Unwanted Traffic in 3G Networks
Fabio Ricciato
Forschungszentrum Telekommunikation Wien
Donau City Straße 1, Vienna, Austria, EU
ricciato@ftw.at
ABSTRACT
component, plus the new risks emerging from their combination. The 3G environment inherits from the cellular
paradigm a number of features like terminal personalization
and geolocalization that make privacy and information security particularly critical. When coupled with the IP world,
markedly the “openess” of its applications and accessibility,
the concerns of privacy and security from the user perspective become even more critical than in legacy 2G networks.
Because of that - and of some “lessons learned” from past
mistakes in 2G security [5] - privacy and information security
aspects have received a thorough treatment in the 3G specifications (see [7] for an exhaustive overview). Nevertheless,
the specific topic of 3G network security in relation to the robustness and availability of the network infrastructure itself
has not received adequate attention by the research community to date. The problem can be condensed in the following
question: What is the level of robustness of a 3G network
against deliberate attacks or other unanticipated stimuli?
The problem of network security involves issues related to
network resilience and stability, and can not be addressed
without a deep understanding of the detailed structure and
organization of the real network. Considered the relative
recent deployment of 3G, and the very limited access that
research groups have to these networks, it should be no surprise that the work in this area has been sporadic. Some
exploits against 3G network are known and documented in
industry reports (e.g. [15] [2]), while the fact that a limited
amount of malicious traffic can cause large-case troubles to
a wireless cellular network has been “unveiled” in the recent
paper [18] with reference to a 2G network supporting open
SMS service. But at this stage what is still missing is an
exhaustive and systematic recognition of the potential risks,
threats and problems to 3G network security, from which a
research agenda can be drawn.
We provide here a novel contribution towards this goal
by introducing an issue that has passed unrecognized so far:
the impact onto 3G networks of unwanted traffic, and specifically large-scale worm infections. Remarkably, all the cited
previous works consider deliberate DoS attack against the
network. Instead here we focus on a slightly more subtle
issue, namely the (side-)effects onto the network of (unwanted) traffic, whose intended target is typically not the
network but rather its terminals. Our work was inspired
by the consequences of the Code-Red-II infection onto the
routers of the wired Internet, reported in [3] and [4].
We claim that under certain conditions and for certain
network configuration scenarios large-scale worm infections
can cause sensible degradation and risks for the network
The presence of “unwanted” (or background) traffic in the
Internet is a well-known fact. In principle any network
that has been engineered without taking its presence into
account might experience troubles during periods of massive exposure to unwanted traffic, e.g. during large-scale
infections. A concrete example was provided by the spreading of Code-Red-II in 2001, which caused several routers
crashes worldwide. Similar events might take place in 3G
networks as well, with further potential complications arising from their high functional complexity and the scarcity
of radio resources. For example, under certain hypothetical
network configuration settings unwanted traffic, and specifically scanning traffic from infected Mobile Stations, can
cause large-scale wastage of logical resources, and in extreme
cases even starvation. Unwanted traffic is present nowdays
also in GPRS/UMTS, mainly due to the widespread use of
3G connect cards for laptops. We urge the research community and network operators to consider the issue of 3G
robustness to unwanted traffic as a prominent research area.
Categories and Subject Descriptors: C.2.3 [Network
Operations]: Public networks, Network monitoring.
General Terms: Security, Reliability, Measurement.
Keywords: Cellular networks, 3G, Unwanted traffic.
1.
INTRODUCTION
Public wide-area wireless networks are now migrating to
third-generation systems (3G), designed to support packetswitched data services and Internet access. Several UMTS
networks became operational since 2003 while early GPRS
deployments date back to 2000. Since then, the growing
popularity of 3G terminals and services has extended the
coverage of Internet wireless access to the geographic area,
and 3G networks are becoming key components of the global
Internet. In a recent CCR contribution Keshav [17] foresees
that cell phones will become the dominant component of future Internet population, while Kleinrock expects this role
to be played by “small pervasive devices ubiquitously embedded in the physical world” (quoted from [14, p. 112]).
Both scenarios underlay that the main access mode in the future Internet will be wide-area wireless. Currently deployed
3G networks, along with their future evolutions, are in poleposition face to concurrent technologies (e.g. WIMAX) to
provide such access connectivity in the large-scale.
