Impact of Paging Channel Overloads or Attacks on a Cellular Network*

Jeremy Serror, ENS, France, jeremy.serror@ens.fr
Hui Zang, Sprint Advanced Tech. Labs, hui.zang@sprint.com
Jean C. Bolot, Sprint Advanced Tech. Labs, bolot@sprint.com

* Part of the work was done while J. Serror was an intern at Sprint ATL during summer 2005.

ABSTRACT

IP and cellular networks used to be isolated from each other. In recent years, however, the two networks have started to overlap with the emergence of devices that access the Internet using cellular infrastructures. One important question then is whether actions or threats on the Internet side can impact the telecom or cellular side. We address this problem in the paper and specifically consider the paging channel, which is a key conduit shared by both Internet and cellular traffic. Our contributions are as follows: we illustrate through experiments on a CDMA2000 cellular network that attacks launched from the Internet can significantly increase the paging load and increase the delay of paging messages, including cellular call setup requests; we derive a simple but accurate queuing model for the paging system in a CDMA2000 network and use this model to demonstrate that the paging channel exhibits sharp rather than graceful degradation under load; and through this model, we identify critical parameters that impact paging performance. Although our study is focused on CDMA2000 networks, we believe that similar problems exist in other types of cellular networks that employ a single control channel with limited bandwidth for both voice and data services.

Categories and Subject Descriptors
C.2.3 [Computer-Communication Networks]: Network Operations

General Terms
Measurement, Performance, Security, Experimentation

Keywords
Paging, Overload, Attack, Queuing systems, CDMA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WiSe'06, September 29, 2006, Los Angeles, California, USA
Copyright 2006 ACM 1-XXXXX-XXX-X/06/0009 ...$5.00.

1. INTRODUCTION

Access to the Internet and to cellular networks, as well as to the services provided by these networks, is a key component of modern life and modern economies. In the past, separate networks provided separate services. Recently, however, users and devices have been able to access both the Internet and the cellular networks, or access the Internet through cellular networks, and subscribe to services on both types of networks. For example, mobile devices such as cell-phones, Personal Digital Assistants (PDAs), and laptops equipped with aircards can access the Internet through a cellular connection. Combo phones with multiple interfaces can access the Internet and the cellular service simultaneously. A key issue then is whether actions (such as sending or receiving data or control traffic) on one side, say the Internet, can impact the other, cellular side, and if so whether that impact can be detrimental to the service offered to cellular customers.

Cellular networks include two main components: the wireline part, which includes the wireless backbone and the equipment connected to it, and the wireless part, often referred to as the "air interface", which essentially includes the radio channel and the mobile devices. The wireline backbone is connected at some point to the Internet, and it is the point of entry of Internet traffic directed to wireless devices. The air interface is a critical component because it is bandwidth constrained, and because cellular network operators have to invest significant amounts of money (through spectrum auctions or other mechanisms) to be able to use that bandwidth. The air interface in turn is divided into traffic channels and control channels. Traffic channels carry voice and data traffic (such as web traffic). Control channels are used for signaling (such as call setup/release), delivery of short messages (SMS), etc. An important control channel is the paging channel. A paging channel carries signaling and SMS traffic from a base station to a group of mobile devices. In most cellular systems, cells are grouped into paging areas, and a mobile must be paged within a given paging area (which is stored in the Home Location Registry (HLR)) before it receives either a voice or data call. Therefore, an important role of the paging channel is to carry messages used to locate a mobile, which are referred to as "page messages". For energy-saving purposes, the paging channel usually has a time-slotted structure, and slots are grouped into cycles. Mobile devices such as cell-phones, PDAs, or aircards conserve energy by being in a dormant mode when not engaged in a voice or data call. While in dormant mode, the devices listen to the paging channel periodically and wake up only when they detect a page message addressed to them.

The key characteristic of the paging channel is that it is not a control channel dedicated to cellular voice calls, but a conduit shared by both cellular and Internet traffic. Furthermore, it is a low-bandwidth channel, and therefore it is susceptible to even moderate overloads. Given the importance of the paging channel for both Internet and cellular users, and the current and anticipated importance of cellular devices for Internet users [1], we need to address several questions, namely i) is it possible for Internet users and Internet traffic to overload the paging channel, ii) do such overloads actually impact the performance or service provided to cellular users, and if so iii) can we quantify that impact and devise mechanisms to render the paging channel more robust to overloads or attacks (i.e. malicious overloads)? We address these questions in the paper and examine in detail the behavior of the paging channel in CDMA2000 networks.

Our contributions are threefold. First, we illustrate through experiments on a CDMA2000 cellular network that overloads or attacks launched from the Internet do indeed impact the paging channel; specifically, we show that they increase the load of the paging channel and the delay of paging requests, including cellular call setup requests. Second, we describe the operation of the paging channel in CDMA2000 networks in detail and derive a simple queuing model of the paging channel using a single server queue with server vacations and impatient customers. Third, we use the model to show that the paging channel exhibits rapid rather than graceful degradation under load and identify the key parameters that drive the relevant performance metrics. The focus of this paper is on the vulnerability itself rather than solutions. We demonstrate the existence of the specific vulnerability in cellular networks through experimental evidence and quantify the performance degradation through mathematical modeling. The results from this paper are meant to motivate cellular providers to improve the performance and robustness of the paging system. The specific solutions, however, are outside of the scope of this study.

Earlier work has considered the performance of the paging channel and the negative impact of paging channel overloads. Looking at the paging channel as a conduit for cellular users only, telecom operators and telecom equipment vendors have examined ways to adequately provision and dimension the channel to support cellular calls; refer to the GSM and CDMA standards [2, 3, 4] and to queuing model evaluations such as [5]. In parallel, a large amount of work has been devoted to improving paging performance through location management, which is a combination of both paging and location update strategies [6]-[27]. Paging is tightly coupled with location updates since the more frequently a mobile updates its location, the more accurate the information the system has, and the less it costs the system to page the mobile. Most cellular networks today use a combination of a location-area-based scheme [3] and a time-based scheme [12, 13]. There are various alternative location management approaches, including distance-based [6, 11, 17], movement-based [7], cost-based [24], velocity-based [9], and profile-based [22, 23, 25, 26].

More recent work has looked at the implications of using the paging channel for both cellular and Internet users. Reference [28] includes a survey of new threats and attack opportunities following the emergence of smart phones, and describes in particular denial-of-service (DoS) attacks to and from smart phones that could be used to overload and attack the paging channel. The authors in [29] argue that generating a large number of packets destined to dormant hosts could overwhelm the paging channel, and they show using simple simulations that DoS attacks could indeed push paging delays beyond an acceptable threshold. Wireless denial of service attacks, including signaling and sleep deprivation (or battery) attacks, are examined in [30, 31]. Attacks that specifically use Short Messaging Service (SMS) messages are described in [32]. There, the authors perform grey-box testing by sending SMS messages to three specific handsets on three different networks (AT&T Wireless, Verizon Wireless, and Sprint). They establish the limits in the operators' Internet messaging interface and the per-user message limits configured in the operators' Short Message Service Centers (SMSCs). They then use that information to estimate under which conditions a large-scale SMS overload or attack could impact the cellular network, and argue that realistic-sized attacks might be able to saturate the cellular infrastructure in metropolitan areas such as the Washington, DC and Manhattan, NY areas. Our work differs from theirs in several aspects. Unlike in [32], i) although we also discuss approaches to gather the required information to carry out attacks and specific ways to carry out attacks, they are not the focus of this paper; instead ii) we provide actual experimental evidence of the impact of overloads on cellular traffic, iii) we provide a specific queuing model of the paging channel rather than using a grey-box approach, and iv) we can solve our model to quantitatively predict the impact of overloads on paging performance, and to identify the key parameters of the system that drive performance metrics.

The rest of the paper is organized as follows. In Section 2, we describe the operation and structure of the paging channel in CDMA2000 cellular networks, and identify reasons why overloads on the paging channel coming from the Internet side might impact the performance of cellular voice calls. In Section 3, we present experimental evidence of such an impact. Specifically, we show that it is possible to generate overloads on the paging channel, and we show that such overloads do actually impact the delay experienced by messages on the paging channel (such as call setup messages). In Section 4, we derive a single-server queuing model of the paging channel in CDMA networks and discuss solutions to the model in Section 5. We present numerical results in Section 6 to gain insight into the behavior and performance of the paging channel. Finally, we conclude the study in Section 7.

2. THE PAGING CHANNEL

We consider in this paper a cellular network using the Code Division Multiple Access (CDMA) technology, specifically a CDMA2000 (also referred to as 1xRTT) network. Refer to [2] for a detailed description of the paging channel in a GSM network. We describe the paging operation in a CDMA2000 network in this section; more details can be found in [3, 4].

In a CDMA network, each cell, identified by a base station, operates on 64 Walsh codes. Each code can be dedicated to a channel, and up to 64 channels can operate at the same time. One of them (footnote 1) is dedicated to the paging channel, the main function of which is to carry signaling messages from the base station to the mobiles when the mobiles are not assigned any other (traffic) channels. Another channel, the access channel, is used by the mobile devices to send messages to the base station. Both channels are essential to the operation of the network. Whenever a mobile is not assigned a traffic channel, it monitors the paging channel for system parameters or paging requests. The overhead traffic carries system configuration information and must be sent periodically (footnote 2).

Footnote 1: Up to seven Walsh codes can be used for paging. The other six Walsh codes can be used for traffic channels when they are not configured for paging.
Footnote 2: Each type of overhead message must be sent at least once every 1.28 seconds.

The structure of the paging channel is rendered quite complex by power constraints. In order to reduce power consumption, when a mobile device is idle, i.e., it is not engaged in a voice or data call, it does not monitor the paging channel continuously but only periodically, each time for a duration of 80 ms, which is referred to as a slot. We say that at this time the mobile is in the dormant mode. The time between two consecutive slots monitored by the
same user is called a cycle, and it is set in most commercial networks to 32 or 64 slots, i.e. 2.56 or 5.12 seconds, respectively. A mobile is assigned to a particular slot in a cycle based on its International Mobile Station Identifier (IMSI) [4]. An example is given in Fig. 1, where the paging channel is divided into 32-slot cycles and a dormant mobile monitors the ith slot during each cycle. A paging request is sent when a mobile is to receive a call while it is in dormant mode. When a mobile decodes a page message directed to itself, it wakes up from the dormant mode and keeps monitoring the channel for subsequent messages.

Figure 1: Structure of a 32-slot paging channel: a mobile is monitoring the ith slot in each cycle.

Figure 2: Call flow of a paging request. (Base station and mobile exchange, top to bottom: General Page Message (GPM) on the paging channel; Page Response Message (PRM) on the access channel; Acknowledgement (ACK) and Channel Assignment Message (CAM) on the paging channel. The interval from the GPM to the CAM is marked as the paging delay.)

Figure 2 illustrates the paging process of a mobile-terminated call (footnote 3). Let us assume the call is either a voice call or a data call, and the mobile is in dormant mode at the time of the call. Therefore, a paging request must be sent to locate and notify the mobile. Since the mobile is in dormant mode, the paging request must be sent in the particular slot monitored by the mobile. The mobile is paged by a General Page Message (GPM), which contains a list of phone numbers, all paged together by the base station. Only one GPM is sent per slot, and it can usually carry up to eight or nine phone numbers depending on the implementation. If the mobile is in the coverage area of the base station and decodes a GPM with its number, it exits the dormant mode, sends a reply on the access channel, and monitors the paging channel continuously for the next message. When the base station receives the reply, it sends two back-to-back messages on the paging channel: an acknowledgment message (ACK) and a Channel Assignment Message (CAM), which assigns a traffic channel to the mobile. After receiving the CAM, the mobile sends an acknowledgment back to the base station (this step is omitted in Fig. 2). After this step and until the end of the call, the mobile communicates with the base station on the traffic channel only. In voice call terminations (footnote 4), the time when a CAM is successfully received by the mobile is when the first ring tone starts.

Footnote 3: "Mobile-terminated", as opposed to "mobile-originated", means that the receiving end of the call is a mobile.
Footnote 4: Recall that the word "termination" means that the rece
iving end of the call is a mobile and does not mean that a call is ended.

If the paging request is for an SMS termination, the process is similar except in two aspects: first, the CAM is replaced by a Data Burst Message (DBM), and second, after the DBM, there is no further communication on the traffic channel (footnote 5).

Footnote 5: An SMS delivery sometimes involves the traffic channel too, and the call flow is the same as for a voice or data call.

When a mobile decodes a GPM and replies, we say that the mobile has exited the slotted mode and entered the non-slotted mode [4]. The subsequent messages to this mobile, e.g., a CAM, can therefore be sent in any of the slots. Messages that must be sent in designated slots, such as a GPM, are called slotted messages, and messages that can be sent in any slot, such as a CAM, are referred to as non-slotted messages. Note that a mobile stays in the non-slotted mode until either a release order from the base station arrives or a timer expires. Therefore, if a subsequent non-slotted message is queued for too long and the mobile has returned to the slotted mode, the message will be dropped by the base station or will be lost even if it is transmitted. Because a network usually does not know the location of a mobile down to the granularity of a cell, a GPM is usually broadcast to a set of cells which form a paging area. Non-slotted traffic, however, is restricted to the cell from which the mobile replies to the GPM. Therefore, a base station deals with two types of traffic that compete for the resources of the paging channel: the (global) slotted traffic and the (local) non-slotted traffic. One may recall that overhead messages are also carried on the paging channel. Since overhead messages must be sent periodically and the sizes of the messages do not change much over time, the utilization generated by the overhead traffic is usually constant in a paging area. According to [33], about 25% of the capacity is used to carry overhead traffic. Therefore, for the purpose of this study, we focus on a system with two types of traffic only: slotted and non-slotted traffic. The scheduling of those two classes of traffic is where the vulnerability of the paging channel resides, and it is the focus of our study.

As mentioned in [33], most commercial networks today use 64-slot paging cycles, in which a slotted message "has to go in one particular slot within the span of 64 paging slots, otherwise it has to wait for 5.12 seconds more to get another chance." Given that a slotted message waits on average 2.56 seconds for its first slot to arrive, missing a slot means that the calling party has to wait up to about eight seconds for the first GPM to be sent. This is unacceptable to most human callers. Non-slotted messages, however, can afford to miss a slot given that they can be sent in any subsequent slot. Therefore, a widely deployed scheduling scheme is to give priority to slotted traffic over non-slotted traffic. In the rest of the paper, we consider such a paging system, where slotted messages are queued according to the destination mobile's slot index (i.e., there are 32 slotted queues in a 32-slot system) and non-slotted messages are queued separately. At the beginning of every slot, the base station first sends messages from the queue corresponding to the current slot. After sending the slotted messages, if there is time left until the beginning of the next slot, the base station sends one or more non-slotted messages.

Note that it is non-slotted messages that complete a paging process and establish a "real" communication (voice, data, or SMS). If slotted messages take up the entire channel capacity, no real communication can occur. In this situation, non-slotted messages would be dropped, since the mobile only waits for a non-slotted message for a fixed duration. We refer to such a scenario as a storming event, which is the result of an excessive (and possibly malicious) load of slotted traffic in a paging area. In the following sections, we examine whether this scenario can indeed happen, and
whether we can model and predict its impact on the performance of the paging channel.

3. EXPERIMENTAL EVIDENCE

In this section, we investigate whether storming events that involve Internet-addressable devices can indeed occur in a CDMA2000 network, and whether they actually impact the performance perceived by cellular users of the network. We illustrate how an end user can attack the CDMA2000 network by starting a storming event targeting the paging channel. Due to the sensitive nature of the issue, we only give a high-level description of the attack procedure.

We inject UDP packets as probes from the Internet to data users in the cellular network. The UDP packets are minimal in length and easy to generate on a computer even with a low-bandwidth connection. A single UDP packet generates several signaling messages on the paging channel (Fig. 2). Instead of overloading the system completely, our goal is to increase the occupancy by 10%. To measure the effect of our probes, we employ commercial wireless interface monitoring software which can capture and display the messages over the CDMA2000 interface.

Figure 3: CDF of the number of data page messages on the paging channel (x axis: # data pages / sec, 0 to 18; y axis: F(x); curves: No attack, Attack 1, Attack 2, Attack 3): load increases with more intensive probing. No attack: measured when we do not send any UDP probes; Attack 1 through Attack 3: measured when we send UDP probes at increasing intensities, with Attack 1 associated with the smallest value of Nip/sec and Attack 3 with the largest Nip/sec, where Nip is the number of distinct IP addresses to which a UDP packet is sent.

Using public resources and tools, one can easily find out the IP subnets allocated to a particular service provider and then the IP addresses on a given subnet that are currently being used by mobile devices (footnote 6). After obtaining a list of valid IP addresses on the given cellular network, we send UDP packets to these addresses periodically. Figure 3 shows the cumulative distribution functions (CDF) of the number of data page messages observed per second on the paging channel, before we send any UDP packets, and during the periods when we send UDP packets at different intensities. We see that the intensity of the UDP stream has a clear impact on the rate of data page messages on the paging channel. Based on our measurements, each additional paging request contributes 72 bits to a GPM. Since only one GPM is sent per slot, given the slot duration of 80 ms and the channel bandwidth of 9600 bps, each paging request thus consumes about 0.75% of the paging channel capacity. In order to increase the paging load by 10%, we need to generate about 13 paging requests per second.

Footnote 6: Note that only mobile devices that are connected to the data network have valid IP addresses (while they do not have to be engaged in an active session, i.e., they can still be in dormant mode). For example, a laptop with an aircard will only get a valid IP address once it connects to the network.

We consider the impact of two types of overloads: a short-duration or spike overload, and a long-duration or sustained overload. In the case of malicious users, those overloads or storms would correspond to flash or sustained attacks.

3.0.1 Spike overload/attack

Figure 4: Spike overload: rate of data page messages (x axis: Time (sec), 0 to 1600; y axis: Number of data page msgs/sec, 0 to 16).

To carry out a short-duration or spike storm, we obtain about 1000 IP addresses through probing a few IP subnets, then send a burst of packets every 30 seconds, which consists of one packet to each IP address. Figure 4 shows the number of data page requests observed per second on the paging channel. The curve has been smoothed using an Exponentially Weighted Moving Average (EWMA) (footnote 7). The spikes are clearly identifiable, with an average height of around 10. This means that increasing the paging channel occupancy by 10% is quite feasible. Furthermore, the spikes are clearly spaced, which indicates that the paging system behaves robustly during this type of attack and the load drops as soon as the attack finishes.

Footnote 7: The smoothing is performed only to make the graph easier to read.

3.0.2 Sustained overload/attack

We next generate a sustained overload, in an attempt to achieve a steady increase in the load of the paging channel. We scanned a wider range of subnets and obtained a larger number of valid IP addresses. We then sent UDP packets to these IPs at a constant rate. Figures 5(a) and 5(b) show the rate of data page messages and the channel utilization (footnote 8) by slotted messages observed on the paging channel, before and during the attack. We observe an 11% increase in the utilization by slotted messages during the attack.

Footnote 8: The channel utilization for slotted/non-slotted messages is calculated as the number of bits in slotted/non-slotted messages during a certain time period, e.g., a slot, divided by the product of the length of the time period (e.g., 80 ms) and the channel capacity (9600 bps).

We also measure the delay distribution on the paging channel during our experiments. Studying the delay is not straightforward. By looking at the paging call flow (Fig. 2), we see that several types of messages are involved: GPMs, PRMs, ACKs, and CAMs. Although it would be ideal to measure the delay between the time a mobile's PRM is received by the base station and the time the ACK is sent from the base station, because it represents the delay for non-slotted messages, it is not possible to capture other mobiles'
replies on the access channel. Therefore, we measure the time interval between the time a GPM is sent and the time a CAM is sent to the same mobile, which is referred to as the "paging delay" (footnote 9). Figure 5(c) plots the CDF of paging delays before and during the attack. Clearly, there is an increase of the delays during the attack period. Without the attack, half of the CAMs are sent within one second after the GPM and all CAMs are sent within two seconds; during the attack, only 25% of the CAMs are sent within one second and the paging delay can be as high as six seconds. This attack to some extent degrades the quality of service perceived by the calling party for voice calls, which make up the majority of cellular calls today. When 5% of users receive a channel assignment message more than two seconds after the GPM message, it means that the calling parties of these users on average are experiencing a silence period of more than 4.5 seconds before hearing the first ring tone, since GPMs are sent on average 2.56 seconds after they arrive.

Footnote 9: This paging delay also includes the time it takes for a mobile to send out the PRM on the access channel, which could vary with the load on the access channel.

Figure 5: The effect of a sustained attack: a few metrics before and during the attack. (a) Rate of data page messages (x axis: Time (sec), 0 to 900; y axis: # Data pages / sec, 0 to 30; curves: before attack, during attack). (b) Utilization by slotted messages (x axis: Time (sec), 0 to 900; y axis: Utilization (%), 0.15 to 0.4; curves: before attack, during attack). (c) CDF of paging delay (x axis: delay (sec), 0 to 6; y axis: CDF(x); curves: before attack, during attack).

Although we only demonstrated slight performance degradation in our experiments, the vulnerability is actually more serious than what we have just observed. First, we only attempted to increase the paging load by 10%, while a larger increase is possible. Second, we performed our experiment in a lightly-loaded paging area. Without attacks, the average load of slotted traffic in the area under study was only 20% and the load of non-slotted traffic was less than 5%. We observed 20% to 25% of the paging capacity used by overhead traffic. Therefore, the total load on the paging channel was around 50%. In such an area, creating an extra load of 10% only introduces negligible performance degradation (e.g., slightly increased paging delay); it does not totally overwhelm the system or dramatically decrease the quality of service provided to cellular users. However, repeating the same experiments in a highly loaded paging area is very likely to overwhelm the paging channel and intolerably delay the call setup messages, leading to denial of cellular service. A highly loaded paging area could exist for a couple of reasons:

• Population density. There are highly populated metropolitan areas such as Manhattan, New York City. The paging load in these areas at certain times of the day is usually much higher than in other areas.

• Flash crowds. During special events, more users appear in one geographical area. Not only does the paging load increase, but also more valid IP addresses are present in one paging area. Attacks during these occasions could be devastating.

Furthermore, we note that although the source of the overload traffic (a malicious attacker for example) has to be in the targeted paging area to measure whether the attack is successful or not, the attacker does not have to be physically present in the area to perform the attack. Therefore, with enough computational and networking resources, an attacker can "blindly" scan a wide range of IPs belonging to a cellular network and is likely to hit highly-loaded areas.

A natural question is what the threshold for the load on the paging channel is such that the system is robust to this type of data attack as long as the load is below this threshold. A carrier could then simply upgrade the paging system once this threshold is exceeded. This threshold is a function of the number of active data users in a given area: the more active data users there are, the lower the threshold. With the increasing popularity of cellular data applications and the growth in the cellular data user population, the paging system in its current implementation will become even more vulnerable over time.

4. MODELING THE PAGING CHANNEL

In this section, we introduce a model to capture the interaction between the slotted traffic and non-slotted traffic at a base station. The base station receives paging requests from the Mobile Switch Center (MSC). After sending out those requests, the remaining bandwidth is used to transmit non-slotted messages, including Channel Assignment Messages (CAM), SMS Data Burst Messages (DBM) and Acknowledgment Messages (ACK).

4.1 Assumptions

We assume that the arrival process of incoming calls is Poisson, and each call generates a non-slotted message with probability p after leaving the system. Whenever a non-slotted message is generated, one can view this as a slotted message feeding back into the system. We assume that the feedback delay is zero. The system we consider is then reduced to a queuing system in which messages arrive initially according to a Poisson process and feed back into the system with probability p. Note that p is a function of the size of the paging area, which is determined by the paging strategy.
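The scheduler of Section 2 (per-slot queues served round-robin, one GPM per slot with slotted traffic first, ACK/CAM pairs in the leftover bits, dropped once the mobile's timer expires) together with the feed-back-with-probability-p view of Section 4.1 can be exercised in a slot-level simulation. The following is an added example, not the paper's code: slot duration, channel rate, 72 bits per paged number, 8 numbers per GPM and 25% overhead are taken from the paper, while the ACK+CAM size, the feedback probability p, the timeout D, and the assumption that a mobile's reply arrives before the next slot are my own.

```python
"""Slot-level simulation of the paging channel scheduler of Sections 2 and 4.
Added example, not code from the paper: constants marked "paper" come from the
text, those marked ASSUMED do not."""
import random
from collections import deque
from dataclasses import dataclass, field

SLOT_SEC = 0.080                      # slot duration (paper: 80 ms)
RATE_BPS = 9600                       # paging channel bandwidth (paper)
SLOT_BITS = int(RATE_BPS * SLOT_SEC)  # 768 bits per slot
OVERHEAD_BITS = SLOT_BITS // 4        # ~25% of capacity is overhead traffic (paper, [33])
PAGE_REC_BITS = 72                    # bits one paged number adds to a GPM (paper)
GPM_MAX_RECORDS = 8                   # numbers per GPM (paper: "eight or nine")
NS_MSG_BITS = 144                     # ASSUMED size of the ACK+CAM pair
N_SLOTS = 32                          # slots per cycle (paper: 32 or 64)


@dataclass
class NonSlotted:
    gpm_slot: int    # slot in which the GPM was sent
    ready_slot: int  # first slot in which the ACK+CAM may be sent


@dataclass
class Stats:
    gpm_wait: list = field(default_factory=list)      # request arrival -> GPM sent (s)
    paging_delay: list = field(default_factory=list)  # GPM sent -> CAM sent (s), Sec. 3 metric
    ns_sent: int = 0
    ns_expired: int = 0
    page_bits: int = 0

    def summary(self, sim_sec):
        ns_total = self.ns_sent + self.ns_expired
        return {
            "slotted_util": self.page_bits / (sim_sec * RATE_BPS),
            "mean_gpm_wait": sum(self.gpm_wait) / max(1, len(self.gpm_wait)),
            "mean_paging_delay": sum(self.paging_delay) / max(1, len(self.paging_delay)),
            "ns_drop_frac": self.ns_expired / max(1, ns_total),
        }


def simulate(lam, p=0.1, D=3.0, sim_sec=1000.0, seed=1):
    """lam: paging requests/s handed to the base station (Poisson, Sec. 4.1);
    p: probability a page feeds back as a non-slotted message, i.e. the mobile
    answers from this cell (ASSUMED value); D: seconds a queued non-slotted
    message survives before the mobile is back in slotted mode (ASSUMED)."""
    rng = random.Random(seed)
    slotted = [deque() for _ in range(N_SLOTS)]  # one queue per slot index (from the IMSI)
    ns_queue = deque()                           # the single non-slotted queue, FIFO
    st = Stats()
    t_next = rng.expovariate(lam)                # next Poisson arrival
    for k in range(int(sim_sec / SLOT_SEC)):
        t0 = k * SLOT_SEC
        # 1. Requests that arrived before this slot join the queue of their slot index.
        while t_next < t0:
            slotted[rng.randrange(N_SLOTS)].append(t_next)
            t_next += rng.expovariate(lam)
        budget = SLOT_BITS - OVERHEAD_BITS
        # 2. Slotted traffic first: one GPM for queue (k mod N). Numbers beyond the
        #    GPM capacity wait a whole cycle, which is the "missed slot" of Section 2.
        q, records = slotted[k % N_SLOTS], 0
        while q and records < GPM_MAX_RECORDS:
            st.gpm_wait.append(t0 - q.popleft())
            records += 1
            budget -= PAGE_REC_BITS
            st.page_bits += PAGE_REC_BITS
            if rng.random() < p:  # ASSUMED: the PRM arrives before the next slot starts
                ns_queue.append(NonSlotted(gpm_slot=k, ready_slot=k + 1))
        # 3. Non-slotted messages queued longer than D are dropped by the base station.
        while ns_queue and (k - ns_queue[0].ready_slot) * SLOT_SEC > D:
            ns_queue.popleft()
            st.ns_expired += 1
        # 4. Whatever is left of the slot carries ACK+CAM pairs in arrival order.
        while ns_queue and ns_queue[0].ready_slot <= k and budget >= NS_MSG_BITS:
            m = ns_queue.popleft()
            budget -= NS_MSG_BITS
            st.ns_sent += 1
            st.paging_delay.append((k - m.gpm_slot) * SLOT_SEC)
    return st.summary(sim_sec)


def sweep(rates, **kw):
    """Non-slotted drop fraction per offered paging rate: flat, then a sharp rise."""
    return {lam: simulate(lam, **kw)["ns_drop_frac"] for lam in rates}


if __name__ == "__main__":
    for lam, drop in sorted(sweep((13, 60, 90, 120)).items()):
        print(f"{lam:4d} req/s  non-slotted drop fraction {drop:.3f}")
```

At 13 requests/s (the paper's +10% load) the slotted utilization lands near 10% and nothing is lost; once the offered rate fills every GPM, the non-slotted queue is starved and the drop fraction jumps towards one, which is the storming event of Section 2.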
4.2 Paging system representation

Figure 6: Representation of a paging system with 32 slots (32 slotted queues and one non-slotted queue feeding a single server; served slotted messages leave the system with probability 1−p or feed back into the non-slotted queue with probability p; non-slotted messages time out)

We are now able to represent the paging channel at a base station as a queuing system (Fig. 6) with N + 1 queues, where N is the number of slots of the paging channel, i.e., N = 32 or N = 64. Among the queues, N of them are used to store slotted messages, and one is for non-slotted messages. When a slotted message arrives, it is enqueued according to the slot number monitored by the targeted mobile. A server serves the slotted queues in a time-division-multiplexing (TDM) manner. More precisely, the server spends a constant time, the slot duration, serving each queue in a round-robin fashion. If a slotted queue is emptied during its service, the remaining time is used to serve the non-slotted queue. If both the slotted queue and the non-slotted queue are empty, the server remains idle until the end of the slot. Then the next slotted queue is served and the whole process rotates across all slotted queues. The service time is assumed to be constant for all messages. Furthermore, if a non-slotted message waits more than D units of time in the queue, it expires and leaves the system. Unlike in the previous section, where paging delay is measured in experiments, our goal here is to study the throughput of the non-slotted queue as a function of the load of slotted messages. We choose a different performance metric because throughput is more computationally tractable through a model, while delay is easier to measure by an end-user.

4.3 Analytical model

Figure 7: A single server model with server taking vacations (a non-slotted queue with timeout rate γ feeding a server that switches from the active state to the vacation state at rate α and back at rate β; services complete at rate µ)

Since our main focus is the throughput of the non-slotted traffic (recall that it is the non-slotted traffic that completes a paging process), we can simplify the system shown in Fig. 6 and consider a model in which there is no slotted traffic. Specifically, a single server queue carrying the non-slotted traffic with a two-state server: one active state when the queue is served and one vacation state when the server is on vacation and queued messages are not served (refer to Fig. 7). When the server is on vacation, it corresponds to the service of slotted traffic in the actual system. For mathematical convenience, we assume that messages arrive according to a Poisson process with rate λ and require an exponentially distributed service time with average duration 1/µ. While waiting in the queue, messages are impatient and may leave the system before getting serviced. We assume that messages get impatient according to an exponential distribution of rate γ. Finally, we assume that the state of the server changes at times following two exponential transitions: the server switches from the active state to the vacation state with rate α and conversely with rate β. In the case when the service of a message is interrupted, the message is put back to the front of the queue and the partial service is lost.

5. SOLVING THE QUEUING MODEL

As every transition is exponentially distributed, the model can be described by an infinite-state continuous-time Markov process with the transition diagram shown in Fig. 8.

The infinitesimal generator has the following form, where one can recognize a level-dependent Quasi Birth-and-Death (QBD) process with two phases. The transition matrix has a tridiagonal block structure:

\[
\begin{pmatrix}
Q_0 & \Lambda & & & \\
M_1 & Q_1 & \Lambda & & 0 \\
& M_2 & Q_2 & \ddots & \\
& 0 & \ddots & \ddots & \Lambda \\
& & & M_n & Q_n
\end{pmatrix}
\]

where

\[
\Lambda = \begin{pmatrix} \lambda & 0 \\ 0 & \lambda \end{pmatrix}, \qquad
M_i = \begin{pmatrix} \mu + \gamma\,(i-1) & 0 \\ 0 & \gamma\, i \end{pmatrix}, \quad i \ge 1,
\]

and

\[
Q_i = \begin{pmatrix} -\alpha & \alpha \\ \beta & -\beta \end{pmatrix} - \Lambda - M_i, \qquad \text{with } M_0 = 0 .
\]

(The down-transition rates in $M_i$ are those of Fig. 8 and of Eqns. (1) through (3): while the server is active only the $i-1$ waiting messages can time out, so the message in service contributes no γ term.)

For any integer i ≥ 0, denote by (0, i) and (1, i) the states of the system with i users and 0 (or 1) indicating that the server is active (or on vacation). Assuming the system has a stationary distribution, denote by $\pi_{0,i}$ and $\pi_{1,i}$ the corresponding steady-state probabilities of the Markov process.

With the convention $\pi_{1,-1} = 0$, the balance equations of the process can be written as:

\[
(\lambda + \alpha)\,\pi_{0,0} = \beta\,\pi_{1,0} + \mu\,\pi_{0,1} \tag{1}
\]
\[
(\lambda + \alpha + \mu + \gamma(i-1))\,\pi_{0,i} = \lambda\,\pi_{0,i-1} + \beta\,\pi_{1,i} + (\mu + \gamma i)\,\pi_{0,i+1}, \quad i \ge 1 \tag{2}
\]
\[
(\lambda + \beta + \gamma i)\,\pi_{1,i} = \lambda\,\pi_{1,i-1} + \alpha\,\pi_{0,i} + \gamma(i+1)\,\pi_{1,i+1}, \quad i \ge 0 \tag{3}
\]

We do not have to completely solve the simplified model for the state probabilities. The metric of interest is the throughput of the system, which is defined as

\[
P = \mu \cdot \sum_{i > 0} \pi_{0,i} . \tag{4}
\]

Therefore, we only need to solve for $\sum_{i>0} \pi_{0,i}$ instead of each individual $\pi_{0,i}$ and $\pi_{1,i}$. However, even this turns out to be non-trivial. To better illustrate the system, denoting $\Pi_\ell = \sum_{i \ge 0} \pi_{\ell,i}$ and $\Pi'_\ell = \sum_{i \ge 1} i \cdot \pi_{\ell,i}$ for $\ell \in \{0, 1\}$, one can obtain the following equations:
Figure 8: Transition diagram for the QBD process (states (0, i) for the active server and (1, i) for the server on vacation, i ≥ 0; arrivals at rate λ move one level up; from (0, i) the service and timeout rate µ + γ(i−1) moves one level down and from (1, i) the timeout rate γi does; α and β switch between the two rows)

\[
\Pi_0 + \Pi_1 = 1 \tag{5}
\]
\[
\Pi_0 = \frac{\beta}{\alpha + \beta} \;\Leftrightarrow\; \Pi_1 = \frac{\alpha}{\alpha + \beta} \tag{6}
\]
\[
\lambda = \Bigl(1 - \frac{\gamma}{\mu}\Bigr) P + \gamma\,(\Pi'_0 + \Pi'_1) \tag{7}
\]

The first equation comes from the definition of $\pi_{\ell,i}$, which represents the probabilities of the system being in every state. The second one is obtained by summing Eqns. (1) and (2) over all i. The last one is a conservation equation for the number of messages entering and leaving the system in steady state, where P is defined in Eqn. (4).

5.1 Probability generating functions

Denote by $f_0$ and $f_1$ the respective generating functions of $(\pi_{0,i})_i$ and $(\pi_{1,i})_i$. Multiplying Eqns. (2) and (3) by $z^i$ and summing each of them over i, we can obtain the following differential system:

\[
f_0'(z) = \Bigl( \frac{\lambda}{\gamma} + \frac{\alpha}{\gamma(1-z)} + \frac{1 - \mu/\gamma}{z} \Bigr) f_0(z) - \frac{\beta}{\gamma(1-z)}\, f_1(z) + \frac{\mu/\gamma - 1}{z}\,\pi_{0,0} \tag{8}
\]
\[
f_1'(z) = \Bigl( \frac{\lambda}{\gamma} + \frac{\beta}{\gamma(1-z)} \Bigr) f_1(z) - \frac{\alpha}{\gamma(1-z)}\, f_0(z) \tag{9}
\]

Note several special cases:

• γ = 0. This case corresponds to a system where messages do not time out and can wait indefinitely. We do not have a differential system any more, and a closed form for $(\pi_{\cdot,i})$ can be obtained, but it is rather complex.

• α = 0. This is the case where the server can start a vacation only if there are no customers in the system. A special situation is considered in [34], in which a customer only starts a timeout timer if he/she finds the server on vacation. This case is solved by Altman and Yechiali in [34] for M/M/1, M/G/1 and M/M/c queues and in [35] for M/M/∞ queues. Exponentially distributed impatience time is assumed in both papers.

• α = 0 and β = 0. This case is for a system without server vacations. The state space is then one-dimensional. Choi et al. [36] obtained closed-form solutions for an M/M/1 queue with impatient customers who have a constant timeout value, which is closer to the actual system we are modeling.

• µ = γ. This case is for a system where a message not in service times out at the same rate that it would be served (and it is equivalent to the approximated case where $\rho_i = \beta/\alpha$, ∀i, described in the next subsection). The system is symmetric and a closed-form solution for $f_0(z)$ and $f_1(z)$ can be obtained.

5.2 State aggregation and approximation

One can aggregate the two states (0, i) and (1, i) into one state (·, i). Denote $\rho_i = \pi_{0,i}/\pi_{1,i}$. For i > 0, the transition rate from state (·, i) to (·, i + 1) would be λ, and the transition rate from state (·, i) to (·, i − 1) would be:

\[
\frac{\rho_i}{\rho_i + 1}\,[\mu + \gamma(i-1)] + \frac{\gamma i}{\rho_i + 1} = \frac{\mu - \gamma}{1 + 1/\rho_i} + \gamma i
\]

Thus we have:

\[
\pi_{\cdot,i} = \pi_{0,i} + \pi_{1,i} = \pi_{\cdot,0} \cdot \frac{\lambda^i}{\prod_{j=1}^{i} \Bigl( \frac{\mu-\gamma}{1+1/\rho_j} + \gamma j \Bigr)}, \tag{10}
\]

where $\pi_{\cdot,0} = \pi_{0,0} + \pi_{1,0}$. Hence, knowing $\rho_i$ leads to a solution for the system. $(\rho_i)_i$ reflects the symmetry of the system. For a given level i, $\rho_i$ is the ratio of the time spent by the server in the active mode to the time spent in the vacation mode in state (·, i). The overall portion of time spent by the server in the active (or vacation) mode is $1/(1+\alpha/\beta)$ (or $1/(1+\beta/\alpha)$) (Eqn. (6)). The relative values of γ and µ on the one hand and α and β on the other hand have a direct impact on $\rho_i$. In the case µ = γ, one has $\rho_i = \beta/\alpha$ for all i. Finally, one can expect to have

\[
\rho_i \xrightarrow[i \to \infty]{} \frac{\beta}{\alpha} \doteq \rho_\infty \tag{11}
\]

Indeed we have

\[
\mu + \gamma\,(i-1) \sim_{i \to \infty} \gamma\, i .
\]

The system appears more and more symmetric as i increases. We use $\rho_\infty = \beta/\alpha$, the asymptotic value of $\rho_i$ in Eqn. (11), as an approximation for all $\rho_i$ to solve the model.

6. NUMERICAL RESULTS

In order to use the analytical model to characterize the actual system (represented by the multi-queue system in Fig. 6), we need to map the parameters in the model (represented by the single vacation queue system in Fig. 7) to those in the actual system. For brevity, we refer to the actual system as the “system” and the single-queue model as the “model”.

First, the arrival rate in the model is λ = pδ, where δ is the arrival rate in the system. Next, we map the timeout rate γ = 1/D, where D is the timeout timer in the actual system. In the model, the average service time for a message, 1/µ, is set to be the constant service time in the system. To emulate the slotted behavior, we can view the model as a slot repeating itself, with the duration of a slot being
the average time between two adjacent vacations. Therefore, we match the fixed slot duration T in the system with 1/α + 1/β, the average duration of a period for the model. Finally, the normalized load of the slotted traffic in the system, δ/µ, must be equal to the fraction of time spent by the server in the vacation (idle) state, which is $\Pi_1 = \alpha/(\alpha+\beta)$. Solving the two equations, we get the values of α and β as:

\[
\alpha = \frac{1}{T \cdot (1 - \delta/\mu)}, \qquad \beta = \frac{\mu}{\delta \cdot T} .
\]

We use these parameters for both simulations and numerical results of the model. In the following subsections, we first compare the model to the system through simulations, then solve the model numerically and via the approximation method presented in Section 5.2. Specifically, four types of results are presented and labeled as follows:

• Simulation - system: the results are obtained through the simulation of the actual system (Fig. 6);

• Simulation - model: the results are obtained through the simulation of the model (Fig. 7);

• Numerical solution: the results are obtained through numerically solving the model (Eqns. (1) through (3));

• Approximation: the results are obtained using the approximation method (Eqns. (10) and (11)).

Figure 9: Throughput for different values of p - queuing model and simulations. (a) p = 0.6; (b) p = 0.05. Axes: throughput (msgs/sec) versus intensity of arrival (λ), for Simulation - System, Simulation - Model, Numerical Solution and Approximation. In each figure, the top curve corresponds to simulation of the actual system; the two overlapping curves at the bottom are from simulating the model and numerically solving it, respectively; and the curve in the middle is from solving the model using the approximation.

Figure 10: Loss rate for different values of p - queuing model and simulations. (a) p = 0.6; (b) p = 0.05. Axes: drop rate (msgs/sec) versus intensity of arrival (λ), for Simulation - System and Simulation - Model.

6.1 Simulation results

We first validate the queuing model through simulation of both the actual system (Fig. 6) and the model (Fig. 7). In Fig. 9, we simulate the system for µ = 1, D = 128, T = 8, which corresponds to a system where the transmission time of a non-slotted message is 1/8 of a slot, and a non-slotted message times out after 16 slots. We simulate the cases p = 0.6 and p = 0.05, respectively. We note that p, as the ratio of non-slotted messages to slotted messages sent from a base station, is actually an indication of the success rate of the paging process and is determined by the location management scheme. We pick these two values of p as representatives of two types of location management schemes, a smart one with a 60% paging success rate and a less smart one with a hit rate of 5%. One can see that the model matches well with the system in both scenarios. The system and the model differ by 12-13% at the point where the throughput is maximized for both p values. We find that the difference is caused by our assumption on the timeout. As shown in Fig. 10, messages are dropped earlier with an exponential timeout policy than they would be with a constant timeout value.

6.2 Numerical solutions and approximation results

Using Eqns. (1) through (3), we can solve the queuing model numerically for the same parameters as in the simulations, and the throughput (calculated by Eqn. (4)) is plotted in Fig. 9. The numerical solutions closely match those obtained from simulations, which verifies the correctness of the system of equations. We also
apply the approximation method described in Section 5.2, and the obtained throughput is also plotted in Fig. 9. We notice that the throughput calculated by the approximation method is higher than that given by the model (simulation or numerical solutions). This is because in the approximation we are essentially solving for a system where the timeout rate is the same as the service rate, whereas in the real model the timeout timer (D = 128) is larger than the average service time (1/µ = 1). Therefore, the drop rate in the approximated case is lower. Interestingly, however, the approximation results are closer to the actual system.

6.3 Discussion

Figure 11: Solutions for the simplified model (throughput versus intensity of arrival (λ) for the system and the approximation at p = .6 and p = .05, together with the lines y = 0.6x, y = 0.05x and y = 1 − x and the critical points x = 1/1.6 and x = 1/1.05)

We have found that the throughput curves (e.g., Fig. 9) can all be characterized by a group of line segments as shown in Fig. 11, namely:

• y = px, x ∈ [0, 1/(1 + p)]

• y = 1 − x, x ∈ [1/(1 + p), 1]

• x = 1/(1 + p), y ∈ [0, p/(1 + p)]

Thus, the throughput curve is bounded by the triangular area under y = px and y = 1 − x. This means that, under low to medium load, the throughput of non-slotted messages increases linearly at the rate p with the load of the slotted messages. However, when the load exceeds δ* ≈ 1/(1 + p), the throughput collapses rather than gracefully degrades, at a rate equal to 1 − p. We make two observations. First, a normalized paging channel load of 1/(1 + p) for slotted messages should be considered as a critical point when designing or evaluating the performance of paging schedulers. Second, a paging system with a small value of p is more susceptible to attacks than one with a large p. Recall that p is determined by location management, which includes location update and paging strategies. Our result shows that network operators should absolutely consider and deploy better location management schemes to reduce the average load of the paging channel and improve the robustness of the paging channel to overloads or attacks.

6.4 Validation in a real storming event

It is desirable to validate the queuing model in real life. An ideal approach would be to increase the paging load in a given area to different values around and over 1/(1 + p) and measure the throughput of the system. This is not feasible in real networks due to the associated economic and legal consequences. We did collect valuable network statistics, however, during a real storming event, that indicated the collapse process of the paging throughput. In this event, we observed drop rates of non-slotted messages of 50%, 90%, and 99% after the storming event started. This data, to some extent, validated the model in that the throughput drops to zero after a critical point.

7. CONCLUSIONS

In this work, we identified a serious vulnerability in cellular networks when they are connected to the Internet via cellular data users. This vulnerability exists in the paging channel. We demonstrated this vulnerability in CDMA2000 networks, and we believe that similar vulnerabilities exist in other types of cellular networks that offer both voice and data services, such as General Packet Radio Service (GPRS) networks. The basis of this vulnerability resides in the scheduling executed at the base stations for two classes of paging traffic: the slotted and the non-slotted traffic. An entire paging area could be locked up by saturating the paging channel with paging requests, which means no service (voice, data, SMS) can be delivered to users in the area. We performed active experiments on a CDMA2000 network and presented measurement results which proved that an overload condition in the paging channel can be easily triggered by malicious users or misbehaving applications. We derived a queuing model for the scheduler at a base station as a single-queue system with impatient customers and a server taking vacations. We used this model to show that the throughput collapses to zero once the paging load exceeds the critical value 1/(1 + p), where p is the ratio of non-slotted messages to slotted messages. Since p is directly related to the location update and paging schemes, our result is a call to action for cellular operators to evaluate and deploy efficient location management techniques. This will decrease the time required to locate mobile users, and will significantly increase the robustness of the paging channel to accidental overloads or malicious attacks.

8. REFERENCES

[1] S. Keshav, “Why cell phones will dominate the Internet,” Computer Communications Review, April 2005.
[2] “Mobile radio interface layer 3 specifications,” 3GPP GSM 04.08, Version 7.8.0, Oct. 2000.
[3] “Cellular radiotelecommunications intersystem operations,” EIA/TIA IS.41, 3GPP2 N.S0005-0, Version 1.0, July 1997.
[4] “Upper layer (layer 3) signaling standard for CDMA2000 spread spectrum systems, release D,” 3GPP2 C.S0005-D, Version 1.0, Feb. 2004.
[5] C. U. Saraydar and C. Rose, “Minimizing the paging channel bandwidth for cellular traffic,” in Proc. Universal Personal Communications, Cambridge, MA, 1996.
[6] M. Verkama, “A simple implementation of distance-based location updates,” in IEEE 6th International Conference on Universal Personal Communications Record, San Diego, CA, USA, 1997, pp. 163–167.
[7] Y. Xiao and K. Wu, “Location update for PCS networks with a fractional movement threshold,” in Proc. ICDCSW ’03. Washington, DC, USA: IEEE Computer Society, 2003, p. 825.
[8] M. N. Rocha, G. R. Mateus, and S. L. da Silva, “A comparison between location updates and location area paging for mobile unit tracking simulation in wireless communication systems,” in Proc. DIALM ’99. New York, NY, USA: ACM Press, 1999, pp. 72–77.
[9] G. Wan and E. Lin, “A dynamic paging scheme for wireless communication systems,” in Proc. MobiCom ’97. New York, NY, USA: ACM Press, 1997, pp. 195–203.
[10] H.-W. Hwang, M.-F. Chang, and C.-C. Tseng, “A direction-based location update scheme with a line-paging strategy for PCS networks,” in IEEE Communications Letters, 2000, pp. 149–151.
[11] B. Liang and Z. J. Haas, “Predictive distance-based mobility management for PCS networks,” in Proc. IEEE INFOCOM, New York, NY, 1999, pp. 1377–1384.
[12] A. Bar-Noy, I. Kessler, and M. Sidi, “Mobile users: to update or not to update?” Wirel. Netw., vol. 1, no. 2, pp. 175–185, 1995.
[13] C. Rose, “Minimizing the average cost of paging and registration: a timer-based method,” Wirel. Netw., vol. 2, no. 2, pp. 109–116, 1996.
[14] I. F. Akyildiz and J. S. M. Ho, “Dynamic mobile user location update for wireless PCS networks,” Wirel. Netw., vol. 1, no. 2, pp. 187–196, 1995.
[15] J. S. M. Ho and I. F. Akyildiz, “Mobile user location update and paging under delay constraints,” Wirel. Netw., vol. 1, no. 4, pp. 413–425, 1995.
[16] S. K. Sen, A. Bhattacharya, and S. K. Das, “A selective location update strategy for PCS users,” Wirel. Netw., vol. 5, no. 5, pp. 313–326, 1999.
[17] C. K. Ng and H. W. Chan, “Enhanced distance-based location management of mobile communication systems using a cell coordinates approach,” IEEE Transactions on Mobile Computing, vol. 4, no. 1, pp. 41–55, 2005.
[18] Y. Xiao, “Optimal fractional movement-based scheme for PCS location management,” IEEE Communications Letters, vol. 7, no. 2, pp. 67–69, 2003.
[19] G. Y. Lee and Y. Lee, “Numerical analysis of optimum timer value for time-based location registration scheme,” IEEE Communications Letters, vol. 6, no. 10, pp. 431–433, 2002.
[20] U. Madhow, M. L. Honig, and K. Steiglitz, “Optimization of wireless resources for personal communications mobility tracking,” IEEE/ACM Trans. Netw., vol. 3, no. 6, pp. 698–707, 1995.
[21] R.-H. Gau and Z. J. Haas, “Concurrent search of mobile users in cellular networks,” IEEE/ACM Trans. Netw., vol. 12, no. 1, pp. 117–130, 2004.
[22] S. Tabbane, “An alternative strategy for location tracking,” IEEE Journal on Selected Areas in Communications, vol. 13, no. 5, pp. 880–892, 1995.
[23] G. P. Pollini and C.-L. I, “A profile-based location strategy and its performance,” IEEE Journal on Selected Areas in Communications, vol. 15, no. 8, pp. 1415–1424, 1997.
[24] C. Rose, “State-based paging/registration: a greedy technique,” IEEE Transactions on Vehicular Technology, no. 1, pp. 166–173, 1999.
[25] S. DasBit and S. Mitra, “A varying per user profile based location update strategy for cellular networks,” in Proc. ICCT 2000, Beijing, China, Aug. 2000, pp. 754–760.
[26] H.-K. Wu, M.-H. Jin, and J.-T. Horng, “Personal paging area design based on mobiles moving behaviors,” in Proc. IEEE INFOCOM, 2001, pp. 21–30.
[27] P. Mutaf and C. Castelluccia, “Hash-based paging and location update using bloom filters,” Mobile Networks and Applications, vol. 9, pp. 627–631, 2004.
[28] C. Guo, H. J. Wang, and W. Zhu, “Smart-phone attacks and defenses,” in HotNets III, San Diego, CA, 2004.
[29] P. Mutaf and C. Castelluccia, “Insecurity of the paging channel in a wireless internet,” in Proc. IEEE Workshop on Applications and Services in Wireless Networks, Berne, Switzerland, 2003.
[30] T. Bu, S. Norden, and T. Woo, “Defending against novel DoS attacks in 3G wireless networks,” accepted at 3rd ACM Workshop on Wireless Security (WiSe), Oct. 2004.
[31] T. Martin, M. Hsiao, D. Ha, and J. Krishnaswami, “Denial-of-service attacks on battery-powered mobile computers,” in Proc. 2nd International Conference on Pervasive Computing and Communications (PerCom’04), 2004.
[32] W. Enck, P. Traynor, P. McDaniel, and T. L. Porta, “Exploiting open functionality in SMS-capable cellular networks,” in Proc. ACM CCS’05, Alexandria, VA, Nov. 2005.
[33] J. Veerasamy, J. Jubin, and S. Kodali, “Practical approach to optimize paging success rate in CDMA network,” in Proc. IEEE WCNC 2005, March 2005.
[34] E. Altman and U. Yechiali, “Analysis of customers’ impatience in queues with server vacations,” Queueing Systems, vol. 52, no. 4, pp. 261–279, 2006.
[35] E. Altman and U. Yechiali, “Infinite-server queues with system’s additional tasks and impatient customers,” accepted for publication in Stochastic Models, 2006.
[36] B. D. Choi, B. Kim, and J. Chung, “M/M/1 queue with impatient customers of higher priority,” Queueing Systems, vol. 38, pp. 49–66, 2001.
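The numerical solution and the approximation of Sections 5, 5.2 and 6 worked through in Python, as an added example that is not part of the paper. `map_parameters` applies the Section 6 mapping (λ = pδ, γ = 1/D, α = 1/(T(1 − δ/µ)), β = µ/(δT)); `solve_qbd` truncates the QBD of Section 5 at a level K and solves Eqns. (1) through (3) by linear level reduction (the truncation level and the choice of level reduction over a generic linear solver are this example's, not the paper's method); `model_metrics` returns the throughput P of Eqn. (4) and checks Eqns. (6) and (7) on the solution; `approximate_throughput` evaluates Eqn. (10) with ρ_i = ρ_∞ = β/α from Eqn. (11), recovering π_{0,i} as π_{·,i}·ρ_∞/(1 + ρ_∞), which is this example's reading of how Eqn. (4) is applied to the aggregated chain.

```python
"""Level-dependent QBD of Section 5 solved numerically (Eqns. (1)-(3) truncated
at level K, linear level reduction), the system-to-model parameter mapping of
Section 6, and the state-aggregation approximation of Section 5.2 (Eqns. (10),
(11)). Added example, not the paper's code. Phase 0 = server active, phase 1 =
server on vacation; pi[i] = [pi_{0,i}, pi_{1,i}].
"""


def map_parameters(delta, p, mu, D, T):
    """Section 6: lam = p*delta, gamma = 1/D, and (alpha, beta) such that
    1/alpha + 1/beta = T and alpha/(alpha+beta) = delta/mu."""
    lam = p * delta
    gamma = 1.0 / D
    alpha = 1.0 / (T * (1.0 - delta / mu))   # active -> vacation rate
    beta = mu / (delta * T)                  # vacation -> active rate
    return lam, gamma, alpha, beta


def _inv2(m):
    (a, b), (c, d) = m
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def _mul2(x, y):
    return [[x[i][0] * y[0][j] + x[i][1] * y[1][j] for j in range(2)]
            for i in range(2)]


def solve_qbd(lam, mu, gamma, alpha, beta, K=400):
    """Stationary distribution of the QBD truncated at level K (arrivals at
    level K are rejected). R_i = Lambda (-(Q_i + R_{i+1} M_{i+1}))^{-1} is
    computed backwards, then pi_i = pi_{i-1} R_i forwards (this example's
    choice of solver; the truncation level K is an assumption)."""
    def M(i):  # departures from level i: mu + gamma(i-1) active, gamma*i on vacation
        return [[mu + gamma * (i - 1), 0.0], [0.0, gamma * i]]

    def Q(i, top=False):  # local block: phase switching minus total outflow
        out0 = alpha + (M(i)[0][0] if i > 0 else 0.0) + (0.0 if top else lam)
        out1 = beta + (M(i)[1][1] if i > 0 else 0.0) + (0.0 if top else lam)
        return [[-out0, alpha], [beta, -out1]]

    R = [None] * (K + 1)
    U = Q(K, top=True)
    for i in range(K, 0, -1):
        if i < K:
            RM = _mul2(R[i + 1], M(i + 1))
            U = [[Q(i)[r][c] + RM[r][c] for c in range(2)] for r in range(2)]
        R[i] = [[-lam * v for v in row] for row in _inv2(U)]   # Lambda = lam*I
    RM = _mul2(R[1], M(1))
    B = [[Q(0)[r][c] + RM[r][c] for c in range(2)] for r in range(2)]
    pi = [[B[1][0], -B[0][0]]]            # pi_0 B = 0 (censored chain on level 0)
    for i in range(1, K + 1):
        prev = pi[-1]
        pi.append([prev[0] * R[i][0][0] + prev[1] * R[i][1][0],
                   prev[0] * R[i][0][1] + prev[1] * R[i][1][1]])
    total = sum(a + b for a, b in pi)
    return [[a / total, b / total] for a, b in pi]


def model_metrics(lam, mu, gamma, alpha, beta, K=400):
    """Throughput P of Eqn. (4), phase marginals of Eqn. (6), and the residual
    of the conservation law of Eqn. (7); arrivals rejected at the truncation
    level are subtracted from lam, so the residual should be ~0."""
    pi = solve_qbd(lam, mu, gamma, alpha, beta, K)
    P = mu * sum(pi[i][0] for i in range(1, K + 1))
    Pi0 = sum(a for a, _ in pi)
    Pi1 = sum(b for _, b in pi)
    Pip0 = sum(i * pi[i][0] for i in range(1, K + 1))
    Pip1 = sum(i * pi[i][1] for i in range(1, K + 1))
    accepted = lam * (1.0 - pi[K][0] - pi[K][1])
    residual = accepted - ((1.0 - gamma / mu) * P + gamma * (Pip0 + Pip1))
    return {"P": P, "Pi0": Pi0, "Pi1": Pi1, "residual": residual}


def approximate_throughput(lam, mu, gamma, alpha, beta, K=400):
    """Section 5.2: birth-death chain of Eqn. (10) with rho_i = rho_inf =
    beta/alpha (Eqn. (11)); pi_{0,i} = pi_{.,i} * rho/(1+rho) for Eqn. (4)."""
    rho = beta / alpha
    d = (mu - gamma) / (1.0 + 1.0 / rho)   # level-independent part of the down rate
    w = [1.0]
    for i in range(1, K + 1):
        w.append(w[-1] * lam / (d + gamma * i))
    total = sum(w)
    return mu * (rho / (1.0 + rho)) * (1.0 - w[0] / total)


if __name__ == "__main__":
    mu, D, T, p = 1.0, 128, 8, 0.6          # the paper's simulation settings
    for delta in (0.2, 0.4, 0.6, 0.8):
        lam, gamma, alpha, beta = map_parameters(delta, p, mu, D, T)
        m = model_metrics(lam, mu, gamma, alpha, beta)
        print(delta, round(m["P"], 4),
              round(approximate_throughput(lam, mu, gamma, alpha, beta), 4))
```

Two checks are worth keeping when reusing this: the phase marginal Π_0 must equal β/(α + β) whatever K is, because the server's state is independent of the queue, and the Eqn. (7) residual must vanish once K is well above the levels that carry probability mass (for δ = 0.9 the queue settles where λ ≈ µΠ_0 + γi, i.e. around i ≈ 56 with the paper's parameters, so K = 400 is ample). Since P = µ(Π_0 − π_{0,0}) cannot exceed µβ/(α + β) = µ(1 − δ/µ), the model reproduces the 1 − x branch of Section 6.3 directly.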
