You Can Run, but You Cant Hide: Exposing Network Location forTargeted DoS Attacks in Cellular Networks
Zhiyun Qian1 Zhaoguang Wang1 Qiang Xu1 Z. Morley Mao1 Ming Zhang2 Yi-Min Wang21 University of Michigan 2 Microsoft Research
An important class of attacks against cellularnetwork infrastructures, i.e., signaling DoS attack,paging channel overload, and channel exhaustionattack, operates by sending low rate data traffic to alarge number of mobile devices at a particular location toexhaust bottleneck resources such as radio resource andradio resource controller. We term this class of attacktargeted DoS attack on cellular networks, given thefocus on a specific location. The success of such attacksdepends on an important but unvalidated assumptionthat it is possible to create a relatively accurate hit listof mobile devices associated with the target networklocation to which attackers can direct traffic. In thisstudy, we take an important first step to validate thisassumption by performing a large-scale study on thefeasibility of these attacks. In addition, we proposeaccurate and efficient techniques for generating IPaddress to network location association in real time forexisting commercial UMTS networks.
Our technique relies on developing and measuringnetwork signatures consisting of both static and dynamicfeatures of key network elements such as Radio NetworkControllers (RNCs) that are stable within the samelocation but distinct across locations. We find that asingle feature in some cases is unique enough to locatea city such as NYC. With as little as 800kbps probe rate,we can identify a sufficient number of IPs to accuratelytarget a network location, after scanning millions of IPswithin 1.2 hours to effectively impose 2.5 to 3.5 times thenormal load on the network.
Data cellular networks are perennially constrainedby limited radio resources due to ever-increasing userdemand. To enable efficient resource reuse, thereexists built-in support for intelligently allocating radioresources among multiple users and releasing themwhen they are perceived no longer actively in use.
However, the mechanism for implementing the radioresource management primitives requires complex andheavy signaling procedures, rendering cellular networksvulnerable to a variety of low-rate targeted DoSattacks [25, 35, 32]. Due to the low bandwidth property,they can be launched from merely one or more externalInternet hosts and can deny service to a large numberof legitimate users in a particular area. In Figure 1,this class of attacks is illustrated at the bottom left side.Different from another class of attacks such as HLRattack  (on the top right of the figure) that requiresaccess to cellular botnets, the low-rate targeted DoSattacks are considered much more realistic given theweaker requirements.
Although targeted DoS attacks are seemingly seriousthreats, they are still hypothetical. In particular, animportant requirement, i.e., locating a sufficient numberof mobile devices in the same area (the so-called hit-list) is not fully investigated. Previous work on exploiting SMS functionality to overload cellularvoice service proposed using phone numbers underspecific area codes to generate the hit-list. However,phone numbers cannot be directly translated into IPaddresses needed for launching targeted DoS attacks oncellular data services and have limited location accuracy(detailed in 5.3).
To bridge this gap, we develop localizationtechniques to identify IP addresses under a givenarea via active probing and fingerprinting. It worksby controlling a probe phone under the target areato measure the baseline signature of that location,then searching for other devices with sufficientlysimilar signature to the baseline. Our observation isthat it is possible to actively measure characteristicsand configuration parameters associated with networkelements that are similar at the same location anddistinct across locations. We empirically evaluatethis approach on two large UMTS carriers in theU.S. (anonymized as Carrier 1 and Carrier 2 forprivacy concerns). We find the approach promisingin identifying a set of near-by mobile IPs with highaccuracy. This is particularly true for big cities that often
have unique configurations or features to satisfy theirload requirement. In certain cases, it is even possibleto uniquely identify a big city such as NYC with onlya single feature. Thus, our work demonstrates that thethreat of targeted DoS attacks is real.
Besides exposing the potential abuse of networkinformation to enable this class of targeted attackagainst cellular networks, our technique can alsosupport legitimate privacy-preserving applications thatrely to the knowledge of the number of nearbyusers to determine whether a user should sendhis location information while ensuring k-anonymousproperties . More generally, our techniqueopens up a new direction in understanding howcritical infrastructures like cellular networks can leakinformation about their networks which leads to privacyimplications, e.g., in the form of location exposure.
In this work, we make the following contributions: We conduct the first large-scale empirical study onthe feasibility of targeted DoS attack against commercialcellular data networks (with overview shown in Table 1),using data collected through our deployed mobile appon major smartphone platforms (with details of the appcovered in 3). We show that 80% of the devices keeptheir device IPs for more than 4 hours, leaving ampletime for attack reconnaissance. We develop novel techniques to map IP addressesof mobile devices to a geographic area, usinga combination of network features including staticconfiguration settings, topological properties, anddynamic features. Using the proposed network signatures, weempirically validate the evidence of diverse networksignatures across Radio Network Controllers (RNCs).We show that in big cities, the signature is typicallyunique enough to allow an attacker to locate enoughIPs to impose 2.5 to 3.5 times the normal load on thenetwork.
The rest of the paper is organized as follows. 2presents the background on UMTS network as wellas the attack overview, followed by the IP-relatedfeasibility analysis in 3. 4 describes the methodologyfor localization, and 5 discusses the evaluation results.Possible defense solutions are described in 6. Finallywe cover the related work in 7 and conclude in 8.
2 Background and Overview
In this section, we first describe the UMTSbackground with a focus on the measurable parameterswhich can be configured differently across networklocations. We then discuss the intuition of the techniqueand the detailed steps of the attack.
2.1 UMTS Background
UMTS architecture. A UMTS network consists ofthree subsystems: Devices, Radio Access Network andCore Network . They form a hierarchical structurewhere the lowest layer is the device, followed by radioaccess network consisting of base-stations and RadioNetwork Controllers (RNCs). At the highest level is theCore Network which has Serving GPRS Support Node(SGSN) and Gateway GPRS Support Node (GGSN).The latter connects to the Internet. Our focus is on theradio access networkthe DoS target.Radio Resource Control and State Machine. InUMTS, to efficiently utilize the limited radio resources(i.e., physical communication channels), the radioresource control (RRC) protocol uses a state machine(shown in Figure 2) associated with each devicetypically with three RRC statesIDLE, CELL DCH(or DCH) and CELL FACH (or FACH). Different stateshave different amount of radio resource assigned. IDLEhas no radio resource allocated. To send or receive anytraffic, it has to promote to DCH where a dedicatedchannel is assigned to the device. In FACH, devicesare assigned a shared channel which only provideslimited throughput (less than 20kbps). It is designedfor applications requiring a very low data rate. Thereare several configurable static parameters associatedwith state transitions. For example, Downlink/Uplink(DL/UL) Radio Link Controller (RLC) buffer size isused to determine when the FACH DCH transitionoccurs (we refer to it as queue size thresholdthereafter). If the number of bytes sent or receivedexceeds the threshold, the state transition will betriggered. Another example is the inactivity timerwhich determines when the DCH FACH transitionoccurs. They are all configured at the RNC and maydiffer across RNCs in different locations, making themgood candidates to construct the network signatures.Note that different RNC implementations may alsoemploy slightly different state machines due to vendordifferences. For instance, there could be a IDLE FACH transition instead of IDLE DCH. In somecases, new states (e.g., CELL PCH) are introduced tofurther optimize radio resource. These differences canalso be part of the signatures.
It is worth mentioning that in the next generationLTE networks, similar resource control mechanism andcontrol parameters also exist .
2.2 Attack Outline
RNC-level Localization. At a high level, ourintuition is that network elements (e.g., RNC) indifferent locations may be configured differently,