Download Slide 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts
no text concepts found
Transcript 
MOBILE DATA CHARGING:
NEW ATTACKS
AND COUNTERMEASURES
Chunyi Peng,
Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang
University of California, Los Angeles
ACM CCS’12
ACM CCS'12 C Peng (UCLA)
Mobile Data Access
2

1.2 billion global users
Cellular Network
Core
Network
Internet
ACM CCS'12 C Peng (UCLA)
Mobile Data Charging
3
Cellular Network
Internet
Bill
Metered charging
based on actual data usage,
e.g., $20/month for 300MB (AT&T)
Security:
Can any attack make the users pay MORE/LESS?
ACM CCS'12 C Peng (UCLA)
How Charging Works & Be Secured
4
Cellular Network
Authentication
#1: Accounting @ core gateway only
Gatewaycharged
… per connection
#2: Both UL/DL
Internet
Accounting
Policy
NAT
#3: Policy defined by operators
Bill
ACM CCS'12 C Peng (UCLA)
Two Security Issues
5
Authentication
NAT
Bill
#1: Can the attacker bypass the security mechanism to
exploit charging
architecture loophole to make the
Stealth-spam-attack
users pay MORE?
#2: Can theToll-Free-Data-Access-Attack
attacker exploit charging policy to pay LESS?
ACM CCS'12 C Peng (UCLA)
Threat Models
6

Cellular network is not compromised
 Charging
subsystem works as designed
 Security mechanism works as designed

Mobile device is secure
 No

malwares run at mobile-devices
Attacker’s capability


Only use installed apps @ mobile, or
Deploy malicious servers outside cellular networks
ACM CCS'12 C Peng (UCLA)
Outline
7

Stealth-spam-attack (pay MORE)
Vulnerability
 Attack design & implementation & damage
 Countermeasures & insight


Toll-free-data-access-attack (pay LESS)
Vulnerability
 Attack design & implementation & damage
 Countermeasures & insight


Summary
8
Stealth-Spam-Attack
ACM CCS'12 C Peng (UCLA)
Security Against Spamming
9
Authentication
Can security mechanism (e.g.,
Outgoing-Spam
NAT/Firewalls)
block incoming
spam?
Incoming-Spam
Outgoing-Spam
to
•Private due
IP addr.
is not
malwares@mobile or spoofing.
accessible
•Access allowed only when initiatedNAT
bynotthe
mobilehere.
Simple,
addressed
Bill
ACM CCS'12 C Peng (UCLA)
Vulnerability
Authentication
Different from conventional spamming,
① Init
a data
service spam
e.g.,
Email/SMS
Unawareness (stealthy)
Long-lived (lasting
or longer)
② hours
Incoming
Incoming
traffic
Spam
Spam
from
the attacker
① trap
data
access
✔ the victim to open
✗
Data Services (charged)
(normal)
② Incoming Spam
time
Actual charging time window
(attacked)
E-attacker
10
NAT
Bill
ACM CCS'12 C Peng (UCLA)
Stealth-Spam-Attack
11

Step1-Trap: init data access
 Example-1:
click a malicious web link
 Example-2: login Skype once / stay online

Step2-Spam: keep spamming
 No
matter what status @mobile
ACM CCS'12 C Peng (UCLA)
Web-based Attack
12

Implementation
 Phone:
click a malicious web link
 Attacker (server): send spam data at constant rate
(disable TCP congest control and tear-down)

Result: charging keeps going
 Even

after the phone tears down TCP
TCP FIN, timeout
 Even
when many “TCP RESET” sent from the mobile
ACM CCS'12 C Peng (UCLA)
Damage vs. Spamming Rate
13
Charging volume vs. spamming rate
Operator-I
Operator-II
In proportion to spamming rate when rate is low
Charging blocked when rate is high (> 1Mbps)
The charged volume could be > the received one [Mobicom’12]
ACM CCS'12 C Peng (UCLA)
Damage vs. Duration
14
Spamming rate = 150Kbps
No observed sign to end when the attack lasts 2
hours if the rate is low (spamming> 120MB)
ACM CCS'12 C Peng (UCLA)
Skype-based Attack
15

Implementation
 Phone:
do nothing (stay online once in Skype)
 Attacker: Skype call the victim and hang up
 Attacker (server): send spam data at constant rate

Exploit Skype “loophole”
 allows
data access from the host who attempts to call
the victim before the attempt is accepted

Demo
ACM CCS'12 C Peng (UCLA)
Demo: for a specific victim
16

Result: charging keeps going
Even after Skype logout
 Even when there is no any skype call session
 Even when many “ICMP unreachable” sent from
the mobile

