New DOS attacks threaten wireless data networks

NEW YORK CITY -- Forget spam, viruses, worms, malware and phishing. These threats are apparently old school when compared to a new class of denial-of-service (DOS) attacks that threaten wireless data networks.

The latest wireless network threats were outlined in a talk here Thursday by Krishan Sabnani, vice president of networking research at Bell Labs, at the Cyber Infrastructure Protection Conference at City College of New York.

Sabnani said the latest wireless data network threats are the result of inherent weaknesses in Mobile IP, a protocol that uses tunneling and complex network triangulation to allow mobile devices to move freely from one network to another.

"We need to especially monitor the mobile networks – with limited bandwidth and terminal battery—for DOS attacks," Sabnani said.

For more on network research, follow our Alpha Doggs blog

Sabnani said the newest DOS attacks on wireless networks involve repeatedly establishing and releasing connections. These attacks are easy to launch and hard to detect, he added.

"One cable modem user with 500Kbps upload capacity can attack over 1 million mobile users simultaneously," he said.

Here are five wireless data network threats outlined by Sabnani:

1. Signaling DOS

This attack leverages active mobile sessions in the network. It involves sending small amounts of data to re-initiate a session after it has been released. The low-volume attack can create congestion at the radio network controller (RNC). Overload of the RNC results in a denial of service for the subscriber.

2. Battery Drain

This attack also leverages active mobile sessions in the network. It sends packets to a mobile device to prevent the device from going into sleep mode. The attack can involve as little as sending 40 bytes every 10 seconds. This attack wastes radio resources and drains mobile batteries.

3. Peer-to-Peer Applications

Bell Labs found that one subscriber's excessive use of peer-to-peer Web sites was affecting the performance of a North American carrier's 3G network. The subscriber uploaded 1GB and downloaded 3.5GB communicating with 5,000 eDonkey and 37,000 Gnutella sites.

4. Malfunctioning Air Card

The same North American 3G carrier experienced DOS overloads due to a malfunctioning air card. Bell Labs says it took several man-months of effort to identify the rogue device.

5. Excessive Port Scanning

Bell Labs also noted that the same wireless carrier experienced significant wasted air resources from worms and port scans. Bell Labs noted that worms were targeting ports 135, 137, 139, 1026 and 5900.

Sabnani said Bell Labs' research in DOS threats to wireless networks led to the development of a new product for 3G and 4G wireless carriers called AWARE Detector, a packet inspection engine designed specifically for wireless network architecture and protocols. Alcatel-Lucent is offering the product as the 9900 Wireless Network Guardian. 

"We have developed algorithms based on traffic profiling and statistical models that can detect low-volume wireless DOS attacks," Sabnani said. "The system detects and mitigates traffic that will cause RNC signaling overload, unnecessary airlink usage, paging overload, and unnecessary subscriber battery drain."