Generally speaking, the 3G network being essentially a
mixture of two paradigms, namely mobile cellular and IP, it
is exposed to the security and reliability issues affecting each
ACM SIGCOMM Computer Communication Review
53
Volume 36, Number 2, April 2006
tors are interconnected through the Gp interface for support
of roaming. The Gn protocol stack [10, p. 94] shows that a
lower UDP/IP layer is used to carry the user data packets
across Gn, with an intermediate encapsulation into a 3Gspecific protocol (GPRS Tunnelling Protocol, GTP). In fact,
the Gn interface is basically a wide-area IP network interconnecting the different SGSN/GGSN sites, and as such it
embeds routers, IP subnets etc. Besides that, the CN is rich
in IP-based elements, including servers supporting control
and management functions (e.g. DNS, DHCP, RADIUS, see
[10]) and application elements (e.g. WAP gateway, proxies,
internal servers). The latter are always located behind the
GGSN, on the Gi side (ref. Figure 1) as they operate directly
on the data-plane. Note also that packet filtering and other
restiction policies can be located on separate dedicated elements (NAT, IDS, firewalls) at the network boundaries (Gi,
Gp) and/or directly configured into the GGSNs.
Figure 1: 3G network structure.
performances and availability. We urge the research community and network operators to consider the issue of 3G
robustness to unwanted traffic as a prominent research area.
The goal of this contribution is to trigger interest and at the
same time move the first pioneering steps in such direction.
The following discussion is based on empirical observations from an operational GPRS/UMTS network collected
during an ongoing research project in traffic monitoring and
modeling in 3G, the DARWIN project [1], carried out in collaboration with mobilkom austria AG&CoKG (the leading
mobile operator in Austria, EU) and Kapsch CarrierCom
(provider of equipments and network engineering services).
2.
3G terminals. The population of 3G terminals is highly
heterogeneous and includes very different types of device:
hand-held phones and PDA, connect-card pluggable into
laptops, blackberry, etc. Additionally, a broad range of automatic devices with no human interaction is emerging, taking advantage of the ubiquity of the GPRS/UMTS coverage
(e.g. sensors, alarms, presence indicators, remote cameras).
Presently the most numerous 3G terminals are hand-held
phones. They span a broad range of technological platforms,
a major point of difference (for the moment) from the wired
Internet that is essentially a monoculture. The last aspect
is critical when considering malware infections: such a “biological variety” intrinsically limits the potential infection
scope, which in turn reduces somehow the very appeal for
programming new pieces of malware. As a result, large-scale
infections of cellular phones have not yet been observed, despite a growing number of exploits and pieces of malicious
code targeting GPRS/UMTS phones have already appeared
in the wild (e.g. Cabir, Mosquito, Comwarrior 2 ).
OVERVIEW OF 3G NETWORKS
Network structure. A 3G network includes two main sections: a Packet-Switched Core Network (CN), which is based
on IP, and one or more Radio Access Network (RAN). Along
with the UMTS RAN (UTRAN) based on W-CDMA, several operators maintain a parallel GPRS RAN evolved from
the legacy GSM radio. This structure is sketched in Figure
1. It is also possible to connect additional separate RANs
to the same CN, typically WLAN [13] and perhaps in the
future also WIMAX. Each RAN can evolve independently
from the CN: for example in several networks GPRS has
been upgraded to EDGE [10, p. 152], while UMTS upgrade
towards HSDPA [8, p. 351] is ongoing. Each RAN is connected to the legacy 2G Circuit-Switched Core-Network (not
shown in Figure 1) for traditional services like voice calls,
and to the Packet-Switched Core-Network (CN for short)
for data services. The CN embeds several elements: SGSN,
GGSN, and a number of information servers. Some of the
latter are shared with the Circuit-Switched Core-Network
of the legacy 2G system 1 , e.g. the HLR/AuC. The SGSNs
perform functions such as access control, location management, paging, route management [10]. The GGSN is the
logical gateway between the CN and external packet networks (Internet and private networks), is endowed with a
full IP-stack and handles the IP-level connectivity with the
MS. The SGSN and GGSN of the same operator communicate through the Gn interface. The CNs of different opera-
3G datacards for laptop. Many 3G datacards for laptop
were sold starting in 2004, often coupled with flat-rate offers.
Most of these laptops are equipped with Microsoft Windows
- note that for some datacards drivers are not available for
other operating systems. This introduced into the 3G environment a sub-population of homogeneous terminals, i.e.