ACM CCS'12 C Peng (UCLA)
Damage vs. Spamming Rate
17
Charging volume vs. spamming rate
Operator-I
Operator-II
No bounds on spamming rate compared with TCP-based attack
ACM CCS'12 C Peng (UCLA)
Damage vs. Duration
18
Spamming rate = 50Kbps
No observed sign to end when the attack
lasts 24 hours (spamming > 500MB)
ACM CCS'12 C Peng (UCLA)
Root Cause
19
Current system:
IP forwarding can push
Secure only the initialization packets to the victim (not
① Init a data service
controlled by the victim)
#1: Initial authentication ≠ authentication all along
② Incoming Spam
Current system:
Different views @ mobile:
① trapifthe
victim
to open
data
access
Keep charging
data
comes
data
conn.
ends or never starts
Local view @ core gateway
or exception happens
Lack of feedback/control
E-attacker
NAT
#2: Data flow termination @ the phone
≠ chargingBill
termination @ the operator
ACM CCS'12 C Peng (UCLA)
Countermeasures
20

Spamming inevitable due to IP push model

Remedy: stop early when spamming happens
 Detection
of unwanted traffic @mobile/operator
 Feedback (esp. from the mobile to the operator)
 At
least allow users to stop data charging (no service)
 Exploit/design mechanisms in cellular networks: implicitblock, explicit-allow, explicit-stop
 Precaution,
e.g., set a volume limit
 Application:
be aware of spamming attack
21
Toll-Free-Data-Access-Attack
ACM CCS'12 C Peng (UCLA)
Vulnerability
22
Both operators provide free DNS service
Real DNS
datapackets
over 53 #1: free fake DNS loophole
Policy:
Free DNS Service
Bill (DNS) = 0
Bill (ANY-on-DNS) = 0
Free
via port
53 srcPort,
DNSOP-I:
flow ID:
(srcIP,
destIP,
OP-II:protocol)
Free via UDP+Port 53
destPort,
OP-I:
via port 53 loophole
are free
#2:
noPackets
volume-check
OP-II: Packets via UDP+Port 53 free
Any enforcement for packets over
port 53?
OP-I: no observed limits, except
29KB for one request packet
OP-II: no observed limits
ACM CCS'12 C Peng (UCLA)
Toll-Free-Data-Access-Attack
23

Proxy outside cellular network
Tunneling over 53 between the mobile and external
network
 similar to calling 800-hotline


Implementation
HTTP-proxy on port 53 (only for web, OP-I)
 Sock-proxy on port 53 (for more apps, OP-I)
 DNS-tunneling on UDP-53 (all apps, OP-I, II)


Results
Free data access > 200MB, no sign of limits
 Demo if interested

ACM CCS'12 C Peng (UCLA)
Countermeasures
24

Simplest fix: stop free DNS service
 OP-III

stopped it since this July
Other suggestions
 Authenticate
DNS service
 Only
allow using authenticated DNS resolvers
 DNS message integrity check
 Provide
free DNS quota
ACM CCS'12 C Peng (UCLA)
Beyond DNS
25

Existing DNS tunneling tools: iodine etc,
 Designed
for data access when Internet access is
blocked
differentiated-charging policy
e.g., free access to one website/ via some
APN, or cheaper VoIP than Web
Incentive to pay less
(Attackers or even normal users)
Bill
Gap btw policy and its enforcement
Bullet-proof design & practice
ACM CCS'12 C Peng (UCLA)
On Incentive
26

Toll-Free-Data-Access-Attack ✔

Stealth-Spam-Attack
 Good
news: no obvious and strong incentive
 No
immediate gain for the attacker unless the illintentioned operator does it
 Monetary
loss against the attacker’s adversary
 Unexpected incentive in the future?
ACM CCS'12 C Peng (UCLA)
More information/demo in
Summary
http://metro.cs.ucla.edu/projects.html
27


Assess the vulnerability of 3G/4G data charging
system
Two types of attacks,
 Toll-free-data-access-attack

Enforcement of differentiated-charging policy
 Stealth-spam-attack

(overcharging > 500MB)
Rooted in charging architecture, security mechanism and IP
model
 No

(free > 200MB)
observed volume limits
Insight
 IP
push model is not ready for metered-charging
 Feedback or control needed during data charging
 Differentiated-charging policy has to secure itself
Related documents
prostate cancer support group
prostate cancer support group
Computing Ontology - Villanova Computer Science
Computing Ontology - Villanova Computer Science
Distinctions Between Computing Disciplines
Distinctions Between Computing Disciplines
Are you interested in a study aimed at improving your
Are you interested in a study aimed at improving your
Presentation
Presentation
Pre-Post Knowledge Assessment_Beirut II
Pre-Post Knowledge Assessment_Beirut II
演講公告-1050328
演講公告-1050328
carbon capture storage RCCs as it is known
carbon capture storage RCCs as it is known
Dr. Sotiris Kapellos - Athens Energy Forum 2015
Dr. Sotiris Kapellos - Athens Energy Forum 2015
Costs of CCS
Costs of CCS
The future of CCS in China under the Chinese strategy - for
The future of CCS in China under the Chinese strategy - for