1 Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks Abstract— The evolution of phone networks from isolated eliminate the damage caused by targeted SMS attacks. Becausevoice carriers to Internet-enabled multipurpose data and voice this work addresses issues caused by the interconnection ofnetworks has introduced exceptionally dangerous vulnerabilities. the Internet and telecommunications networks, we seek toFor example, a recent report showed that a carefully craftedDOS attack on text-messaging could incapacitate all cell phone solve these problems through a combination of techniquescommunications in Manhattan with little more than a cable from both domains. Our work begins by challenging themodem. This attack highlights a critical vulnerability of the effectiveness of so-called “edge solutions” including per-evolving phone network infrastructure: cellular network control user rate limitation and spam ﬁltering. We then apply well-channels are exposed to adversaries in the phone network and the known queueing techniques including variants of Weightedwider Internet. In this paper, we consider novel countermeasuresto attacks on the control channel interfaces of the cellular Fair Queueing (WFQ) and Weighted Random Early Detectionnetworks. We adapt existing network admission control control (WRED), which are well tested for addressing trafﬁc overloadtechniques and develop novel channel allocation strategies in in the Internet. Our work then focuses on the alleviation ofaddressing these threats. The costs and tradeoffs associated with congestion by reapportioning the wireless medium throughthe mitigation strategies are analytically quantiﬁed. We further novel methods including Strict Resource Provisioning (SRP),introduce X, a extensive GSM simulator that characterizes thequeuing and air interface behavior in cell phone to base-station Dynamic Resource Provisioning (DRP) and Direct Channelcommunication. Our analysis and simulation shows that we can Allocation (DCA). We ﬁnish by exploring the effects ofsustain legitimate communications in the presence of highly combining multiple countermeasures.targeted and intense attacks. (rewrite this part numbers?) We At the current time, an adversary is able to deny voiceconclude by considering how these techniques can be appliednot only to preventing SMS trafﬁc misuse, but to the range of service to cities the size of Washington D.C and Manhattanmedia forms emerging in current and next generation networks. with the bandwidth available to a cable modem. Through the application of the above techniques, we allow cellular networks to operate safely even when the signaling links de- I. I NTRODUCTION livering voice and SMS trafﬁc reach maximum capacity. More Cellular networks are an increasingly essential means of importantly, the implementation of these mechanisms allowscommunication. In addition to traditional voice telephony, providers to securely offer Internet-coupled services withoutthese systems now offer a wide variety of data and text/short necessitating a signiﬁcant and expensive re-engineering ofmessaging services (SMS). As a means of increasing the their networks.adoption of such services, cellular providers have increasingly In this paper, we make the following contributions:created gateways between their own networks and the Internet.This heightened usability and utility are responsible for soaring • Simulator Design and Development: Using publicallyusage statistics. In the United States alone, some ﬁve billion available GSM standards, we have designed and imple-text messages are sent each month . Indeed, for signiﬁcant mented a tool to simulate the GSM air interface.numbers of users, text messaging has become as or more • Network/Attack Characterization: Through mathemat-popular a means of communication than traditional voice ical modeling and simulation, we create detailed charac-telephony . terizations of system behavior for networks experiencing While a great deal of beneﬁcial new functionality is now targeted SMS attacks. Previous work in this area waspossible, the interconnection of these systems inherently ex- limited to a more coarse-grained description of messagingposes cellular networks to many of the problems prevalent in volume.the Internet. Because these systems were designed to operate • Mechanism Development and Evaluation: Using vari-in the absence of inﬂuence from external networks, many ations on well established and novel new approaches, weof these exploits violate core assumptions upon which these characterize the ability of a number of trafﬁc engineeringsystems were built. Enck, et al.  present one such example. techniques from the Internet and telecommunicationsGiven a list of phone numbers for a metropolitan area, an domains to mitigate such attacks. These mechanismsadversary can use Internet gateways to inject a relatively small range in complexity and effectiveness and offer a rangenumber of text messages per second into a cellular network. of solutions to service providers.In so doing, the attacker is able to deny voice service to the The remainder of this paper is organized as follows: Sec-targeted area. In events such as September 11th, when the use tion II discusses pertinent related work; Section III providesof communication systems is absolutely critical, the cost of an overview of cellular signaling networks and characterizessuch a vulnerability becomes decidedly human. targeted SMS attacks; Section IV offers a number of solutions This paper creates and develops a number of trafﬁc engi- and mathematical measures of their ability to mitigate theseneering techniques and evaluates their ability to mitigate or attacks; Section V details simulations of the above solutions;
2Section VI offers concluding remarks and discusses future ESME SMSC HLR MSC VLR BS MHwork. Obtain Submit SM Routing Information II. R ELATED W ORK Forward SM Obtain Subscriber Information Physical disconnection from external networks has long Forward SMbeen one of the most effective means of providing security Page Hostfor communication systems. From small internal corporate Host Replynetworks to global telecommunications systems, “air-gap” ACK Deliver SMseparation has simpliﬁed the job of protecting networks from ACKthe majority of potential adversaries. Accordingly, the focus of ACKsecurity in these networks has typically centered around fraud-ulent access and billing. The authentication control messages Fig. 1. A high level description of SMS delivery in an SS7 network.between SS7 core network components, for example, wasnot available before 2002 . The changing needs of users,however, have forced the gradual erosion of such well deﬁned adversary would be able to cause the same congestion inborders. Whether due to new access patterns (e.g. wireless targeted metropolitan areas by injecting a relatively smallaccess points, traveling users, etc) or the advent of new amount of trafﬁc. While a number of solutions were proposedservices (e.g. data networking in cellular telecommunications), in that work, none have yet been measured and compared.many of the systems