www.kandroid.org
Android Network Stack and Enhancement (3G/WiFi, IPV4/IPV6, SIP/VoIP)
Mar-11-2011 (Fri)
Geunsik Lim (Nick: 인베인), leemgs.at.gmail.com, blog.naver.com/invain
This document may be freely modified and redistributed for non-commercial use only, and the source must be credited.

CONTENTS - Android Network Technology Session
1. Computer Network
2. Understanding Linux Network Internals
3. Network Terminology (3G/WiFi, IPV4/IPV6, SIP/VoIP)
4. Differences Between IPv4 and IPv6
5. Network Information Management on Android Phone
6. Traffic Monitoring using tcpdump/netstat (including DNS Resolver)
7. Android Phone Attack using structural vulnerability
8. Connections between Network Instruments and Android Platform
9. References
10. Conclusion
11. Appendix: Network Scheduler for QoS, Network App for Study

What is Computer Network?
A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communications channels that facilitate communication among users and allow users to share resources. A computer network allows sharing of resources and information among interconnected devices.
* Source: wikipedia
7th Korea Android Technical Conference (www.kandroid.org) 3/38

Overlay Network
An overlay network is a virtual computer network that is built on top of another network. Nodes in the overlay are connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. For example, many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The Internet was initially built as an overlay on the telephone network.
[Figure: overlay layering - IP Layer on top of SONET/SDH Layer, on top of Optical Layer, on top of Site Layer]

Overview of Network Stack
The OSI model remains an important reference point for networking discussions even though it never took off for a variety of reasons.
The TCP/IP model covers most of the protocols used by computers today.

OSI Model (7 layers)                                                Data unit         TCP/IP Model (4 layers)
Host layers
  7 Application    Network process to application                   Data (message)    Application (SIP, HTTP, FTP, DNS, DHCP, IMAP, SMTP, SSH, XMPP, RTP, RTSP, H.323)
  6 Presentation   Data representation & encryption                 Data
  5 Session        Interhost communication                          Data
  4 Transport      End-to-end connections & reliability             Segment           Transport (TCP/UDP)
Media layers
  3 Network        Path determination & logical addressing (IP)     Datagram/Packet   Internetwork (IPv4, IPv6, ICMP, IGMP, ARP)
  2 Data link      Physical addressing (MAC & LLC)                  Frame             Link layer or host-to-network (Ethernet, Token Ring)
  1 Physical       Media, signal and binary transmission            Bits

Understanding Linux Network Internals
Combination of each layer by kernel functions
As we have seen, each layer provides a variety of protocols. Each protocol is handled by a different set of kernel functions. Thus, as the packet travels back up the stack, each protocol must figure out which protocol is being used by the next-higher layer, and invoke the proper kernel function to handle the packet.

Headers compiled by layers (a...d) on Host X as we travel down the stack, and on Router RT X:
  A  Message:            /web/site1.html
  B  Transport header:   Src port=5000, Dst port=80  |  Transport layer payload: /web/site1.html
  C  Network header:     Src IP=100.100.100.100, Dst IP=101.101.101.011, Transport protocol=TCP  |  Network layer payload: Src port=5000, Dst port=80, /web/site1.html
  D  Link layer header:  Src MAC=00:20:e1:77:00:02, Dst MAC=00:21:e6:32:00:01, Protocol=Internet Protocol  |  Link layer payload: Src IP=100.100.100.100, Dst IP=101.101.101.011, Transport protocol=TCP, Src port=5000, Dst port=80, /web/site1.html
Understanding Linux Network Internals
Android Linux Networking Architecture
[Figure: user space - applications (tcpdump, telnet, ping, tftp) on the BSD/Berkeley socket interface (PF_INET, PF_PACKET); kernel space - application layer (INET), transport layer L4 (UDP, TCP, ...), network layer L3 (IPv4, ARP; ptype_base), network neighboring, network device driver interface / queuing discipline (dev_queue_xmit), physical device drivers, physical device and media]

Understanding Linux Network Internals
/proc files used by the IPv4 routing subsystem
/proc/net  (inet_init, ip_rt_init, ip_mr_init, fib_proc_init)
  route, rt_acct, rt_cache, ip_mr_cache, ip_mr_vif
  stat/rt_cache
/proc/sys/net/ipv4  (IPv4/v6)
  ip_forward, icmp_echo_ignore_broadcasts
  route/  error_burst error_cost flush gc_elasticity gc_interval gc_min_interval_ms gc_thresh gc_timeout min_delay max_delay max_size min_adv_mss min_pmtu mtu_expires redirect_load redirect_number redirect_silence secret_interval
  conf/  (devinet_init, inetdev_init)  all, default, wlan0, lo, rmnet0 - each with accept_redirects accept_source_route forwarding mc_forwarding rp_filter secure_redirects send_redirects log_martians

Understanding Linux Network Internals
CPU's ingress queues
The device driver stores in the net_device structure the time its most recent frame was received, and netif_rx stores the time the frame was received in the buffer itself. The local CPU ID is needed to retrieve the data structure associated with that CPU in a per-CPU vector, such as the following code in netif_rx:
    queue = &__get_cpu_var(softnet_data);
[Figure: devices rmnet0, rmnet1, ..., rmnet n signal RxComplete / DMADone; each CPU (CPU 0, CPU 1) owns a softnet_data with its own completion_queue and input_pkt_queue, the latter bounded by netdev_max_backlog (300)]
3G/WiFi, IPV4/IPV6, SIP/VoIP
• 3G: the ITU specification for third-generation mobile communication technology (analog cellular phones were the first generation, digital PCS the second). 3G can raise the transfer rate up to 384 Kbps when the device is stationary or moving at walking speed, 128 Kbps in a vehicle, and up to 2 Mbps when fixed-mounted.
• Wi-Fi: the logo that the Wireless Ethernet Compatibility Alliance (WECA) provides for the 802.11b wireless Ethernet standard. Compatible PC cards and computers may use the Wi-Fi logo. WECA's mission is to certify the interoperability of Wi-Fi products and to promote Wi-Fi as the worldwide wireless LAN standard. (/system/etc/apns-conf.xml)
• IPv4 (Internet Protocol version 4): the fourth version of the Internet Protocol and the first Internet protocol used worldwide. It is described in IETF RFC 791 (September 1981). IPv4 is a protocol for exchanging data over a packet-switched network.
• IPv6 (Internet Protocol version 6): the network-layer protocol of the Internet Protocol stack, established as the next-generation Internet protocol, version 6. The biggest difference between IPv6 and the existing IPv4 is that the IP address length grows to 128 bits.
• VoIP (Voice over IP): IP telephony technology for the set of facilities that deliver voice information using IP. By implementing telephone service over the existing IP network, telephone users can receive long-distance and international call service in Internet and intranet environments for the price of a local call. (H.323, SIP, RTP, SDP, IMS, MGCP)
• SIP (Session Initiation Protocol): a signaling protocol defined by the IETF, widely used to control multimedia sessions such as voice and video calls; it lets one or more participants create, modify and terminate sessions together. (RFC 3261 standard, July 2002)

Differences Between IPv4 and IPv6 1/2
The IPv4 address space is 2^32, or 4,294,967,296, possible addresses (a little over 4 billion). In contrast, the IPv6 address space is 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38) possible addresses.
[Figure: 6to4 transition - IPv6 islands behind 6to4 routers, 6to4 tunnels across the IPv4 Internet, 6to4 servers/relays, native IPv6 hosts on the IPv6 Internet]

Differences Between IPv4 and IPv6 2/2
IPv4 header (20 octets):
  Version | IHL | Type of Service | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address
  Destination Address
  Options | Padding
IPv6 header (40 octets):
  Version | Traffic Class | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address (128 bits)
  Destination Address (128 bits)
* IHL: internet header length
* Details: RFC3697 (Flow Label)
LEGEND (colour-coded in the original figure): field's name kept from IPv4 to IPv6 / field not kept in IPv6 / name and position changed in IPv6 / new field in IPv6
[Figure: router processing - the main header is handled in the hardware engine, the hop-by-hop extension header is processed by the CPU, the upper-layer payload goes to the network scheduler; IN -> Router -> Out]

Android Manifest.{permission | permission_group} for Network
Android Manifest.permission_group for Network
  Type    Name      Description
  String  NETWORK   Used for permissions that provide access to networking services.
Android Manifest.permission for Network
  Type    Name                         Description
  String  ACCESS_NETWORK_STATE         Allows applications to access information about networks
  String  ACCESS_WIFI_STATE            Allows applications to access information about Wi-Fi networks
  String  CHANGE_NETWORK_STATE         Allows applications to change network connectivity state
  String  CHANGE_WIFI_MULTICAST_STATE  Allows applications to enter Wi-Fi Multicast mode
  String  CHANGE_WIFI_STATE            Allows applications to change Wi-Fi connectivity state
  String  INTERNET                     Allows applications to open network sockets.
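The header walk described on the layers slide (each layer reads its "next protocol" field and hands the rest up) and the IPv4/IPv6 header comparison above, as an added example that is not part of the slides: it builds the Ethernet/IP/TCP encapsulation from the figure (the 100.100.100.100 source and port 5000 -> 80 are the slide's values; the MACs, the IPv6 addresses and the 101.101.101.11 destination are constructed), then parses the frame back up the stack. The IPv4 branch verifies the 20-octet header checksum before trusting any field; the IPv6 branch has no checksum to check and reads Payload Length / Next Header / Hop Limit instead.

```python
# Added example (not from the slides): build and parse Ethernet -> IPv4/IPv6 -> TCP/UDP/ICMP.
import socket
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 1, 6, 17, 58


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum. Over a header whose checksum field is already filled in it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    # Version 4, IHL 5 (20 octets, no options), DF flag set; checksum computed with the field zeroed.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_pton(socket.AF_INET, src), socket.inet_pton(socket.AF_INET, dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    # Version 6, Traffic Class 0, Flow Label 0. IPv6 has no header checksum field.
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                       socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst)) + payload


def build_tcp(sport, dport, payload):
    # Minimal 20-octet TCP header: seq/ack 0, data offset 5, flags PSH|ACK, window 65535, checksum omitted.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_frame(src_mac, dst_mac, ethertype, payload):
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_transport(proto, data):
    """Dispatch on the IP layer's protocol / next-header value, as the kernel does per protocol."""
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", data[:4])
        hlen = (data[12] >> 4) * 4 if proto == PROTO_TCP else 8
        return {"l4": "TCP" if proto == PROTO_TCP else "UDP", "sport": sport, "dport": dport, "payload": data[hlen:]}
    if proto in (PROTO_ICMP, PROTO_ICMPV6):
        return {"l4": "ICMP" if proto == PROTO_ICMP else "ICMPv6", "type": data[0], "code": data[1], "payload": data[4:]}
    return {"l4": "unknown", "proto": proto, "payload": data}


def parse_ip(data):
    version = data[0] >> 4
    if version == 4:
        ihl = (data[0] & 0x0F) * 4
        if ihl < 20 or len(data) < ihl:
            raise ValueError("truncated IPv4 header")
        if ipv4_checksum(data[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        total_len, ttl, proto = struct.unpack("!H", data[2:4])[0], data[8], data[9]
        info = {"ip": 4, "src": socket.inet_ntop(socket.AF_INET, data[12:16]),
                "dst": socket.inet_ntop(socket.AF_INET, data[16:20]), "ttl": ttl}
        info.update(parse_transport(proto, data[ihl:total_len]))
        return info
    if version == 6:
        if len(data) < 40:
            raise ValueError("truncated IPv6 header")
        payload_len, next_header, hop_limit = struct.unpack("!HBB", data[4:8])
        info = {"ip": 6, "src": socket.inet_ntop(socket.AF_INET6, data[8:24]),
                "dst": socket.inet_ntop(socket.AF_INET6, data[24:40]), "hop_limit": hop_limit}
        info.update(parse_transport(next_header, data[40:40 + payload_len]))
        return info
    raise ValueError("unknown IP version %d" % version)


def parse_frame(frame):
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":")}
    if ethertype in (ETH_IPV4, ETH_IPV6):
        info.update(parse_ip(frame[14:]))
    else:
        info["ethertype"] = ethertype
    return info


def demo():
    msg = b"/web/site1.html"
    v4 = build_frame("00:20:e1:77:00:02", "00:21:e6:32:00:01", ETH_IPV4,
                     build_ipv4("100.100.100.100", "101.101.101.11", PROTO_TCP, build_tcp(5000, 80, msg)))
    v6 = build_frame("00:20:e1:77:00:02", "00:21:e6:32:00:01", ETH_IPV6,
                     build_ipv6("2001:db8::1", "2001:db8::2", PROTO_TCP, build_tcp(5000, 80, msg)))
    return {"ipv4": parse_frame(v4), "ipv6": parse_frame(v6)}


if __name__ == "__main__":
    for name, parsed in demo().items():
        print(name, parsed)
```

Flipping any byte of the IPv4 header (the TTL, say) makes parse_ip raise on the checksum before the transport header is even looked at; the IPv6 packet offers no such check at this layer, which is why the upper-layer checksum is mandatory there.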
  String  USE_SIP                      Allows an application to use SIP service
  String  RECORD_AUDIO                 Allows an application to record audio
* Source: http://developer.android.com/reference/android/Manifest.permission.html

How to Get Network Information (1/3)
http://developer.android.com/reference/android/net/ConnectivityManager.html
• Collect network information with the Connectivity Manager (android.net.ConnectivityManager)
• Permission - manifest.xml
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
• Method to get Network Info
    import android.content.Context;
    import android.net.ConnectivityManager;
    import android.net.NetworkInfo;

    // Returns 0 for the mobile (3G) network, 1 for Wi-Fi, 2 when no network is active.
    public int getNetworkInfo() {
        int result = 3;
        ConnectivityManager connectivityManager;
        NetworkInfo networkInfo;
        connectivityManager = (ConnectivityManager) this.getSystemService(Context.CONNECTIVITY_SERVICE);
        networkInfo = connectivityManager.getActiveNetworkInfo();
        if (networkInfo == null) {
            result = 2;
        } else {
            if (networkInfo.getType() == ConnectivityManager.TYPE_MOBILE)   // TYPE_MOBILE == 0
                result = 0; // 3G MOBILE
            else
                result = 1; // WIFI NETWORK
        }
        return result;
    }

How to Get Network Information (2/3)
• Method to get WiFi Information
    import android.net.wifi.WifiInfo;
    import android.net.wifi.WifiManager;

    public void getWifiInfo() {
        WifiManager wifimanager;
        wifimanager = (WifiManager) getSystemService(Context.WIFI_SERVICE);
        WifiInfo info = wifimanager.getConnectionInfo();
        String ssid = info.getSSID();
        tvWifi.setText("SSID : " + ssid);
    }

    // Variant of the body above that only appends an SSID to the on-screen log when it changes
    // (currwifi, prevwifi and strwifi are String fields of the Activity):
        currwifi = "SSID : " + ssid;
        if (!currwifi.equals(prevwifi)) {
            strwifi = strwifi + "SSID : " + ssid + "\n";
            prevwifi = currwifi;
        }
        tvWifi.setText(strwifi);
* SSID: Service Set IDentifier
* WifiManager wifi = (WifiManager) getSystemService(WIFI_SERVICE);
* DhcpInfo info = wifi.getDhcpInfo();

How to Get Network Information (3/3)
• Permission - manifest.xml
    <uses-permission android:name="android.permission.USE_SIP" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
• Method to get SIP/VoIP Information according to SipManager (on Gingerbread)
    // Excerpts from frameworks/base/voip/java/android/net/sip/SipManager.java
    public static SipManager newInstance(Context context) {
        return (isApiSupported(context) ? new SipManager(context) : null);
    }

    private SipManager(Context context) {
        mContext = context;
        createSipService();
    }

    private void createSipService() {                        // SipManager creation
        IBinder b = ServiceManager.getService(Context.SIP_SERVICE);
        mSipService = ISipService.Stub.asInterface(b);
    }

    public SipAudioCall makeAudioCall(SipProfile localProfile, SipProfile peerProfile,
            SipAudioCall.Listener listener, int timeout) throws SipException {
        SipAudioCall call = new SipAudioCall(mContext, localProfile);   // SipAudioCall
        call.setListener(listener);
        SipSession s = createSipSession(localProfile, null);
        …
        call.makeCall(peerProfile, s, timeout);
        return call;
    }

Hidden Secret Code
- *#*#4636#*#* for general settings like GSM/CDMA
  IMEI (International Mobile Equipment Identity), Phone number (if known), Current network, Ping test, Signal strength, Location (signal latency & Cell ID), Neighboring Cell IDs, Roaming state, GSM service status, GPRS service status, IMEI, Current network type, Message waiting status, Call redirect status, Call status
- *#*#8255#*#* for Gtalk service monitor
  Google Talk host address & port, Your Google JID (presumably Jabber ID, as GTalk is based on Jabber IRC), Your Device ID (presumably hashed from something), GTalk connection status, GTalk heartbeat status

Network Protocols for Android (the /proc/net/protocols listing; the header of the last column and the columns after it were cut off on the slide)
  protocol    size   sockets  memory  press  maxhdr  slab  module  cl  co  di  ac  ?
  HIDP         344      0      -1     NI       0     no    kernel   n   n   n   n  n
  BNEP         344      0      -1     NI       0     no    kernel   n   n   n   n  n
  RFCOMM       352      0      -1     NI       0     no    kernel   n   n   n   n  n
  SCO          352      0      -1     NI       0     no    kernel   n   n   n   n  n
  L2CAP        560      0      -1     NI       0     no    kernel   n   n   n   n  n
  KEY          360      0      -1     NI       0     no    kernel   n   n   n   n  n
  PACKET       392      0      -1     NI       0     no    kernel   n   n   n   n  n
  RAWv6        616      0      -1     NI       0     yes   kernel   y   y   y   y  n
  UDPLITEv6    600      0      -1     NI       0     yes   kernel   y   y   y   y  n
  UDPv6        600      0       0     NI       0     yes   kernel   y   y   y   y  n
  TCPv6      1,184      4       5     no     292     yes   kernel   y   y   y   y  y
  PPPOPNS      416      0      -1     NI       0     no    kernel   n   n   n   n  n
  PPPOLAC      416      0      -1     NI       0     no    kernel   n   n   n   n  n
  PPPOL2TP     416      0      -1     NI       0     no    kernel   n   n   n   n  n
  PPPOE        416      0      -1     NI       0     no    kernel   n   n   n   n  n
  UNIX         368     59      -1     NI       0     yes   kernel   n   n   n   n  n
  UDP-Lite     472      0      -1     NI       0     yes   kernel   y   y   y   y  n
  RAW          456      0      -1     NI       0     yes   kernel   y   y   y   y  n
  UDP          472      2       0     NI       0     yes   kernel   y   y   y   y  n
  TCP        1,056      0       5     no     292     yes   kernel   y   y   y   y  y
  HCI          368      0      -1     NI       0     no    kernel   n   n   n   n  n
  NETLINK      384      8      -1     NI       0     no    kernel   n   n   n   n  n
* RAW protocol: This protocol is one of the common computer languages that documents are translated into and then sent to a networked printer. The printer interprets the protocol and prints the document.

Traffic Monitoring using tcpdump 1/2
Cross Compiling tcpdump source on Linux Distribution
Get the latest source for libpcap and tcpdump from http://www.tcpdump.org
1. Compile libpcap source
    rhel6$> tar zxvf libpcap-1.1.1.tar.gz
    rhel6$> cd libpcap-1.1.1/
    rhel6$> CC=arm-kandroid-gcc ac_cv_linux_vers=2 ./configure --host=arm-linux -with-pcap=linux
    rhel6$> make
2. Compile tcpdump source
    rhel6$> cd ..
    rhel6$> tar zxvf tcpdump-4.1.1.tar.gz
    rhel6$> cd tcpdump-4.1.1/
    rhel6$> CC=arm-kandroid-gcc ac_cv_linux_vers=2 ./configure --host=arm-linux -with-pcap=linux
    rhel6$> vi ./Makefile
      a. remove the -O2 flag and add the -static flag to the linker (LD_FLAGS += -static)
      b. If you get the following error: undefined reference to `__isoc99_sscanf', add #define _GNU_SOURCE in the faulty .c files.
    rhel6$> make

Traffic Monitoring using tcpdump 2/2
3. Copy to the android-rootfs based on NFS
    rhel6$> sudo cp tcpdump /opt/android-rootfs/
4. Run tcpdump
    rhel6#us> sudo ./adb devices
    ????????????    no permissions
    rhel6#us> sudo ./adb kill-server
    rhel6#us> sudo ./adb shell
    android#> cd /data/local
    android#> chmod 777 tcpdump-arm
    android#> ./tcpdump-arm -i rmnet0 not port 23      (ignoring telnet traffic on port 23)

Tcpdump source in Android Official Repository
Git Repository: http://android.git.kernel.org/platform/external/tcpdump.git
manifest
    #> vi ./mydroid-froyo/.repo/manifest.xml
    <project path="external/tcpdump" name="android/platform/external/tcpdump" />
Binary Files
    ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/tcpdump
    ./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/LINKED/tcpdump
    ./out/target/product/harmony/symbols/system/bin/tcpdump
    ./out/target/product/harmony/system/xbin/tcpdump
Android App: Android market - Search - Download "Shark for Root (native)" software

Network Monitoring with wireshark on Host PC 1/3
    rhel6$> adb shell tcpdump -i any -p -s 0 -w /sdcard/data.pcap
  Option   Description
  -i any   listen on any network interface
  -p       disable promiscuous mode (doesn't work anyway)
  -s 0     capture the entire packet
  -w       write packets to a file (rather than printing to stdout)
    ... do whatever you want to capture, then "Ctrl+C" to stop it ...
    rhel6$> adb pull /sdcard/data.pcap .
    rhel6$> sudo yum install wireshark   # or ethereal, if you're still on an old version
    rhel6$> wireshark ./capture.pcap     # or ethereal
    ... look at your packets and be wise ...

Network Monitoring with wireshark on Host PC 2/3
[Figure: wireshark screenshot of the pulled capture]

Network Monitoring with wireshark on Host PC 3/3
Utilize Shark for Root / Shark Reader software locally on Android Phone.
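Before handing the pulled data.pcap to wireshark it is worth checking that the capture actually holds whole packets, which is what the -s 0 option above is for. The following is an added example, not tcpdump's or the slides' code: a small reader for the libpcap file format that tcpdump -w writes (24-byte global header, then a 16-byte record header per packet), which accepts both byte orders and the nanosecond magic, and reports every record whose captured length is shorter than its original length. The two sample packets are constructed in memory; the writer exists only so the example runs offline.

```python
# Added example (not from the slides or tcpdump): parse "tcpdump -w" output and flag truncated packets.
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D
LINKTYPES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL (what tcpdump -i any records)"}


def write_pcap(records, snaplen=65535, linktype=1) -> bytes:
    """Serialize (ts_sec, ts_usec, packet_bytes) triples, cutting each packet at snaplen as tcpdump would."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in records:
        captured = pkt[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(pkt)) + captured
    return out


def read_pcap(data: bytes) -> dict:
    """Parse the global header and every record; raises ValueError on anything malformed."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        end, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        end, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file (magic %08x)" % magic_le)
    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record at offset %d exceeds snaplen or file size" % (off - 16))
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return {"version": (ver_major, ver_minor), "snaplen": snaplen,
            "linktype": LINKTYPES.get(linktype, "DLT %d" % linktype),
            "nanosecond": magic == MAGIC_NSEC, "records": records}


def truncated_records(parsed: dict) -> list:
    """Indices of packets whose capture was cut short; a non-empty list means -s 0 was not in effect."""
    return [i for i, r in enumerate(parsed["records"]) if r["incl_len"] < r["orig_len"]]


def demo():
    # Constructed: a 64-byte and a 1500-byte frame, captured with snaplen 68 (the pre-4.0 tcpdump default)
    # and with the full-packet snaplen that -s 0 gives.
    pkts = [(1299820800, 0, b"\x00" * 64), (1299820800, 500000, b"\x00" * 1500)]
    short = read_pcap(write_pcap(pkts, snaplen=68, linktype=113))
    full = read_pcap(write_pcap(pkts, snaplen=65535, linktype=113))
    return truncated_records(short), truncated_records(full), full["linktype"]


if __name__ == "__main__":
    print(demo())
```

A capture taken with -i any uses the Linux "cooked" link type rather than Ethernet, so the per-packet bytes start with a 16-byte SLL header instead of a 14-byte Ethernet header; the link type field in the global header is what tells the reader which one to expect.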
Unix Socket Connection Information
* Active UNIX domain sockets (servers and established)
  Proto RefCnt Flags    Type    State      I-Node  PID/Program name    Path
  unix  2      [ ACC ]  STREAM  LISTENING  966     1328/qmuxd          /data/radio/qmux_connect_socket
  unix  2      [ ACC ]  STREAM  LISTENING  194631  26528/com.kt.iwlan  /data/data/com.kt.iwlan/sock_kaf
  unix  2      [ ]      DGRAM              1194    1341/lgospd         /data/misc/lgosp/ipc_diag
  unix  2      [ ]      DGRAM              446966  19994/com.kt.wifisv /data/misc/wifi/kaf/kafif_svr
  unix  2      [ ]      DGRAM              427196  19052/com.lge.osp   /data/misc/lgosp/ipc_usbctrl
  unix  2      [ ]      DGRAM              427197  19052/com.lge.osp   /data/misc/lgosp/ipc_usbdata
  unix  2      [ ]      DGRAM              1199    1341/lgospd         /data/misc/lgosp/ipc_fs_access
  unix  2      [ ]      DGRAM              427199  19052/com.lge.osp   /data/misc/lgosp/ipc_gr
  * * * * * Middle Omission * * * * *
  unix  2      [ ]      STREAM             194614  23815/app_process
  unix  3      [ ]      STREAM  CONNECTED  13410   5792/adbd
  unix  3      [ ]      STREAM  CONNECTED  13409   5792/adbd
  unix  3      [ ]      STREAM  CONNECTED  2300    1330/rild
  unix  3      [ ]      STREAM  CONNECTED  2299    1536/com.android.ph
  unix  3      [ ]      STREAM  CONNECTED  2014    1331/zygote
  unix  3      [ ]      STREAM  CONNECTED  2013    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1227    1329/lgesystemd
  unix  3      [ ]      STREAM  CONNECTED  1994    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1926    1325/vold
  unix  3      [ ]      STREAM  CONNECTED  1925    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1915    1326/netd
  unix  3      [ ]      STREAM  CONNECTED  1914    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1900    1336/dbus-daemon
  unix  3      [ ]      STREAM  CONNECTED  1899    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1165    1338/installd
  unix  3      [ ]      STREAM  CONNECTED  1400    1435/system_server
  unix  2      [ ]      DGRAM              1367    1435/system_server
  unix  3      [ ]      STREAM  CONNECTED  1261    1328/qmuxd
  unix  3      [ ]      STREAM  CONNECTED  1229    1336/dbus-daemon
  unix  3      [ ]      STREAM  CONNECTED  1228    1336/dbus-daemon
  unix  2      [ ]      DGRAM              1200    1341/lgospd
  unix  2      [ ]      DGRAM              1196    1341/lgospd
  unix  2      [ ]      DGRAM              1195    1341/lgospd
  unix  3      [ ]      STREAM  CONNECTED  924     1/init
  unix  3      [ ]      STREAM  CONNECTED  923     1/init
  Path entries printed for the connected sockets after the omission (server side of each pair, in the order shown on the slide): /dev/socket/rild, /dev/socket/zygote, /dev/socket/lgesystemd, /dev/socket/vold, /dev/socket/netd, /dev/socket/dbus, /dev/socket/installd, /data/radio/qmux_connect_socket

Network Monitoring with netstat command 1/2
RMNET (mobile network interface, in Linux kernel-speak) is what Google uses for Android to connect to the internet, for instance to transmit a message to the MMSC server. The interface name "rmnet0" corresponds to EDGE/3G; Wi-Fi uses its own interface (wlan0 in the /proc/sys/net/ipv4/conf tree above).
  RMNet: slow, broken data but reliable connection
  PPP (point-to-point protocol): fast, high-speed data but somewhat unstable connection
/proc/net/dev
http://freshmeat.net/projects/net-tools/
http://code.google.com/p/android-group-korea/downloads/list
/sys/class/net/<rmnet0>/address
/sys/class/net/<rmnet0>/statistics/{rx|tx}_packets

Network Monitoring with netstat command 2/2
Under the Hood of App Inventor for Android - http://aschillings.co.uk/html/under_the_hood.html
    cat /proc/devices
    cat /proc/meminfo
    cat /proc/mounts
    cat /proc/net/arp
    cat /proc/net/if_inet6
    cat /proc/net/ipv6_route
    cat /proc/net/route
    cat /proc/net/wireless
    cat /proc/version
    df -ah
    getprop dalvik.vm.execution-mode
    getprop dalvik.vm.heapsize
    getprop gsm.version.baseband
    getprop ro.build.fingerprint
    getprop ro.product.version
    getprop ro.sf.lcd_density
    ifconfig -a
    ip -f inet6 addr
    ip -f inet6 route show
    ip addr
    ip route show
    lsmod
    netcfg
    netstat -apnW
    netstat -rpnW
    ps
    route -A inet6 -n
    route -n
    uname -a

DNS Resolver (RFC 3484) 1/2
* RFC 3484 - http://tools.ietf.org/html/rfc3484
* ANDROID-RFC3484 - "RFC 3484 support for Android", 2010
Bionic uses a NetBSD-derived resolver library which has been modified in the following ways:
1. don't implement the name-server-switch feature (a.k.a. <nsswitch.h>)
2. read /system/etc/resolv.conf instead of /etc/resolv.conf (./bionic/libc/netbsd/net/getaddrinfo.c)
3. read the list of servers from system properties (getprop/setprop). The code looks for 'net.dns1', 'net.dns2', etc. Each property should contain the IP address of a DNS server. These properties are set/modified by other parts of the Android system (e.g. the dhcpd daemon). The implementation also supports a per-process DNS server list, using the properties 'net.dns1.<pid>', 'net.dns2.<pid>', etc., where <pid> stands for the numerical ID of the current process.
4. when performing a query, use a properly randomized Query ID (instead of an incremented one), for increased security.
5. when performing a query, bind the local client socket to a random port, for increased security.
6. get rid of *many* unfortunate thread-safety issues in the original code
* Sources: Android Official Repository

DNS Resolver (RFC 3484) 2/2
    # getprop
    [ro.secure]: [1]
    [ro.allow.mock.location]: [0]
    [ro.debuggable]: [0]
    [persist.service.adb.enable]: [1]
    [ro.factorytest]: [0]
    . . . . . Middle Omission . . . . . .
    [net.dns1]: [8.8.8.8]
    [net.dns2]: [8.8.4.4]
    [gsm.current.phone-type]: [1]
    [gsm.operator.numeric]: [22110]
    [gsm.operator.alpha]: [Kandroid Broadband IT]
    [gsm.operator.iso-country]: [it]
    [gsm.operator.isroaming]: [false]
    [gsm.version.baseband]: [11.23.35.13H_3.35.03.20]
    [EXTERNAL_STORAGE_STATE]: [mounted]
    [gsm.network.type]: [UMTS]
    [gsm.data.network.type]: [UMTS]
    [gsm.sim.change]: [false]
    [gsm.cb.max.channel]: [15]
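Two of the resolver changes listed above (the property-based server list with its per-process override, and the randomized query ID) can be shown without touching Bionic. The following is an added example in plain Python, not Bionic's code: it parses getprop output of the shape shown on the slide, picks the net.dns1.<pid> list when one exists and otherwise the global net.dns1/net.dns2 list, builds an RFC 1035 A query whose ID comes from os.urandom, and accepts a reply only if its ID and question section match the outstanding query. The getprop text is constructed sample output (the [net.dns1.1435] line is invented to exercise the per-process path; 8.8.8.8 and 8.8.4.4 are the slide's values).

```python
# Added example (not from the slides or Bionic): DNS server selection from system properties,
# plus query ID randomization and reply matching.
import os
import re
import struct

SAMPLE_GETPROP = """\
[net.dns1]: [8.8.8.8]
[net.dns2]: [8.8.4.4]
[net.dns1.1435]: [10.0.0.53]
[gsm.network.type]: [UMTS]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn '[key]: [value]' lines into a dict; lines that do not fit the shape are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def dns_servers(props: dict, pid: int) -> list:
    """Per-process list net.dnsN.<pid> if any entry is set, otherwise the global net.dnsN list, in order."""
    for suffix in (".%d" % pid, ""):
        servers, n = [], 1
        while True:
            value = props.get("net.dns%d%s" % (n, suffix), "")
            if not value:
                break
            servers.append(value)
            n += 1
        if servers:
            return servers
    return []


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qid=None):
    """A-record query. Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0."""
    if qid is None:
        qid = struct.unpack("!H", os.urandom(2))[0]      # randomized ID, as change 4 above requires
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def reply_matches(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if it is a response (QR=1), carries the query's ID and echoes its question."""
    if len(reply) < 12 or len(query) < 12:
        return False
    if reply[:2] != query[:2] or not (reply[2] & 0x80):
        return False
    return reply[12:len(query)] == query[12:]


def demo():
    props = parse_getprop(SAMPLE_GETPROP)
    global_list = dns_servers(props, pid=9999)       # no per-process entries for this pid
    pid_list = dns_servers(props, pid=1435)          # per-process override wins
    qid, q = build_query("www.kandroid.org")
    genuine = struct.pack("!H", qid) + b"\x81\x80" + q[4:]                  # same ID, QR/RD/RA set
    wrong_id = struct.pack("!H", (qid + 1) & 0xFFFF) + b"\x81\x80" + q[4:]  # ID off by one
    return global_list, pid_list, reply_matches(q, genuine), reply_matches(q, wrong_id)


if __name__ == "__main__":
    print(demo())
```

With an incrementing ID a third party that sees one query knows the next ID; with a random 16-bit ID and a random source port (change 5 above, not simulated here since it needs a socket) a forged reply has to match both, which is the point of those two changes.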
Case Study: Android Phone Attack with DDoS 1/2
# for CPU Load 100%: PING-based Distributed Denial of Service (DDoS) attacks against the phone's rmnet0 address 49.56.XXX.XXX (KRNIC / APNIC)
    while true; do ping -l 100000 -s 10 -f 49.56.xx.xx & ; sleep 2; done &
[ ISP Organization Information ]
  Org Name: Korea Android Freetel Corp.    Service Name: 7THWING
  Org Address: seoul-city kandroid-dong    Org Detail Address: 306
[ ISP IPv4 Admin Contact Information ]   Name: HONG, GILDONG    Phone: +82-2-7127-1473    E-Mail: superuser@kandroid.com
[ ISP IPv4 Tech Contact Information ]    Name: HONG, GILDONG    Phone: +82-2-7127-147     E-mail: network@kandroid.com
[ ISP Network Abuse Contact Information ] Name: YANG, DEOLPOOL   Phone: +82-2-210-9765     E-mail: admin@kandroid.com
    05:26:14.396126 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 45, length 64
    05:26:14.396281 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 45, length 64
    05:26:15.406084 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 46, length 64
    05:26:15.406349 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 46, length 64
    05:26:16.396119 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 47, length 64
    ...............
Demo: http://www.youtube.com/watch?v=kQwXJfQmoSk
Port scan of the phone during the attack (notes on the slide: "rcvbuf is not enough to hold preload", "OOM"):
  PORT       STATE     SERVICE
  21/tcp     filtered  ftp
  22/tcp     filtered  ssh
  23/tcp     filtered  telnet
  79/tcp     filtered  finger
  80/tcp     filtered  http
  135/tcp    filtered  msrpc
  137/tcp    filtered  netbios-ns
  138/tcp    filtered  netbios-dgm
  139/tcp    filtered  netbios-ssn
  445/tcp    filtered  microsoft-ds
  707/tcp    filtered  unknown
  903/tcp    filtered  iss-console-mgr
  1025/tcp   filtered  NFS-or-IIS
  1433/tcp   filtered  ms-sql-s
  1521/tcp   filtered  oracle
  3306/tcp   filtered  mysql
  3389/tcp   filtered  ms-term-serv
  4444/tcp   filtered  krb524
  5000/tcp   filtered  UPnP
  5900/tcp   filtered  vnc
  6101/tcp   filtered  VeritasBackupExec
  6667/tcp   filtered  irc
  8080/tcp   filtered  http-proxy
  17300/tcp  filtered  kuang2

Case Study: Android Phone Attack with DDoS 2/2
DDoS Attacks (Distributed Denial-of-Service Attack): an attack technique in which many distributed systems attack a single target system to cause DoS (e.g. crash, halt, freeze).
1. Buffer Overflow (BOF) Attack: an overflow attack that exploits a computer's limited memory space and processing-speed problems.
2. SYN Flooding: a method of staying silent to the target system's response in the three-way handshake connection.
3. UDP Flooding: a traffic-overload method in which the attacker changes the IP address that receives the service to the target system's IP address.
4. Smurf Attack: a method in which the attacker changes the source IP address to the target system's IP address and broadcasts ICMP Echo, causing traffic overload.
5. Teardrop Attack: so called because of its "teardrop" packets; a method of bringing the system down by splitting a large number of packets into very small fragments and sending them, so that reassembling the packet-ordering information on the receiving side overloads it. (http://www.ietf.org/rfc/rfc3128.txt)

Connections between Network and Android
Network Instruments-based Android Diagram
[Figure: Application layer - Settings (WiFi/VPN) in /com/android/settings/, Phone APK in /com/android/phone/sip, SIP Phone App (Setting/Receiver/Caller, Dialer, Audio/Video); Application Framework (frameworks/base/voip/java/android/net) - Telephony.SIP package (com.android.internal.telephony.sip), WiFi package (android.net.wifi), VPN package (android.net.vpn), SIP package (android.net.sip), RTP package (android.net.rtp); System/Functional Libraries - SIP stack (NIST-SIP, external/nist-sip/*), bionic, JNI RTP (C++, arpa/inet)]

Connections between Network and Android
SIP Architecture
[Figure: kandroid's network - SIP proxy/registrar and IPBX (private branch exchange), Directory (OpenLDAP), RADIUS server (FreeRADIUS), SIP phones and a SoftPhone user behind an access router, SIP-PSTN gateway to the PSTN, connection to the internet]

Connections between Network and Android
SIP Connection Flow (SIP Phone A, SIP Proxy / IP PBX, SIP Phone B on the LAN)
  Signaling:
    A -> Proxy: SIP/SDP INVITE                 Proxy -> B: SIP/SDP INVITE
    Proxy -> A: Status 100 Trying
    B -> Proxy: Status 183 Session Progress    Proxy -> A: Status 183 Session Progress
    B -> Proxy: Status 200 OK                  Proxy -> A: Status 200 OK
    A -> B: SIP ACK
  Voice stream: RTP/RTSP stream between the IP phones
  Teardown: SIP BYE (relayed by the proxy), answered with Status 200 OK (relayed by the proxy)
Connections between Network and Android
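The INVITE / 100 / 183 / 200 / ACK / BYE / 200 exchange on the call-flow slide, as an added example that is not the slides', NIST-SIP's or the Android SIP stack's code: two user agents, each a small state machine, and a proxy that relays between them and answers the INVITE with 100 Trying before the callee replies. The agents reject any message that arrives in the wrong state (a BYE outside an established dialog, for instance), which is the check a real stack performs before it touches the audio path. The addresses are constructed.

```python
# Added example (not from the slides or any SIP stack): simulate the SIP call flow with state checks.
from dataclasses import dataclass


@dataclass
class SipMessage:
    kind: str          # "request" or "response"
    method: str        # INVITE, ACK, BYE; on a response, the method it answers
    status: int = 0    # response code, 0 for requests
    src: str = ""
    dst: str = ""

    def line(self) -> str:
        if self.kind == "request":
            return "%s -> %s: %s" % (self.src, self.dst, self.method)
        return "%s -> %s: %d (%s)" % (self.src, self.dst, self.status, self.method)


class UserAgent:
    """Caller: idle -> calling -> established -> terminating -> idle. Callee: idle -> proceeding -> established -> idle."""

    def __init__(self, addr: str):
        self.addr, self.state, self.log = addr, "idle", []

    def invite(self, peer: str):
        if self.state != "idle":
            raise RuntimeError("%s: INVITE while %s" % (self.addr, self.state))
        self.state = "calling"
        return [SipMessage("request", "INVITE", src=self.addr, dst=peer)]

    def hangup(self, peer: str):
        if self.state != "established":
            raise RuntimeError("%s: BYE outside an established dialog" % self.addr)
        self.state = "terminating"
        return [SipMessage("request", "BYE", src=self.addr, dst=peer)]

    def handle(self, m: SipMessage):
        self.log.append(m.line())
        out = []
        if m.kind == "request" and m.method == "INVITE" and self.state == "idle":
            self.state = "proceeding"
            out.append(SipMessage("response", "INVITE", 183, self.addr, m.src))   # session progress
            out.append(SipMessage("response", "INVITE", 200, self.addr, m.src))   # answered
        elif m.kind == "request" and m.method == "ACK" and self.state == "proceeding":
            self.state = "established"
        elif m.kind == "request" and m.method == "BYE" and self.state == "established":
            self.state = "idle"
            out.append(SipMessage("response", "BYE", 200, self.addr, m.src))
        elif m.kind == "response" and m.method == "INVITE" and self.state == "calling":
            if m.status == 200:                       # 100 and 183 are provisional: stay in "calling"
                self.state = "established"
                out.append(SipMessage("request", "ACK", src=self.addr, dst=m.src))
        elif m.kind == "response" and m.method == "BYE" and self.state == "terminating":
            self.state = "idle"
        else:
            raise RuntimeError("%s: unexpected '%s' in state %s" % (self.addr, m.line(), self.state))
        return out


class Proxy:
    """Relays each message to its destination; sends 100 Trying back to the caller for every INVITE."""

    def __init__(self, agents):
        self.agents, self.trace = {a.addr: a for a in agents}, []

    def deliver(self, msgs):
        msgs = list(msgs)
        while msgs:
            m = msgs.pop(0)
            self.trace.append(m.line())
            if m.kind == "request" and m.method == "INVITE":
                msgs.append(SipMessage("response", "INVITE", 100, "proxy", m.src))
            msgs.extend(self.agents[m.dst].handle(m))


def demo():
    a, b = UserAgent("sip:alice@example.invalid"), UserAgent("sip:bob@example.invalid")
    proxy = Proxy([a, b])
    proxy.deliver(a.invite(b.addr))
    after_call_setup = (a.state, b.state)
    proxy.deliver(a.hangup(b.addr))
    return after_call_setup, (a.state, b.state), proxy.trace


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The trace the proxy collects is exactly the sequence on the slide; the RTP stream would start once both agents are in "established" and stop at the BYE.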
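On the defending side, the ICMP echo flood in the case study above shows up in a capture like the tcpdump lines on that slide long before the phone runs out of receive buffers. The following is an added example, not part of the slides: it parses tcpdump's text output for ICMP echo lines, keeps a sliding one-second window of echo requests per (source, destination) pair, and reports the pairs whose request rate crosses a threshold. The sample capture is constructed: the polite 1-request-per-second host and the phone's address are the slide's values, the flooding host 203.0.113.7 and the threshold of 20 requests per second are invented for the example.

```python
# Added example (not from the slides): detect an ICMP echo flood in tcpdump text output.
import re
from collections import defaultdict, deque

LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$")


def parse_line(line: str):
    """One tcpdump ICMP echo line -> dict with a seconds-since-midnight timestamp; None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": t, "src": m["src"], "dst": m["dst"], "kind": m["kind"],
            "id": int(m["id"]), "seq": int(m["seq"]), "len": int(m["len"])}


def detect_flood(lines, window=1.0, threshold=20):
    """Return {(src, dst): peak requests within `window` seconds} for pairs that reached `threshold`."""
    recent = defaultdict(deque)    # (src, dst) -> timestamps of echo requests inside the window
    peaks = {}
    for line in lines:
        p = parse_line(line)
        if not p or p["kind"] != "request":
            continue                # replies are the victim answering; only requests are counted
        key = (p["src"], p["dst"])
        q = recent[key]
        q.append(p["t"])
        while q and p["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def sample_capture():
    """Constructed: one host at 1 request/s for 5 s, then 50 requests in 0.1 s from another host."""
    lines = []
    for i in range(5):
        lines.append("05:26:%02d.396126 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq %d, length 64"
                     % (14 + i, 45 + i))
        lines.append("05:26:%02d.396281 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq %d, length 64"
                     % (14 + i, 45 + i))
    for i in range(50):             # "ping -s 10" gives an 18-byte ICMP message (8-byte header + 10 data bytes)
        lines.append("05:26:20.%06d IP 203.0.113.7 > 49.56.20.158: ICMP echo request, id 7, seq %d, length 18"
                     % (i * 2000, i))
    return lines


def demo():
    return detect_flood(sample_capture())


if __name__ == "__main__":
    for (src, dst), peak in demo().items():
        print("flood: %s -> %s, peak %d echo requests in 1 s" % (src, dst, peak))
```

On the phone itself the same signal is visible without a capture: the rx_packets counter under /sys/class/net/rmnet0/statistics/ (listed on the netstat slides) climbs by thousands per second while the flood lasts, and the ICMP rate limit in /proc/sys/net/ipv4 (icmp_ratelimit) bounds how many replies the kernel will send.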
Session and Audio Control
[Figure: android.net.sip and android.net.rtp classes and interfaces - SipBroadcastReceiver; SipManager (SIP object creation & call API, "Creating a SIP Manager"); SipAudioCall and SipAudioCall.Listener ("Making an Audio Call", "Receiving Calls"); SipSession, SipSessionGroup, SipService ("SIP Session Management", "SIP Session Service"); SipPhone, SipPhoneFactory / PhoneFactory, SipCall, SipConnection, SipHelper ("Registering with a SIP Server", action_sip_add_profile); SipStack (NIST); SimpleSessionDescription (SDP audio control); AudioStream (RTP stream inheritance), AudioGroup, AudioCodec (RTP)]
• Initiating SIP sessions.
• Initiating and receiving calls.
• Registering and unregistering with a SIP provider.
• Verifying session connectivity.
• http://developer.android.com/resources/samples/SipDemo/index.html

Conclusion
1. Many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet.
2. The device driver stores in the 'net_device' structure the time its most recent frame was received, and 'netif_rx' stores the time the frame was received in the buffer itself.
3. We can capture and inspect the packets of the Android mobile phone with tcpdump / wireshark. Utilize Shark for Root / Shark Reader software locally on the Android phone.
4. RMNET is what Google uses for Android to connect to the internet to transmit the message. RMNet: slow, broken data but reliable connection. PPP (point-to-point protocol): fast, high-speed data but somewhat unstable connection.
5. Bionic uses a NetBSD-derived resolver (RFC 3484) library which has been modified for the mobile platform.
6. Android 2.3 (API level 9) provides access to Session Initiation Protocol (SIP) functionality, such as making and answering VoIP calls using SIP.
To control how Android Market filters your application from devices that do not support SIP, remember to add the following to the application's manifest:
    <uses-feature android:name="android.hardware.sip.voip" />

Think Time for Healthy Network Traffic
• How to reduce Google mail content? Actually the Google mail client of the Android phone reads too many network packets (e.g. IMAP header, IMAP body, images, linked contents). To reduce the packet contents as soon as possible for good network traffic, we have to consider a light-weight mail client that fetches only the IMAP header directly.
• Whenever we find a new wireless network address (APN) because of the movement of users, why do we always repeat the load/unload sequence of the wireless kernel module for WiFi? Think about the best behaviour of kernel functions for effective battery saving and performance improvement.
• Our phone acquired too many network protocols. For example, we don't need unnecessary network protocols like RAW.
• Do we always wait over 5 seconds for the WiFi connection to complete on a new street? We have to find an improved approach for fast connection with a tiny DNS resolver and weight-based APN sorting.

References
1. TCP/IP Illustrated Book
   - Volume 1: The Protocols, Addison-Wesley, 1994.
   - Volume 2: The Implementation, Addison-Wesley, 1995.
   - Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols, Addison-Wesley, 1996.
2. UNIX Network Programming Book
   - Volume 1, Second Edition: Networking APIs: Sockets and XTI, Prentice Hall, 1998.
   - Volume 2, Second Edition: Interprocess Communications, Prentice Hall, 1999.
3. Android Developers Google Groups, http://groups.google.com/group/android-developers
4. D. Andersen, H. Balakrishnan, M. Kaashoek, and R. Morris. Resilient Overlay Networks. In Proc. ACM SOSP, Oct. 2001.
5. "Basic Components of a Local Area Network (LAN)". NetworkBits.net. Retrieved 2008-04-08.
6. Android Developer Document, http://developer.android.com
   - android.net: http://developer.android.com/reference/android/net/package-summary.html
   - android.net.sip: http://developer.android.com/reference/android/net/sip/package-summary.html
   - android.net.wifi: http://developer.android.com/reference/android/net/wifi/package-summary.html
   - SIP Demo: http://developer.android.com/resources/samples/SipDemo/index.html
7. Understanding Linux Network Internals. Author: Christian Benvenuti. Publisher: O'Reilly.
8. XDA Forums, http://forum.xda-developers.com/

Any Questions?

Appendix: The WRR network scheduler for Linux
WRR (Weighted Round Robin) is a network scheduling module for Linux written by Christian Worm Mortensen. It has the ability to shape an internet connection without buying some expensive QoS solution from the ISP. It can even run on the firewall, thus making more efficient use of the firewall machine.
WRR worked on 2.4 kernels from 2.4.17 and newer and on most (if not all) 2.6 kernels until 2.6.28. If you need similar traffic shaping for 2.6.29 or later, consider using DRR (Deficit Round Robin), which has similar (but not identical) functionality. I have not yet myself switched to DRR so I will not (currently) provide any guidelines.
☞ 080820 release: This release is for 2.6.27 (tested). It will not work for older kernels. If you need support for older kernels, please use an older release below. It contains no new features but contains a one-line fix for an API change in 2.6.27. Please do not try 2.6.28 unless you are brave, as it seems to have compatibility issues.
Jabber: moffe@zz9.dk   IRC: M0ffe at freenode, Undernet and Slashnet.
Appendix: Open Source based Applications 1/2
http://www.jaqpot.net/netcounter/
  NetCounter is a network traffic counter for the Android platform. GPLv3 license.
http://code.google.com/p/androidlabs/wiki/NetMeter
  NetMeter allows to trouble-shoot performance problems by letting the user see network and CPU usage over time.
# for Proxy-based network users
    invain$sl6> vi ~/.subversion/servers
    [global]
    http-proxy-host = 200.200.200.200
    http-proxy-port = 8080

Appendix: Open Source based Applications 2/2
Android network tester: http://code.google.com/p/androidnetworktester/ (Fast Network Tester for Android)
Free SIP/VoIP client for Android (GPLv3): http://code.google.com/p/sipdroid/
Account registration: http://serweb.iptel.org/user/reg/
  • Authorization Username : your-iptel-ID
  • Password : your-iptel-pass
  • Server of Proxy : sip.iptel.org
  • Domain : iptel.org
  • Port : 5060 (default)
  • Protocol : UDP (default)
  • sip: 162595@iptel.org
  • sip: leemgs@iptel.org