Windows laptops, that are intrinsically exposed to all kinds
of exploits and infections that are found in the wired Internet. In case of active infection (e.g. a scanning worm) they
introduce into the 3G network the same “unwanted” traffic
patterns (e.g. probe SYN packets) that are found in wired
LANs and in the Internet.
3. PROBLEM STATEMENT
Unwanted traffic. The term “unwanted traffic” has been
used in [16] to refer cumulatively to those traffic components
originated directly or indirectly by malicious or anyway “non
productive” activities. It includes backscatter traffic associated to remote DoS attacks, scanning probes, spam, exploit attempts etc. Unwanted traffic might have a negative
impact onto the underlying network, and in extreme cases
drive the network or at least some of its elements to crash.
1
Notably the close coupling between the circuit- (GSM) and
packet-switched (GPRS/UMTS) sections is a source of concern since in principle troubles originated in the latter might
cause impairments or side-effect to the former as well.
ACM SIGCOMM Computer Communication Review
2
54
See www.viruslist.com/en/viruses/encyclopedia.
Volume 36, Number 2, April 2006
A bright example was provided by the spreading of CodeRed-II in 2001 [3]. Once installed on a victim host, the
worm started to scan for new potential victims by sending a high rate of probing TCP SYN packets to random
addresses. This caused troubles to the packet forwarding
modules of several edge routers all over the Internet, some
of which eventually crashed [4]. In simple words, the problem is that route caching mechanisms were designed (and
optmized) to operate under “normal” (i.e. expected) traffic conditions, where most of the packets are directed to a
relativelly small subset of popular subnets. In such nominal
condition, route caching can be very effective. But during
the infection probing SYN packet were massively generated
and sent to randomly chosen IP addresses, thus driving the
cache access mechanisms to explode. In other words, the
worm infection built-up a traffic aggregate macroscopically
different from the “normal” pattern, and the network proved
to be not robust enough to sustain such different conditions.
The lesson to be learned is that in terms of the characteristics of the macroscopic traffic aggregate (entropy of the
destination IP address distribution, packet size, etc.) large
infections or other unwanted traffic components can expose
the network to a different “operating point” from what the
network was engineered and optmized for, with potentially
dramatic effects 3 .
nection (e.g. application layer proxies, servers, NATs). Note
that some stateful operations might be enabled also on the
GGSNs.. In this cases the GGSN logic should be robust to
high rates of SYN packets coming from the MSs.
Large volumes of SYN packets might be originated by deliberate DoS/DDoS or from large-scale infections of scanning
worms. In both cases, the source(s) can be hosts in the Internet (exogenous traffic) or other MS in the RAN (endogenous traffic). In general, exogenous traffic can be blocked at
the external firewall as for any other private network. The
first element to inspect the IP packets sent by the MSs is
the GGSN. The latter generally embeds full router capabilities, therefore it can be configured with the same stateless
/ stateful firewalling policies and/or throttling mechanisms
(see e.g. [12]) to filter endogenous uplink traffic. For an
improved robusteness against residual unblocked SYNs, all
stateful elements should be designed to resist massive SYN
storms rather than just rely on external filtering elements.
Wastage of logical resources. The UMTS radio bearer
TCP SYN packets might cause troubles to those stateful
elements designed to reserve resources for each TCP con-
channels (called Dedicated Channel, DCH) are assigned dynamically to active MSs. The assignment policy is implemented in the RNC and is generally based on a combination of timeouts from the last data packet and thresholds on
the recent sending / receving rates. The exact algorithm is
vendor-dependent, with parameters configurable by the operator. Let us consider here the simplest case of a purely
timeout-based DCH assignment policy: the DCH is assigned
to the MS at the time of the first packet (sent or received),
and is released after TDCH seconds from the last packet,
TDCH being the holding timeout for DCH. Note that when
the MS does not have an assigned DCH, packets are exchanged on the common channels FACH or RACH (see [8,
Ch. 7]). Note also that each channel switch operation involves a signaling procedure at the radio interface, contributing to the total transfer delay for the arriving packet. The
value of TDCH must be tuned carefully. Too short values
causes a high frequency of channel switch cycles, and consequently (i) a higher consumption of signaling resources on
the radio link and (ii) longer packet delays and hence worse
user experience. On the other hand, too long values will
lead to wastage of logical resources, i.e. DCHs, whose available number if limited in each cell. Therefore, the optimal
value of TDCH must be chosen according to the distribution
of idle-period duration for “typical users”.