that once relied upon isolation as amajor portion of their defenses are no longer able to doso. Security measures addressing new classes of threats are III. S YSTEM /ATTACK C HARACTERIZATIONtherefore essentially. A. Message Delivery Overview Telecommunications networks are not the only systems tosuffer from vulnerabilities related to expanded connectivity. In the following subsection, we provide a high-level, sim-Systems including Bank of America’s ATMs and 911 emer- pliﬁed tutorial on text message delivery in cellular networks.gency services for Bellevue, Washington were both made 1) Message Insertion: An Internet-originated SMS messageinaccessible by the Slammer worm . Although neither can be generated by any one of a number of External Shortsystem was the target of this attack, simply being connected Messaging Entities (ESMEs). ESMEs include devices and in-to the Internet made them experience signiﬁcant collateral terfaces ranging from email and web-based messaging portalsdamage. Systems less directly connected to the Internet have to service provider websites and voice mail services and can bealso been subject to attack. Byers, et al.  demonstrated attached to telecommunications networks either by dedicatedone such attack using simple automated scripts and webforms. connection or the Internet. When a message is injected into theImmense volumes of junk postal mail could then be used to network, it is delivered to the Short Messaging Service Centerlaunch denial of service (DoS) attacks on individuals. (SMSC). These servers are responsible for the execution of The typical targets of DoS attacks, however, are more a “store-and-forward” protocol that eventually delivers texttraditional online resources service. In 2000, for example, messages to their intended destination.users were unable to reach Amazon, eBay and Yahoo! as When a message is received from an ESME, it is exam-their servers were bombarded with over a gigabit per second ined by an SMSC. The contents and destination informationof trafﬁc . Since that time, sites ranging from software from the message are then copied into a properly formattedvendors  and news services  to online casinos  have packet. At this point, messages originating in the Internet andall fallen victim to such attacks. While signiﬁcant research those created in the network itself become indistinguishable.has been dedicated to categorizing , mitigating ,  Formatted text messages are then placed in an egress queueand eliminating  such attacks, no solutions have seen in the SMSC and await service.widespread implementation. Because of the various transfor- 2) Message Routing: Before an SMSC can forward a textmations of data transiting between the Internet and telecom- message to a targeted mobile device, it must ﬁrst determinemunications networks, the direct application of the above the location of that device. To accomplish this, the SMSCtechniques would be ineffective. queries a database known Home Location Register (HLR). Whether accidental or the result of malicious behavior, The HLR is responsible for storing subscriber data includingdenial of service incidents have been studied and documented availability, billing information, available services and currentin telecommunications networks. The National Communica- location. With the help of other elements in the network,tions System published a study on the effects of text mes- the HLR determines the routing information for the targetedsages during emergency situations. Given realistic scenarios device. If the desired phone is not available, the SMSC storesfor usage, this technical bulletin argued that SMS resources the message until a later time for subsequent retransmission.needed to be increased 100-fold in order to operate under Otherwise, the SMSC receives the address of the Mobilesuch conditions . Operators have also reported problems Switching Center (MSC) providing it service. Through itswith connectivity during holidays due to increased volumes attached base stations (BS), the MSC wirelessly delivers theof SMS trafﬁc . Enck, et al.  demonstrated that an text message. Figure 1 illustrates the path described above.
3 submission of messages is in fact more likely to overwhelm Paging (PCH) gateways between the Internet and telecommunications net- Response (RACH) works than to disrupt cellular service. An adversary must SDCCH Assignment (AGCH) SMS Delivery (SDCCH) efﬁciently blanket only the targeted area with messages so as to reduce the probability of less effective collateral damage. The information to achieve such a goal, however, is read-Fig. 2. An overview of SMS message delivery on the wireless or air interface. ily available. Using tools including NPA-NXX Area CodeIncoming voice calls would follow a similar procedure except that they would Databases, Internet search engines and even feedback fromreceive a TCH after using the SDCCH. service provider websites, an attacker can easily construct a “hit-list” of potential targets. Armed with this information, an adversary can then begin exploiting the bandwidth vulnerabil- 3) Wireless Delivery: The air interface, or radio portion ity.of the network, is traditionally divided into two main logicalcategories - the Control Channels (CCHs) and Trafﬁc Channels The exploit itself involves saturating base station towers to(TCH). TCHs carry voice trafﬁc after call setup has occurred. their SDCCH capacity for some period of time. In so doing,CCHs, which provide information about the network and assist the majority of attempts to establish voice calls are blocked.in call setup/SMS delivery, are subclassiﬁed further. In order to For all of Manhattan, a perfectly executed attack (against 12alert a targeted device that a call or text message is available, SDCCCHs) would require the injection of only 165 messagesa message is broadcast of the Paging Channel (PCH). Note per second. Because downtime in telecommunications net-that multiple base stations broadcast this page in an attempt to works has historically proven expensive , we more fullyquickly determine the sector in which the targeted recipient is characterize these attacks such that effective solutions can belocated. Upon hearing its temporary identiﬁer on the PCH, developed.available devices inform the network of their readiness toaccept incoming communications using the slotted aloha- C. Attack Characterizationbased Random Access Channel (RACH). A device is thenassigned a Standalone Dedicated Control Channel (SDCCH) In order to judge the efﬁcacy of any countermeasure againstby listening to the Access Grant Channel (AGCH). If a text targeted SMS attacks, it is necessary to fully characterize suchmessage is available, the base station authenticates the device, an event. We seek to understand the observed conditions andenables encryption, supplys a new temporary identiﬁer (to the subtle interplay of network components given a wide rangepreserve future anonymity) and then delivers the contents of of inputs. For example, because text messages injected as partthe message over the assigned SDCCH. If instead a call is of an attack