9-1-1 DDoS: Threat, Analysis and Mitigation

The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller's identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future.
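The abstract frames the attack as pure capacity exhaustion: because the FCC routing rule makes caller identifiers irrelevant and the baseband rootkit randomizes them anyway, the call-taking capacity of a PSAP cannot be protected by filtering on who is calling, and the only levers left to a defender are trunk count and call-handling time. The following Erlang-B loss model, written here as an added illustration and not the paper's own simulation code, makes that point concrete: flood traffic enters the model only as additional offered load, with no term for identity-based blocking. The call volumes, hold times and trunk counts in it are constructed placeholders, not figures from the paper.

```python
"""Erlang-B (M/M/c/c) loss model of an emergency call center under a flood of
indistinguishable anonymous calls.

Added illustration for capacity planning; not the paper's simulation model.
All numeric inputs in the usage section are constructed placeholders.
"""
import math


def erlang_b(offered_erlangs: float, trunks: int) -> float:
    """Probability that an arriving call finds every one of `trunks` call-taker
    lines busy and is lost.

    Uses the numerically stable recurrence
        B(E, 0) = 1,   B(E, m) = E * B(E, m-1) / (m + E * B(E, m-1))
    instead of the closed form with E**m / m!, which overflows for large m.
    """
    if trunks < 0:
        raise ValueError("trunks must be non-negative")
    if offered_erlangs < 0:
        raise ValueError("offered load must be non-negative")
    b = 1.0
    for m in range(1, trunks + 1):
        b = offered_erlangs * b / (m + offered_erlangs * b)
    return b


def offered_load(calls_per_hour: float, mean_hold_minutes: float) -> float:
    """Offered traffic in erlangs: arrival rate times mean holding time (hours)."""
    return calls_per_hour * mean_hold_minutes / 60.0


def blocking_under_flood(trunks: int,
                         legit_calls_per_hour: float, legit_hold_minutes: float,
                         flood_calls_per_hour: float, flood_hold_minutes: float) -> float:
    """Blocking probability seen by a legitimate caller when flood calls share
    the same trunks.

    The flood contributes nothing but extra erlangs: there is deliberately no
    per-caller filter in this model, mirroring the abstract's point that calls
    from devices with randomized identifiers cannot be rejected before they
    consume a line.
    """
    load = (offered_load(legit_calls_per_hour, legit_hold_minutes)
            + offered_load(flood_calls_per_hour, flood_hold_minutes))
    return erlang_b(load, trunks)


def trunks_for_target(offered_erlangs: float, max_blocking: float) -> int:
    """Smallest number of trunks keeping blocking at or below `max_blocking`
    for the given offered load (a defender's provisioning question)."""
    m = 0
    while erlang_b(offered_erlangs, m) > max_blocking:
        m += 1
    return m


if __name__ == "__main__":
    # Constructed scenario (placeholder values, not from the paper).
    trunks = 20
    legit_cph, legit_hold = 200.0, 3.0       # 200 calls/h, 3 min each -> 10 E
    baseline = blocking_under_flood(trunks, legit_cph, legit_hold, 0.0, 0.0)
    print(f"baseline blocking with {trunks} trunks: {baseline:.4f}")

    # Flood calls that each hold a line until the call-taker hangs up.
    for flood_cph in (100.0, 400.0, 1600.0):
        p = blocking_under_flood(trunks, legit_cph, legit_hold, flood_cph, 3.0)
        print(f"flood {flood_cph:6.0f} calls/h -> legitimate blocking {p:.4f}")

    # How much extra trunking would hold blocking under 1% at the largest flood?
    total = offered_load(legit_cph, legit_hold) + offered_load(1600.0, 3.0)
    print("trunks needed for <=1% blocking:", trunks_for_target(total, 0.01))
```

Two design points follow directly from the abstract. First, `blocking_under_flood` has no parameter for caller identity, because under the routing rule described there is nothing an identifier could be used for. Second, the model shows that the defender's remaining levers are the trunk count and the holding time per flood call, which is why the abstract treats the problem as one for lawmakers and infrastructure owners rather than for a network-side filter.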