Given such framework, consider what happen when a number of infected terminals are scanning the local address space.
Each active MS (not necessarely infected) will be visited by
scanning probes at an average rate of Rv pkt/sec. The exact value of Rv depends on several factors like number of
scanning MSs, scanning rate, etc. (see [6] for more details)
and can typically be in the order of few seconds or below.
In case that the average probe interarrival time is smaller
than the DCH holding timer, i.e. τv = (Rv )−1 < TDCH , the
incoming unwanted traffic will keep the DCH channel assigned to the target MSs indefinitely, until the user switches
off the terminal or explicitely close the PDP-context 4 . Note
that the volume in byte count of such incoming background
traffic is extremely low and would pass unnoticed by the
user. No assumption is made about the vulnerability of the
3
In this regard, this is another example of (lack of) robusteness to unanticipated types of events in HOT systems [11].
4
The “PDP-context” is the logical connection to the 3G
network, conceptually similar to a wired modem dial-up.
Potential impact on 3G. In principle, the 3G network is
exposed to the same type of incidents, and perhaps even
more given the higher functional complexity inherited by the
wireless cellular paradigm. The 3G network is ultimately an
IP network, but with important peculiarities. First, the underlying transport stratum, specifically the 3G-specific lower
protocols in the RAN, are endowed with very high functional
complexity and signaling interactions - mainly for the sake
of mobility management and efficient resource management.
Second, the population of internal “hosts” is extremely large
(from thousands to millions of MSs) and highly dynamic (activity periods can be as short as few seconds). The potential
impact of large-scale infections and unwanted traffic in such
a system is an intriguing point for research, that has not yet
been addressed by the research community. The existence of
the problem has been conjectured in a previous work [9, p.
447-448]. In lack of past empirical events, it is not possible
to claim that 3G network are exposed to serious damages
from large infections. On the other hand, without a systematic risk assessment it is neither possible to provide a priori
guarantees about their robustness. Empirical evidence of
the very existence of unwanted traffic in a real 3G network
has been reported in [6] along with initial but technicallydetailed speculations on the potential impact that the observed traffic would have under certain hypothetical conditions and configuration setting. The actual impact, if any,
depends on a combination of factors related to the network
configuration and equipment features. In the following we
illustrate the problem by discussing a few examplary forms
of impact that might take place in a real network.
Stateful elements. The presence of massive amounts of
ACM SIGCOMM Computer Communication Review
55
Volume 36, Number 2, April 2006
borrowing concepts and tools from the recent achievements
in the field of anomaly detection in the Internet. The prerequisite for all that is a continuous (always-on) process of
large-scale traffic monitoring and analysis from inside the
network, i.e. on the internal interfaces like Gn.
target MS to the specific exploit, the only condition being
that it is reachable by probing packets, i.e. it has an active PDP-context. Such always-on “spurious” DCH waste
resources on the radio interface. Notably, wastage is limited to the logical resources, i.e. DCH, since the physical
bandwidth is left largely unused as only sporadic and small
packets (probe SYNs) are transmitted over the air. Such
phenomenon might lead to logical congestion of some radio
cells as soon as the number of active MSs in the cell reaches
the number of available DCHs.
5. REFERENCES
[1] DARWIN home page
http://userver.ftw.at/∼ricciato/darwin.
[2] A. Bavosa. Attacks and Counter Measures in 2.5G
and 3G Cellular IP Networks. Juniper White Paper,
June 2004. Online at www.juniper.net/solutions/literature/white papers/200074.pdf.
[3] C.C. Zou, W. Gong, D. Towsley. Code Red Worm
Propagation Modeling and Analysis. 9th ACM Conf.
on Computer and Comm. Security (CCS’02), 2002.
[4] Cisco. Dealing with mallocfail and High CPU
Utilization Resulting From the “Code Red” Worm.
www.cisco.com/warp/public/117/ts codred worm.pdf.
[5] E. Barkan, E. Biham, N. Keller. Instant CiphertextOnly Cryptanalysis of GSM Encrypted Communications. Crypto 2003, Santa Barbara, CA, August 2003.
[6] F. Ricciato, P. Svoboda, E. Hasenleithner, W.
Fleischer. On the Impact of Unwanted Traffic onto a
3G Network. Technical Report FTW-TR-2006-006,
February 2006. Available online from [1].