potentially deviate from the traditionally assumedincoming for the device, the SDCCH is used to authenticate Poisson interarrival behavior, we look at attacks exhibiting athe device and negoriate a TCH for voice communications. number of different ﬂow characteristics. To achieve these ends, Figure 2 offers an overview of the wireless portion of we have developed a detailed GSM simulator. The designmessage delivery. considerations and veriﬁcation of its accuracy are discussed in the Appendix. A cellular deployment similar to that found in Manhat-B. System Vulnerability tan , in which each of the 55 sectors in the city has 12 SD- All large scale attacks, whether targeting the digital or CCHs, is used in the base scenario 1 . In our simulations, callphysical domain, evolve in the following phases: recognition and SMS requests arrive throughout the city with a Poisson(identiﬁcation of a vulnerability), reconnaisance (characteri- distribution with an average rate of λcall = 50K call/hourzation of the conditions necessary to attack the vulnerability), and λSM S = 138.6K msg/hour (where λ represents anexploit (attacking the vulnerability) and recovery (cleanup and arrival rate). Voice calls occupy TCHs for an average 120 sec-foresensics). We therefore approach targeted SMS attacks in onds and are exponentially distributed around this mean. Textthe same fashion. messages and voice calls use SDCCHs for 4  and 1.5  The vulnerability in GSM cellular networks that allows seconds, respectively. Such values are well within standardfor targeted text message DoS attacks to occur is the result operating conditions , , . An area is observed forof bandwidth allocation on the air interface. Under normal a total of 60 minutes, in which the middle 30 minutes areoperating conditions, the small ratio of bandwidth allocated to exposed to a targeted SMS attack during which SMS arrivalcontrol versus trafﬁc data is sufﬁcient to deliver all messages rates are increased by approximately 4-13 times their normalwith a low probability of blocking. However, because text rates (λSM S = 165 msg/sec (3 messages/second/sector)messages use the same control channels as voice calls for to λSM S = 495 msg/sec (9 messages/second/sector))2 Alldelivery (SDCCHs), contention for resources occurs when results are the average of 1000 runs, each using randomlySMS trafﬁc is elevated. Given a sufﬁcient number of SMS generated trafﬁc patterns consistent with the above parameters.messages, each of which require on average four seconds for 1 In reality, only the highest capacity sectors would be so overprovi-delivery , arriving voice calls will be blocked for lack ofavailable resources. sioned , making this a conservative estimate for every sector in a city. 2 Because DoS attacks on the Internet frequently exhibit increases of Sending text messages to every possible phone number is more than 1000 times normal trafﬁc rates , such an increase is relativelynot an effective means of attacking a network. The haphazard insigniﬁcant.
4 1 1 Uniform (SDCCH) SDCCH Utilization Poisson (SDCCH) TCH Utilization Average Percent Blocking During Attack Burst 12 (SDCCH) 0.8 0.8 0.6 0.6 Utilization 0.4 0.4 0.2 0.2 0 0 3 4 5 6 7 8 9 0 500 1000 1500 2000 2500 3000 3500 4000 SMS Attack Messages per Second Time (seconds)Fig. 3. The blocking probability for trafﬁc exhibiting uniform and Pois- Fig. 4. The utilization of SDCCHs and TCHs for an attack exhibiting ason interarrival characteristics over varying attack strengths. Note that 3 Poisson interarrival at a rate of 495 messages/second.messages/second/sector corresponds to an attack of 165 messages/second onManhattan. dominant means by which people interact via these networks, Figure 3 shows the blocking probability for a number of providers allow for the degredation of other services in ordertrafﬁc patterns and network condition. The most effective to achieve high availability for the voice services on theseattack, which replicates the attack proposed in Enck, et al , networks. There are, however, an increasing set of scenariossends a burst of 12 SMS messages in sequential frames once in which the priority of services begins to change.every four seconds. Whereas telecommunications networks are On September 11th, 2001, service providers experiencedtraditionally designed to experience blocking probabilities of signiﬁcant surges in usage. Verizon Wireless reported theless than 1% , , , this attack is able to prevent number of calls made increased by more than 100% aboveapproximately 90.14% of all calls from being completed. average levels. Cingular Wireless experienced an increase Because variability within the network is possible, we of over 1000% for calls bound for the greater Washingtonexamined a number of attack ﬂow types for which the perfect D.C area . Although telecommunications networks arealignment of messages is virtually unachievable. For example, designed to operate in the presence of elevated trafﬁc levels,instead of holding an SDCCH for a constant period of time, these spikes were signiﬁcantly above the capacity of evenincoming SMS and voice calls occupy their SDCCH for an av- the best provisioned systems. In spite of the increased callerage of 4 and 1.5 seconds, respectively, and are exponentially volume, SMS messages were still received in even the mostdistributed around this mean. Figure 3 shows the probability inundated areas because the control channels used for theirof blocking for a sector under SMS attacks exhibiting uniform, delivery remained uncongested. In both emergency and day-to-Poisson and bursty interarrival characteristics. Notice that, day situations, the utility of text messaging has increased to thedue to the addition of variability, bursty attacks are the least same level as voice communications for signiﬁcant portions ofsuccessful of the three. This is because the next burst of the population.incoming messages almost certainly experiences blocking on For this reason, attractive mitigation solutions must not onlyapproximately half of the SDCCHs. Accordingly, some portion protect voice services from the direct SMS attack, but alsoof SDCCHs are almost always available to legitimate trafﬁc. allow SMS service to continue. In particular, differentiatedThe attack in which SMS messages are delivered at a uniform service for SMS delivery based upon the source of the SMSrate may also be difﬁcult to achieve due to variability. In trafﬁc is desireable. For instance, authenticated messagesorder to perform a more accurate study of these attacks, we originated by emergency responders should be given highertherefore assume Poisson interarrival behavior for the rest of priority than messages submitted by unauthenticated sources.this research. There are three traditional approaches to combating con- In our remaining experiments, we will use an attack of 495 gestion. Typically, the most effective is to limit the rate of themessages/second, which is equal to 9 message/second/sector trafﬁc source, in this case the interfaces on which messages areand yields a blocking probability of 71.34%. Figure ?? offers submitted. Because this is not always effective, it is importantadditional characterization of channel utilization. Notice that for elements to protect the network by perhaps shedding trafﬁcthis rate is not signiﬁcantly larger than that suggested in or using scheduling mechanisms. Finally, resources may beEnck, et al  and would only occupy less than 22% of reallocated to alleviate the network bottleneck. We examinethe bandwidth of a single 56Kb SS7 signaling link. these solutions below. IV. T RAFFIC M ANAGEMENT T ECHNIQUES A. Current Solutions Voice communications have traditionally received priority Cellular providers have introduced a number of mitigationin telecommunications networks. Because voice has been the solutions into phone networks to combat the SMS-based DOS
