  • Network security issues in 3G, 4G and 5G: a literature summary

    Modeling and Analysis of RRC-Based Signalling Storms in 3G Networks: again uses a state-machine model to identify malicious UEs. https://san.ee.ic.ac.uk/publications/ggorbil_gelenbe_TETC_15_final.pdf

    Their simulation setup: In the simulations, we have 1,000 UEs in an area of 2x2 km, which is covered by seven
    Node-Bs connected to a single RNC. The CN consists of the
    SGSN and the GGSN, and the GGSN is connected to ten
    Internet hosts acting as web servers. All UEs attach to the
    mobile network at the start of the simulation, (Note: at this point the UE already has a temporary ID. How would detection work before it has one? The attach procedure itself generates a lot of signaling.) and remain
    attached. We simulate a high level of web browsing activity
    in a two and a half hour period. Our web browsing model
    is based on 3GPP recommendations

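    DETECTING NETWORK-UNFRIENDLY MOBILES WITH THE RANDOM NEURAL NETWORK: uses an RNN to detect malicious UEs. The RNN model suits our problem of telling mobile devices that behave normally apart from those that do not. [Supplementary note: in this paper RNN means random neural network. A random neural network (English: Stochastic Neural Network) is a kind of artificial neural network used as a tool in artificial intelligence. It introduces random variation into the network, either by assigning stochastic transfer functions between neurons or by giving neurons random weights. This makes such networks very useful for optimization problems, because the random fluctuations avoid local minima. Stochastic neural networks built from stochastic transfer functions are usually called Boltzmann machines.]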

    the present approach intercepts packets at the edge of the mobile network using standard
    monitoring technologies. This offers the advantages of not requiring to decode lower radio
    related layers, lack of network encryption, and fewer number of nodes to monitor [60].
    Moreover, the algorithm relies mainly on timestamps and packet header information to
    classify users, and does not require knowledge of the application generating a packet nor
    its service type, thus eliminating the need to use a commercial deep packet inspection
    tool which may result in considerable overhead. It also interacts with existing network
    management systems to reduce computational overhead, storage requirements and false
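    alarm rate. It uses packet headers and timestamps captured on the mobile side, with no need to unpack the packets. At heart this is a classification problem.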

    The paper discusses state transitions in 3G and 4G:

    One can observe that promotions from idle to connected are
    quite expensive in terms of signaling, thus motivating the introduction of sub-states in
    the connected mode. In UMTS, there are usually three sub-states: a low-energy cell_PCH
    state which allows the UE to stay in the connected mode without being able to transfer
    data, a low bandwidth cell_FACH state, and a high bandwidth cell_DCH state. In LTE,
    the UE has the ability to go into short and long discontinuous reception (DRX) states
    while in the connected mode, where it sleeps most of the time and periodically wakes up
    to check if there is data to be transferred, with longer sleep periods in long DRX than in
    short DRX. The figure below makes this very clear.

    Large-scale mobile malware infections may
    also trigger a storm, if the malware exhibit frequent communications as in premium SMS
    diallers, spammers and adware which are among the top encountered threats on smart
    devices [48]. This is confirmed by a recent analysis of mobile subscribers’ traffic in China [46] which indicated a positive correlation between the frequency of signaling-intensive traffic
    and malicious activities such as private data upload and billing fraud.

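    This example says that large-scale botnet activity on UEs can also cause a signaling storm, for example sending SMS messages, spam, adverts and so on.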

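    Next, their solution (for 3G):

    There is one fatal problem, though: RRC messages cannot be obtained in the core network! So it can only detect malicious UE packets after RRC access has succeeded. The article I read earlier, which says it obtains a time series of signaling, will obviously run into the same problem!

    Judging from this figure, it is doing signaling-storm detection for the HSS! That way there is no logical problem. No, that is wrong! In essence, a malicious UE uses an app to send messages in bulk, forcing the base station to page and so producing the signaling-storm attack effect. See the paper discussed later.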

    Because the paper says: which intercepts packets directed to/from the network gateway; in
    3GPP standards, the user data transported over this interface are encapsulated in GTP-U
    (a simple IP-based tunneling protocol) packets. The detector also utilizes information from
    the OSS to reduce search space and optimize performance, and periodically produces a list of
    anomalous users to the OSS for root cause analysis and mitigation.

    Data features extracted by the model:
    describe various characteristics of the users’ behavior. Time is divided into slots, each of duration Δ seconds, in which
    summary statistics of several quantities related to the IP traffic of each user are collected...

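    [Supplementary note:

    GTP is the main protocol used in the GPRS core network. It lets terminals on GSM and UMTS networks move from place to place while staying connected to the Internet through the same GGSN. To achieve this, GTP always carries user-plane data from the SGSN serving the user's current location to the GGSN that corresponds to the user's subscription.

    The GPRS core network uses three GTP protocols.

    • GTP-U provides one or more tunnels per PDP context for carrying user data
    • GTP-C is used for control purposes, including:
      • setting up and deleting PDP contexts
      • verifying GSN reachability
      • location updates, for example when a subscriber moves from one SGSN to another
    • GTP' carries charging data from the GSNs to the Charging Gateway Function (CGF).

    GGSNs and SGSNs (together called "GSNs") listen for GTP-C messages on UDP port 2123 and for GTP-U messages on port 2152. GTP traffic can pass between different operators through the GPRS Roaming Exchange.

    The Charging Gateway Function (CGF) listens on TCP/UDP port 3386 for GTP' messages sent by the GSNs. The core network sends charging information to the CGF; it contains at least the number of PDP context activations and the volume of data transferred by the end user. Unlike GTP-C and GTP-U, GTP' messages are normally used only inside a single operator's network, so the protocol is less standardized. An operator can apply special configuration, use its own encoding, or even use a completely different system for charging.]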

    Features:

    (1) Inter-arrival Time. (Why does RRC still come into it?)
    RRC signaling occurs whenever the UE sends or receives packets following an inactivity period that exceeds an RRC timer. Thus, the volume of traffic exchanged by a UE does not map directly into signaling load which is more influenced by the frequency of intermittent transmissions. To capture this coupling between the data and RRC signaling planes, we define a burst as a collection of packets whose inter-arrival times are less than δ seconds, where δ is smaller than the RRC timers, typically in the order of few seconds. Thus, for a sequence of packets whose arrival instants are {t1, t2, ... (It is then used to compute entropy features, the mean and so on.)

    (2) Packet Size.
    The packet size distribution for a normal device can be markedly
    different from that of a device that runs a misbehaving application. For example, when
    signaling storms occur due to unexpected events in the Internet such as cloud outages

    (3) Burst Rate.
    Another obvious characteristic of signaling storms is the sudden
    sustained rate acceleration of potentially harmful bursts generated by a misbehaving user.
    Moving average of the burst rate per slot and entropy of the rates across the observation
    window are used as features in order to capture, respectively, the frequent and repetitive
    nature of nuisance transmissions. ...

    (4) Destination Address.
    The number of destination IP addresses for a normally
    functioning mobile device can be very different from that of an attacker [42], whether the
    attack originates from the mobile network due to a misbehaving application, or from the
    Internet as in the case of unwanted traffic reaching the mobile network [56]. In the former,
    the number of destination IP addresses will be very small compared  to the frequency of
    bursts, while in the latter this number is high. Thus, we calculate the percentage of
    unique destination IP addresses contacted within each time slot, and use the average of the most
    recent w values as a feature.
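
    The burst, burst-rate and destination features quoted above, computed from packet timestamps and header fields only, as an added example (not code from the paper or from this page). The slot length, δ, w, the choice of packets as the denominator for the unique-destination percentage, and both traces are assumptions made for the illustration; the classifier itself is not included.

```python
import math
from collections import Counter

def split_bursts(timestamps, gap):
    """Group arrival times into bursts: consecutive packets whose
    inter-arrival time is below `gap` (the delta of the text) share a burst."""
    bursts = []
    for t in sorted(timestamps):
        if bursts and t - bursts[-1][-1] < gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum(c / total * math.log2(total / c) for c in counts.values())

def window_features(packets, slot_len=60.0, gap=2.0, w=5):
    """Features for ONE user over w slots of slot_len seconds each.
    packets: list of (timestamp_s, dst_ip, size_bytes), header fields only."""
    bursts = split_bursts([p[0] for p in packets], gap)
    burst_counts = [0] * w
    for b in bursts:
        idx = int(b[0] // slot_len)      # a burst counts in the slot where it starts
        if 0 <= idx < w:
            burst_counts[idx] += 1
    dst_pct = []
    for i in range(w):
        in_slot = [p for p in packets if int(p[0] // slot_len) == i]
        unique = len({p[1] for p in in_slot})
        # Assumption: "percentage of unique destinations" = unique IPs / packets.
        dst_pct.append(100.0 * unique / len(in_slot) if in_slot else 0.0)
    starts = [b[0] for b in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "burst_rate_avg": sum(burst_counts) / w,              # moving average
        "burst_rate_entropy": shannon_entropy(burst_counts),  # low = repetitive
        "dst_unique_pct_avg": sum(dst_pct) / w,
        "inter_burst_mean": sum(gaps) / len(gaps) if gaps else 0.0,
        "mean_packet_size": sum(p[2] for p in packets) / len(packets) if packets else 0.0,
    }

def make_burst(start, dsts, size=1200, spacing=0.3):
    """Helper for the constructed traces: one packet per destination."""
    return [(start + i * spacing, d, size) for i, d in enumerate(dsts)]

# Constructed traces, 300 s each (documentation-range addresses).
NORMAL = (make_burst(5.0, ["198.51.100.1", "198.51.100.2", "198.51.100.3"])
          + make_burst(130.0, ["198.51.100.4", "198.51.100.5"])
          + make_burst(250.0, ["198.51.100.1", "198.51.100.6", "198.51.100.7"]))
# One 40-byte packet every 6 s to a single host: each packet is its own burst.
CHATTY = [(float(t), "203.0.113.9", 40) for t in range(0, 300, 6)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("chatty", CHATTY)):
        print(name, window_features(trace))
```

    The chatty trace carries far fewer bytes than the normal one, yet its burst rate is much higher, its burst-rate entropy is zero and its share of unique destinations is low, which is the pattern the features are meant to expose.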

    Detection results:

    The results indicate an accuracy between 88% and 98% with an average of 93% over the 50 test cases. This fluctuation can be attributed to the fact that our algorithm does not classify an attack as such until few time slots have passed (depending on the number of slots w within the window), and therefore misbehaving UEs with many silent periods will produce higher false positives; fortunately, these less aggressive UEs will generate lower signaling load. In other words, if many malicious UEs go silent after carrying out malicious operations, false alarms become likely.

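    Distribution-based anomaly detection via generalized likelihood ratio test: A general Maximum Entropy approach: the signaling-storm detection method it describes also examines the UE's signaling time series and computes entropy features to identify malicious UEs. It is similar to the article read earlier.

    Detecting MS Initiated Signaling DDoS Attacks in 3G/4G Wireless Networks: a supervised approach. Does it classify using data-plane packets? It seems so. The core sentence in the paper is: "examine IP packets to infer the presence of a malicious signaling attack application." That is, it inspects data packets to see whether this UE is sending network data to many other UEs (which may cause those UEs to be paged), which is why the paper uses things like destination-IP entropy features for detection. ("all IP packets generated by a MS (UE) to infer the presence of a signaling attack application.")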

    considered the detection of mobile-initiated signaling attacks via
    a supervised learning approach, which monitors transmissions that trigger a radio access
    bearer setup procedure, and extracts from the corresponding packets features relating to
    destination IP and port numbers, packet size and response-request ratio

    Excerpt from the abstract: propose
    a new detector that examines a subset of IP packets transmitted
    by a mobile station (MS) to determine its infection status. Service
    providers can install this detector anywhere in the data path, i.e.,
    MS, Base Station (BS), gateway, etc., to detect and quarantine
    infected terminals. The proposed algorithm was trained using one
    week of IP packet traces generated by 62 different smartphones.
    Results indicate that this method can detect most types of
    signaling attacks with more than 0.9 detection probability and
    less than 0.1 false alarm probability.

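    On sample collection in the paper: they collected IP packets from mobile UEs and then wrote their own malicious apps to force paging and cause a signaling storm. As the paper puts it: The attack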
    program sends small sized IP packets from the Internet host to
    a large number of MS, causing many of them to transition from
    STANDBY to READY mode. This can dramatically increase
    the core network signaling load resulting in network wide
    service degradation.

    The classifier was trained using one week long IP traffic
    traces collected from 62 different smartphones (23 Android,
    6 Nokia, 5 iPhone, 2 Windows Mobile, 5 Samsung Bada,
    1 Blackberry, 20 unidentified) that belong to undergraduate
    university students. These traces were used to form labeled
    training samples of normal MS. For malicious MS, since our
    search for an existing signaling attack application did not yield
    any results, we were compelled to generate our own attacks.
    We generated 7 different types of attacks to train and test our
    system and the results were very encouraging in most cases.
    The detector when trained using a particular type of attack
    was tested using both the same type of attack and a different
    type of attack for which it had no prior training.

    Features: basically the usual techniques of network traffic detection.

    The paper uses an SVM for classification.

    Attack methods:

    When in a state, the
    probability of staying in that state is 0.95 and the probability
    of transitioning to the other state is 0.05. As another example,
    attack 2 was a TCP SYN attack, where the TCP packets had
    fixed source and destination ports, the payload length was
    0, and inter-arrival times were random (from markov chain
    model). The destination IPs were randomly drawn from a set
    of ten responsive IPs (e.g., google.com). Attack 5 consisted of
    IP packets with destination UDP port 53 (DNS) sent to one
    of the commonly used DNS servers (e.g., google DNS).
    In another type of attack (A6), our malicious program
    established a TCP connection with a web server and retrieved
    the webpage using linux wget. The inter wget time was

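    Countering mobile signaling storms with counters: this is the state-transition model paper, done for 3G. It uses a threshold model.

    Mitigating signaling based attacks on smartphones: it directly modifies the lower layers of Android to mitigate signaling storms... unbelievable, completely impractical! From the paper: In this work, we propose a protection system that resides on the phone. Our solution partitions the phone's software stack into an application operating system and a communication partition. The application system is a standard, fully featured Android system. Communication with the cellular network, on the other hand, is mediated by a flexible monitoring and enforcement system running on the communication partition. We implemented and evaluated our protection system on real smartphones. Our evaluation shows that it can mitigate all currently known signaling-based attacks.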

     Security Attacks Against the Availability of LTE Mobility Networks: Overview and Research Directions

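    It discusses the causes of DDoS attacks (see the figure) and is fairly well written. In particular, it classifies and analyzes the causes of DDoS attacks:

    The recent trend of distributed denial-of-service (DDoS) attacks affecting the availability of communication systems illustrates the importance of strengthening the resilience of mobile networks against denial-of-service (DoS) and DDoS threats, so as to ensure the availability of LTE networks against security attacks. At the same time, the emergence of advanced persistent threats (APTs) has upset common assumptions about attackers and threats. When it comes to well-planned and well-funded cyber attacks, the scale of the threat is no longer the key factor. Instead, scenarios such as a local DoS attack against cell service around a large company's headquarters or a stock exchange become very important. Therefore, traditionally overlooked low-range threats, such as radio jamming, should not be deprioritized in security research.

    Supplementary note: radio jamming is a common threat to all kinds of wireless networks. Besides designing jamming mitigation and blocking techniques, it is important to make sure that the main control and broadcast channels of a mobile network are protected from radio jamming. This prevents smart jamming attacks, in which an attacker blocks access to an entire cell with a low-power, low-bandwidth signal. Initial proposals for security solutions to this problem are presented in [8].

    For example, with the current outbreak of mobile malware, the possibility of a botnet of infected phones attacking the cellular network is moving closer to reality. A milder real-world version of this has already been observed in the wild, where poorly programmed applications caused severe service degradation for a cellular carrier.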

    New research directions are proposed to tackle the major security concerns and architectural challenges of LTE, covering all the network layers. For example, the Physical Layer (PHY) should be revisited to address the growing threat of new sophisticated radio jamming attacks [8], [9]. Moreover, the mobility network architecture should be flattened and distributed to prevent large loads of signaling traffic in the LTE EPC as a result of common NAS (Non-Access Stratum) operations, such as idle-to-connected and connected-to-idle Radio Resource Control (RRC) state transitions. Such signaling overloads are known to be a potential way to attack a mobility network [10]. Note that this challenge becomes highly important with the expected rapid increase of the number of connected devices.

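    This mentions that transitions from the idle state to the connected state cause a large amount of signaling.

    Amplification attacks: meanwhile, some theoretical studies have pointed out the potential risk of amplification attacks against the EPC. Specifically, it is well known that a single simple event on the phone side (a state transition in the RRC state machine) requires a large number of messages to be exchanged among several EPC nodes. In theory, this could be turned into a DDoS attack [10], [19]. Parts of the network of a major US mobile operator became highly saturated because of an update to an instant messaging application installed on many smartphones, which checked in with its server very frequently [4]. This led to a large number of connect/disconnect events at the EPC's RRC engine and, as a result, a very large load on the EPC.

    The key part of reference [10] (On the Detection of Signaling DoS Attacks on 3G Wireless Networks): it really comes down to RRC connection setup and release!

    To do this, an attacker first sends a low-volume packet burst to a mobile device.
    If the mobile does not currently have a radio channel, the
    network allocates a new one to complete the data transfer.
    After an inactivity timeout, the radio channel is torn down to
    recycle it for use by others and to help save the mobile's
    energy, which would otherwise be wasted on keeping the channel up.
    Right after the channel is released, the attacker
    sends another low-volume packet burst to the mobile in order to
    trigger another radio channel setup. By doing this
    repeatedly at suitable intervals, a considerable number of
    signaling operations can be generated.

    The paper's example: something like WeChat's heartbeat mechanism.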

    Thus, the signaling attack can effectively evade
    detection by today’s intrusion detection/prevention systems,
    which are effective mostly against flooding-based DoS attacks.
    To understand the damage caused by the signaling attack,
    suppose that a 3G wireless network has inactivity timeout set
    to 5 s and that an attacker generates a 40-byte packet burst.
    By sending packet bursts periodically at a time slightly larger
    than 5 s, the attacker generates only 64bps attack traffic, which
    is invisible to volume-based detection systems. If the attacker
    is using a cable modem with 1Mbps uplink bandwidth, then
    it can simultaneously attack approximately 160K mobiles, a
    number potentially sufficient to bring down a wireless network
    infrastructure that serves a large metropolitan area

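    2) Signaling amplification attacks: a mobile network does not have enough radio resources to serve every customer at the same time. Typically, resources are deployed so as to sustain peak traffic times, and where a load peak is known a priori, extra capacity can be deployed temporarily [27].
    The scarcity of bandwidth calls for advanced techniques to reuse idle resources efficiently. When a connection has been idle for a few seconds, the network's RRC engine reallocates the radio resources from that user. When the inactivity timer expires, the radio bearer between the mobile device and the core network is closed, and those resources become available to be reassigned to another UE. At this stage the UE moves from the connected state to the idle state.
    Each instance of bearer teardown and setup involves a large number of control messages exchanged among nodes within the EPC. If not managed properly, this signaling load can lead to large-scale saturation of the network, which could be exploited in the context of a DDoS attack [10]. This effect has already been seen in ..: a badly designed instant messaging application that checked its server for new messages very often flooded parts of the cellular network of one of the major US providers [4].
    A botnet of infected mobile devices could be used to produce a signaling amplification attack by forcing each terminal to keep establishing and releasing IP connections with an external server [19]. A piece of malware could also trigger mobile phones to reboot at the same time, so that the EPC may be overloaded with registrations once they restart. Such saturation of the EPC could also happen legitimately, owing to the huge volume of traffic and the frequent reconnections of billions of M2M nodes [16].

    Detection method: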

    In the context of the signaling attack detection, for each
    remote host, the CUSUM test monitors a set of n inter-setup
    time samples {t1, t2, ··· , tn}...

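    Upon the arrival of a packet P (either inbound or outbound), the detection algorithm first determines the corresponding flow F, which identifies mobile M and remote host R

    This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE INFOCOM 2007 proceedings.

    It works by capturing (signaling) packets, which is not feasible in industrial deployments because of the huge performance cost.

    A non-parametric CUSUM
    test was proposed for detecting flooding-based DoS attacks based on periodic
    sampling. In this paper, we propose a different CUSUM-based
    method that is suited to detecting low-rate signaling
    attacks, and ensure that no attacker can intelligently evade
    our detection mechanism.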
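
    The per-flow inter-setup tracking and CUSUM test described above, as an added example (not code from the paper or from this page). It uses a generic one-sided CUSUM rather than the paper's exact statistic; the reference value, the alarm threshold, the host names and all packet events are assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict

class SignalingCusum:
    """Per-remote-host CUSUM over inter-setup times (generic one-sided form)."""

    def __init__(self, timeout=5.0, ref=8.0, threshold=20.0):
        self.timeout = timeout            # inactivity timeout (5 s in the quoted example)
        self.ref = ref                    # assumed reference value k, in seconds
        self.threshold = threshold        # assumed alarm threshold h
        self.last_activity = {}           # mobile M -> time of its last packet
        self.last_setup = {}              # flow (M, R) -> time of last setup R triggered
        self.score = defaultdict(float)   # remote R -> CUSUM statistic
        self.setups = Counter()           # remote R -> channel setups it triggered
        self.alarms = {}                  # remote R -> time of first alarm

    def on_packet(self, t, mobile, remote):
        """Process one packet (inbound or outbound); True if it forces a setup."""
        idle = t - self.last_activity.get(mobile, float("-inf"))
        self.last_activity[mobile] = t
        if idle <= self.timeout:
            return False                  # channel still allocated: no signaling cost
        self.setups[remote] += 1
        flow = (mobile, remote)
        prev = self.last_setup.get(flow)
        self.last_setup[flow] = t
        if prev is not None:
            sample = t - prev             # inter-setup time t_n for this flow
            # Short inter-setup times push the statistic up; long ones pull it to 0.
            s = max(0.0, self.score[remote] + self.ref - sample)
            self.score[remote] = s
            if s > self.threshold and remote not in self.alarms:
                self.alarms[remote] = t
        return True

def run(events, **params):
    """Feed (time_s, mobile, remote) events to a detector in time order."""
    det = SignalingCusum(**params)
    for t, mobile, remote in sorted(events):
        det.on_packet(t, mobile, remote)
    return det

# Constructed packet events: (time_s, mobile, remote_host).
LOW_RATE_SRC = "203.0.113.50"   # one small packet to three mobiles every 5.5 s
MESSAGING = "198.51.100.7"      # benign: irregular and widely spaced
STREAM = "198.51.100.8"         # benign: high volume, one packet per second
EVENTS = (
    [(i * 5.5 + off, m, LOW_RATE_SRC) for i in range(10)
     for m, off in (("ue1", 0.0), ("ue2", 0.25), ("ue3", 0.5))]
    + [(t, "ue4", MESSAGING) for t in (0.0, 40.0, 130.0, 190.0, 300.0)]
    + [(float(t), "ue5", STREAM) for t in range(61)]
)

if __name__ == "__main__":
    d = run(EVENTS)
    print("setups:", dict(d.setups))
    print("alarms:", d.alarms)
```

    The streaming host sends the most packets but causes a single channel setup, while the low-rate source is flagged after a few rounds: the statistic tracks signaling cost, not traffic volume.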

    The paper also mentions related work on DoS attacks (TODO: still to read):

    Other forms of DoS attacks
    that specifically target wireless networks include packet-forwarding
    disruption [3], [10], base-station impersonation
    [19], control-channel congestion via a sufficient number of
    SMS messages [7], and depletion of mobile batteries [21]. In
    particular, the DoS attack in [7] saturates the control channels
    for SMS communication, while that in [21] keeps a mobile in
    a high-battery-consumption state. Both of the attacks, similar
    to ours, can be achieved with low-volume attack traffic. On
    the other hand, the signaling attack considered in this paper
    exploits the heavy signaling overhead in 3G wireless networks.
    Statistical online detection schemes have been studied by
    [14], [27] for countering DoS attacks. Specifically, [14] focuses
    on detecting malicious connection attempts based on
    Wald’s test [26]. However, this detection scheme requires a
    priori probability distributions for the benign and malicious
    behaviors. In contrast, [27] propose a non-parametric CUSUM
    test to detect flooding-based DoS attacks based on periodic
    sampling. In this paper, we propose a different CUSUM-based
    method that is suitable for detecting the low-rate signaling
    attack and ensure that no attacker can intelligently escape from
    our detection mechanism.

    Detection of malicious base station attacks through the carrier analysis: fake base stations, downgrade attacks

     Abstract:
    In 2G and 3G mobile standards there are vulnerabilities caused by the use of false Base Station (BS). In 3G security architecture offers protection against BS attacks, however when the User Equipment (UE) is configured in automatic GSM/3G mode this UE can accept connections coming from GSM/GPRS BSs that are configured as an attacker finally establishing a connection with such malicious BTS located within the UE's coverage area. Even without the use of a frequency jammer, potential attack danger exists because the connection between an UE and the fake BTS can be achieved if the BS is transmitting with more power than the real base station, and the UE enters in the handover process imposed by the 2G standard.
     
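    Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems: note that this is 4G; see the comments section. Not much value, especially from the point of view of detection on the radio base-station side and in the core network.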
    https://arxiv.org/pdf/1510.07563.pdf
    We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Using commercial LTE mobile devices in real LTE networks, we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three different ways of making an LTE device leak its location: In our experiments, a semi-passive attacker can locate an LTE device within a 2 km² area in a city whereas an active attacker can precisely locate an LTE device using GPS co-ordinates or trilateration via cell-tower signal strength information. Our second class of attacks can persistently deny some or all services to a target LTE device. To the best of our knowledge, our work constitutes the first publicly reported practical attacks against LTE access network protocols. The practical attack types include:
    LOCATION LEAK ATTACKS OVER AIR INTERFACE
    DOS ATTACKS ON LTE AIR INTERFACE
     
    A SURVEY ON THREATS, VULNERABILITIES AND SECURITY SOLUTIONS FOR CELLULAR NETWORK

    Cellular networks generations have suffered many threats such as eavesdropping and phone cloning, impersonation of a user, Man
    in the middle, compromising authentication vectors in the network, spoofing, camping on a false
    BTS, Denial of Service (DoS), passive identity caching, encryption suppression, suppressing
    encryption between the target user and the intruder, eavesdropping on user data by suppressing
    encryption, hijacking outgoing calls in networks with encryption disabled.
    UMTS systems suffer from Eavesdropping signaling or control data, Masquerading as a user,
    Masquerading as a serving network, jamming the user’s traffic and Denial of Service (DoS).
    The common attacks in LTE are Distributed Denial of Service (DDoS) and Denial of Service (DoS)
    attacks. Other threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
    interception and cryptanalysis of IP traffic.
    2. SECURITY AND PRIVACY SERVICES
    The most critical issue in cellular network is personal privacy requirements which would involve
    security and privacy services. Due to the increasing number of m-business, security services will get
    more critical in the future cellular system. Such services include entity authentication of the
    principal entities, data confidentiality, data integrity, message origin and destination authentication,
    anonymity, location confidentiality and identity confidentiality, untraceability, transaction
    confidentiality and privacy.
    Principal entities have identity structures to be authenticated. The main entities may have multiple
    identities. Some of these identities may be public while others may be unknown. The identities may
    be long lived or they may be short lived.
    Data confidentiality protects the data against eavesdrop attack. Data integrity protects the data
    against unlawful modification. Message origin and destination authentication provide corroboration
    of the transmitter/receiver identities or more the associated routing addresses. These services are
    provided by symmetric and asymmetric cryptographic methods.
    The subscriber may not want to publish his/her identity. The subscriber identity that it may be the
    system identity and international mobile subscriber identity (IMSI) is known for both the home
    operator and the serving network. So it should be protected against eavesdropping on the radio
    interface by any third party. The home operator is required to know the legal identity of the
    subscriber.
    Location confidentiality and identity confidentiality are provided by the existing systems but no
    authoritative solution is yet provided for the current 2G/3G/4G systems. The issue is tied to identity
    management to solve the problem of the mobile cellular and network identity management with
    authentication at the link layer level.
    The intruder may not able to derive the name or network address of the subscriber, but could
    successfully trace the subscriber based on radio transmission properties. This arises the concepts of
    untraceability and transaction confidentiality privacy.
    3. THREATS/ INTRUDERS
    Two main motivations for attackers are theft of service and interception of data. Theft of service
    comes in many forms, but the most technically interesting is the cloning of a phone. When
    “cloning” a phone, attackers steal the identifying information from a legitimate phonetic and load it
    to another phone.
    Data interception of mobile phone networks is a similar threat to other wireless networks. Using
    relatively unsophisticated tools can listen to the transmissions of the phone and the base station in
    an effort to eavesdrop on the voice and data transmissions occurring. The largest defense to this
    type of attack is encryption of the data in the air.
    An intruder may be attempted to eavesdrop on user traffic, signaling data and control data, or
    disappear in many forms such as a legitimate party in the use and saving or management of cellular
    network services.
    The role of the intruders attempts to violate the confidentiality, integrity, availability of Cellular
    network, their services or fraud users, home environments or serving networks or any other party.

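    It touches on a few key points:

    Cellular network generations (1G, 2G, 3G, ...)
    have suffered many threats, such as eavesdropping and phone cloning, impersonation of a user,
    man-in-the-middle, compromised authentication vectors in the network, spoofing, camping on a false
    BTS, denial of service (DoS), passive identity caching, encryption suppression, suppressing
    encryption between the target user and the intruder, eavesdropping on user data by suppressing
    encryption, and hijacking outgoing calls in networks with encryption disabled.
    UMTS systems suffer from eavesdropping on signaling or control data, masquerading as a user,
    masquerading as a serving network, jamming the user's traffic, and denial of service (DoS).
    The common attacks in LTE are distributed denial-of-service (DDoS) and denial-of-service (DoS)
    attacks. Other threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and
    interception and cryptanalysis of IP traffic.

    The most critical issue in cellular networks is personal privacy requirements, which involve
    security and privacy services. With the growing amount of m-business, security services will become
    more critical in future cellular systems. These services include entity authentication of the
    principal entities, data confidentiality, data integrity, message origin and destination authentication,
    anonymity, location confidentiality and identity confidentiality, untraceability, transaction
    confidentiality and privacy.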

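    On threats to 3G, it says:

    Threats to security can be classified into several categories. The following
    describes this classification.
    Unauthorized access to sensitive data:
    Eavesdropping: an intruder intercepts messages without detection. Masquerading: an intruder
    deceives an authorized user into believing that they are the legitimate system, in order to obtain confidential
    information from the user. Traffic analysis: an intruder observes the time, rate, length, source and
    destination of messages to determine a user's location. Browsing: an intruder searches data storage
    for sensitive information. Leakage: an intruder obtains sensitive information by exploiting
    processes with legitimate access to the data. Inference: an intruder observes a reaction from the
    system by sending it a query or signal.
    Unauthorized manipulation of sensitive data: an intruder may modify, insert, replay or delete
    messages.
    Disturbing or misusing network services includes the following threats. Intervention: an intruder may
    prevent an authorized user from using a service by jamming the user's traffic, signaling or control
    data. Resource exhaustion: an intruder may prevent authorized users from using a service by
    overloading it. Misuse of privileges: a user or serving network exploits its privileges to obtain
    unauthorized services or information. Abuse of services: an intruder
    may abuse some special service to gain an advantage or to disrupt the network.
    Repudiation: a user or a network denies actions that have taken place.
    Unauthorized access to services: an intruder can obtain access to services by
    masquerading as a user or network entity, and a user or network entity may gain unauthorized
    access to services by misusing its access rights.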

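    Threats on the air-interface side include:

    The radio interface is subject to various attacks, for example:
    Eavesdropping on user traffic: an intruder eavesdrops on user traffic.
    Eavesdropping on signaling or control data: an intruder eavesdrops on signaling data or control data
    in order to access security management data or other information that can be used in active
    attacks on the system.
    Masquerading as a communications participant: an intruder masquerades as a network element
    to intercept user traffic, signaling data or control data.
    Passive traffic analysis: an intruder observes the time, rate, length, source or destination of
    messages to obtain access to information.
    There are several types of denial-of-service (DoS) attack, for example:
    · Physical intervention: an intruder may prevent user traffic, signaling data and control data
    from being transmitted on the radio interface by physical means.
    · Protocol intervention: an intruder may prevent user traffic, signaling data or control data
    from being transmitted on the radio interface by inducing specific protocol failures.
    · Denial of service by masquerading as a communications participant: an intruder may
    deny service to a legitimate user by preventing user traffic, signaling data or control data
    from being transmitted on the radio interface by masquerading as a network element.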

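    Security issues in 4G: the core issue is still DoS attacks

    4G system (LTE) security
    Modern LTE cellular networks provide advanced services to billions of users, beyond
    traditional voice and short-message traffic. The upcoming attacks on LTE are distributed
    denial-of-service (DDoS) attacks. The availability of communication systems explains the importance
    of enhancing the resilience of mobile networks against denial-of-service (DoS) and DDoS threats,
    to ensure LTE network availability against security attacks.
    Examples of threats include spam over VoIP, spoofing and misdirection, SIP registration hijacking, and
    interception and cryptanalysis of IP traffic.

    One figure in the paper illustrates this well: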

    3G WCDMA Mobile Network DoS Attack and Detection Technology

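    It covers data-plane DoS storms and signaling-plane DoS attacks.

    On the GTP protocol: I looked it up. GTP is carried over TCP or UDP and is divided into a signaling plane and a transmission plane. The signaling plane defines many kinds of messages covering many important aspects of GPRS, while the transmission plane provides tunnels for transporting packets between GSNs.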

  • Original article: https://www.cnblogs.com/bonelee/p/10075983.html