2013 27th International Conference on Advanced Information Networking and Applications Workshops
978-0-7695-4952-1/13 $26.00 2013 IEEE, DOI 10.1109/WAINA.2013.136

Effects of Signaling Attacks on LTE Networks

Ramzi Bassil, Imad H. Elhajj, Ali Chehab, Ayman Kayssi
Department of Electrical and Computer Engineering
American University of Beirut
Beirut 1107 2020, Lebanon
{rtb01, ie05, chehab, ayman}@aub.edu.lb

Abstract: Attacks on the signaling plane have been well documented for different generations of cellular networks. The effects of these attacks range from a decrease in the quality of service (QoS) all the way to a denial of service (DoS). Long Term Evolution (LTE) is the next-generation cellular network; it is designed primarily around the IP protocol and is expected to achieve wide-scale adoption worldwide. LTE employs a different network architecture than its predecessors, which should allow more efficient processing of signaling and data packets. In this paper, we investigate the effects of signaling attacks against LTE networks. An attack consists of malicious users who take advantage of the signaling overhead required to set up and release dedicated bearers in order to overload the signaling plane by repeatedly triggering dedicated bearer requests. The attack is simulated in OPNET under diverse scenarios in order to assess the effects of the increased signaling on the different LTE network entities. The results show that the increased signaling traffic causes higher processing loads at the Enhanced Node-B (eNB) as well as at the Evolved Packet Core (EPC). We also present a comparison of the signaling requirements in LTE and UMTS.

Keywords: LTE, LTE security, signaling attacks, bearer.

I. INTRODUCTION

As the borderline between cellular networks and the Internet becomes more blurred, the seamless integration and convergence of these two technologies is imminent. With the advent of smart phones and their market proliferation, phones are no longer limited to voice communication but are used as a platform to perform virtually any computing task their users require. Supporting these advanced features can become a daunting task for telecom operators, as they are required to provide a new set of supplementary services that will surely create an additional burden on their resources and infrastructure. The additional burden is mainly due to the drastic increase of data and signaling traffic needed to accommodate the services offered by various applications. Signaling traffic includes all the control and setup messages generated by the mobile phone and the cellular network prior to the initiation of a data session. The explosion of traffic has become a major concern for telecom operators, and hence coming up with solutions to resolve possible stresses and failures is of paramount importance.

Since the dominant next-generation network will be LTE, this paper studies the different signaling interactions that take place between the user equipment (UE) and the network infrastructure and identifies the UE dedicated bearer request procedure as the most signaling-heavy interaction that can be amplified and exploited by malicious users. A signaling attack would thus consist of malicious users issuing a large number of dedicated bearer requests simultaneously, forcing the network entities through the signaling procedure that sets up dedicated bearers. After obtaining the dedicated bearers, the malicious UEs would not use them, or would use them very scarcely; the inactive bearer timeout then expires and the bearer is deactivated, forcing the network entities through the signaling procedure that tears the dedicated bearers down. The malicious UEs then repeat the same procedure over and over again to amplify the attack. We study the effects of such an attack by simulating multiple scenarios and analyzing their effects on different network metrics.

The rest of the paper is organized as follows. Section II presents a literature review of signaling-based attacks against cellular networks. Section III describes the parameters related to the LTE signaling attack. In Section IV, the described attack is implemented in OPNET under different scenarios and the results are analyzed. Section V presents an analysis of LTE and a comparison with UMTS network signaling requirements. Conclusions are presented in Section VI.

II. SURVEY OF SIGNALING ATTACKS

In this section a literature review of signaling attacks against the different cellular network generations is presented.

A. GSM/GPRS Signaling Attacks

In [1], Traynor et al. describe an attack on GSM networks. The authors explore the possibility of a cellular botnet and its devastating effects on the network core. The attack is mounted on the HLR, which has a crucial role in providing the services required for normal network operation. The authors examine the different types of interactions that users have with the HLR database and deduce that call-forwarding requests are the most costly requests on this database, as they require the highest number of signaling messages to be exchanged. So, if an attacker is able to form a botnet of 2% of the mobile phones served by a certain HLR, he would be able to flood the HLR with call-forwarding requests and thus achieve excessive service degradation in the network, which might lead to a network-wide DoS.

In [2], Traynor et al. identify vulnerabilities that expose weaknesses in the access control, resource management and QoS mechanisms of mobile phone operating systems. For
example, a vulnerability in Bluetooth technology allows attackers to issue AT (Attention) commands to nearby phones, causing them to initiate phone calls or send text messages without the knowledge of the phone's owner. The network impact of the above attack is that it may be used to block GSM control channels.

In [3], Traynor shifts attention to vulnerabilities in GPRS networks. Devices operating in GPRS networks have three states: IDLE, STANDBY, and READY. Upon establishing a connection, the device enters the READY state and a 5-bit temporary flow identifier (TFI) is used as a unique MAC address. Because connection setup is an expensive operation that requires an extensive signaling exchange, devices remain in the READY state expecting the arrival of more packets. Thus, if an attacker initiates 32 messages to the same sector, the TFI space will be saturated, preventing legitimate users from receiving traffic.

B. SMS-based Attacks

Traynor et al. address the feasibility of targeted text messaging attacks in [4]. The authors indicate that an SMS-based DoS attack may disable voice communications in a metropolitan area. Since sending an SMS is quite demanding on network resources, an increase in SMS traffic might occupy all the standalone dedicated control channels (SDCCHs), which would prevent legitimate users from making voice calls and sending text messages. To overcome this issue, the authors propose a differentiated service whereby voice calls have a higher priority than SMS.

In [5], Mulliner and Miller explore techniques that allow SMS injection. The authors state that from a security standpoint, SMS is the worst possible attack vector, since it is always on as long as the phone is connected to the network. On an iPhone, an attack was able to crash SpringBoard, interrupting any running application and then locking the phone. Another SMS attack crashed the CommCenter process, making the phone lose all network connectivity. These two attacks cause a serious DoS whereby the user is no longer able to use their iPhone. A similar analysis showed that an identical attack on Android phones is feasible, whereby the device was disconnected from the network without the user's knowledge.

C. 3G Signaling Attacks

In [6], the authors present a signaling-oriented DoS attack that makes use of the large number of signaling messages required to set up and terminate sessions in UMTS and CDMA2000 networks. According to the authors, 15 signaling messages are required for session setup and an additional 12 messages are required to release the resources, which makes low-rate, low-volume DoS attacks feasible by repeatedly initiating bogus setup requests at specifically timed periods.

In [7], the authors investigated the weaknesses and causes of attacks in current 3G networks, so that the design and standardization of 4G networks can be made more robust. In 3G networks, attacks can be based on dedicated channel assignment: there are two channels over which data packets can be forwarded, the Forward Access Channel (FACH), a shared channel used when the packet arrival rate is below a certain threshold, and the Dedicated Channel (DCH), which is given exclusively to an MS when the packet arrival rate becomes high enough and is released after a certain timeout period. The attacker in this scenario would try to maximize the transition frequency between FACH and DCH, as this involves considerable signaling, or to prevent a DCH from being released, thus maliciously overloading the DCHs.

The work in [8] presents signaling DoS attacks in the UMTS network. According to the authors, UMTS is susceptible to security threats and attacks due to the use of some lightweight security techniques and the fact that it is designed to maintain backward compatibility with GSM. The DoS attacks occur when an attacker modifies some of the unprotected initial control messages to manipulate specific procedures or make them repeat, leading to a decrease in QoS all the way to a massive DoS.

III. LTE SIGNALING ATTACK

An LTE bearer is responsible for carrying information in the network, and there are three kinds of bearers: radio bearers, S1 bearers, and EPS bearers [9]. The radio bearer spans the air interface between the UE and the Enhanced NodeB (eNB), the S1 bearer spans the S1-U interface between the eNB and the Serving Gateway (SGW), and the EPS bearer runs end to end between the UE and the Packet Data Network Gateway (PDN GW); the control-plane signaling that establishes these bearers goes through the Mobility Management Entity (MME). Each radio bearer is mapped one-to-one onto an S1 bearer, and the two together realize one EPS bearer. An important feature of bearers is that payloads can be differentiated according to the type of traffic they carry, through the traffic flow template (TFT). According to the user's contract with the operator and the type of data being sent, a certain TFT is assigned, and this data is mapped to a certain bearer.

Upon initial attachment to the network, each UE is assigned a default bearer that remains established for the lifetime of its PDN connection. When the UE sends or receives traffic, a dedicated bearer is assigned according to the type of traffic requested. A dedicated bearer can be either a guaranteed bit rate (GBR) bearer, if dedicated network resources are reserved for it, or a non-GBR bearer, if it is provided as a best-effort service.

In order to set up a dedicated bearer, signaling messages are exchanged among the different LTE network entities, namely the UE, eNB, MME, SGW, and PDN GW. Twelve messages are required for the activation procedure, six of which are processed by the eNB. Furthermore, deactivating this bearer requires a similar signaling exchange, also of 12 messages. Such signaling exchange imposes significant overhead, and it can be amplified because a UE can establish up to eight data bearers. Thus, a well-timed attack by a group of malicious users may cause a substantial strain on network resources. The attack would consist of a large number of dedicated bearer requests that are initiated simultaneously, forcing setup and then teardown repeatedly.

The downlink physical channel over which the signaling for bearers takes place is the Physical Downlink Shared Channel (PDSCH), while in the uplink it is the Physical Uplink Shared Channel (PUSCH). Thus, to monitor the effects of this attack,
we observe the CPU percentage utilization of eNBs and EPCs,
the percentage utilization of the Physical Downlink Control
Channel (PDCCH), PDSCH, PUSCH, and the traffic on the
different bearers.
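The cycling pattern described in this section (activate a dedicated bearer, use it briefly, let the inactivity timer release it, re-request it at once) is visible to the network as bearer churn per UE. The following is an added example, not code from the paper or from any vendor: a small Python detector that scans constructed bearer-event records and flags UEs whose dedicated bearers are set up far more often than normal while carrying little payload, using the per-procedure message counts given above to estimate the signaling each UE has induced. The `t ue event ebi [bytes]` line format, the thresholds, the UE identifiers and the sample events are all assumptions made for this example.

```python
"""Added example (not code from the paper): flag UEs that show the
bearer-cycling pattern of Section III, i.e. dedicated bearers that are
activated, barely used, released by the inactivity timeout and then
immediately re-requested.

The event format below is constructed for this example and is not a 3GPP
or vendor log format.  One record per line:
    <t_sec> <ue_id> ACT   <ebi>            dedicated bearer activated
    <t_sec> <ue_id> DEACT <ebi> <bytes>    bearer released; payload it carried
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Per-procedure message counts as stated in Section III of the paper.
MSGS_PER_PROCEDURE = 12       # activation or deactivation, all entities
ENB_MSGS_PER_PROCEDURE = 6    # the share processed by the eNB

# Detection thresholds: assumptions for this example, not values from the paper.
WINDOW_SEC = 120.0
MIN_ACTIVATIONS_PER_WINDOW = 6      # a legitimate UE sets a bearer up once per session
MAX_MEAN_BYTES_PER_BEARER = 50_000  # below this a bearer was "used very scarcely"


@dataclass
class UeStats:
    activations: int = 0
    deactivations: int = 0
    bytes_per_bearer: List[int] = field(default_factory=list)

    @property
    def signaling_msgs(self) -> int:
        """Signaling the UE induced across all entities (12 per procedure)."""
        return (self.activations + self.deactivations) * MSGS_PER_PROCEDURE

    @property
    def enb_msgs(self) -> int:
        return (self.activations + self.deactivations) * ENB_MSGS_PER_PROCEDURE

    @property
    def mean_bytes(self) -> float:
        """Mean payload per released bearer; inf if nothing was released yet."""
        if not self.bytes_per_bearer:
            return float("inf")
        return sum(self.bytes_per_bearer) / len(self.bytes_per_bearer)


def parse_line(line: str):
    """Return (t, ue, event, ebi, nbytes) or None for blank/comment lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    nbytes = int(parts[4]) if len(parts) > 4 else None
    return float(parts[0]), parts[1], parts[2], int(parts[3]), nbytes


def analyse(lines, window_start: float = 0.0,
            window_sec: float = WINDOW_SEC) -> Dict[str, UeStats]:
    """Aggregate bearer events per UE inside one time window."""
    stats = defaultdict(UeStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, ue, event, _ebi, nbytes = rec
        if not (window_start <= t < window_start + window_sec):
            continue
        if event == "ACT":
            stats[ue].activations += 1
        elif event == "DEACT":
            stats[ue].deactivations += 1
            stats[ue].bytes_per_bearer.append(nbytes or 0)
    return dict(stats)


def flag_cyclers(stats: Dict[str, UeStats]) -> List[str]:
    """UEs with high bearer churn whose bearers carried little payload.
    Each individual release is legitimate (the network itself tears the
    bearer down on timeout); only the repeated pattern is suspicious."""
    return sorted(ue for ue, s in stats.items()
                  if s.activations >= MIN_ACTIVATIONS_PER_WINDOW
                  and s.mean_bytes <= MAX_MEAN_BYTES_PER_BEARER)


def make_sample_log() -> List[str]:
    """Constructed events.  ue-07 cycles four dedicated bearers (EBI 6..9)
    every 25 s (5 s of use + the 20 s inactivity timeout used in Section
    IV); ue-12 sets up the same four bearers once and keeps using them;
    ue-03 does one short but data-heavy download."""
    lines = ["# t_sec ue_id event ebi [bytes]"]
    for cycle in range(4):
        t0 = 1.0 + 25 * cycle
        for ebi in range(6, 10):
            lines.append(f"{t0:.1f} ue-07 ACT {ebi}")
            lines.append(f"{t0 + 25:.1f} ue-07 DEACT {ebi} 4200")
    lines += [f"2.0 ue-12 ACT {ebi}" for ebi in range(6, 10)]
    lines += ["3.0 ue-03 ACT 6", "40.0 ue-03 DEACT 6 9800000"]
    return lines


if __name__ == "__main__":
    stats = analyse(make_sample_log())
    for ue, s in sorted(stats.items()):
        print(f"{ue}: {s.activations} activations, {s.deactivations} releases, "
              f"~{s.signaling_msgs} signaling msgs ({s.enb_msgs} at the eNB), "
              f"mean payload {s.mean_bytes:.0f} B")
    print("flagged:", flag_cyclers(stats))
```

The detector scores the pattern over a window rather than any single event, because every release it sees is a normal timeout release performed by the network itself. The thresholds have to be tuned against the churn of legitimate applications (for instance periodic keep-alives that also bring a bearer up briefly), and a real deployment would take the events from the MME or eNB control-plane trace rather than from a constructed line format.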
IV. IMPLEMENTATION

The attack scenario described in Section III was implemented in OPNET [11] to verify its feasibility and its effect on the signaling plane. The simulations are done for one LTE cell containing 75 UEs. Multiple applications were defined for the UEs, and different applications were mapped to different bearers according to the standardized QCI table. One bearer was assigned to the voice application, another to video traffic, one to FTP traffic, and one to HTTP traffic. These bearers are assigned TFT values so that the proper traffic-to-bearer mapping occurs. Note that the scale of the attack could be increased by defining more bearers per UE, as this would enable the malicious user to generate additional signaling traffic.

The eNB serves multiple UEs, some of which may be malicious. A malicious UE requests a bearer, uses it for a short time, allows it to expire, and then immediately requests another bearer. Such behavior is continuously repeated for the four different bearers, forcing the different LTE network entities to go through the bearer activation and deactivation procedures for each bearer multiple times. In order to isolate the effect of the signaling traffic on the network resources, several experiments were devised in which the following parameters were varied: the number of malicious UEs, the Processing Speed Multiplier (PSM) at the eNB and EPC, the eNB inactive bearer timeout, and the synchronization between UEs.

A. Number of Malicious UEs

The simulated LTE network contains 75 UEs that are seeking data connections. We perform two simulations: one in which all UEs are malicious and another in which all UEs are non-malicious. The eNB inactive bearer timeout in this case was kept at its default value of 20 sec. Furthermore, in this scenario we vary the PSM for both the eNB and EPC in order to analyze the attack effects for different CPU capabilities.

1) Processing Speed Multiplier = 1

For the case where all UEs are malicious, the traffic on the dedicated bearers of one UE is shown in Figure 1, where the five bearers are, from the top, bronze, default, gold, platinum, and silver at the bottom. The platinum bearer carries HTTP traffic, the gold carries video traffic, the silver carries FTP traffic, and the bronze carries voice traffic. An additional file print application was defined on the UEs without mapping it to any specific bearer, so its traffic uses the default bearer. Moreover, the applications on all the different bearers run for 5 sec, then go idle for the duration of the inactive bearer timeout, which is 20 sec, and then repeat the process. This leads to an activation request procedure followed by a deactivation request for the 4 bearers of all the UEs at exactly the same time, since the data traffic on the different bearers is synchronized, and hence to an increase in the network signaling traffic.

[Figure 1: Traffic on the Different Bearers for a Malicious UE]

Figure 2 shows the percentage utilization of the different eNB physical channels. The physical channels are almost completely used up, with the exception of the PDSCH, whose utilization drops below 80% when the malicious UEs are not utilizing the bearers. This shows that the 75 UEs are completely using up the resources at the eNB. The eNB and EPC CPU percentage utilizations are shown in Figure 3. The maximum eNB CPU load required to serve the 75 UEs reaches 8% when the UEs are using their bearers, and drops to just 1% when the UEs deactivate their bearers. The average CPU utilization between 100 and 500 sec is 2.85% and the standard deviation is 2.54%, a high value indicating large fluctuations in the CPU load. The same analysis applies to the EPC, where the maximum utilization reaches 10.5% and the minimum utilization goes down to 3%.

[Figure 2: Percentage Physical Channel Utilization at the eNB (Malicious UE); x-axis Time (seconds), y-axis Utilization %]

A similar simulation was performed for the case where all the UEs are non-malicious. The traffic on the different dedicated bearers is shown in Figure 4, where we can see that once a UE establishes a bearer, it is used throughout the session, and there are no periodic requests that cause additional signaling exchanges within the network. The resultant physical channel consumption is shown in Figure 5, where the utilization of both the uplink and the downlink shared channels (PUSCH and PDSCH) is 100%, meaning that all the physical resources at the eNB are used up.
[Figure 3: Percentage Utilization of the eNB and EPC CPU (PSM=1); x-axis Time (seconds), y-axis Utilization %]

[Figure 4: Traffic on the Different Bearers for a Non-Malicious UE; x-axis Time (seconds)]

Next, the eNB and EPC CPU utilizations for the non-malicious case are shown in Figure 6. The CPU utilization at the eNB is constant at 7% after all the UEs access the network, slightly lower than the peak value in the case of malicious UEs. However, both values are relatively low, indicating that the eNB can handle further signaling packets; the bottleneck in this case is that the physical channels are completely used up by the data traffic. The same analysis applies to the EPC CPU utilization, which for the non-malicious case remains constant at around 9.3%, while for the malicious case it goes up to 10.5%. Thus, for PSM = 1, the additional CPU load incurred by this attack is small and the major bottleneck is the availability of the physical channels.

2) Processing Speed Multiplier = 0.5

This scenario corresponds to a slower CPU. The bearer traffic sent and the percentage utilization of the physical channels by the UEs are the same as shown previously in Figures 1 and 2. The maximum eNB CPU utilization reaches around 17% during the times when the malicious UEs are using their bearers, and drops to 0% when the UEs deactivate their bearers. The average CPU utilization is 5.34% and the standard deviation is around 5.33%, a high value indicating large fluctuations in the CPU load. For the EPC, the maximum utilization reaches 24% and the minimum utilization goes down to 0%.

[Figure 5: Percentage Utilization of Physical Channels at the eNB; x-axis Time (seconds), y-axis Utilization %]

[Figure 6: CPU Percentage Utilization of eNB and EPC; x-axis Time (seconds), y-axis Utilization %]

For the case where all the UEs are non-malicious, the CPU utilizations of the eNB and EPC are almost constant after the UEs obtain network access, at 14.5% and 20% respectively. These values are lower than the peak CPU loads encountered in the malicious case, further establishing that the signaling attack leads to higher transient CPU loads at the eNB and EPC.

3) Processing Speed Multiplier = 0.1

For this scenario, the bearer traffic and the percentage utilization of the physical channels by the UEs are the same as shown in Figures 1 and 2. Concerning the percentage CPU utilization, the maximum eNB CPU load reaches 93% during activation and drops to just 1% during deactivation of the bearers. The average utilization is 28.67% and the standard deviation is 27.47%: the average is relatively low because of the low loads encountered when all the UEs release their bearers, and the standard deviation is very high, reflecting the large swings between peak and minimum load. For the EPC, the maximum utilization reaches 100% and the minimum goes down to around 1%.

For the case of non-malicious UEs, the CPU utilization at the eNB is almost constant after all the UEs access the network, at 78%, which is lower than the peak value of 93% for the malicious case. The signaling attack thus causes a 15% transient increase in the maximum eNB CPU load, which is a significant value. Hence, users who are trying to obtain network access during the attack would have fewer resources to work with and would suffer momentary service degradation. The same analysis applies to the EPC CPU utilization, which for the non-malicious case remains constant at around 97%, while for the all-malicious case it goes up to 100%.
4) Processing Speed Multiplier = 0.01

A PSM value of 0.01 is intended to show the effects of the attack on CPU-constrained devices (cheaper hardware). Figure 7 shows the bearer traffic received by a UE on its different bearers in the malicious case.

[Figure 7: Bearer Traffic Received (PSM=0.01); x-axis Time (seconds)]

As can be seen, most of the bearers do not carry any traffic, showing that the eNB is unable to respond to the incoming requests due to its limited processing power. This is confirmed by the utilization of the physical channels in Figure 8.

[Figure 8: Percentage Utilization of Physical Channels (PSM=0.01); x-axis Time (seconds), y-axis Utilization %]

The utilization of all the physical channels drops significantly in this case, especially for the downlink channels, where the maximum utilization reaches 40%. Furthermore, the PDSCH is not congested, meaning that the applications are not being properly served. It can be inferred that due to the severe limitation in the CPU resources of the eNB and EPC, the LTE network is not able to respond to the incoming requests. Concerning the CPU utilization of the eNB, it reaches 100% during the attack, while the EPC utilization remains at 100% at all times, indicating that neither the eNB nor the EPC CPU is able to respond to the incoming requests from the UEs, which explains why the downlink channels are not congested.

The same conclusions can be drawn after running the simulations for the non-malicious case. The PUSCH is completely saturated, indicating that the UEs are sending a lot of application traffic on the uplink to the eNB, while the PDSCH's utilization is less than 10%, indicating that due to the limited CPU capabilities the application requests are not being served and thus the downlink channels are not congested. The CPU utilization results show that both the eNB and EPC CPUs are at 100%.

B. Inactive Bearer Timeout

In this scenario, the PSM is set to 0.1 because at this value the effects of the attack are most visible. The results presented in the previous section correspond to an inactive bearer timeout of 20 sec. In this section, simulations are done for a timeout of 5 sec. The results (Figure 9) show that the eNB and EPC percentage CPU utilizations fluctuate at a higher frequency. For the 20-sec timeout, the minimum CPU load is 1%, while for a timeout of 5 sec the minimum CPU load increases to 15%, indicating increased processing. However, the maximum load in both cases is the same, 93%. The average CPU utilization in this scenario is 47.8%, which is significantly higher than in the 20-sec timeout case. This result is expected, since the eNB is being interrupted more often and thus performs more processing. The same analysis applies to the EPC CPU, which makes both more vulnerable to such an attack.

[Figure 9: Utilization of eNB and EPC CPU for timeout 5 seconds (PSM=0.1); x-axis Time (seconds), y-axis Utilization %]

C. Synchronisation between Malicious UEs

In this section, we show the results for the case when there is no complete synchronization between the malicious UEs: the bearer activation and deactivation requests occur at slightly different times, with a PSM value of 0.1. The eNB CPU utilization is shown in Figure 10, where the maximum CPU load does not exceed 80% while the minimum load does not drop below 28%. The average CPU load for this case is 52%, almost double that of the synchronized case, but the standard deviation is much lower, at 12.86%. The same analysis also applies to the EPC CPU load. So it is more advantageous for an attacker to synchronize the different UEs, as this requires higher peak processing at the eNB, causing transient stresses on it and leading to unreliable operation.
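The experiments in Sections IV.A to IV.C vary the processing speed, the inactivity timeout and the synchronisation of the malicious UEs. The block below is an added example, not the paper's OPNET model: a time-stepped Python model of the signaling cost at the eNB that takes from the paper only the message counts of Section III (twelve messages per activation or deactivation, six of which the eNB processes) and adds two assumptions of ours, a fixed CPU cost per message at PSM = 1 and a one-second reporting slot. It reproduces the qualitative results above: a 5-second timeout raises the average load while leaving the peak unchanged relative to the 20-second case, a smaller PSM drives the peak to saturation, and jittering the UEs' schedules lowers both the peak and the standard deviation.

```python
"""Added example (not the paper's OPNET model): a time-stepped model of the
eNB signaling load produced by the bearer-cycling attack, reproducing the
qualitative findings of Section IV.

Only the message counts given in Section III are taken from the paper
(12 messages per activation or deactivation, 6 of them at the eNB).
Everything else is an assumption of this example: a fixed CPU cost per
message at PSM = 1, a one-second reporting slot, and no cost for the
application traffic itself.
"""
import random
import statistics

MSGS_PER_PROCEDURE = 12        # from Section III, all entities
MSGS_AT_ENB_PER_PROCEDURE = 6  # from Section III, processed by the eNB
CPU_MS_PER_MSG = 0.025         # assumption: eNB CPU time per message at PSM = 1


def cycle_messages(n_bearers: int):
    """Signaling one UE induces per attack cycle (activate every dedicated
    bearer, let it time out, deactivate): (all entities, eNB share)."""
    procedures = 2 * n_bearers
    return procedures * MSGS_PER_PROCEDURE, procedures * MSGS_AT_ENB_PER_PROCEDURE


def enb_load_series(n_ues, n_bearers, use_sec, timeout_sec, psm,
                    duration_sec, jitter_sec=0.0, seed=0):
    """eNB CPU utilization in percent per one-second slot.

    Each bearer is activated at t, released by the inactivity timer at
    t + use_sec + timeout_sec and re-requested in the same instant, as the
    malicious UEs of Section IV do.  psm < 1 slows the CPU down (the paper's
    Processing Speed Multiplier).  jitter_sec > 0 offsets every UE's schedule
    by a random amount, i.e. removes the synchronisation of Section IV.C.
    Utilization is capped at 100 %, modelling a saturated CPU.
    """
    rng = random.Random(seed)
    cost_ms = CPU_MS_PER_MSG * MSGS_AT_ENB_PER_PROCEDURE / psm
    busy_ms = [0.0] * duration_sec
    period = use_sec + timeout_sec
    for _ in range(n_ues):
        offset = rng.uniform(0.0, jitter_sec) if jitter_sec > 0 else 0.0
        for _ in range(n_bearers):
            t = offset
            while t < duration_sec:
                busy_ms[int(t)] += cost_ms            # activation procedure
                t_release = t + period
                if t_release >= duration_sec:
                    break
                busy_ms[int(t_release)] += cost_ms    # deactivation on timeout
                t = t_release                         # immediate re-request
    return [min(100.0, ms / 10.0) for ms in busy_ms]  # 1000 ms per slot -> %


def summarize(series):
    return {"peak": max(series), "min": min(series),
            "mean": statistics.fmean(series), "stdev": statistics.pstdev(series)}


if __name__ == "__main__":
    runs = [("PSM 1,    sync,   timeout 20 s", dict(psm=1.0, timeout_sec=20)),
            ("PSM 0.1,  sync,   timeout 20 s", dict(psm=0.1, timeout_sec=20)),
            ("PSM 0.1,  sync,   timeout 5 s ", dict(psm=0.1, timeout_sec=5)),
            ("PSM 0.1,  jitter, timeout 20 s", dict(psm=0.1, timeout_sec=20, jitter_sec=25)),
            ("PSM 0.01, sync,   timeout 20 s", dict(psm=0.01, timeout_sec=20))]
    print("per-cycle signaling for 4 bearers (all, eNB):", cycle_messages(4))
    for label, kw in runs:
        s = summarize(enb_load_series(75, 4, 5, duration_sec=300, **kw))
        print(f"{label}: peak {s['peak']:5.1f}%  min {s['min']:4.1f}%  "
              f"mean {s['mean']:5.2f}%  stdev {s['stdev']:5.2f}")
```

The model counts signaling only; the paper's non-malicious baseline and the load from the application traffic are not included, so the absolute percentages are not comparable with Figures 3, 6 and 9, and the higher average load the paper reports for the unsynchronised case in Section IV.C is not reproduced here. What the model does make visible is why synchronisation matters to the attacker: the same number of messages spread over a few seconds of jitter never pushes a single slot near saturation.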
V. ANALYSIS AND COMPARISON TO UMTS

The results obtained show that the signaling load imposes an additional burden on the LTE infrastructure in the form of an increase in the peak processing loads at both the eNB and EPC, and it makes the CPU saturate in an intermittent fashion. Thus, users trying to obtain network access during the attack will get degraded service or may even be denied service altogether. These results demonstrate that LTE networks are still vulnerable to signaling attacks and may not be able to handle high signaling loads, although they were designed to provide robustness against such attacks. In [7], the authors reviewed the main reasons for the success of attacks against 3G networks and proposed approaches that should be followed towards a more robust design for next-generation cellular networks; these included removing the concept of dedicated channels (a recommendation that was actually adopted in LTE). The fact that LTE employs a flatter architecture than 3G systems implies that fewer messages traverse the network entities. Despite this, signaling attacks lead to transient increases in CPU load at both the eNB and EPC, bringing them closer to saturation.

The major signaling attacks described for 3G networks are those that take advantage of the signaling required to move among the RRC states. The RRC state machine in 3G networks is quite complex, and numerous transitions among these states are expected. In LTE, the RRC state machine is highly simplified to avoid the signaling overhead and the state transition complexity incurred by the 3G RRC state machine, and it comprises only two states: idle and connected. Comparing the RRC states of 3G networks and LTE, it is clear that the state machine was optimized in LTE to overcome the control and signaling overheads incurred by the numerous state transitions in 3G. On the other hand, the fact that each UE is able to initiate up to eight dedicated bearers increases the signaling overhead, because of the signaling exchanges required to activate and deactivate dedicated bearers. This fact is used in the signaling attack described in this paper.

[Figure 10: eNB CPU Utilization for timeout 5 sec and un-synched UEs; x-axis Time (seconds), y-axis Utilization %]

VI. CONCLUSIONS

In this paper, we described a signaling attack that aims at increasing the volume of signaling traffic exchanged between the LTE network entities through continuous bearer activation and deactivation requests. The attack was implemented in OPNET to verify its feasibility and its effects. The results showed that increasing the signaling volume leads to higher processing loads at both the eNB and EPC. Moreover, when the eNB and EPC CPUs are completely saturated, incoming application requests are no longer served, and as a result the traffic on the downlink channels decreases significantly. Lowering the inactive bearer timeout at the eNB increases the signaling volume in the network and thus leads to a higher processing load at both the eNB and the EPC. The results also showed that a synchronized attack is more effective than an unsynchronized one, because the sudden burst in signaling traffic leads to sudden load peaks at the eNB and EPC CPUs. We also presented a comparison between the signaling requirements of 3G and LTE networks.

ACKNOWLEDGMENTS

The authors would like to acknowledge TELUS Corporation and the Lebanese NCSR for their support of this research work.

REFERENCES

[1] Traynor P., Lin M., Ongtang M., Rao V., Jaeger T., McDaniel P., La Porta T., "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core," Computer and Communications Security (CCS), Illinois, November 2009.
[2] Traynor P., Amrutkar C., Rao V., Jaeger T., McDaniel P., La Porta T., "From mobile phones to responsible devices," Security and Communication Networks, Wiley Online Library, 2010.
[3] Traynor P., McDaniel P., La Porta T., "On Attack Causality in Internet-Connected Cellular Networks," Proceedings of the 16th USENIX Security Symposium, Boston, August 2007.
[4] Traynor P., Enck W., McDaniel P., La Porta T., "Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks," IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 40-53, Feb. 2009.
[5] Mulliner C., Miller C., "Fuzzing the Phone in Your Phone," presentation at Black Hat 2009; www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.
[6] Lee P.C., Bu T., Woo T., "On the Detection of Signaling DoS Attacks on 3G/WiMax Wireless Networks," Computer Networks, April 2009.
[7] Ricciato F., Coluccia A., D'Alconzo A., "A review of DoS attack models for 3G cellular networks from a system-design perspective," Elsevier Computer Communications, November 2009.
[8] Kambourakis G., Kolias C., Gritzalis S., Park J.H., "Signaling-Oriented DoS Attacks in UMTS Networks," ISA 2009, pp. 280-289.
[9] Ghosh A., Zhang J., Andrews J.G., Muhamed R., Fundamentals of LTE, Prentice Hall.
[10] Abu Ali N., Taha A.-E.M., Hassanein H.S., LTE, LTE-Advanced and WiMAX: Towards IMT-Advanced Networks, Wiley, 2012.
[11] OPNET Technologies Inc., http://www.opnet.com