5attacks. These solutions focus on rate limiting the source of the SMS requests, respectively. The size of the call queue is 6 andmessages and are ineffective against all but the least sophisti- the size of the SMS queue is 12. We give a weight of two tocated adversary. To illustrate, the primary countermeasure dis- the call queue.covered by the authors of the original study was a per-source We provide a simplﬁed analysis to characterize the perfor-volume restriction at the SMS gateway . Such restrictions mance of WFQ in this scenario. To determine the relativewould, for example, allow only 50 messages from a single blocking probability and utilization of the voice and SMSIP address. The ability to spoof IP addresses, the existence ﬂows, we begin by assuming the conditions set forth in Sec-of botnets, and wide availability of IP addresses renders this tion III-C. WFQ can be approximated as a general processersolution impotent. Another popular deployed solution ﬁlters sharing system (GPS) . The average service rate of suchSMS trafﬁc based on the textual content. Similar to SPAM systems is the weighted average of the service rates of allﬁltering, this approach is effective in eliminating undesirable classes of service requests. In our case we have two typestrafﬁc only if the content is predictable. However, an adversary of request: voice requests with µ−1 = 1.5 seconds and voicecan bypass this countermeasure by generating legitimate look- λvoice = 0.2525/second, and SMS requests with µ−1 S = 4 SMing SMS trafﬁc from randomly generated simple texts, e.g. “I seconds and λSM S = 9.7/second. Therefore, for our system,will meet you at Trader Joe’s at 5:00pm. -Alice” µ−1 = 3.94/second. Note that these and the overwhelming majority of other Although our system has multiple servers (SDDCHs), andsolutions deployed in response to the SMS vulnerability can be is thus an M/M/m system, because it is operating at high loadsclassiﬁed as edge solutions. Ineffective by construction, such during an attack, it may be approximated by an M/M/1 systemsolutions try to regulate the trafﬁc ﬂowing from the Internet with its µ = mµ‘ , where µ is the service rate calculatedinto the provider network at its edge. Provider networks cover above. Using these values, and accounting for the weightinghuge geographic areas and consist of hundreds of thousands of 2:1 for servicing call requests, the call request utilizationof network elements. Any compromised element can be a ρcall−queue = 0.04, and the expected queue occupancy isconduit for malicious trafﬁc. Moreover, if left unregulated, the about 1%. Because the ρSM S−queue is much greater than 1, itsconnections between provider networks can also be exploited queue utilization is approximately 100%. When combined, theto inject SMS trafﬁc. total queue occupancy is approximately 67%. These numbers Rate limitation is largely unattractive even within the core indicate that the WFQ-based approach would sufﬁciently pro-network. The distributed nature of Short Messaging Service tect voice calls from targeted SMS attacks. Section V offersCenters (SMSCs), through which all text messages ﬂow, makes additional insight through simulation.it difﬁcult to coordinate real-time ﬁltering in response to 2) Weighted Random Early Detection: Active queue man-targeted attacks. agement has received a great deal of attention as a congestion Therefore, for the purposes of this discussion, we assume avoidance mechanism in the Internet domain. Random Earlythat an adversary is able to successfully submit a large number Detection (RED) , , one of the better known techniquesof text messages into a cellular network. The defenses below from this ﬁeld, is a particularly effective means of copingare dedicated to protecting the resource that is being exploited with potentially damaging quantites of text messages. Whilein the SMS attack – the bandwidth constrained SDCCHs. Note traditionally used to address TCP congestion, RED helps tothat the Internet faces a similar conundrum: once dominant prevent queue lockout and was therefore investigated. REDperimeter defenses are failing in the face of dissolving network drops packets arriving to a queue with a probability that is aborders, e.g., as caused by wireless connectivity and larger function of the weighted queue occupancy average. Packetsand more geographically distributed networks . As is true arriving to a queue capacity below a threshold, tmin , arein the Internet, we must look to other methods to protect never dropped. Packets arriving to a queue capacity abovetelecommunications networks. some value tmax are always dropped. Between tmin and tmax , packets are dropped with a linearly increasing probability. This probability, pdrop , is calculated as follows3 :B. Queue Management Techniques 1) Weighted Fair Queueing: Because we cannot rely on pdrop = pdrop−max ∗ (Qavg − tmin )/(tmax − tmin ) (1)rate limitation at the source of messages, we now explore The advantages to this approach are twofold: ﬁrst, lockoutnetwork-based solutions. Fair Queueing  is a scheduling becomes more difﬁcult as packets are purposefully droppedalgorithm which separates ﬂows into individual queues and with greater frequency; secondly, because the capacity of busythen apportions bandwidth equally between them. Designed to queues stays closer to a moving average and not capacity,emulate bit-wise interleaving, Fair Queueing services queues space typically exists to accomodate sudden bursts of trafﬁc.in a round-robin fashion. Packets are transmitted when their However, one of the chief difﬁculties with traditional RED iscalculated interleaved ﬁnishing time is the shortest. Build- that it eliminates the ability of a provider to offer quality ofing priority into such a system is a simple task of assign- service (QoS) guarantees. Because all trafﬁc entering a queueing weights to ﬂows. Known as Weighted Fair Queueing is dropped with equal probability, ensuring that the most time(WFQ) , this technique can be used to give incoming voice sensative messages arrive quickly becomes difﬁcult. Weightedcalls priority over SMS. We apply WFQ to the service queues of the SDDCH. We 3 Some variants of RED additionally incorporate a count variable. Equa-create two waiting queues, one for voice requests and one for tion 1 is the simplest version of RED deﬁned by RFC 2309 .
