One of the basic security elements in cellular networks is the authentication procedure performed by means of the Subscriber Identity Module (SIM), which is required to grant access to network services and thereby protects the network from unauthorized use by applying several kinds of parameters. Given the large amount of computing power available in modern clustered HLRs, it is also essential to consider the counter-intuitive result, summarized here, showing that the busier the HLR is, the more difficult it is to disrupt its services. Two factors affect the cellular infrastructure as a whole, and thus the measures needed for its defense, namely: 1. the complexity and the high level of programmability of the latest mobile phones, and 2. the interconnection between the cellular network and the Internet. Awareness of this attack can be exploited by many applications in both the security and the network equipment manufacturing sectors.
We present a new kind of denial of service attack based on properly crafted SIM-less devices that, without any kind of authentication and by exploiting some specific features and performance bottlenecks of the UMTS network attachment process, are potentially capable of introducing significant service degradation, up to disrupting large sections of the cellular network coverage. The analysis of the node attachment procedure in Universal Mobile Telecommunications System (UMTS) infrastructures shows that it is possible to mount a full-fledged DoS attack potentially capable of shutting down large sections of the network coverage without the need to hijack or control actual users' terminals, and that the number of devices necessary to make such an attack effective is limited to a few hundred. This attack operates exclusively at the user level by relying on unavoidable protocol-level signaling features, so that no hacking of intra-operator facilities is needed. It is indirectly targeted at the Home Location Register (HLR), the database containing information on mobile subscribers as well as call blocking and forwarding rules, which can be overwhelmed by service requests. Since this database is a critical component, often revealing itself to be a major bottleneck within the overall infrastructure, an outage of its functionality may cause an interruption of other mobile services.
A Denial of Service Attack to UMTS Networks Using SIM-Less Devices
Existing work on DoS attacks has shown that it is possible to achieve a high level of service degradation more efficiently than by consuming voice and SMS traffic (i.e., user-plane channels). In fact, an attacker may try to flood control channels, which are separated from traffic channels and very limited in terms of available bandwidth. The first work in this direction shows how the interconnection between mobile networks and the Internet can be exploited by an attacker continuously sending SMS from an online service to a crafted hit-list of telephone numbers; the generated data flow is sufficient to keep the control channels, shared by SMS and voice, completely busy. Other works describe flaws that can be used to delete, modify or replay some unauthenticated or non-integrity-protected messages in order to launch DoS attacks against both user phones and network nodes. These flaws may also permit revealing user identities (IMSIs) and impersonating the network in man-in-the-middle attacks. Also, as previously described, the way a DoS attack on the UMTS network can be mounted is straightforward if the attacker disposes of a list of valid IMSIs.
The aim of the proposed scheme is to provide a security application that accurately detects and blocks the nodes creating a DoS attack in a UMTS network. It also measures the time delay by assigning different values to the parameters. The application could be easily deployed in the network. Here we propose two main algorithms: the UMTS integrity algorithm, used to compute the message authentication code, and the AKA algorithm, used for the authentication process.
The UMTS protocol defines the actions that should be carried out in order to attach to the network. A high-level description of the network access procedure can be sketched in the following common steps: i) cell discovery, ii) best server synchronization, iii) attachment request, iv) authentication and key agreement (AKA) and v) temporary identity creation. The peculiarity of this procedure is that it cannot leverage previously accrued knowledge, since it must accommodate new devices about which there is no previous information. In such a context, the most critical step from the DoS vulnerability perspective is the AKA one, where an unauthenticated device may force the core network to carry out computations that are more resource-consuming than the connection request itself.
The way an attack based on the above considerations could be set up is straightforward: in a preliminary phase the attacker builds a database of valid IMSIs; then he floods the network with multiple attach requests, each one carrying a different IMSI chosen from that database. The cellular network, in order to accomplish the AKA phase, forwards the requests to the HLR/AuC, where each IMSI is validated and, being authentic, triggers the calculation of authentication information that is sent to the SGSN, which in turn has to submit the challenge to the MS and verify the correctness of the reply. As the attacker does not actually own the SIM corresponding to the IMSI used, he does not know the correct answer. However, such a correct answer is not strictly needed; in fact, since the attack's goal is to exhaust HLR/AuC computing resources, hitting the target with a sufficiently large volume of valid attach requests is enough to introduce a core-network-level DoS.
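To illustrate the detect-and-block idea of the proposed scheme together with the AKA flow described above, here is an added example (not code from the paper) simulating an SGSN that quarantines IMSIs with repeated AKA failures so that the HLR/AuC is no longer consulted for them. The key table, IMSIs, the HMAC stand-in for MILENAGE, the AttachGuard class and the failure thresholds are all assumptions of this example.

```python
import hmac
import hashlib
import os
from collections import defaultdict, deque

# Constructed sample AuC key table: IMSIs and keys are made up for this example.
# 3GPP MILENAGE (f2) is replaced by truncated HMAC-SHA256 (assumption).
SUBSCRIBER_KEYS = {
    "001010000000001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "001010000000002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
STATS = {"auc_calls": 0}  # how often the SGSN triggered AuC vector computation

def auc_expected_response(imsi, rand):
    """AuC side: compute XRES for a RAND challenge (the expensive step)."""
    STATS["auc_calls"] += 1
    return hmac.new(SUBSCRIBER_KEYS[imsi], rand, hashlib.sha256).digest()[:8]

class AttachGuard:
    """SGSN-side limiter: an IMSI failing AKA max_failures times within window_s
    seconds is quarantined; its attach requests are answered without the AuC."""
    def __init__(self, max_failures=3, window_s=60.0):
        self.max_failures, self.window_s = max_failures, window_s
        self.failures = defaultdict(deque)  # imsi -> timestamps of failed AKA

    def is_blocked(self, imsi, now):
        q = self.failures[imsi]
        while q and now - q[0] > self.window_s:  # forget failures outside window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, imsi, now):
        self.failures[imsi].append(now)

def handle_attach(guard, imsi, ms_respond, now):
    """One attach request; ms_respond(rand) models the terminal's challenge answer."""
    if guard.is_blocked(imsi, now):
        return "blocked"  # cheap rejection, no HLR/AuC work spent
    if imsi not in SUBSCRIBER_KEYS:
        return "unknown-imsi"
    rand = os.urandom(16)
    xres = auc_expected_response(imsi, rand)
    if hmac.compare_digest(ms_respond(rand), xres):
        return "attached"
    guard.record_failure(imsi, now)
    return "auth-failed"

def genuine_ms(imsi):
    """Terminal holding the SIM for imsi: same derivation as the AuC."""
    return lambda r: hmac.new(SUBSCRIBER_KEYS[imsi], r, hashlib.sha256).digest()[:8]
```

Note that a per-IMSI quarantine also delays the genuine subscriber whose IMSI is being replayed until the window expires, so a deployed scheme would combine it with per-cell or per-source counters and a short window rather than a permanent block.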