[Figure 5: The effect of a sustained attack: a few metrics before and during the attack. Panels: (a) Rate of data page messages (data pages/sec against time in sec); (b) Utilization by slotted messages (utilization in % against time in sec); (c) CDF of paging delay (CDF(x) against delay in sec, with one curve before the attack and one during the attack).]
replies on the access channel. Therefore, we measure the time interval between the time a GPM is sent and the time a CAM is sent to the same mobile, which is referred to as the “paging delay”[9]. Figure 5(c) plots the CDF of paging delays before and during the attack. Clearly, there is an increase in the delays during the attack period. Without the attack, half of the CAMs are sent within one second after the GPM and all CAMs are sent within two seconds; during the attack, only 25% of the CAMs are sent within one second and the paging delay can be as high as six seconds. This attack to some extent degrades the quality of service perceived by the calling party for voice calls, which constitute the majority of cellular calls today. When 5% of users receive a channel assignment message more than two seconds after the GPM message, it means that the calling parties of these users are on average experiencing a silence period of more than 4.5 seconds before hearing the first ring tone, since GPMs are sent on average 2.56 seconds after they arrive.

Although we only demonstrated slight performance degradation in our experiments, the vulnerability is actually more serious than what we have just observed. First, we only attempted to increase the paging load by 10%, while a larger increase is possible. Second, we performed our experiment in a lightly loaded paging area. Without attacks, the average load of slotted traffic in the area under study was only 20% and the load of non-slotted traffic was less than 5%. We observed 20% to 25% of the paging capacity being used by overhead traffic. Therefore, the total load on the paging channel was around 50%. In such an area, creating an extra load of 10% only introduces negligible performance degradation (e.g., slightly increased paging delay); it does not totally overwhelm the system or dramatically decrease the quality of service provided to cellular users. However, repeating the same experiments in a highly loaded paging area is very likely to overwhelm the paging channel and intolerably delay the call setup messages, leading to denial of cellular service. A highly loaded paging area could exist for a couple of reasons:

• Population density. There are highly populated metropolitan areas such as Manhattan, New York City. The paging load in these areas during certain times of the day is usually much higher than in other areas.

• Flash crowds. During special events, more users appear in one geographical area. Not only does the paging load increase, but also more valid IP addresses are present in one paging area. Attacks during these occasions could be devastating.

Furthermore, we note that although the source of the overload traffic (a malicious attacker, for example) has to be in the targeted paging area to measure whether the attack is successful or not, the attacker does not have to be physically present in the area to perform the attack. Therefore, with enough computational and networking resources, an attacker can “blindly” scan a wide range of IPs belonging to a cellular network and is likely to hit highly loaded areas.

A natural question arises as to what the threshold is for the load on the paging channel such that the system is robust to this type of data attack as long as the load is below this threshold. A carrier could then just upgrade the paging system once this threshold is exceeded. This threshold is a function of the number of active data users in a given area: the more active data users exist, the lower the threshold is. With the increasing popularity of cellular data applications and the growth of the cellular data user population, the paging system in its current implementation will become even more vulnerable over time.

[9] This paging delay also includes the time it takes for a mobile to send out the PRM on the access channel, which could vary with the load on the access channel.

4. MODELING THE PAGING CHANNEL

In this section, we introduce a model to capture the interaction between the slotted traffic and the non-slotted traffic at a base station. The base station receives paging requests from the Mobile Switch Center (MSC). After sending out those requests, the remaining bandwidth is used to transmit non-slotted messages, including Channel Assignment Messages (CAM), SMS Data Burst Messages (DBM) and Acknowledgment Messages (ACK).

4.1 Assumptions

We assume that the arrival process of incoming calls is Poisson, and that each call generates a non-slotted message with probability p after leaving the system. Whenever a non-slotted message is generated, one can view this as a slotted message feeding back into the system. We assume that the feedback delay is zero. The system we consider is then reduced to a queuing system in which messages arrive initially according to a Poisson process and feed back into the system with probability p. Note that p is a function of the size of the paging area, which is determined by the paging strategy.
4.2 Paging system representation

[Figure 6: Representation of a paging system with 32 slots. The diagram shows the 32 slotted queues and the non-slotted queue with its timeout; slotted messages either leave the system (probability 1−p) or feed back into the system as non-slotted messages (probability p).]

We are now able to represent the paging channel at a base station as a queuing system (Fig. 6) with N + 1 queues, where N is the number of slots of the paging channel, i.e., N = 32 or N = 64. Among the queues, N of them are used to store slotted messages, and one is for non-slotted messages. When a slotted message arrives, it is enqueued according to the slot number monitored by the targeted mobile. A server serves the slotted queues in a time-division-multiplexing (TDM) manner. More precisely, the server spends a constant time, the slot duration, serving each queue in a round-robin fashion. If a slotted queue is emptied during its service, the remaining time is used to serve the non-slotted queue. If both the slotted queue and the non-slotted queue are empty, the server remains idle until the end of the slot. Then the next slotted queue is served, and the whole process rotates across all slotted queues. The service time is assumed to be constant for all messages. Furthermore, if a non-slotted message waits more than D units of time in the queue, it expires and leaves the system. Unlike in the previous section, where paging delay is measured in experiments, our goal here is to study the throughput of the non-slotted queue as a function of the load of slotted messages. We choose a different performance metric because throughput is more computationally tractable through a model, while delay is easier to measure by an end user.

4.3 Analytical model

[Figure 7: A single server model with server taking vacations. The non-slotted queue has a timeout (rate γ) and service completions (rate µ); the server alternates between the active state and the vacation state, switching from active to vacation at rate α and from vacation to active at rate β.]

Since our main focus is the throughput of the non-slotted traffic (recall that it is the non-slotted traffic that completes a paging process), we can simplify the system shown in Fig. 6 and consider a model in which there is no slotted traffic. Specifically, we consider a single server queue carrying the non-slotted traffic with a two-state server: one active state in which the queue is served, and one vacation state in which the server is on vacation and queued messages are not served (refer to Fig. 7). When the server is on vacation, this corresponds to the service of slotted traffic in the actual system. For mathematical convenience, we assume that messages arrive according to a Poisson process with rate λ and require an exponentially distributed service time with average duration 1/µ. While waiting in the queue, messages are impatient and may leave the system before getting serviced. We assume that messages get impatient according to an exponential distribution of rate γ. Finally, we assume that the state of the server changes at times following two exponential transitions: the server switches from the active state to the vacation state with rate α and conversely with rate β. In the case where the service of a message is interrupted, the message is put back at the front of the queue and the partial service is lost.

5. SOLVING THE QUEUING MODEL

As every transition is exponentially distributed, the model can be described by an infinite-state continuous-time Markov process with the transition diagram shown in Fig. 8.

[Figure 8: Transition diagram of the Markov process. Arrivals (rate λ) move the process up one level in either server state; the server switches state at rates α and β; in the vacation state the process moves down one level at rates γ, γ i, γ(i+1) between consecutive levels.]

The infinitesimal generator has the following form, where one can recognize a level-dependent Quasi Birth-and-Death (QBD) process with two phases. The transition matrix has a tridiagonal block structure:

$$
\begin{pmatrix}
Q_0 & \Lambda & & & \\
M_1 & Q_1 & \Lambda & & \mathbf{0} \\
& M_2 & Q_2 & \ddots & \\
& \mathbf{0} & \ddots & \ddots & \Lambda \\
& & & M_n & Q_n
\end{pmatrix}
$$

where

$$
\Lambda = \begin{pmatrix} \lambda & 0 \\ 0 & \lambda \end{pmatrix}, \qquad
M_i = \begin{pmatrix} \mu + \gamma \cdot i & 0 \\ 0 & \gamma \cdot i \end{pmatrix},
$$

and

$$
Q_i = \begin{pmatrix} -\alpha & \alpha \\ \beta & -\beta \end{pmatrix} - \Lambda - M_i .
$$

For any integer i ≥ 0, denote by (0, i) and (1, i) the states of the system with i users, where 0 (or 1) indicates that the server is active (or on vacation). Assuming the system has a stationary distribution, denote by $\pi_{0,i}$ and $\pi_{1,i}$ the corresponding steady-state probabilities of the Markov process.

With the convention $\pi_{1,-1} = 0$, the balance equations of the process can be written as:

$$
(\lambda + \alpha)\,\pi_{0,0} = \beta\,\pi_{1,0} + \mu\,\pi_{0,1} \tag{1}
$$

$$
(\lambda + \alpha + \mu + \gamma(i-1))\,\pi_{0,i} = \lambda\,\pi_{0,i-1} + \beta\,\pi_{1,i} + (\mu + \gamma i)\,\pi_{0,i+1}, \qquad i \ge 1 \tag{2}
$$

$$
(\lambda + \beta + \gamma i)\,\pi_{1,i} = \lambda\,\pi_{1,i-1} + \alpha\,\pi_{0,i} + \gamma(i+1)\,\pi_{1,i+1}, \qquad i \ge 0 \tag{3}
$$

We do not have to completely solve the simplified model for the state probabilities. The metric of interest is the throughput of the system, which is defined as

$$
P = \mu \cdot \sum_{i>0} \pi_{0,i}. \tag{4}
$$

Therefore, we only need to solve for $\sum_{i>0} \pi_{0,i}$ instead of each individual $\pi_{0,i}$ and $\pi_{1,i}$. However, even this turns out to be non-trivial. To better illustrate the system, denoting $\Pi_s = \sum_{i \ge 0} \pi_{s,i}$ and $\Pi'_s = \sum_{i \ge 1} i \cdot \pi_{s,i}$ for the server state $s \in \{0, 1\}$, one can obtain the following equations:
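As an added worked example (not the paper's code), the following Python solves the balance equations (1)-(3) numerically for a chain truncated at a finite number of queued messages and evaluates the throughput of Eqn. (4), the computation that Section 6.2 reports doing. It uses the departure rates exactly as Eqns. (1)-(3) state them (µ + γ(i−1) in the active state at level i); µ = 1 and γ = 1/128 mirror the paper's µ = 1 and D = 128, while the values of α and β, the truncation level and the function names are assumptions.

```python
# Added example, not the paper's code: solve the two-phase level-dependent QBD of
# Section 5 for pi_{0,i} (server active) and pi_{1,i} (server on vacation), with the
# chain truncated at n_max queued messages, and evaluate Eqn. (4). Levels are
# eliminated from the top with 2x2 Schur complements, so no numpy is needed.

def _inv2(m):
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return [[m[1][1] / det, -m[0][1] / det], [-m[1][0] / det, m[0][0] / det]]

def _mul2(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2)] for r in range(2)]

def solve_model(lam, mu, gamma, alpha, beta, n_max=400):
    """Stationary probabilities (pi0, pi1), each a list indexed by queue length i."""
    def down(i):  # M_i: level i -> i-1; Eqn. (2): one message in service, i-1 waiting
        return [[mu + gamma * (i - 1) if i else 0.0, 0.0], [0.0, gamma * i]]
    def local(i, top):  # Q_i: server switching; the diagonal carries all outflow
        a, d = (0.0 if top else lam), down(i)  # the top (truncation) level gets no arrivals
        return [[-alpha - a - d[0][0], alpha], [beta, -beta - a - d[1][1]]]
    # Censoring from the top: U_n = Q_n, U_i = Q_i + Lambda (-U_{i+1})^-1 M_{i+1}, with
    # Lambda = lam * I. Then pi_i = pi_{i-1} R[i] where R[i] = Lambda (-U_i)^-1.
    R, U = [None] * (n_max + 1), local(n_max, True)
    for i in range(n_max, 0, -1):
        R[i] = [[lam * x for x in row] for row in _inv2([[-x for x in row] for row in U])]
        Q, C = local(i - 1, False), _mul2(R[i], down(i))
        U = [[Q[r][c] + C[r][c] for c in range(2)] for r in range(2)]
    pi = [[U[1][0], U[0][1]]]  # level 0 is a 2-state generator [[-a, a], [b, -b]] -> (b, a)
    for i in range(1, n_max + 1):
        p = pi[-1]
        pi.append([p[0] * R[i][0][c] + p[1] * R[i][1][c] for c in range(2)])
    z = sum(p[0] + p[1] for p in pi)
    return [p[0] / z for p in pi], [p[1] / z for p in pi]

def throughput(lam, mu, gamma, alpha, beta, n_max=400):
    """Eqn. (4): P = mu * sum_{i>0} pi_{0,i}."""
    pi0, _ = solve_model(lam, mu, gamma, alpha, beta, n_max)
    return mu * sum(pi0[1:])

def balance_residual(pi0, pi1, lam, mu, gamma, alpha, beta):
    """Largest violation of Eqns. (1)-(3) over the levels below the truncation."""
    worst = 0.0
    for i in range(len(pi0) - 1):
        r0 = ((lam + alpha + mu + gamma * (i - 1) if i else lam + alpha) * pi0[i]
              - (lam * pi0[i - 1] if i else 0.0) - beta * pi1[i] - (mu + gamma * i) * pi0[i + 1])
        r1 = ((lam + beta + gamma * i) * pi1[i] - (lam * pi1[i - 1] if i else 0.0)
              - alpha * pi0[i] - gamma * (i + 1) * pi1[i + 1])
        worst = max(worst, abs(r0), abs(r1))
    return worst
```

Sweeping `throughput(lam, 1.0, 1 / 128, alpha, beta)` over λ reproduces a throughput-versus-arrival-intensity curve of the kind shown in Fig. 9 for whatever α, β are assumed, and `balance_residual` confirms that the computed distribution satisfies Eqns. (1)-(3).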
[Figure 9: Throughput for different values of p - queuing model and simulations. Panels (a) p = 0.6 and (b) p = 0.05 plot throughput (msgs/sec) against the intensity of arrival (λ) for four curves: Simulation - System, Simulation - Model, Numerical Solution and Approximation. In each figure, the top curve corresponds to simulation of the actual system; the two overlapping curves at the bottom are from simulating the model and numerically solving it, respectively; and the curve in the middle is from solving the model using the approximation.]

6.1 Simulation results

We first validate the queuing model through simulation of both the actual system (Fig. 6) and the model (Fig. 7). In Fig. 9, we simulate the system for µ = 1, D = 128, T = 8, which corresponds to a system where the transmission time of a non-slotted message is 1/8 of a slot, and a non-slotted message times out after 16 slots. We simulate the cases p = 0.6 and p = 0.05, respectively. We note that p, as the ratio of non-slotted messages to slotted messages sent from a base station, is actually an indication of the success rate of the paging process and is determined by the location management scheme. We pick these two values of p as representatives of two types of location management schemes: a smart one with a 60% paging success rate and a less smart one with a hit rate of 5%. One can see that the model matches the system well in both scenarios. The system and the model differ by 12-13% at the point where the throughput is maximized for both p values. We find that the difference is caused by our assumption on the timeout. As shown in Fig. 10, messages are dropped earlier with an exponential timeout policy than they would be with a constant timeout value.

6.2 Numerical solutions and approximation results

Using Eqns. (1) through (3), we can solve the queuing model numerically for the same parameters as in the simulations; the throughput (calculated by Eqn. (4)) is plotted in Fig. 9. The numerical solutions closely match those obtained from simulations, which verifies the correctness of the system of equations. We also
apply the approximation method described in Section 5.2, and the obtained throughput is also plotted in Fig. 9. We notice that the throughput calculated by the approximation method is higher than that given by the model (simulation or numerical solutions). This is because in the approximation we are essentially solving for a system where the timeout rate is the same as the service rate, whereas in the real model the timeout timer (D = 128) is larger than the average service time (1/µ = 1). Therefore, the drop rate in the approximated case is lower. Interestingly, however, the approximation results are closer to the actual system.

6.3 Discussion

[Figure 11: Solutions for simplified model. Throughput (msgs/sec) against the intensity of arrival (λ) for four curves: System, p = .6; System, p = .05; Approximation, p = .6; Approximation, p = .05. The marked line segments are y = 0.05x and the vertical lines x = 1/1.6 and x = 1/1.05, i.e., 1/(1 + p) for the two values of p.]

We have found that the throughput curves (e.g., Fig. 9) can all be characterized by a group of line segments as shown in Fig. 11, namely:

[...] 99% after the storming event started. This data, to some extent, validated the model in that the throughput drops to zero after a critical point.

7. CONCLUSIONS

In this work, we identified a serious vulnerability in cellular networks when they are connected to the Internet via cellular data users. This vulnerability exists in the paging channel. We demonstrated this vulnerability in CDMA2000 networks, and we believe that similar vulnerabilities exist in other types of cellular networks that offer both voice and data services, such as General Packet Radio Service (GPRS) networks. The basis of this vulnerability resides in the scheduling executed at the base stations for two classes of paging traffic: the slotted and the non-slotted traffic. An entire paging area could be locked up by saturating the paging channel with paging requests, which means no service (voice, data, SMS) [...]sults which proved that an overload condition in the paging channel can be easily triggered by malicious users or misbehaving applications. We derived a queuing model for the scheduler at a base station as a single queue system with impatient customers and a server taking vacations. We used this model to show that the throughput collapses to zero once the paging load exceeds the critical value 1/(1 + p), where p is the ratio of non-slotted messages to slotted messages. Since p is directly related to the location update and paging schemes, our result is a call to action for cellular operators to evaluate and deploy efficient location management techniques. This will decrease the time required to locate mobile users, and will significantly increase the robustness of the paging channel to accidental overloads or malicious attacks.