6Random Early Detection (WRED) solves this problem by bas- Pdrop can be calculated from the dropping probabilties ofing the probability a given incoming messages is dropped on the individaul classes of messages byan attribute such as its contents, source or destination. Arriving Pdrop·1 · λ1 + Pdrop·2 · λ2 + Pdrop·3 · λ3messages not meeting some priority are therefore subject to Pdrop = (7) λtotalincreased probability of drop. The dropping probability foreach class of message is tuned by setting tmin and tmax for Because we desire to deliver all messages of priroty 1 andeach class. 2, we set Pdrop·1 = Pdrop·2 = 0. Using equation 7, we We consider the use of authentication as a means of ﬁnd Pdrop·3 = 0.746339. This value can then be used increating messaging priority classes. For example, during a conjunction with Equation 1 to determine tmin and tmax .crisis, messages injected to a network from the Internet by an The desired average queue occupancy, Qave , is 3. Fromauthenticated municipality or from emergency personel could equation 1, tmin must be an integer less than the averagereceive priority over all other SMS messages. A number of mu- queue occupancy. This leaves three possible values for tmin :nicipalities already use such systems for emergency  and 0, 1, and 2. The best ﬁt is found when tmin = 0 and tmax = 4,trafﬁc updates . Messages from authenticated users within resulting in 75% dropping of priority 3 trafﬁc.the network itself receive secondary priority. Unauthenticated Using this method it is possible to set thresholds to meetmessages originating from the Internet are delivered with the delivery targets. Of course, depending on the intensity of anlowest priority. Such a system would allow the informative attack, it may not be possible to meet desired targets accordingmessages (i.e. evacuation plans, additional warnings, etc) to to equation 7, i.e., it may not be possible to limit blockingbe quickly distributed amongst the population. The remaining to only low priorty trafﬁc. While the method outlined heremessages would then be delivered at ratios corresponding to provides just an approximate solution, given the quantizationtheir priority level. We assume that packet priority marking oc- error in setting tmin and tmax (they must be integers), wecurs at the SMSCs such that additional computational burden beleive the method is sufﬁcient. We provide more insight intois not placed on base stations. the performance of WRED in Section V. Here we show how using WRED, we can provide differenti-ated service to different classed of SMS trafﬁc using the attack C. Air Interface Provisioningscenario described in Section III-C. In this example we assume The difﬁculty with the above methods is that they do notmessages arrive with the following distribution: 10% priority deal with the system bottleneck directly; rather, they sacriﬁce1, 10% priority 2, and 80% priority 3. To accomodate sudden the quality of service for one type of ﬂow over another.burts of high priority trafﬁc, we choose an SMS queue size Attempts to reallocate the bandwidth available to messageof 12. Because we desire low latency delivery of high priority delivery would therefore have a greater impact in combatingmessages, we target an average queue occupancy Qave = 3. targeted SMS attacks. We therefore investigate a variety of To meet this objective, we must set tmin and tmax . For techniques that modify the way in which the air interface isM/M/n systems with a ﬁnite queue of size m, the number of used.messages in the queue, NQ , is To analyze these techniques we resort to simple Erlang-B ρ queuing analysis. We prevent a brief background here. For NQ = PQ (2) 1−ρ more details see . In a system with N servers, and an offered load in Erlangs of A, the probability that an arrivingwhere request is blocked because all servers are occupied is given p0 (mρ)m PQ = (3) by: m!(1 − ρ) ANwhere PB = N! (8) m−1 −1 l=N −1 Al (mρ)n (mρ)m l=0 l! p0 = + (4) n=0 n! m!(1 − ρ) The load in Erlangs is the same as the utilization, ρ, in a queuing system; it is simply the offered load multiplied by the Setting NQ = 3, we derived a target load ρtarget = 0.855. service time of the resource. The expected occupancy of theρtarget is the utilization desired at the queue. Thus, the packet servers is given by:dropping caused by WRED must reduce the actual utilization,ρactual , caused by the heavy offered load during an attack, to E(n) = ρ(1 − PB ) (9)be reduced to ρtarget . Therefore In our system, the SDCCHs are the servers. ρtarget = ρactual (1 − Pdrop ) (5) 1) Strict Resource Provisioning: Under normal condi- tions, the resources for service setup and delivery are over-where Pdrop is the overall dropping probability of WRED. For provisioned. At a rate of 50,000 calls per hour in our baselinean attack with average arrival rate of 9.7 msg/sec (λ = 9.7), scenario, for example, the calculated average utilization ofρactual = 3.23333. Solving for Pdrop , SDCCHs per sector is approximately 2%. Given this obser- ρtarget vation, if a subset of the total SDCCHs can be made available Pdrop = 1 − = 0.735567 (6) only to voice calls, blocking due to targeted SMS attacks can ρactual
7 1 communication, such parameters should be carefully tuned. 165 Messages 0.9 330 Messages 495 Messages 50K Calls, 165 Messages We will discuss the impact of additional factors after examin- 0.8 50K Calls, 330 Messages 50K Calls, 495 Messages ing the results of simulation in Section V. 0.7 2) Dynamic Resource Provisioning: While SRP reprovi- 0.6 sions capacity on existing SDCCHs, other over-provisioned P[Blocking] 0.5 resources in the sector could be manipulated to alleviate 0.4 0.3 SDCCH congestion. For example, at a rate of 50,000 calls 0.2 per hour, each sector uses an average of 67% of its TCHs. 0.1 If a small number of unused TCHs could be repurposed as 0 0 2 4 6 8 10 12 SDCCHs, additional bandwidth could be provided to mitigate # SDCCHs such attacks. Our second air interface technique, Dynamic Resource Pro-Fig. 5. The probability that incoming calls and SMS messages are blocked visioning attempts to mitigate targeted text messaging attacksin a system implementing SRP. The allocated number of SDCCHs (x-axis) is by reclaiming a number of TCHs (up to some limit) for uselisted in terms of those to which SMS delivery is restricted. as SDCCHs. This approach is highly practical for a number of reasons. First, increasing the bandwidth (762 bits/second) 0.9 of individual SDCCHs is difﬁcult without making signiﬁcant 165 msgs/sec 0.8 330 msgs/sec 495 msgs/sec changes to the either the radio encoding or the architecture of 0.7 the air interface itself. Because major changes to the network 0.6 are extremely expensive and typically occur over the course of many years, such ﬁxes are not appropriate in the short term. P[Blocking] 0.5 0.4 Secondly, dynamically reclaiming channels allows the network 0.3 to adjust itself to current conditions. During busy hours such 0.2 as morning and evening commutes, for example, channels 0.1 temporarily used as SDCCHs can be returned to the pool 0 4 8 12 16 20 24 28 32 36 40 of TCHs to accomodate elevated voice trafﬁc needs. Lastly, # SDCCHs because SDCCHs are assigned via the AGCH, allocating incoming requests to seemingly random timeslots requiresFig. 