unveiling the hidden dangers of public ip addresses in 4glte cellular data networks_h

1、Unveiling the Hidden Dangers of Public IP Addresses in 4G/LTE Cellular Data NetworksWai Kay Leong, Aditya Kulkarni, Yin Xu and Ben LeongSchool of Computing, National University of SingaporeABSTRACTWhile it is often convenient for mobile cellular devices to have a public IP address, we show that such

2、 devices are vulnerable to stealthy malicious attacks. In particular, we show with experimentswe were able to investigate the effect of these attacks on our own mobile devices on these networks. Surprisingly, we found that an attacker requires only a small amount of resources to conduct these attack

3、s. In particular, a low-rate data stream of less than 3 Mb/s was sufficient to launch a DoS flooding attack that reduces the vic- tims throughput to almost zero. Also, because 4G/LTE speeds are very high, it only takes an attacker about 10 minutes to completely exhaust the monthly 2 GB data quota of

4、 a mobile subscriber using a data stream of 30 Mb/s. Finally, by simply sending a stream of 0-byte payload UDP packets every 15 s, an attacker can drastically increase the battery drain rate by up to 24 times, by preventing a mobile phone from going to sleep mode.on three 4G/LTE cellular data networ

5、ksingapore that it is easyfor an attacker to initiate three different types of attacks on such mobile devices: (i) data quota drain, (ii) DoS flooding, and (iii) battery drain. Our experiments show that a potential attacker cancompletely exhaust the monthly data quota within a few minutes, completel

6、y choke the data connection of a mobile subscriber with a data stream of just 3 Mb/s, and increase the battery drain rate by up to 24 times. Finally, we argue that a simple proxy-based firewall with a secret IP address would be an effective and feasible defense aga t such potential attacks.These att

7、acks cannot be prevented bytalling a firewall on amobile device, as harm would already have been done once the data packets reach the device. While it might be possible for an ISP to tall a firewall to protect its mobile subscribers, the stealthy nature1.INTRODUCTIONCellular data ISPs typically use

8、network address translation to share a limited number of public IP addresses among a large number of subscribers. This means that most cellular devices are provided with private IP addresses and thus unable to receive direct incoming connections from the Internet, which consequently provides some fo

9、rm of security aga t IP-based network attacks. While it is not yet common practice, a small number of users do request, and often pay additional fees for public IP addresses for their cellular data connections from their ISPs 2, 10. If IPv6 were to eventually find widespread adoption, then all mobil

10、e devices are likely to have their own public IP addresses.While a public IP address might be desirable, we have found that it can cause a cellular device to be vulnerable to some poten- tial malicious IP-based attacks. In recent years, significant amount of research efforts have been focused to dem

11、onstrate such attacks which particularly include over-billing attacks 5, battery depletion attacks 15, 16, Denial of Service (DoS) attacks 8, 17, 19, IP spoofing and masquerading attacks 12.Though traditional servers and desktop computers are equally susceptible to such attacks, their impact is more

12、 severe for cellu- lar subscribers because i) cellular data charges are often expensive and monthly data quota is typically limited, and ii) battery power is a limited resource. In addition to the typical IP-based denial-of- service (DoS) flooding and IP spoofing attacks, cellular devices are vulner

13、able to additional forms of attack that drain their data quota or battery. Thus, we investigate three forms of potential attacks: i) data quota drain, ii) DoS flooding, and iii) battery drain.of these attacks (because of their low data rate) makes them hard to detect, and it would also be difficult

14、for an ISP to differentiate mali- cious packets from legitimate incoming packets. An attacker might also decide to spoof the IP address of legitimate sources. We argue that a simple proxy-based firewall would be an effective and feasible defence aga t such potential attacks. This firewall would be i

15、m- plemented with proxy servers with two IP addresses, one public and one secret. Incoming connections would be received on the public IP and legitimate data is then forwarded to the mobile subscriber via the secret IP.2.RELATED WORKThe availability of a public IP address in LTE networks is known to

16、 make cellular devices inherently susceptible to the common IP- based security attacks 12. Early forms of DoS attacks on cellular phones target the intense signalling demands of the SMS protocol to overwhelm the network 19. In modern 3G/4G networks, DoS attacks such as paging and signaling attacks c

17、an be done at the link layer by targeting the protocol state machine to cause unnecessary state changes, to overwhelm the network. Many of these attacks have been studied recently 4, 17, 8. Bassil et al. simulated DoS- based signaling attacks over LTE, where the signaling overhead is exploited to pr

18、event legitimate users from accessing the network 3. Pelechrinis et al. showed that DoS-based jamming attacks are possi- ble at the MAC and PHY layers 13. Such attacks however requirespecialized hardware that is not easily available. Our workteadinvestigates attacks that can effectively be carried o

19、ut at the network or transport layers using a single desktop computer.Racic et al. described a stealthy battery depletion attack whichAll three local mobile ISPsingapore provide a public IP ad-dress to their 4G/LTE subscribers at no additional charge. As such,drathe battery of a mobile device by exp