[7] G. M. Koien. An Introduction ro Access Security in
UMTS. IEEE Wireless Communications, 11(1), 2004.
[8] H. Holma, A. Toskala. WCDMA for UMTS. Wiley.
[9] H. Yang, F. Ricciato, S. Lu, L. Zhang. Securing a
Wireless World. Proceedings of the IEEE, 94(2), 2006.
[10] J. Bannister, P. Mather, S. Coope. Convergence
Technologies for 3G Networks. Wiley, 2004.
[11] J. M. Carlson, J. Doyle. HOT: Robustness and design
in complex systems. Phys. Rev. Let., 84(11), 2000.
[12] J. Twycross, M. M. Williamson. Implementing and
testing a virus throttle. Tech. Report HPL-2003-103,
May 2003. Online www.hpl.hp.com/techreports/2003.
[13] K. Ahmavaara, H. Haverinen, R. Pichna. Interworking
Architecture Between 3GPP and WLAN systems.
IEEE Communications Magazine, November 2003.
[14] L. Kleinrock. The Internet: History and Future. Lectio
Magistralis at Politecnico di Torino, October 2005.
Online at www.tlc.polito.it/∼nordio/seminars.
[15] O. Whitehouse. GPRS Wireless Security: Not Ready
For Prime Time. Research Report by stake, June 2002.
Online at www.atstake.com/research/reports.
[16] R. Pang et al. Characteristics of Internet Background
Radiation. IMC’04, Taormina, Italy, October 2004.
[17] S. Keshav. Why Cell Phones Will Dominate the
Future Internet. Computer Communication Review,
35(2), April 2005.
[18] W. Enck, P. Traynor, P. McDaniel, T. La Porta.
Exploiting Open Functionality in SMS Capable
Cellular Networks. 12th ACM Conf. on Computer and
Comm. Security (CCS’05), November 2005.
Signaling overhead. One key assumption in the above scenario is that the average interarrival of background packets
is smaller than the DCH holding timeour, i.e. τv < TDCH .
Other problems arise in case that τv is higher but close to
TDCH , i.e. τv = TDCH + ǫ for small ǫ, particularly in the
case of low TDCH . In this case, a DCH reassignment follows
immediately a DCH release at rate 1/TDCH , thus wasting
signaling bandwidth in the radio section. Again, the more
“victims” are present in the same cell the higher the impact.
4.
CONCLUSIONS
We warn that unwanted (or “background”) traffic can
have an impact onto the functionally-complex 3G network,
at least under certain conditions of network configuration
and setting. Real measurements [6] provide evidence of the
presence of such traffic inside a real GPRS/UMTS network.
We have speculated on its potential impact under hypothetical network conditions (e.g. MS-to-MS communication enabled, no firewalling set in the GGSNs). The extent to which
such conditions are effectively found in a real network is unknown, as mobile operators do not disclose details about the
deployment and configuration of their networks. Since the
actual impact, if any, depends pointedly on a combination
of factors related to the network configuration and equipment features, in many cases the relevant countermeasures
and fixes are obvious or anyway simple to implement once
that the potential risk has been identified. Often preventive
actions are as simple as a careful and informed network engineering and equipment configuration. For instance, stateful firewalling at the GGSN prevents probe packets to reach
the target MS thus avoding DCH channels to be “spuriously” kept alive by background traffic. Alternatively, a
more sophisticated DCH assignment strategy (e.g. based on
thresholds on the packet rate) would alleviate the problem.
However, such features might never be activated unless an
explicit recognition of the problem of unwanted traffic and
its consequences. In summary, the very first problem is to
recognize and assess the potential risks, which might be hidden in the intricate web of interactions and dependencies
embedded within the functionally-complex 3G network.
The potential risks due to the presence of unwanted traffic
must be taken into account in the design of the network setting, so as to avoid the emergence of hazardous conditions.
A coherent process of risk assessment should be considered
as a natural component of the network engineering process.
In turn, risk recognition must be based on a thorough understanding of the specific traffic environment, which is continously evolving following the emerging of new services, new
types of terminals, new forms of infections, new attacks, etc.
Automatic or semi-automatic methods can be implemented
to detect drifts in the macroscopic composition of the traffic,
including the raise of new components of unwanted traffic,
ACM SIGCOMM Computer Communication Review
56
Volume 36, Number 2, April 2006