6. The probability of an incoming call/message blocking in a sector for almost no changes to handset software.a varying number of SDCCHs Figure 6 demonstrates the blocking probability for incoming calls and text messages in a sector using DRP to add a variable number of SDCCHs. Again, no queue was used. Thebe signiﬁcantly mitigated. Our ﬁrst air interface provisioning ability of an attacker to block all channels is signiﬁcantlytechnique, Strict Resource Provisoning (SRP), attempts to reduced as the number of SDCCHs increases. Attackers areaddress this contention by allowing text messages to occupy therefore forced to increase the intensity of their attack inonly a subset of the total number of SDCCHs in a sector. order to maintain its potency. For attacks at a rate of 165Requests for incoming voice calls can compete for the entire messages/second, doubling the number of available SDCCHsset of SDCCHs, including the subset used for SMS. In order reduces the calculated blocking caused by an attack by twoto determine appropriate parameters for systems using SRP, orders of magnitude. The blocking probability caused bywe apply equations 8 and 9. attacks at higher rates, in which the number of Erlangs is To illustrate the effectiveness of SRP, we consider a system greater than the number of SDCCHs, decreases in roughly awith no queue. Figure 5 shows the blocking probabilites for linear relationship to the number of SDCCHs added.a system using SRP when we vary the number of SDCCHs One potential drawback with DRP is that by substractingthat will accept SMS requests from 0 (none) to 12 (all). TCHs from the system, it is possible to increase call block-Because incoming text messages only compete with voice ing because of TCH exhaustion. In fact, the reclamation ofcalls for a subset of the resources, any resulting call blocking TCHs for use as SDCCHs increases the blocking probabilityis strictly a function of the size of the subset of voice-only for voice calls from 0.2% in the base scenario (45 TCHs,SDCCHs. The attacks of intensity 165, 330 and 495 messages 12 SDCCHs) to 1.5% where 40 SDCCHs are available (aper second have virtually no impact on voice calls until the reduction to 38 TCHs). Section V offers additional insightfull complement of SDCCHs are made available to all trafﬁc. into the tradeoffs inherent to this scheme.In fact, it is not until 10 SDCCHs are made available to SMS 3) Direct Channel Allocation: The ideal means of eliminat-trafﬁc that the blocking probability for incoming voice calls ing the competition for resources between call setup and SMSreaches 1%. delivery would be through the separation of shared mecha- By limiting the number of SDCCHs that will serve SMS nisms. Speciﬁcally, delivering text messages and incoming callrequests, the blocking for SMS is increased. When only six requests over mutually exclusive sets of channels would pre-SDCCHs are available to text messages, blocking probabilities vent these ﬂows from intefering with each other. The challengefor SMS are as high as 84%. Because signiﬁcant numbers of of implementing such a mechanism is to do so without requir-people rely upon text messaging as their primary means of ing signiﬁcant restructuring of the network architecture. As
8previously mentioned, such fundamental changes in network 1operation are typically too expensive and time consuming to Service Queue (SMS) Service Queue (Voice) TCH (Voice)be considered in the short term. While the SRP technique 0.8provides a rudimentary separation, it is possible to further Percent of Attempts Blockedseparation of these two types of trafﬁc. 0.6 As mentioned in the previous section, DRP is easily im- 0.4plementable because the AGCH speciﬁes the location of theSDCCH allocated for a speciﬁc session. After call requests 0.2ﬁnish using their assigned SDCCH, they are instructed to listen 0to a speciﬁc TCH. Because the use of a TCH is the eventual 0 500 1000 1500 2000 2500 3000 3500 4000 Time (seconds)goal of incoming voice calls, it is therefore possible to shortcutthe use of SDCCHs for call setup. Incoming calls couldtherefore be directed to a TCH, leaving SDCCHs exclusively Fig. 7. The simulated blocking probability for a sector implementing WFQ.for the delivery of SMS messages. This technique, which we Notice that voice calls are unaffected by the attack, whereas the majority of text messages are dropped.refer to as Direct Channel Allocation (DCA), removes theshared SDCCH channels as the system bottleneck. Calculating blocking probabilites for a system implementing 1 SDCCH UtilizationDCA is a simple matter of analyzing SDCCH and TCH block- TCH Utilization Service Queue Utilizationing for the two independent ﬂows. For 165 messages/second, 0.8text messages have a calculated blocking probability of ap- 0.6proximately 20%. This value increases to 68% as the attack Utilizationintensity increases to 495 messages/second. Voice calls, at 0.4an average rate of 50,000/hour, have a blocking probabilityof 0.2%. Note that because the shared bottleneck has been 0.2removed, it becomes extremely difﬁcult for targeted text mess- 0saging attacks to have any effect on voice communications. In 0 500 1000 1500 2000 Time (seconds) 2500 3000 3500 4000Section V, we will highlight these new potential points ofcontention. Fig. 8. The simulated utilization for a sector implementing WFQ. Notice that TCH utilization remains constant