. The use of a botnet to attack a mobile network has been studied before, however. The more personal information is stored on mobile devices, the more incentive there is for an attacker to harvest data [28]. Yet the use of these attacks for the purpose of overloading a cellular network is a new approach to understanding the vulnerabilities of a cellular network. The only work that demonstrates the ability of a botnet to overwhelm an HLR was proposed by Traynor [1]. Our approach extends this idea by attempting to simulate an attack on multiple HLRs.

III. SOLUTION

This manuscript takes a hybrid approach to demonstrate an attack on the core of a cellular network. We combine the efforts of Traynor [1] and the experimental results of Fleizach [5] to strengthen the theory that an attack on the core of a network is possible on a nationwide level. Testing performed by Traynor [1] provides evidence that a cellular botnet is capable of delivering an attack that would overwhelm a single HLR, while Fleizach [5] offers the best means of spreading the malcode capable of delivering such an attack. Traynor admits that the attack is more likely implemented on a nationwide scale. Therefore, we must predict the propagation of malware to a large portion of a mobile community. Traynor states that less than 2% and 15% of the phones assigned to a single HLR are capable of overloading the HLR. However, a local attack on an HLR suggests self-propagating malware that spreads over Bluetooth, and previous studies have indicated that Bluetooth is not the best means of spreading malware on a nationwide scale. The authors of Can you infect me now?: malware propagation in mobile phone networks [5] state:

"Most previous work on mobile phone malware propagation has focused on Bluetooth worms, such as Cabir [23] and CommWarrior [24], in which infected devices discover and infect victim devices based on physical proximity. Su et al. [25] went to various locations and measured Bluetooth usage and duration of contact, finding that half of the phones encountered were in sufficiently long contact for malware to transfer itself. Kostakos et al. [23] deployed Bluetooth monitoring equipment in downtown Bath, England, and found that only 8% of their users had discoverable Bluetooth devices, greatly limiting infection possibilities. Mickens and Noble [26] modified traditional analytic models to create a probabilistic queuing technique that accounted for movement and traffic patterns over various time durations. Zheng et al. [27] focused on modeling population distribution density, Bluetooth radius, and node velocity. Their results point to a variety of quarantine methods that could greatly reduce the virulence potential. In contrast to proximity-based contact worms, malware propagating through the communication network has the potential to spread more quickly, infect more devices, and cause more substantial disruption of the network infrastructure."

From this information we look toward a better means of creating a botnet large enough to deliver such an attack. Even though Bluetooth propagation is an insufficient way to develop the botnet, other self-propagating malware may be better suited to this approach. For instance, prior experimentation suggests that VoIP service is the optimum way to spread self-propagating malware [5]. Malware that propagates through user interaction, such as the Multimedia Messaging Service, is suggested as well; with this technique, two users do not need their phones powered on at the same time. In this approach we will use this data, along with statistical data on current users of multiple networks, to determine whether the means of propagation will support a botnet large enough to deploy an attack on the cellular network core.

To simulate the attack we would use the most recent version of the Telecom One benchmarking suite. We would take into consideration operational protocols, industry standards, and statistical results from the current network population. In contrast to Traynor's approach we would simulate the network's reaction to an attack on multiple HLRs. These changes would provide more realistic data. Next, the attack would be simulated using statistical data and predictability. We would consider the optimum time to issue an attack on the network and the best-suited meta-command to attack an HLR. There is no permanent solution to the vulnerabilities of a cellular network.
Even so, the author suggests several defenses that could mitigate the attacks performed by a botnet on the core of a cellular network. Initially, the author proposes database replication. However, the paper explains that the effectiveness of database replication rests on the assumption that an additional HLR can handle the additional load. Next, the author describes filtering and shedding as an additional approach. The paper suggests that because insert_call_forwarding, the request used in the experiment because of its effectiveness against an HLR, is not critical to the basic functioning of the network, such filters could be aggressively tuned without much worry about the impact of false positives. Thus, the network would handle the increasing volume of insert_call_forwarding requests. However, the paper warns that heightened traffic conditions may be mistaken for an attack. Although the author's suggestions are valid, they do not offer a real solution to the problem. Our solution, in this manuscript, is that the device will serve as the first line of defense by preventing the execution of a large number of network service requests.

IV. CONCLUSION

The rapid growth and development of cellular networks creates a new playing field for both cybercriminals and network security researchers. The use of a botnet to attack a cellular network core should be considered in the techniques developed to prevent widespread outages. More importantly, the impact of our proposal will serve as support for the possibility of a carefully deployed botnet attack against the cellular network core. Also, through statistical analysis of the population and experimental results, we will define a vulnerable network state. The results of this data may be used as a benchmark for further advancements in network security. Even so, a great portion of the data will be built on assumptions, which means that a real network may deviate from the results.
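As an added illustration (not part of this manuscript or of the papers it discusses), the following Python simulation models the two mitigation styles discussed in Section III and Section IV on constructed traffic: a per-device budget of m requests per n minutes, applied here to HLR service requests rather than to phone calls, and HLR-side shedding that drops non-critical request types such as insert_call_forwarding before critical ones. The HLR capacity of 20 requests per second, the 50 bots and 10 legitimate subscribers, and update_location standing in as a critical operation are all assumptions of the example, as are the request and device names.

```python
"""Device-side rate limiting and HLR-side shedding, simulated on constructed traffic."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    t: int        # arrival time in whole seconds since the start of the trace
    device: str   # subscriber / device identifier
    kind: str     # HLR operation name, e.g. "insert_call_forwarding"


# insert_call_forwarding is the non-critical request discussed in the paper;
# treating update_location as the critical operation is an assumption made here.
CRITICAL_KINDS = {"update_location"}


class DeviceRateLimiter:
    """Sliding window enforced on the device: at most m requests per n minutes."""

    def __init__(self, m: int, n_minutes: int):
        self.m = m
        self.window = n_minutes * 60
        self.history = defaultdict(deque)   # device -> timestamps still inside the window

    def allow(self, req: Request) -> bool:
        q = self.history[req.device]
        while q and req.t - q[0] >= self.window:
            q.popleft()                      # expire timestamps that fell out of the window
        if len(q) >= self.m:
            return False                     # over budget: the request never leaves the device
        q.append(req.t)
        return True


class HLR:
    """An HLR that completes `capacity` requests per second.

    With shed_non_critical_first=False it is plain FIFO: once capacity for a
    second is used up, whatever arrives next is dropped, critical or not.
    With shed_non_critical_first=True, critical kinds are served first and the
    remaining capacity goes to non-critical kinds such as insert_call_forwarding,
    which is the aggressive filtering/shedding the paper describes."""

    def __init__(self, capacity: int, shed_non_critical_first: bool):
        self.capacity = capacity
        self.shed_first = shed_non_critical_first

    def process_second(self, batch, stats):
        if self.shed_first:
            # sorted() is stable, so critical requests move ahead, others keep their order
            batch = sorted(batch, key=lambda r: r.kind not in CRITICAL_KINDS)
        for i, req in enumerate(batch):
            outcome = "served" if i < self.capacity else "shed"
            stats[(outcome, req.kind)] += 1


def constructed_trace():
    """Constructed input: 50 bots each sending insert_call_forwarding once per second
    for a minute, plus 10 legitimate subscribers sending update_location three times."""
    reqs = []
    for b in range(50):
        reqs += [Request(t, f"bot{b:02d}", "insert_call_forwarding") for t in range(60)]
    for s in range(10):
        reqs += [Request(t, f"sub{s}", "update_location") for t in (5, 25, 45)]
    # stable sort by time keeps the bots ahead of the subscribers within each second
    return sorted(reqs, key=lambda r: r.t)


def run_scenario(capacity=20, shed_non_critical_first=False, limiter=None):
    """Push the trace through the optional device limiter, then the HLR; return counters
    keyed by (outcome, request kind), where outcome is served, shed or device_dropped."""
    stats = defaultdict(int)
    hlr = HLR(capacity, shed_non_critical_first)
    per_second = defaultdict(list)
    for req in constructed_trace():
        if limiter is not None and not limiter.allow(req):
            stats[("device_dropped", req.kind)] += 1
            continue
        per_second[req.t].append(req)
    for t in sorted(per_second):
        hlr.process_second(per_second[t], stats)
    return dict(stats)


if __name__ == "__main__":
    print("FIFO HLR, no device limit:     ", run_scenario())
    print("Shedding HLR, no device limit: ", run_scenario(shed_non_critical_first=True))
    print("FIFO HLR, 3 requests / 1 min:  ", run_scenario(limiter=DeviceRateLimiter(m=3, n_minutes=1)))
```

The three scenarios make the trade-offs concrete: with a FIFO HLR every update_location from the legitimate subscribers is lost behind the bot traffic, critical-first shedding keeps all 30 of them at the cost of a few insert_call_forwarding requests, and a device-side budget of 3 requests per minute stops 2,850 of the 3,000 bot requests before they reach the network at all, although the bots still saturate the HLR during the first three seconds of each window.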
Our research does not identify a propagation technique that would achieve 100% success in developing a large botnet. We predict that a successful attack on the core of a network must propagate through many different means. Although researchers have suggested many ideas for preventing such an attack, most of these suggestions fail to completely resolve the issue without inconveniencing subscribers. For this reason we propose attacking the propagation of malware rather than the execution of an attack. This work demonstrates that an attempt to overwhelm an HLR is solely dependent on a large botnet. Therefore, if we reduce the potential size of a botnet we decrease the chance that the attack will succeed. We recommend that security platforms become standard on all mobile devices. The second alternative is rate limiting, in which the network limits the user to m phone calls every n minute(s) [5]. This may satisfy subscribers sufficiently during an attack.

ACKNOWLEDGMENT

We would like to thank Dr. Mohamed Chouchane and the Columbus State Computer Science Department. Any opinions, conclusions, or recommendations are those of the authors and do not reflect the views of the Columbus State Computer Science Department.

REFERENCES

[1] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. D. McDaniel, and T. F. La Porta. On cellular botnets: measuring the impact of malicious devices on a cellular network core. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors, ACM Conference on Computer and Communications Security, pages 223–234. ACM, 2009.
[2] K. J. Higgins. Smartphone Weather App Builds A Mobile Botnet. DarkReading, March 5, 2010. http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=223200001
[3] R. Farrow. DNS Root Servers: Protecting the Internet. Network Magazine, 2003.
[4] RIPE Network Coordination Centre. RIPE NCC DNS Monitoring Services. http://dnsmon.ripe.net/dnsservmon/domain/plot?domain=root&day=5&month=2&year=2007&hour=16&period=48h&plot%2F=SHOW, 2007.
[5] C. Fleizach, M. Liljenstam, P. Johansson, G. M. Voelker, and A. Mehes. Can you infect me now?: malware propagation in mobile phone networks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode, 2007.
[6] C. Haney. NAI is latest DoS victim. http://security.itworld.com/4339/NWW116617_02-05-2001/page_1.html, February 5, 2001.
[7] D. Ilett. Symantec website under DDoS attack. http://software.silicon.com/malware/0,3800003100,39150478,00.htm, 2005.
[8] P. Roberts. Al-Jazeera Sites Hit With Denial-of-Service Attacks. PCWorld Magazine, March 26, 2003.
[9] M. Richtel. Yahoo Attributes a Lengthy Service Failure to an Attack. The New York Times, February 8, 2000.
[10] S. Berinato. Online Extortion – How a Bookmaker and a Whiz Kid Took On an Extortionist and Won. CSO Online, May 2005.
[11] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4), July 2003.
[12] S. Byers, A. Rubin, and D. Kormann. Defending Against an Internet-based Attack on the Physical World. ACM Transactions on Internet Technology (TOIT), 4(3):239–254, August 2004.
[13] J. Mirkovic and P. Reiher. A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communication Review, 34(2):39–53, 2004.
[14] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Practical network support for IP traceback. In Proceedings of ACM SIGCOMM, pages 295–306, October 2000.
[15] J. Ioannidis and S. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2002.
[16] A. Juels and J. G. Brainard. Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 1999.
[17] A. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, 2002.
[18] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt, pages 294–311, 2003.
[19] L. von Ahn, M. Blum, and J. Langford. Telling humans and computers apart automatically. Communications of the ACM, 47(2):56–60, 2004.
[20] J. Wang, X. Liu, and A. A. Chien. Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network. In Proceedings of the USENIX Security Symposium, 2005.
[21] A. Stavrou, D. L. Cook, W. G. Morein, A. D. Keromytis, V. Misra, and D. Rubenstein. WebSOS: An Overlay-based System For Protecting Web Servers From Denial of Service Attacks. Journal of Computer Networks, 48(5), 2005.
[22] A. Stavrou, A. Keromytis, J. Nieh, V. Misra, and D. Rubenstein. MOVE: An End-to-End Solution To Network Denial of Service. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2005.
[23] F-Secure. F-Secure Virus Information Pages: Cabir. http://www.f-secure.com/v-descs/cabir.shtml.
[24] V. Kostakos. Experiences with urban deployment of Bluetooth (talk given at UCSD), March 2007. http://www.cs.bath.ac.uk/~vk/files/pres_ucsd.pdf.
[25] J. W. Mickens and B. D. Noble. Modeling epidemic spreading in mobile environments. In Proceedings of ACM WiSe'05, November 2005.
[26] J. Su, K. K. W. Chan, A. G. Miklas, K. Po, A. Akhavan, S. Saroiu, E. de Lara, and A. Goel. A preliminary investigation of worm infections in a Bluetooth environment. In Proceedings of ACM WORM'06, November 2006.
[27] H. Zheng, D. Li, and Z. Gao. An epidemic model of mobile phone virus. In Proceedings of International SPCA'06, January 2006.
[28] J. Oberheide and F. Jahanian. When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, 2010.