Is Geo Location Based DDoS Possible?

Tuesday, October 19, 2010

Bozidar Spirovski


A while ago Shortinfosec published an article by Michael Coates about Geo Location based DDoS. The article sparked some interest, and we decided to delve deeper into this issue.

Shortinfosec performed a basic analysis of the possible impacts of Geo Location based DDoS.

ITU has published that there are 4.6 billion mobile phones worldwide. That is a truly formidable number, and quite capable of performing a DDoS attack on any mobile network.

But creating a DDoS attack isn't as simple as it looks - especially a Geo Location based DDoS. In order to make a DDoS attack, you need the following ingredients:

Software That Will Enable the Attack

The software will have to use the geo location function (to know where the phone is) and telco function (to create the DoS) of the mobile phone.

Variants of such software already exist and can be developed with relative ease for any smartphone platform. Examples of apps that use both geo location and telco functions are GPS tracking apps (for child tracking or employee tracking) as well as 'Cheating Spouse Spy' apps.

They read the phone's location and send out data streams or SMS messages; some of them are even remotely controllable via SMS. Such an app can be modified with little effort to create a DoS by swamping the network with SMS messages or data traffic.

Means of Distribution of the Attack Software

In order for a DDoS attack to succeed, you need a high volume of attack ('zombie') devices.

In a Geo Location DDoS you attack something which is at one geographic location, so zombie phones need to be at or around the target location.

This means that you need to persuade a lot of people to install the attack app on their phones. There are two options for this task:

  • An App that everyone will like - This is very hard to achieve, since whatever your App is - even a game, the percentage of people that will like the game can be very limited. Also, you need to develop this App for a lot of platforms, since there are a lot of phone manufacturers and everyone has several different OS platforms.
  • A self-distributing (virus like) application - poses a whole set of challenges: A virus can self-distribute either through a vulnerability of the Operating System, or through user action (like sending an SMS with instructions to install an app). Phone users do not readily install new apps simply because an SMS instructed them to, and good luck finding vulnerabilities in a sufficient number of platforms and versions of phone OS.

Sufficient Concentration of Geo Location Enabled Zombie Phones in Targeted Areas

Now this is a real numbers game with a lot of interesting results. Targeted areas will be large metropolitan areas which are the focus of large businesses - these will have the highest concentration of zombie phones, and it is where most damage to the reputation of the mobile provider can be done.

To estimate the number of zombie phones in any given area, we need some starting parameters. We'll use worst case (attacker-friendly) values for every parameter.

  • Geo Location enabled phone percentage in total phone population (between 24% and 95%) - Gartner estimates that smart phones make up 18% of the total number of mobile phones. We'll assume that every smart phone has Geo Location ability, and we'll use percentages higher than 18%, since the target area is going to have a greater population with the means and needs to have a smart phone. For the US, we'll use 95% simply because of the FCC E911 Phase 2 directive, which mandates that 95% of all subscribers of the US mobile networks have some form of Geo Location.
  • Percentage of phones that will be targeted by the attack app (51%) - since there are multiple manufacturers and platforms, the attacker needs to attack the population with the highest probability of success - the largest phone population with similar characteristics. We'll use the percentage of penetration of platform - Symbian, which according to Gartner had 51% market share of all smart phone platforms.
  • Successfully zombified phones (20%) - the target population of mobile phones cannot be fully controlled. The widest penetration of a virus infection was the Melissa virus, for which it is estimated that it infected between 15% and 20% of all computers worldwide. We'll use 20% for good measure.
  • Area where most attack phones will reside (16 square kilometers) - on a business day most Geo Location based phones will be within the city business area. For a city of over a million inhabitants, this area is at least a 4 kilometer by 4 kilometer square (2.49 x 2.49 miles). That is 16 square kilometers, or 16 million square meters.
  • Concentration of zombified phones (50% within the attack area) - on a business day we will assume that 50% of zombie phones will be within the attack area.

Based on these parameters, we created a table which calculates the number of zombified phones in large metropolitan areas throughout the world.

See Table Here

Analysis of the Table

Assuming that the parameters of the analysis can be met (especially the number of phones that are zombified), here is what the numbers show:

Overwhelming the network - highly unlikely: The maximal number of zombie phones represent from 2.41 to 9.7 percent of the total phone population for urban areas.

The mobile network switches are designed to handle traffic spikes, so they will be able to handle an increase of at most 10% of the total city phone population.

Overwhelming the central area - possible: Long before the DDoS attack can overwhelm the network switches, it will hit a bottleneck: each mobile radio cell has a technical limit on the number of simultaneous active calls (channels), so in a DDoS scenario the cells where most zombified phones reside will be affected.

Overwhelming Hot spots - very likely: Even within the attack target area, there are hot spots with huge concentrations of mobile phones - large office buildings and business parks. These hot spots are rarely treated with a dedicated set of cells, and the DDoS attack will most likely overwhelm the available cells.

In simpler terms, on a business day, the cells in the business area of the city will have more requests for service than available channels, so there will be a lot of No Service or No Network within the central attack area.
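To make the two steps of the estimate concrete - the share of a city's phones that end up as zombies under the parameters listed above, and why the cell, not the switch, is the bottleneck - here is a small worked model. It is an added example, not part of the original post or its table; the fractions (51% platform share, 20% infection, 50% in the attack area) are the article's, while the city sizes, phones per cell, channels per cell and per-phone traffic figures are constructed assumptions. The cell-level part goes a little beyond the text by using the standard Erlang B formula to turn "more requests than channels" into a blocking probability.

```python
"""Worked estimate of the zombie population and of its effect on one cell.

Added example; not from the original post.  The fractions below are the
article's worst-case parameters; every population, channel and traffic
figure is a constructed assumption for illustration only.
"""

# Article parameters (worst case).
PLATFORM_SHARE = 0.51      # share of smartphones on the dominant platform
INFECTION_RATE = 0.20      # share of targeted phones successfully zombified
IN_AREA_FRACTION = 0.50    # share of zombies inside the 4 km x 4 km area


def zombie_fraction(geo_share):
    """Share of ALL phones in the city that end up as zombies, for a given
    share of geo-location-capable phones (0.24 .. 0.95 in the article)."""
    return geo_share * PLATFORM_SHARE * INFECTION_RATE


def zombies_in_area(phones_in_city, geo_share):
    """Zombies physically inside the attack area on a business day."""
    return phones_in_city * zombie_fraction(geo_share) * IN_AREA_FRACTION


def erlang_b(offered_erlangs, channels):
    """Blocking probability of a cell with `channels` trunks offered
    `offered_erlangs` of traffic (Erlang B).  Uses the standard recursion
    B(E, m) = E*B(E, m-1) / (m + E*B(E, m-1)) so large channel counts
    do not overflow factorials."""
    b = 1.0
    for m in range(1, channels + 1):
        b = offered_erlangs * b / (m + offered_erlangs * b)
    return b


def hotspot_blocking(phones_in_cell, geo_share, channels,
                     busy_hour_erlangs_per_phone=0.03, zombie_erlangs=1.0):
    """Blocking probability of one hotspot cell before and after the attack.

    Assumptions (constructed): each legitimate phone offers 0.03 Erlang in
    the busy hour; each zombie holds a channel continuously (1 Erlang),
    which is the worst case for an SMS/data swamping app.
    """
    zombies = round(phones_in_cell * zombie_fraction(geo_share))
    baseline = phones_in_cell * busy_hour_erlangs_per_phone
    attacked = baseline + zombies * zombie_erlangs
    return erlang_b(baseline, channels), erlang_b(attacked, channels)


if __name__ == "__main__":
    # City-wide: a constructed city of 1,000,000 phones at the US (95%) figure.
    for geo in (0.24, 0.95):
        print(f"geo share {geo:.0%}: zombies = {zombie_fraction(geo):.2%} "
              f"of all phones, {zombies_in_area(1_000_000, geo):,.0f} "
              f"inside the attack area")
    # One hotspot cell: 1,000 phones camped on a cell with 45 channels.
    before, after = hotspot_blocking(1000, 0.95, 45)
    print(f"hotspot cell blocking: {before:.2%} before, {after:.1%} during attack")
```

With the article's 95% geo share the zombie fraction is 9.7% of all phones, matching the upper figure in the analysis; the 24% case gives about 2.4%. The cell view is the more telling one: a 45-channel cell that blocks well under 1% of requests in a normal busy hour blocks roughly two thirds of them once a tenth of its 1,000 phones each hold a channel, which is the "No Service" condition described above, and it happens without any switch-level congestion at all.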

Detection and remedy - at least several hours:
The mobile network operator will immediately identify the overwhelmed cells, but it will take hours to identify the pattern of who is creating the congestion.

Even then, the remedy will not be simple, and will come down to disabling service for every identified zombie phone.

This will take several hours the first time around. But once this particular type of attack is identified, a lot of effort will be put into creating automatic or semi-automatic detection and disabling systems, so after several attacks this correction will be brought down to a maximum of several tens of minutes.
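The "automatic or semi-automatic detection" the paragraph anticipates is, at its core, a per-cell aggregation of service requests: find the cells whose request rate exceeds their channel count, then find the subscribers inside those cells whose request rate is far above a normal user's, and hand that list to the disabling step. The following is an added illustration of that logic, not code from the original post or from any operator; the record format, the thresholds and the sample records are constructed, and real signalling or CDR feeds will differ.

```python
"""Toy detection pass over per-cell service-request records.

Added example; not from the original post.  Record format, thresholds and
sample data are constructed assumptions, not a real operator's feed.
"""
from collections import Counter, defaultdict


def build_sample():
    """Constructed records: (timestamp_s, cell_id, subscriber_id, event).

    Cell C1 holds 20 normal users making one call attempt each plus three
    zombies sending an SMS every 2 seconds.  Cell C2 holds 10 normal users.
    """
    recs = []
    for i in range(20):
        recs.append((i, "C1", f"N{i:02d}", "call"))
    for i in range(10):
        recs.append((i, "C2", f"M{i:02d}", "sms"))
    for z in ("Z1", "Z2", "Z3"):
        for t in range(0, 60, 2):
            recs.append((t, "C1", z, "sms"))
    return recs


def find_zombies(records, channels_per_cell, window_s=60, per_sub_threshold=10):
    """Return (overloaded_cells, suspects).

    overloaded_cells maps cell_id -> total requests in a window where the
    total exceeded the cell's channel count.  suspects is the set of
    subscribers who, inside an overloaded cell, made at least
    `per_sub_threshold` requests in that window.  Scoping the per-subscriber
    check to overloaded cells keeps legitimately busy users elsewhere
    (call centres, dispatchers) off the list.
    """
    per_window_cell = defaultdict(Counter)  # (window, cell) -> Counter(sub)
    for ts, cell, sub, _event in records:
        per_window_cell[(ts // window_s, cell)][sub] += 1

    overloaded = {}
    suspects = set()
    for (_win, cell), counts in per_window_cell.items():
        total = sum(counts.values())
        if total > channels_per_cell.get(cell, 0):
            overloaded[cell] = total
            suspects.update(s for s, n in counts.items() if n >= per_sub_threshold)
    return overloaded, suspects


if __name__ == "__main__":
    capacity = {"C1": 40, "C2": 40}   # constructed channel counts per cell
    cells, subs = find_zombies(build_sample(), capacity)
    print("overloaded cells:", cells)           # {'C1': 110}
    print("subscribers to disable:", sorted(subs))  # ['Z1', 'Z2', 'Z3']
```

On the sample, C1 sees 110 requests against 40 channels and the three zombies stand out at 30 requests each against one for everyone else, so the disabling step gets exactly those three. The hard part in practice is the first time round, as the paragraph says: choosing the window and thresholds so that a packed stadium or a New Year's Eve burst is not mistaken for an attack, which is why the per-subscriber rate inside an overloaded cell, rather than the cell load alone, is the signal worth acting on.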

Also, mobile operators have the financial means to go after the initiator of the DDoS with every available investigative and legal tool.


The parameters in this table represent a worst case scenario, but they are based on current numbers of phones and estimated Geo Location ability.

The estimation assumed that the attacker can actually install the attack app into 20% of Geo Location enabled devices. This assumption is very far fetched, and therefore, the entire scenario is not very realistic.

The future may be darker - if we start using a common mobile platform, similar to the Windows prevalence in the PC world, and with the Geo Location function becoming either a commodity or even a mandate, the parameters of the analysis can change dramatically - and make the mobile networks vulnerable to DDoS attacks.

Cross-posted from ShortInfosec

Jimi Thompson: It's not always what you can do but HOW you use it. Let's say you wanted to rob a bank. You don't want the cellular alarm to summon the police... Then you only need an app that will appeal to a sufficient number of users in a targeted area - say an elementary school.... At that point it becomes a whole lot easier to find a use for something like this.... :/

Steve Smith: One of the limiting factors for using cellphones for a DDoS attack would be the limited processing power of phones in general. As a ballpark it could be estimated that, say, 10 mobile phones = 1 average PC.

The other thing to note does the capacity of the computer hardware exceed the capacity of the towers they are serving (which one goes down first, the computers serving the tower or the tower network itself).

I would suspect the computers, so the data network might go down due to server outage or be horrendously slow but the radio towers would still work.

What about different service providers using different towers too. Or shared towers different physical networks.

If the goal was to take down a data network there are probably easier ways to do this, as all the data networks terminate on physical servers somewhere; even the GeoLocation is easily accessible from the internet. It would be easier to go straight for the servers rather than use the cellphones as a middle man.