throughout the attack. V. E XPERIMENTAL R ESULTS In order to characterize each of our proposed mitigationtechinques, we simulate attacks against networks with the voice calls receiving a preferential weighting of 2 to 1 oversame parameters used in Section III. Attacks exhibit Poisson text messages.interarrival characteristics and arrive at an average rate of Figure 7 illustrates the resulting blocking for a sector9 messages/second/sector. This is equivalent to an attack implementing WFQ. The preferential treatment of voice trafﬁcon Manhattan with a rate of 495 messages/second. These eliminates the blocking previously seen in an unprotected sys-messages were marked as follows: 10% emergency, 10% users tem. Incoming text messages, however, continue to experiencewithin the network and 80% originating from the Internet as roughly the same probability (71.8%) of blocking observedpart of an attack. Blocking on the RACH, the parameters of by all trafﬁc in the base attack scenario. As is shown inwhich were set using optimal settings  was not a factor in Figure 8, the queue itself does nothing to prevent congestion.these experiments. Total queue utilization is 65.1%. As two-thirds of the queue space is available to text messaging, this represents a near total average occupancy of the SMS queue and a virtuallyA. Queue Management Strategies unused voice trafﬁc queue. Such an observation conﬁrms our 1) Weighted Fair Queueing: In order to implement queue analytical results.management techniques, buffers were added to the system The advantage to implementing the WFQ mechanism isbefore messages are assigned to SDCCHs. If all SDCCHs are not only its relative simplicity, but also its effectiveness inoccupied, newly arriving voice and SMS messages are placed preventing degredation of voice services during targeted SMSinto their own queues. While a number of different buffer attacks. Unfortunately, the granularity for prioritizing textsizes were considered and examined, the following queue messages is insufﬁcient to provide adequate service to thosemanagement experiments occur in the presence of two buffers users relying upon text messaging as their dominant means of- one of size 12 for SMS and a second of size 6 for voice. communication. We discuss means of adding such granularityMatching the number of SDCCHs, queues of this size offer through the use of WRED.the a good tradeoff between message delay and protection 2) Weighted Random Early Detection: While WFQ couldfrom message overload. Note that buffer size alone is not be expanded to provide prioritization for ﬂows with differentsufﬁcient to protect against congestion , . Queues are origins through the use of multiple queues, the increasedwork conserving and are served in a round robin fashion, with complexity of managing such a system as the number of
9 tion of voice call blocking seen through the use of WFQ, 1 Service Queue (SMS - Priority 1) Service Queue (SMS - Priority 2) but also offer signiﬁcantly improved performance in terms Service Queue (SMS - Priority 3) 0.8 of message delivery. Implementing this solution, however, Percent of Attempts Blocked faces its own challenges. The veriﬁcation of high priority 0.6 messages, for example, would require the use of additional 0.4 infrastructure. High priority messages originating outside the network, such as emergency messages distributed by a city, 0.2 may require the use of a dedicated line and/or the use of public keys for veriﬁcation. Because of historical difﬁcul- 0 0 500 1000 1500 2000 2500 3000 3500 4000 ties effectively achieving the latter , implementing such Time (seconds) a system may prove difﬁcult. Even with such protections, this mechanism fails to protect the system against insiderFig. 9. The simulated blocking probability for a sector implementing WRED. attacks. If the machine responsible for sending high priorityUnlike WFQ, only Internet-originated text messages are dropped at an elevated messages into the network or user phones are compromised byfrequency. malware, systems implementing WRED lose their messaging performance improvements over the WFQ solution. Note that networks not bounding priority to speciﬁc geographic regions 1 SDCCH Utilization TCH Utilization cab potentially be attack through any compromised high Service Queue Utilization 0.8 priority device. 0.6 Utilization B. Air Interface Strategies 0.4 1) Strict Resource Provisioning: Before characterizing the 0.2 SRP technique, careful consideration was given to the selec- tion of operating parameters. Because many MSCs are capable 0 0 500 1000 1500 2000 2500 3000 3500 4000 of processing up to 500,000 calls per hour, we engineer our Time (seconds) solution to be robust to large spikes in trafﬁc. We therefore allow SMS trafﬁc to use 6 of the 12 total SDCCHs, whichFig. 10. The simulated utilization for a sector implementing WRED. Notice yields a blocking probability of 1% when voice trafﬁc requeststhat the queue occupancy stays low due to the decreased priority of Internet- reach 250,000 per hour. Note that calls would experienceoriginated messages. an average blocking probability of 70.6% due to a lack of TCHs with requests at this intensity. Because these networks are designed to operate dependably during elevated trafﬁcﬂows grows quickly becomes unmanageable. The use of a conditions, we believe that the above settings are realistic.prioritized dropping policy allows a system to offer similar The blocking probabilites for SMS and voice ﬂows in aprioritization while maintaining only a single queue. In our im- sector implementing SRP are shown in Figure 11. Becauseplementation of WRED, we assume that SMS trafﬁc is marked SRP prevents text messages from competing for all possibleupstream as having either high (thigh,max = thigh,min = 12), SDCCHs, voice calls experience no blocking on the SDCCHsmedium (tmed,max = 10, tmed,min = 6) or low (tlow,max = throughout the duration of the attack. Text messages, however,2, tlow,min = 1 priority. These priorities correspond directly are blocked at a rate of 82.8%. Channel utilization, illustratedto emergency priority users, network customers and Internet- in Figure 14, gives additional insight into network conditions.originated messages, respectively. Dropping decisions are Because calling behavior remains the same during the attack,made in an event-driven