Threat analysis of a Cellular Botnet regarding DoS attacks

SLIDE 1

Lehrstuhl für Netzarchitekturen und Netzdienste

Institut für Informatik Technische Universität München

Threat analysis of a Cellular Botnet regarding DoS attacks

(Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

Supervisor: Marc Fouquet, Alexander Klein
Lucas Louca
November 17, 2010

Wednesday, November 17, 2010

SLIDE 2

Outline

▪ Introduction/Motivation
▪ Related Work
▪ Analysis
▪ Evaluation
▪ Summary

SLIDE 3

Introduction and Motivation

[Figure: diagram labelled "Botmaster", "Cell", "Cell"]

▪ More powerful and intelligent cell phones
▪ Number of smartphone users increases
▪ Cell phones have a constantly assigned IP address
▪ Cell phones allow short-range communication with the use of Bluetooth
▪ Increased risk of malware distribution through unauthorized drive-by downloads
▪ DoS attacks on cellular networks become possible through cellular botnets

SLIDE 4

Introduction and Motivation

What motivates a potential adversary?

▪ Make services unavailable by saturating bandwidth just for fun
▪ The adversary may be a dissatisfied employee
▪ Financial reasons
▪ Political reasons

SLIDE 5

Introduction and Motivation

▪ Some considerations about the scenarios
  • Infected mobile devices should not produce constant control traffic in order to stay undetectable and save battery life
  • Attacks on the cells are launched through voice calls and only when a cell exhaustion is guaranteed in order to avoid unnecessary traffic
▪ Create scenarios where nodes act totally autonomously
  • Decisions are made within ad-hoc like networks
▪ Create scenarios where the botnet is controlled by a botmaster
  • Partially controlled by the botmaster
  • Fully controlled by the botmaster

SLIDE 6

Introduction and Motivation

▪ Objective: Study the possibilities of potential attacks
  • Build up possible botnet control scenarios
  • Simulate a cellular botnet using the different control scenarios
  • Examine the test results
  • Determine the degree of danger of possible attacks
  • Project the results of the simulations on a larger area

[Figure: number of cell downs vs. mean speed (m/s) for Random Walk, Random Waypoint and Random Waypoint Hotspots]

SLIDE 7

Related Work

▪ The Threat of Mobile Worms [Marc Fouquet, Elnaz Eghbali Afshar and Georg Carle]
▪ Bluetooth Worm Propagation: Mobility Pattern Matters! [Guanhua Yan, Hector D. Flores, Leticia Cuellar, Nicolas Hengartner, Stephan Eidenbenz and Vincent Vu]
▪ On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core [Patrick Traynor]
▪ An Empirical Study on 3G Network Capacity and Performance [Wee Lum Tan, Fung Lam and Wing Cheong Lau]
▪ Mobility Models for Ad hoc Network Simulation [Guevara Noubir, Guolong Lin and Rajmohan Rajaraman]

SLIDE 8

Analysis - Scenarios

▪ Coordinated attack through a Master Server (Central Controlled)
▪ Produces a great amount of control traffic
▪ Botmaster has a more granular view over his botnet
▪ Cell exhaustion is guaranteed as long as the needed amount of nodes exist within a cell

SLIDE 9

Analysis - Scenarios

▪ Ad-Hoc networks acting independently (Autonomous)
▪ Produces no control traffic
▪ Botmaster has no control over his botnet
▪ Nodes must have a large density for an attack to be launched
▪ Possible attack situations may get overlooked even if there are enough infected devices within a cell

SLIDE 10

Analysis - Scenarios

▪ Coordinated attack through a Master Server (Hybrid)
▪ Produces control traffic
▪ Botmaster has partial control over his botnet
▪ Cell exhaustion is guaranteed as long as the needed amount of ad-hoc networks exist within a cell

SLIDE 11

Analysis - Node movement (Mobility Models)

▪ Random Waypoint
  • Random speed
  • Random destinations
▪ Random Waypoint with predefined hotspots
  • Random speed
  • Random destinations out of a pool of visit probability weighted locations
▪ Random Walk
  • Random speed
  • Constant travel time
  • Random travel direction

SLIDE 12

Evaluation

▪ Testing the attack rate based on:
  • Node’s threshold regarding Ad-Hoc size (Autonomous & Hybrid)
  • Changing node speeds (All scenarios)
  • Botmaster’s threshold regarding nodes within a cell (Central Controlled & Hybrid)

▪ Test parameter configuration

  • 100 - 400 nodes
  • 1000m × 1000m surface (4 cells)
  • 500m cell range
  • maximum 52 simultaneous voice calls within a cell
  • Initial node speed 1 - 2 m/s
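
The parameter configuration above as a density model, added here as an example and not taken from the presentation: it moves nodes with Random Walk or Random Waypoint and counts how often a cell holds at least 52 nodes, the number a capacity planner would compare against the voice-call limit. Assumptions: the four cells are the 500 m quadrants of the surface, positions are sampled every 10 s, and all function names are hypothetical.

```python
# Added example; function names are hypothetical, not from the presentation.
import math
import random

SIDE, CELL, CAPACITY = 1000.0, 500.0, 52  # surface, cell size, calls per cell

def cell_of(x, y):
    """Assumption: the 4 cells are the 500 m quadrants of the surface."""
    return 2 * min(int(y // CELL), 1) + min(int(x // CELL), 1)

def cell_counts(positions):
    counts = [0, 0, 0, 0]
    for x, y in positions:
        counts[cell_of(x, y)] += 1
    return counts

def reflect(v):
    v = abs(v)  # mirror the coordinate back into [0, SIDE] at the border
    return 2 * SIDE - v if v > SIDE else v

def walk_step(pos, rng, speed, dt):
    """Random Walk: random speed, constant travel time dt, random direction."""
    ang, d = rng.uniform(0, 2 * math.pi), rng.uniform(*speed) * dt
    return reflect(pos[0] + d * math.cos(ang)), reflect(pos[1] + d * math.sin(ang))

def waypoint_step(pos, target, rng, speed, dt):
    """Random Waypoint; simplification: speed is redrawn every step."""
    d = rng.uniform(*speed) * dt
    dx, dy = target[0] - pos[0], target[1] - pos[1]
    dist = math.hypot(dx, dy)
    if dist <= d:  # destination reached: draw the next one
        return target, (rng.uniform(0, SIDE), rng.uniform(0, SIDE))
    return (pos[0] + d * dx / dist, pos[1] + d * dy / dist), target

def saturated_samples(n_nodes, model, steps=200, dt=10.0, speed=(1.0, 2.0), seed=1):
    """Count (sample, cell) pairs in which a cell holds >= CAPACITY nodes."""
    rng = random.Random(seed)
    pos = [(rng.uniform(0, SIDE), rng.uniform(0, SIDE)) for _ in range(n_nodes)]
    tgt = [(rng.uniform(0, SIDE), rng.uniform(0, SIDE)) for _ in range(n_nodes)]
    hits = 0
    for _ in range(steps):
        for i in range(n_nodes):
            if model == "walk":
                pos[i] = walk_step(pos[i], rng, speed, dt)
            else:
                pos[i], tgt[i] = waypoint_step(pos[i], tgt[i], rng, speed, dt)
        hits += sum(c >= CAPACITY for c in cell_counts(pos))
    return hits
```

Under the quadrant assumption, 205 or more nodes always put at least 52 in one cell, so the count is never zero there, while fewer than 52 nodes can never reach it.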

SLIDE 13

Evaluation - Test: Node’s speed

▪ Scenario 1: Central Controlled
  • Random Walk prevails with 300 or more nodes
  • More than 400 nodes within the surface results in constant attack rates with all three mobility models

[Figure: number of cell downs vs. mean speed (m/s) for Random Walk, Random Waypoint and Random Waypoint Hotspots]

SLIDE 14

Evaluation - Test: Node’s speed

▪ Scenario 2 & 3: Autonomous & Hybrid
  • Random Walk hardly produces any attacks
  • Attack rate drops as mean speed increases

[Figure: two panels, "Autonomous" and "Hybrid", each plotting number of cell downs vs. mean speed (m/s) for Random Walk, Random Waypoint and Random Waypoint Hotspots]

SLIDE 15

Evaluation - Test: Node’s threshold

▪ Scenario 2 & 3: Autonomous & Hybrid
  • Random Walk hardly produces any attacks
  • Attack rate drops radically as threshold increases
  • Random Waypoint using hotspots prevails in “Autonomous”
  • Attack rate using the “Autonomous” scenario is higher than with the “Hybrid”

[Figure: two panels, "Autonomous" and "Hybrid", each plotting number of cell downs vs. threshold (nodes) for Random Walk, Random Waypoint and Random Waypoint Hotspots]

SLIDE 16

Evaluation - Test: Botmaster’s threshold

▪ Scenario 1 & 3: Central Controlled & Hybrid
  • Random Walk hardly produces any attacks in “Hybrid”
  • Attack rate drops as threshold increases
  • Attack rate using “Central Controlled” is higher than in “Hybrid”
  • Attack rate in “Central Controlled” is about the same with all three mobility models

[Figure: two panels, "Central Controlled" and "Hybrid", each plotting number of cell downs vs. threshold (nodes) for Random Walk, Random Waypoint and Random Waypoint Hotspots]

SLIDE 17

Evaluation - What about a larger area?

▪ Larger area representing Munich
  • Calculate a node distribution with Random Walk combined based on the user placement according to population density maps
  • Distribute cells within the city area based on real life data (Deutsche Telekom)
  • Set a hypothetical cell capacity for our cells based on the number of sectors
  • Place users within the city using the pre-calculated node distribution
  • Cell capacity in the center is larger than on the edges

How many cells can be taken down within a city with 1000 - 50 000 infected mobile devices?

SLIDE 18

Results

[Figure: number of cell downs vs. number of nodes]

▪ Nodes converge towards the center of the city
▪ Number of cells taken down monotonically increases as amount of infected devices grows, especially in the center
▪ Although people do not move according to Random Walk, attacks may be possible with “Central Controlled” scenario

SLIDE 19

Summary

▪ The scenario being used has a great impact on the attack rate
  • Central controlled like scenarios usually produce more attacks but also more control traffic, making them easier to detect
  • Autonomous and Hybrid like scenarios depend on node density and threshold values in order for an attack to be launched
▪ Mobility models affect our simulation results
  • Random Walk had on average a smaller attack count
  • Which model is more realistic?
▪ Successful attacks are also possible in larger areas, making the problem of cellular botnets critical

SLIDE 20

Thank you for your attention!