Bug #1477
RACH flood DoS
Description
On the RACH (part of the CCCH/BCCH), the number of RACH slots per unit of time is fixed. The maximum possible number of RACH slots with a single-timeslot CCCH is 200.
Furthermore, the number of available dedicated (control and traffic) channels is limited in any given cell.
As per the GSM specification, any newly assigned dedicated channel has to stay assigned for 2 seconds, waiting for the MS to establish the radio link layer. Only after those 2 seconds can the channel be released and re-used for other purposes.
If anyone can send more RACH requests within those 2 seconds than the cell has dedicated channels, the dedicated channels are permanently exhausted (in other words, a DoS).
As the RACH request can be hand-crafted by the attacker and sent at a timing chosen by the attacker, there is no possibility for the BTS to differentiate real from malicious RACH bursts.
This attack was implemented in 2009 by Dieter Spaar and publicly demonstrated at the Deepsec 2009 conference in Vienna.
Slides are available from http://www.mirider.com/GSM-DoS-Attack_Dieter_Spaar.pdf
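To make the exhaustion condition above concrete, here is an added capacity model (not part of this report or of any Osmocom code): it replays a list of RACH arrival times against a pool of dedicated channels that are each held for the 2-second establishment window, and separately applies the report's rate condition (more RACH requests in any 2-second window than the cell has channels). Channel count, arrival times and millisecond units are constructed sample values.

```python
from collections import deque

HOLD_MS = 2000  # per the report: a newly assigned channel stays busy for 2 s


def simulate_channel_pool(rach_times_ms, channels, hold_ms=HOLD_MS):
    """Replay sorted RACH arrival times (ms) against `channels` dedicated
    channels, each held `hold_ms` after assignment.
    Returns (assigned, rejected, time of first rejection or None)."""
    busy = deque()            # release times of currently assigned channels
    assigned = rejected = 0
    first_exhausted = None
    for t in rach_times_ms:
        while busy and busy[0] <= t:   # free channels whose hold has expired
            busy.popleft()
        if len(busy) < channels:
            busy.append(t + hold_ms)
            assigned += 1
        else:                          # no free channel: request is lost
            rejected += 1
            if first_exhausted is None:
                first_exhausted = t
    return assigned, rejected, first_exhausted


def rach_rate_exceeds_pool(rach_times_ms, channels, window_ms=HOLD_MS):
    """Sliding-window check of the report's condition: do more RACH requests
    arrive in any `window_ms` window than the cell has dedicated channels?"""
    recent = deque()
    for t in rach_times_ms:
        recent.append(t)
        while recent[0] <= t - window_ms:
            recent.popleft()
        if len(recent) > channels:
            return True
    return False


# Constructed samples: a cell with 8 dedicated channels (hypothetical value).
CHANNELS = 8
NORMAL_LOAD = list(range(0, 20000, 500))   # one RACH every 500 ms for 20 s
FLOOD = list(range(0, 3000, 100))          # one RACH every 100 ms for 3 s

if __name__ == "__main__":
    print("normal:", simulate_channel_pool(NORMAL_LOAD, CHANNELS))  # (40, 0, None)
    print("flood: ", simulate_channel_pool(FLOOD, CHANNELS))        # (16, 14, 800)
    print("flood exceeds pool:", rach_rate_exceeds_pool(FLOOD, CHANNELS))
```

Under the flood the pool is full after the eighth request and every further request in the same 2-second window is lost, which is the permanent exhaustion the report describes as long as the flood continues.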
Updated by admin over 13 years ago
- Status changed from New to Closed
- Resolution set to confirmed
Updated by admin over 13 years ago
- Status changed from Closed to Feedback
- Resolution deleted (confirmed)