BTS resource depletion attack
Every commercial eNB has a maximum capacity of active user connections determined by its hardware and software specifications. The purpose of the BTS resource depletion attack is to exhaust this capacity of active RRC Connections, thereby preventing other users from connecting to the target eNB.

1) Adversary model: This attack targets a commercially operating eNB. An adversary can obtain the connection information of the target eNB by passively listening to its broadcast messages, just as any normal device does.

2) Attack procedure: The adversary repeatedly performs Random Access and establishes RRC Connections in order to increase the number of active RRC Connections, as depicted in Fig. 5(a). In a normal situation, immediately after the RRC Connection is established, an initial NAS connection procedure proceeds through either an NAS Attach request or an NAS Service request piggybacked on the RRC Connection complete message. In our attack, the adversary sends the NAS Attach request with an arbitrary user IMSI. Unlike the normal procedure, once the adversary receives the NAS Authentication request, it restarts Random Access to establish a new RRC Connection. The adversary does not reply to the NAS Authentication request from the MME because this keeps the established RRC Connection alive while the MME waits for a valid NAS Authentication response; if the adversary replied with an invalid NAS Authentication response, the RRC Connection would be released immediately. One condition for the attack to succeed is that the number of newly established RRC Connections has to be greater than the number of existing RRC Connections that are released over the same period.

3) Implementation: We used one USRP B210 as the software radio transceiver and srsUE to implement a malicious UE.
To repeat the RRC Connection procedure continuously with different C-RNTIs, we modified srsUE to start another Random Access procedure whenever it receives an NAS Authentication request, rather than replying with an NAS Authentication response. If several RRC Connection requests are sent with the same C-RNTI, the eNB treats them as repeated requests for the same RRC Connection, which is not our adversary’s goal.

4) Validation: Because attacking commercially operating eNBs can affect legitimate users, we performed our BTS resource depletion attack against a COTS femtocell connected to our testbed EPC network implemented on OpenAirInterface (OAI). We mainly attempted to determine how many fake RRC Connections could be established using one USRP device. We did this by observing the active RRC Connections of our femtocell with an Airscope, which provides over-the-air user information by decoding the physical-layer communication channels of LTE. Fig. 6 shows that the number of active RRC Connections increases until it reaches the maximum capacity of the femtocell, namely 16 active connections for our target femtocell. Therefore, once an adversary has generated 16 RRC Connections, the femtocell rejects all subsequent RRC Connection requests, whether from the adversary or from the legitimate UE, as shown in Fig. 7. When demonstrating the attack, it took 0.762 s to establish 16 RRC Connections, and we could establish 20 RRC Connections per second. Therefore, an adversary would be able to create 200 RRC Connections if the operational eNB waited 10 s before releasing inactive RRC Connections. We confirmed with the carrier that an attack of this nature would affect an operating eNB. In addition, the carrier suggested an even more serious scenario: if the adversary were to include “emergency” as the establishment cause in an RRC Connection request, it would even cause existing RRC Connections to be released if no additional RRC resource was available.
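The success condition from the attack procedure above and the capacity figures from the validation (16 connections, 20 connections/s, and a 10 s release timeout yielding 200 held connections) can be reproduced with the following toy model. It is an added example, not code from the paper or from srsUE/OAI: it models only the eNB's connection table with an idealized fixed establishment interval and release timer, and adds a detection heuristic over constructed signaling records that counts connections left pending at the NAS Authentication request, which is the trace this attack leaves for an operator to monitor.

```python
from collections import Counter

def simulate(capacity, timeout_ms, rate_per_s, duration_ms):
    """Admit one RRC Connection every 1000 // rate_per_s ms and never answer the
    NAS Authentication request, so each is held until the eNB's release timer fires.
    Returns (ms at which capacity was first reached or None, rejected requests, peak held)."""
    interval = 1000 // rate_per_s
    held, saturated_at, rejected, peak = [], None, 0, 0
    for now in range(0, duration_ms, interval):
        # Release connections whose authentication wait has exceeded the timeout.
        held = [t for t in held if now - t < timeout_ms]
        if len(held) >= capacity:
            rejected += 1          # capacity exhausted: a legitimate UE would be refused here too
        else:
            held.append(now)
        peak = max(peak, len(held))
        if saturated_at is None and len(held) >= capacity:
            saturated_at = now
    return saturated_at, rejected, peak

def stale_auth_per_cell(events, window_ms, now_ms):
    """events: (ts_ms, cell_id, c_rnti, msg) with msg in
    {'nas_auth_req', 'nas_auth_resp', 'rrc_release'}.  Returns, per cell, how many
    connections have had an Authentication Request pending longer than window_ms,
    which is the trace an unanswered-authentication flood leaves in signaling logs."""
    pending = {}
    for ts, cell, rnti, msg in sorted(events):
        key = (cell, rnti)
        if msg == 'nas_auth_req':
            pending[key] = ts
        elif msg in ('nas_auth_resp', 'rrc_release'):
            pending.pop(key, None)   # answered (valid or invalid) or released: no longer pending
    stale = Counter(cell for (cell, _), ts in pending.items() if now_ms - ts > window_ms)
    return dict(stale)

# Constructed sample: cell 1 holds three connections stuck at Authentication Request
# plus one recent one; cell 2's connection answered normally.
SAMPLE_EVENTS = [
    (1000, 1, 0x4A, 'nas_auth_req'), (1050, 1, 0x4B, 'nas_auth_req'),
    (1100, 1, 0x4C, 'nas_auth_req'), (3000, 1, 0x4D, 'nas_auth_req'),
    (1000, 2, 0x4A, 'nas_auth_req'), (1200, 2, 0x4A, 'nas_auth_resp'),
]

if __name__ == '__main__':
    print(simulate(16, 10_000, 20, 2_000))       # (750, 24, 16): full after 16 requests
    print(simulate(10_000, 10_000, 20, 30_000))  # (None, 0, 200): 20/s held for 10 s
    print(stale_auth_per_cell(SAMPLE_EVENTS, 2_000, 3_500))  # {1: 3}
```

The second simulation run shows the paper's 200-connection estimate as the steady state of a 20/s establishment rate against a 10 s release timer; shortening that timer, or alerting when a cell's stale-authentication count climbs toward its capacity, are the two knobs the model exposes.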