fashion  with a pdrop−max of 1 the resources allocated by the network are more than sufﬁcientfor all ﬂows and a weight of 0.8 on the most recent sample to provide voice service to users. By design, SDCCH utiliza-data use for determining the average queue length. Like the tion plateaus well below full capacity. Whereas the SDCCHsprevious queue management technique, a queue of size 12 is used by text messages have an average utilization of 96.9%,allocated for both voice and text messages. the SDCCHs used by incoming voice calls average a utilization Figure 9 gives the blocking probabilities for each of the of 6.3%. This under-use of resources, represents a potentialthree priorities of text messages. Because voice calls never loss of utility as the majority of text messages (legitimate orblock in these simulations, they are ommitted from this otherwise) go undelivered.graph. Both high and medium priority ﬂows experienced a The difﬁculty with this solution becomes correct parameterblocking probability of zero throughout all of the simulations. setting. While theoretical results indicated that allocating up toThe blocking of Internet-originated messages averages 72.8%, 10 SDCCHs only increased call blocking to 1%, voice trafﬁcapproximately the same blocking probability experienced my volumes ﬂuctuate throughout the day. Provisioning resourcesall incoming messages in the base attack scenarios. Service in a static fashion must account for worst-case scenariosqueue utilization, shown in Figure 10, corresponds with WAIT and therefore leads to conservative parameter settings. WhileFOR WILL’S DATA. protecting the network from an attack, such a mechanism may Systems implementing WRED not only match the elimina- actually hinder the efﬁciency of normal operation. When trafﬁc
10 1 1 1 SDCCH (SMS) SDCCH (SMS) SDCCH (SMS) SDCCH (Voice) SDCCH (Voice) SDCCH (Voice) TCH (Voice) TCH (Voice) TCH (Voice) Percent of Attempts Blocked 0.8 0.8 0.8 Percent of Attempts Blocked Percent of Attempts Blocked 0.6 0.6 0.6 0.4 0.4 0.4 0.2 0.2 0.2 0 0 0 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 Time (seconds) Time (seconds) Time (seconds) Fig. 11. SRP Blocking Fig. 12. DRP Blocking Fig. 13. DCA Blocking 1 1 1 SDCCH Utilization SDCCH Utilization SDCCH Utilization TCH Utilization TCH Utilization TCH Utilization 0.8 0.8 0.8 0.6 0.6 0.6 Utilization Utilization Utilization 0.4 0.4 0.4 0.2 0.2 0.2 0 0 0 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 0 500 1000 1500 2000 2500 3000 3500 4000 Time (seconds) Time (seconds) Time (seconds) Fig. 14. SRP Utilization Fig. 15. DRP Utilization Fig. 16. DCA Utilizationchannels are naturally saturated, as may be common during As was a problem for SRP, determining the correct pa-an emergency, such hard limits actually prevent users from rameters for DRP is a difﬁcult undertaking. The selection ofcommunicating. Determining the correct balance between in- two TCHs for conversion to SDCCHs illustrates the utilitysulation from attacks and resource utilization becomes non- of this mechanism, but is not sufﬁcient for real settings.trivial. Accordingly, we look to our other techniques for more To reduce the blocking probability on SDCCHs below thecomplete solutions. values observed for TCHs, a total of 48 SDCCHs would 2) Dynamic Resource Provisioning: Although it is possible have to be made available. This leaves 39 TCHs, with a callto reclaim any number of TCHs for use as SDCCHs under the blocking rate of 2.1%, for use by voice calls. Elevations inDRP mechanism, we limited the candidate number of channels the volume of voice calls would likely require the releasefor this conversion two. In these experiments, a single TCH of some number of reclaimed TCHs to be repurposed towas repurposed into 8 SDCCHs every 10 minutes during the their original use. The decision to convert channels is alsoattack. This separation was designed to allow the network non-trivial. Whereas the decision to reallocate channels atto return to steady state between channel allocations. While speciﬁc times was decided statically, dynamically determiningconverting only two channels is not enough to completely these parameters would prove signiﬁcantly more challenging.eliminate attacks at high intensities, our goal is to understand Basing reclaimation decisions on small observation windows,the behavior of this mechanism. while offering greater responsiveness, may result in decreased The blocking probabilities for SMS and voice ﬂows in resource use due to thrashing. If the observation windowa sector implementing the DRP technique are illustrated in becomes too large, an attack may end before appropriate actionFigure 12. As TCHs are converted for use as SDCCHs, can be taken. As was observed for SRP, the static allocation ofthe blocking probabilites for both incoming SMS and voice additional SDCCHs faces similar inﬂexibility problems. Lowrequests fall from 71.19% to 52.55% and eventually 34.88%. resource utilization under normal operating conditions againThis represents a total reduction of the blocking probability represent a potential loss of opportunity and revenue.by approximately half. The reduced number of available 3) Direct Channel Allocation: To simulate the DCA mech-TCHs results in no additional blocking for voice calls. Fig- anism, incoming voice calls skip directly from the RACHure 15 illustrates a gradual return towards pre-attack TCH to the next available TCH. An average of 1.5 additionalutilization levels as additional SDCCHs are allocated. The seconds was added to each incoming call to replicate theeffects of the reprovisioning are also obvious for SDCCH processing formerly occurring on an SDCCH. As is shownutilization. The downward spikes represent the sudden inﬂux in Figure 13, voice calls arriving in a sector implementingof additional, temporarily unused channels. While SDCCH the DCA scheme experience no additional blocking duringutilization quickly returns to nearly identical levels after each a targeted SMS attack. The decoupling of these mechanismsreallocation, more voice calls are able to be completed due limits similar denial of service attacks to the RACH, whichto a decrease probability of the attack holding all SDCCHs at has exhibited no call dropping throughout the entirity of ourany given time. experiments. Figure 16 conﬁrms the results in the previous