  • Root-cause analysis of the signaling storm problem

    The paper A SURVEY ON THREATS, VULNERABILITIES AND SECURITY
    SOLUTIONS FOR CELLULAR NETWORK says:

    4G System (LTE) Security
    Modern LTE cellular networks provide advanced services for billions of users, which exceed
    traditional voice and short messaging traffic. The coming attack in LTE is Distributed Denial of
    Service (DDoS) attacks. The availability of communication systems explains the importance of
    strengthening the flexibility of mobility networks against Denial of Service (DoS) and DDoS threats
    to ensure the LTE network availability against security attacks.
    Examples of threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking and
    interception and cryptanalysis of IP traffic.

    There are interfaces in the LTE system which are exposed to different attacks, such as the radio access
    network, the core evolved packet system (EPC) and the packet data network (PDN). DoS and DDoS
    attacks in LTE mobility networks can be classified based on the traffic load maliciously generated
    into one single attacker or low traffic volume (DoS) and a large set of multiple simultaneous
    attackers or high traffic volume (DDoS).
    Denial of Service attacks (DoS)
    Radio jamming is the intended transmission of radio signals which disrupt communications by
    decreasing the signal to noise ratio. The way of blocking an attack is to locate and stop the jamming
    device, where the large amount of power required reduces the effectiveness of the attack. (Radio jamming devices!!! are one of the sources of malicious DoS attacks.)

    Smart jamming consists of attacks that aim to locally disrupt the communications of an LTE
    network without sending alerts. It can be implemented by saturating one or more of the important
    control channels which are required by all mobile devices to access the spectrum (the attack only needs to hit a few key control channels). Saturation of these
    channels renders the network unresponsive. In addition, this attack requires low transmitted power
    and requires no authentication, detection and reduction. This type of attack can be started against
    essential control channels in both the downlink and the uplink. This attack concentrates on the much
    narrower control channels instead of saturating the entire channel and so it consumes less power.
    Classic computer vulnerabilities: cellular equipment and the software running on mobile
    networks are the same as any other computer system, so they can be affected by the same
    vulnerabilities. [21]
    Distributed Denial of Service attacks (DDoS)
    Botnet of mobile devices (of course, botnet devices are also one possible cause of DoS): a smartphone botnet presents a new and very powerful attack vector
    against mobility networks. So, a new set of DDoS attacks is affected when large volumes of traffic
    and signaling messages can be generated from within the network.
    Signaling amplification attacks: A botnet of infected mobile devices can be used to generate a
    signaling amplification attack by forcing each terminal to continually establish and release IP
    connections to an external server. Such saturation of the EPC could occur legitimately due to the
    large amount of traffic.
    HSS saturation: The HSS is a key node of the EPC which stores information (attacking the HSS node) for every subscriber in
    the network. The stored parameters per user are the phone number, international mobile subscriber
    identity (IMSI), billing and account information, cryptographic primitives, keys which perform
    authentication of subscribers and the last known location of the user. A DDoS attack against this
    node could prevent the network from being operated.
    DDoS against external nodes/networks: The attacks are generated from a number of servers which
    are remotely controlled by an attacker and have been able to inject large traffic loads into the
    network. The high volume of traffic aimed at a specific target during a DDoS attack which could
    generate at a botnet of mobile phones, so it could impact the performance of the mobile network.
    [21]

    The paper 3G WCDMA Mobile Network DoS Attack and Detection Technology

    describes using GTP Echo messages to launch a DoS attack:

    also released a DoS attack on the 3G
    mobile network, using the GTP Echo scan message [9][10].

    Of course, other signaling messages can be sent as well.

    A. GTP-in-GTP based DoS Attack (the first method uses GTP messages; signaling??? probably not)

    If the GTP-C message for 3G WCDMA mobile network
    control, such as IP address allocation for the 3G mobile
    network, sends the GGSN’s IP address to the destination via the
    terminal, the IP address resource can be allocated abnormally.
    This type of GTP-in-GTP packet processing vulnerability can
    be exploited in most GGSNs installed in the domestic
    commercial service environment, and the P-GATEWAY
    equipment in the 4G LTE network that performs a similar
    function to the 3G network’s GGSN as well.
    If the terminal creates many “GTP-C Create PDP Context”
    messages and sends them to the GGSN’s IP address, the TEID
    and IP address of the GGSN are allocated abnormally.
    Likewise, a DoS attack can be launched against normal users
    that use the 3G mobile Internet service, if the TEID and IP
    address of the GGSN are exhausted by exploiting the GGSN’s
    GTP-in-GTP packet processing vulnerability. 


    Looking at the figure in the original paper shows that this is indeed feasible.
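    As an added example (not code from either paper or from the original post): a Python check of the kind a GGSN-side filter or IDS could apply to GTP-U traffic arriving from the RAN, flagging user-plane packets whose inner IP payload is itself a GTP message addressed to the GGSN. The port numbers and message types are those of GTPv1 (3GPP TS 29.060); the GGSN address, the sample packets and the verdict strings are constructed assumptions for this example, and IP/UDP checksums are left at zero because the check does not validate them.

```python
import struct
import ipaddress

# GTPv1 ports and message types (3GPP TS 29.060).
GTP_C_PORT = 2123
GTP_U_PORT = 2152
GTP_MSG_ECHO_REQUEST = 1
GTP_MSG_CREATE_PDP_CONTEXT_REQ = 16
GTP_MSG_G_PDU = 255
IP_PROTO_UDP = 17

# Assumed GGSN/P-GW address for this example; an operator would load the
# real core-node address list here.
GGSN_ADDRS = {"10.0.0.1"}


def build_gtp(msg_type, teid, payload=b""):
    """Minimal GTPv1 header: version 1, PT=1, no E/S/PN optional fields."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


def build_ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP datagram with zeroed checksums (sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def inspect_gtpu_pdu(pdu, ggsn_addrs=GGSN_ADDRS):
    """Classify one GTP-U datagram received on port 2152 from the RAN side.

    Returns (verdict, inner_gtp_message_type) where verdict is one of
    'malformed', 'not-gpdu', 'benign' or 'gtp-in-gtp'.
    """
    if len(pdu) < 8:
        return ("malformed", None)
    flags, msg_type, length, _teid = struct.unpack("!BBHI", pdu[:8])
    if (flags >> 5) != 1:                 # only GTPv1 handled here
        return ("malformed", None)
    if msg_type != GTP_MSG_G_PDU:         # echo, error indication, ... on GTP-U
        return ("not-gpdu", None)
    hdr_len = 12 if flags & 0x07 else 8   # E/S/PN flags add 4 header bytes
    inner = pdu[hdr_len:8 + length]       # the subscriber's IP packet
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        return ("benign", None)           # non-IPv4 user traffic: out of scope
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IP_PROTO_UDP or len(inner) < ihl + 8:
        return ("benign", None)
    dst_ip = str(ipaddress.IPv4Address(inner[16:20]))
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", inner[ihl:ihl + 8])
    # Subscriber user-plane traffic has no legitimate reason to carry GTP
    # toward a core node: that is the GTP-in-GTP pattern the paper describes.
    if dport not in (GTP_C_PORT, GTP_U_PORT) or dst_ip not in ggsn_addrs:
        return ("benign", None)
    inner_gtp = inner[ihl + 8:]
    inner_type = inner_gtp[1] if len(inner_gtp) >= 2 else None
    return ("gtp-in-gtp", inner_type)


# Constructed samples: ordinary DNS traffic from a subscriber, and a
# Create PDP Context Request tunnelled inside GTP-U toward the GGSN.
BENIGN_PDU = build_gtp(GTP_MSG_G_PDU, 0x1234,
                       build_ipv4_udp("10.45.0.7", "198.51.100.10", 40000, 53, b"\x00" * 12))
NESTED_PDU = build_gtp(GTP_MSG_G_PDU, 0x1234,
                       build_ipv4_udp("10.45.0.7", "10.0.0.1", 40001, GTP_C_PORT,
                                      build_gtp(GTP_MSG_CREATE_PDP_CONTEXT_REQ, 0)))

if __name__ == "__main__":
    for name, pdu in (("benign", BENIGN_PDU), ("nested", NESTED_PDU)):
        print(name, inspect_gtpu_pdu(pdu))
```

    The check is deliberately narrow: it only looks at the inner destination address and UDP port, which is enough to drop the packets the paper describes before they reach the GGSN's GTP-C processing. Anything the filter cannot parse is passed through as "benign" so that a malformed inner packet does not itself become a way to make the filter drop subscriber traffic.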

    B. Signaling DoS Attack
    The 3G mobile network releases the allocated wireless
    resource, if the mobile terminal doesn’t transmit the data for a
    certain period of time, in order to use the limited wireless
    resource efficiently. By taking advantage of this architecture, a
    DoS attack that causes RNC and SGSN overload using multiple
    signaling messages can be launched.
    The signal message can be created by maliciously and
    abnormally repeating wireless resource re-allocation right after
    resource release [5].

    What is described here should be the signaling storm caused by RRC state transitions.

    As shown in Fig.3, if the active terminal doesn’t establish the
    data communication for a certain period of time, a wireless
    resource release request message will be sent to the SGSN to
    switch to the dormant mode. In addition, if the terminal in a
    dormant mode transmits the data, the terminal can be switched
    to an active mode again by sending a wireless resource
    allocation message to the SGSN. Using this mode switching
    method, the 3G mobile network manages the limited wireless
    resource efficiently. When the wireless resource is maliciously
    and abnormally allocated/released, small traffic is sent at a
    particular interval to switch the dormant mode of the terminal
    to the active mode, and many signaling messages are created,
    which results in a DoS attack by causing overload on the RNC
    and SGSN.

    This is the signaling storm caused by 3G state switching: the terminal keeps toggling states without really transmitting data.
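    As an added example (not from the paper or the original post): a small detector for the dormant/active switching pattern described above, run over a constructed RNC/SGSN event log. The log format (one line per radio-resource assignment or release, with the user-plane bytes carried while active), the IMSIs and the thresholds are all assumptions for this example; the idea it implements is the one in the text, namely that a terminal which re-activates many times per minute while moving almost no data is generating signaling, not traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format, e.g.
#   2018-08-23T10:00:00Z imsi=460001111111111 event=RAB_ASSIGN bytes=0
LINE_RE = re.compile(r"^(\S+) imsi=(\d+) event=(\w+) bytes=(\d+)$")


def make_sample_log():
    """Constructed sample: terminal A shows the storm pattern, terminal B is normal."""
    base = datetime(2018, 8, 23, 10, 0, 0)
    lines = []
    # Terminal A: 20 dormant->active switches in one minute, ~40 bytes each.
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} imsi=460001111111111 event=RAB_ASSIGN bytes=0")
        t2 = t + timedelta(seconds=1)
        lines.append(f"{t2:%Y-%m-%dT%H:%M:%SZ} imsi=460001111111111 event=RAB_RELEASE bytes=40")
    # Terminal B: two activations in the same minute, each moving ~50 kB.
    for i in range(2):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} imsi=460002222222222 event=RAB_ASSIGN bytes=0")
        t2 = t + timedelta(seconds=20)
        lines.append(f"{t2:%Y-%m-%dT%H:%M:%SZ} imsi=460002222222222 event=RAB_RELEASE bytes=50000")
    return sorted(lines)


def parse_line(line):
    """Return (timestamp, imsi, event, bytes) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))


def find_signaling_storms(lines, window=timedelta(seconds=60),
                          max_activations=10, min_avg_bytes=1024):
    """Flag terminals whose activation rate in any sliding window exceeds
    max_activations while the average payload per active period stays
    below min_avg_bytes. Returns {imsi: (peak_activations, avg_bytes)}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines we cannot parse
        ts, imsi, event, nbytes = rec
        events[imsi].append((ts, event, nbytes))

    suspects = {}
    for imsi, evs in events.items():
        evs.sort()
        assigns = [ts for ts, ev, _ in evs if ev == "RAB_ASSIGN"]
        released = [b for _, ev, b in evs if ev == "RAB_RELEASE"]
        # Sliding window over activation timestamps: peak count in any window.
        peak, j = 0, 0
        for i, ts in enumerate(assigns):
            while assigns[j] < ts - window:
                j += 1
            peak = max(peak, i - j + 1)
        avg_bytes = sum(released) / len(released) if released else 0.0
        if peak > max_activations and avg_bytes < min_avg_bytes:
            suspects[imsi] = (peak, avg_bytes)
    return suspects


if __name__ == "__main__":
    for imsi, (peak, avg) in find_signaling_storms(make_sample_log()).items():
        print(f"{imsi}: {peak} activations/min, {avg:.0f} bytes per activation")
```

    Both conditions are needed: a high activation count alone also matches a legitimately chatty application (keep-alives, push notifications), and a low byte count alone matches an idle phone. The bytes-per-activation average is taken over the whole log here; a production detector would compute it per window and tune the thresholds to the operator's inactivity timer.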

  • Original post: https://www.cnblogs.com/bonelee/p/9528881.html