20、loiting the MMS andthe GSM protocol in 3G networks and sending a 1,500-byte UDP packet every 3 to 5 s 16. Puustinen et al. showed that unwanted background Internet traffic can drain the battery of a cellular devicePermission to make digital or hard copies of all or part of this work for personal or

21、classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific

22、permission and/or a fee.ACM HotMobile14, February 26-27, 2014, Santa Barbara, CA, USA. Copyright 2014 ACM 978-1-4503-2742-8 .$15.00.with a public IP address by keeping its cellular radio active to re- ceive packets 15. They showed in a simulation that a well chosen time-out value can mitigate the ef

23、fects of backgroundtraffic.Go et al. highlighted that flawed accounting policies in the cel-lular ISPs in USA and South Korea can resultubscribers be-Table 1: Summary of LTE network characteristicsing wrongly charged for retransmitted TCP packets 5, and this vulnerability in the ISPs accounting mech

24、anism can be exploited by adversaries to inflate the subscribers bill by sending unneces- sary retransmissions. Similarly, Kang et al. discussed how an at- tacker with a cellular device can spoof the IP address of another subscriber in the same local network and send request packets to Internet serv

25、ers 9. These servers will then send their responses to the unsuspecting victim, thereby causing additional data charges as well as draining the battery.Our work builds on these earlier works and quantifies these forms of attack and shows how using a very small UDP packet sent at longer intervals of

26、15 s can be effective in draining the battery. With the availability of a public IP, the attacker does not even need to reside in the same cellular data network as the victim to carry out such attacks.PropertyISP AISP BISP CPublic IP ICMP PingUnsolicited UDP TCP SYNDownlink Buffer Throughput (Mb/s)B

27、y default* Yes Yes Yes2000 pktsSet APN Yes Yes Yes600 pktsSet APN Yes Depends Yes800 ms-Maximum Average34.124.750.430.635.826.8*Except for Samsung Galaxy S4Some APNs block unsolicited incoming UDP packets The downlink buffers for ISP A and ISP B are sized in packets, while ISP C implementssomeform o

28、f AQMthat droppacketswhichremain in the bufferformorethan 800 ms20.3.POTENTIAL IP-BASED ATTACKSTo perform measurements on real commercial cellular data net- works, we obtained the latest post-paid 4G/LTE plans from the three3.2Quota DrainMost cellular data plans do not have unlimited quota. Depend-

29、ing on the ISP data plan, subscribers typically either pay for the data consumed, or are given a monthly quota. In the latter, they will be charged for exceeding the allocated quota. In both cases, subscribers would want to minimize redundant data usage and cost. Peng et al. analyzed the data chargi

30、ng and accounting process of mobile ISPs and showed that data is considered consumed once it passes through the gateway of the 3G/4G network 14. Thus, it is possible for subscribers to be charged for packets that are neverlocal ISPsingapore, which we anonymize as A, B and C. We ranour experiments us

31、ing the cellular data plans with a 4G/LTE USBdongle and two smartphones, namely a Samsung Galaxy S3 LTE and a Samsung Galaxy S4. A server in our lab on campus was used to probe and initiate the attacks. tcpdump was used to capture and examine the packets on both the devices and the server, and Iperf

32、 was used to create UDP and TCP data streams and to measure theresulting throughput of the link. To measuretantaneous batterydelivered to the device, but aretead dropped at the base station.current consumption, we used a Monsoon Power Monitor 11.3.1Preliminariesuch cases, it does not matter if the p

33、ackets from a DoS attackeventually reach the device or not. They will be counted towards the subscribers data quota. Go et al. briefly mentioned the possi- bility of such an attack when they examined how subscribers can be overcharged by TCP retransmissions 5. Because of the billing structure of mob

34、ile ISPs, an attacker can simply flood the victim with random packets at a very high rate, and the victim will have to pay for all the packets, even if they do not eventually reach the victims device. As wired broadband Internet is very cheap these days, an attacker on a wired host can easily flood

35、such a victim at a negligible cost.In our subsequent discussions, we assume that the mobile ISPs can address this billing issue and accurately charge the subscribers for the actual data delivered to the device. Under this assumption, the amount of data that an attacker can use to flood a victim will

36、For the attacks to work, the mobile device must be assigned a public IP address. Among the three telcos, ISP A assigns a pub- lic IP address by default on the USB dongle and on the Samsung Galaxy S3 LTE phone. We were, however, not able to obtain a pub-lic IP with the Samsung Galaxy S4 for the ISP A

37、 network trying different known Access Point Names (APNs) andpite of tallingcustom ROMs and kernels. The reason for this is still unknown. For ISP B and ISP C, we found that they assigned a private IP address by default. However, by simply changing the APN, we were able to obtain a public IP address

38、. Note that we did not pay for nor request for a public IP address from any of the ISPs.After obtaining a public IP address, we first tested reachability by pinging the device from our server using ICMP ping and were able to obtain a response for all three ISPs. Next, we restarted the cellular netwo

