A while ago Shortinfosec published an article by Michael Coates about Geo Location based DDoS.
The article sparked some interest, and we decided to delve deeper into this issue.
Shortinfosec performed a basic analysis of the possible impacts of Geo Location based DDoS.
ITU has published that there are 4.6 billion mobile phones worldwide. That is a truly formidable number, and one quite capable of performing a DDoS attack on any mobile network.
But creating a DDoS attack isn't as simple as it looks - especially a Geo Location based DDoS. To make a DDoS attack, you need the following ingredients:
Software that will make the attack - The software will have to use the geo location function (to know where the phone is) and the telco function (to create the DoS) of the mobile phone. Variants of such software are available and can be developed with relative ease for any smartphone platform. Examples of apps that use Geo Location and telco functions are GPS tracking apps (for child tracking or employee tracking) as well as 'Cheating Spouse Spy' apps. They access the geolocation and send out data streams or SMS messages, and some of them are even remotely controllable via SMS. They can easily be modified to create a DoS by swamping the network with SMS or data traffic.
Means of distribution of the attack software - For a DDoS attack to succeed, you need a high volume of attack ('zombie') devices. In a Geo Location DDoS you attack something at one geographic location, so the zombie phones need to be at or around the target location. This means that you need to persuade a lot of people to install the attacking app on their phones. There are two options for this task:
- An App that everyone will like - This is very hard to achieve: whatever your App is, even a game, the percentage of people who will like it can be very limited. You also need to develop the App for a lot of platforms, since there are many phone manufacturers and each ships several different OS platforms.
- A self-distributing (virus-like) application - This poses a whole set of challenges. A virus can self-distribute either through a vulnerability in the operating system or through user action (like sending an SMS with instructions to install an app). Phone users do not readily install new apps simply because an SMS instructed them to, and good luck finding vulnerabilities in a sufficient number of platforms and versions of phone OS.
To estimate the number of zombie phones in any given area, we need some starting parameters. We'll use worst case values for every parameter:
- Geo Location enabled phone percentage in the total phone population (between 24% and 95%) - Gartner estimates that smart phones make up 18% of the total number of mobile phones. We'll assume that every smart phone has Geo Location ability, and we'll use percentages higher than 18%, since the target area is going to have a greater population with the means and needs to have a smart phone. For the US, we'll use 95% simply because of the FCC E911 Phase 2 directive, which mandates that 95% of all subscribers of US mobile networks have some form of Geo Location.
- Percentage of phones that will be targeted by the attack app (51%) - since there are multiple manufacturers and platforms, the attacker needs to attack the population with the highest probability of success: the largest phone population with similar characteristics. We'll use the market share of the dominant platform, Symbian, which according to Gartner held 51% of all smart phone platforms.
- Successfully zombified phones (20%) - the target population of mobile phones cannot be fully controlled. The widest penetration of a virus infection was the Melissa virus, which is estimated to have infected between 15% and 20% of all computers worldwide. We'll use 20% for good measure.
- Area where most attack phones will reside (4 million square meters) - on a business day most Geo Location based phones will be within the city business area. For a city of over a million inhabitants, this area is at least a 4 kilometer by 4 kilometer square (2.49 x 2.49 miles). That is 4 million square meters.
- Concentration of zombified phones (50% within the attack area) - on a business day we will assume that 50% of zombie phones will be within the attack area.
Analysis of the table
Assuming the parameters of the analysis can be met (especially the number of phones that are zombified), the numbers give the following results:
Overwhelming the network - highly unlikely: The maximal number of zombie phones represents from 2.41 to 9.7 percent of the total phone population for urban areas. The mobile network switches are designed to handle traffic spikes, so they will be able to handle an increase of at most 10% of the total city population.
Overwhelming the central area - possible: Long before the DDoS attack can overwhelm the network switches, it will hit a bottleneck: the mobile radio cells have a technical limit on the number of active calls, so in a DDoS scenario the cells where most zombified phones reside will be affected.
Overwhelming hot spots - very likely: Even within the attack target area, there are hot spots with huge concentrations of mobile phones - large office buildings and business parks. These hot spots are rarely served by a dedicated set of cells, and the DDoS attack will most likely overwhelm the available cells.
In simpler terms, on a business day the cells in the business area of the city will have more requests for service than available channels, so there will be a lot of No Service or No Network within the central attack area.
Detection and remedy - at least several hours: The mobile network operator will immediately identify the overwhelmed cells, but it will take hours to identify the pattern of who is creating the congestion. Even then, the remedy will not be simple, and will come down to disabling service for every identified zombie phone. This will take several hours the first time around. But once this particular type of attack is identified, a lot of effort will be put into creating automatic or semi-automatic detection and disabling systems, so after several attacks the correction time will be brought down to at most several tens of minutes. Also, mobile operators have the financial means to go after the initiator of the DDoS with every available investigative and legal tool.
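The zombie-phone estimate and the per-cell bottleneck described above, as an added example in Python (not part of the original article). The scenario percentages are the article's; the city phone count, the number of cells covering the business area, the hot-spot share and the per-cell active-session limit are constructed assumptions used only to show where the capacity model breaks first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    geo_enabled: float     # share of phones with Geo Location (article: 0.24 to 0.95)
    platform_share: float  # share of phones on the one targeted platform (article: 0.51)
    zombified: float       # share of targeted phones actually infected (article: 0.20)
    in_area: float         # share of zombie phones inside the attack area (article: 0.50)


def zombie_fraction(s: Scenario) -> float:
    """Zombie phones as a fraction of the whole phone population.
    With the article's parameters this gives 9.69% at 95% geo coverage
    and about 2.45% at 24% coverage (the article quotes 9.7% and 2.41%)."""
    return s.geo_enabled * s.platform_share * s.zombified


def zombies_in_area(s: Scenario, total_phones: int) -> int:
    """Zombie phones expected inside the 4 km x 4 km business area."""
    return round(total_phones * zombie_fraction(s) * s.in_area)


def per_cell_load(zombies: int, cells: int, hotspot_share: float, hotspot_cells: int) -> dict:
    """Split zombie sessions across radio cells: `hotspot_share` of them land on
    `hotspot_cells` cells (office buildings, business parks), the rest spread
    evenly over the remaining cells. Returns attack sessions per cell type."""
    hot = zombies * hotspot_share / hotspot_cells
    ordinary = zombies * (1 - hotspot_share) / (cells - hotspot_cells)
    return {"hotspot_cell": round(hot), "ordinary_cell": round(ordinary)}


def overloaded_cells(load: dict, capacity: int) -> list:
    """Cell types where attack sessions alone exceed the active-session limit,
    i.e. where legitimate users will see No Service before anything else fails."""
    return [kind for kind, sessions in load.items() if sessions > capacity]


if __name__ == "__main__":
    # Constructed assumptions (not from the article): 1,000,000 phones in the city,
    # 40 cells covering the business area, 25% of zombies in 2 hot-spot cells,
    # 500 concurrent active sessions per cell.
    for geo in (0.24, 0.95):
        s = Scenario(geo, 0.51, 0.20, 0.50)
        z = zombies_in_area(s, 1_000_000)
        load = per_cell_load(z, 40, 0.25, 2)
        print(f"geo={geo:.0%} zombies={zombie_fraction(s):.2%} in_area={z} "
              f"load={load} overloaded={overloaded_cells(load, 500)}")
```

Even in the low (24%) case the hot-spot cells are saturated while ordinary cells are not, which is the article's "hot spots very likely, network unlikely" conclusion expressed as numbers.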
The parameters in this table represent a worst case scenario, but they are based on current numbers of phones and estimated Geo Location ability.
The estimation assumed that the attacker can actually install the attack app on 20% of Geo Location enabled devices. This assumption is very far-fetched, and therefore the entire scenario is not very realistic.
The future may be darker - if we start using a common mobile platform, similar to the Windows prevalence in the PC world, and with the Geo Location function becoming either a commodity or even a mandate, the parameters of the analysis can change dramatically - and make the mobile networks vulnerable to DDoS attacks.
Talkback and comments are most welcome.
Geo Location based DDOS can target Mobile Operators