39、rk interface to get a new IP address and attempted to send UDP packets from our server to random ports on the device. We found that while ISP A and ISP B allow all the UDP packets to reach the device, ISP C appears to block UDP packets. Only bydepend completely on the throughput of the cellular link

40、. We per- formed a throughput measurement of our three cellular data plans byrecording the time taken to download 3 MB of data. To obtapa-tial and temporal diversity, we carried the phone as we went about with our daily routines and measured the time taken for these datadownloads in the background p

41、eriodically, throughout the day. We plot the cumulative distribution of the throughput in Figure 1 and summarize the average throughput in Table 1.From our results, we can see that the LTE networks can achieve very high download throughput. This means that it is easy for an attacker to send large am

42、ounts of data to exhaust the victims data quota. We plot in Figure 2 the amount of time needed to transfer between 1 GB to 4 GB of data as the network throughput increases.first sending a UDP packet from the device to our server, does ISP C forward UDP packets originating from our server to any port

43、 on the device. This suggests that a simple firewall rule was implemented in the ISP C network which blocks unsolicited incoming connections. While this firewall rule might be useful, it will also block legitimate incoming UDP connections to the device. We subsequently found an alternate APN for ISP

44、 C that also assigned a public IP but did not have a firewall that blocks unsolicited incoming UDP packets. We proceeded to use this APN for ISP C in our experiments.We also found that all incoming TCP SYN packets are forwarded by all ISPs, even for the APN with a firewall. While this allows a conne

45、cted mobile device to host a TCP server, it also renders the device vulnerable to DoS attacks. The characteristics of the LTE networks of the ISPs are summarized in Table 1.Given that local 4G/LTE data plansingapore are typically al-located a data allowance of 2 GB per month, an attacker can po- ten

46、tially completely exhaust our data quota with a throughput of 30 Mb/s in less than 10 minutes.While a sustained flood of random UDP packets could be easily flagged by the ISPs firewall as a potential attack and the attacker be blocked or restricted, a potential attacker can circumvent this by132 byt

47、es64 bytes150 bytes750 bytes1500 bytes10000 0.88000 60000.640000.42000000.2ISP AISP B ISP C510152025303540Attackers sending rate (Mb/s)(a) ISP A0010203040506032 bytes64 bytes150 bytes750 bytesThroughput (Mb/s)Figure 1: Cumulative distribution of measured throughput for LTE networks of local ISPs.100

48、00 8000 1500 bytes60004 GB3 GB 2 GB 1 GB 4000200010000510152025303540Attackers sending rate (Mb/s)(b) ISP B1032 bytes64 bytes150 bytes750 bytes1500 bytes10000 8000 15101520253035406000Bandwidth (Mb/s)Figure 2: Amount of time needed to exhaust different sized quotas for different network throughputs.

49、4000200000scheduling the attack and spreading it outmall bursts over the510152025303540entire billing month. While a regular stream of one packet every second would be easy to detect, sending 1 MB of data every 15 min would seem more legitimate, and result in 2.8 GB of accumulated data in a month. S

50、ince it takes less than half a second to transfer 1 MB of data at 30 Mb/s, this data transfer would be completed even before the victim has time to react. In todays context, 1 MB is not a particularly large or suspicious amount of data, and it would be hard to distinguish the attack flow from legiti

51、mate connections, especially if the attacker can spoof the source address of the packets.3.3DoS FloodingWe next investigate a naive denial-of-service attack where the victim is simply flooded with random traffic to congest the network link. We had earlier measured the size of the downlink buffers fo

52、r the local ISPs, and found that the base stations implement separate buffers for each mobile device and schedule the transmissions with a fair queuing scheme 20. The buffer sizes measured for the local LTE networks are given in Table 1.Because 4G/LTE networks have such high speeds, ISPs typicallyAt

53、tackers sending rate (Mb/s)(c) ISP CFigure 3: Plot of TCP goodput for UDP flooding at different rates for different packet sizes.To investigate the effectiveness of a “small packet” DoS attack, we first sent a stream of UDP packets at a fixed rate to saturate the victims buffer. After 1 s, we initia

54、ted a TCP connection from the server to the device in the presence of this background UDP stream. To avoid using an excessive amount of data, we stopped the UDP stream after 3 s and computed the TCP goodput achieved within this 2-second period. We varied the sending rate as well as the size of the U

55、DP packets and plot the results in Fig. 3.We can see from our results that by using small packet sizes, an attacker can effectively reduce the TCP throughput of a subscriber to almost zero, and he can achieve this at a very low data rate of less than 3 Mb/s. We also see that ISP C is also affected e

56、ven though its buffer is not sized in packets. When examining the packet traces, we found that while no packets were lost, the time taken by the phone to process the UDP packets caused a delay in replying to the TCP SYN, thus affecting the TCP preformance. This shows that such “small packet” DoS att

57、acks can still be effective aga t mo- bile devices with low processing resources independent of the ISPs buffering scheme. In our experiments for DoS flooding, we used a minimum packet size of 32 bytes because Iperf did not support smaller packet sizes. With a specially-written tool, it is possible to send UDP streams with no data payload.3.4Battery DrainTo conserve battery, a mobile device would