5G Network Security Threat: Performing a DDOS Attack with UERANSIM

00:00

hey everyone welcome to this video

00:02

so in this video I am going to talk

00:04

about how you can use uv9 sim to create

00:07

a DDOS attack

00:09

and this is just a kind of a reference

00:12

that I got one of the comment to explain

00:15

how it is possible and how we can do so

00:18

so first let me explain you with help of

00:20

a diagram how it is possible and what is

00:24

the scenario that we can Implement to

00:27

perform this DDOS attack

00:29

so suppose in case of our installation

00:31

we have

00:33

I'm using because I didn't have much of

00:36

time to set up the 2vm setup so in this

00:39

case I'm using only single VM and the

00:42

limitation with single VM is that we

00:44

will not be able to use ping for the

00:46

data traffic but I am going to explain

00:48

how

00:49

we can implement this

00:52

scenario

00:53

now this is just a open 5gs core Network

00:56

right

00:57

in the core Network we have two

00:59

components basically if we think of the

01:02

related functionality one is the control

01:04

Pane and the second one is

01:07

the user type right so the user plane is

01:10

the part which handles the

01:13

user data or the UE traffic

01:17

in case of any core Network

01:19

if any attacker wants to disrupt it

01:24

to disrupt this

01:26

core Network

01:28

there are two ways to do so first is

01:31

he can disrupt the control plane

01:35

by kind of a packet storm so that the

01:38

signal processing taken care by the

01:41

network is choked and it's not able to

01:45

carry out any more signal processing

01:48

the second one is choking the user pane

01:52

but for this it needs to be first

01:54

authenticated with the network

01:56

this is the description of

01:59

control pin

02:01

and the second one is disruption of the

02:03

user blade

02:05

now keep in mind with disruption of the

02:07

control plane there are multiple

02:09

functions in 5G Network at an attacker

02:12

you can try to take out any one of it

02:14

but in this

02:16

example I will show you how we can

02:19

create a signal strum we call it a

02:23

signaling

02:25

Tom

02:26

so the second part would be if you are

02:29

authenticated then you can use the same

02:33

UE to have multiple connection using UE

02:35

Lan Sim

02:37

if you know all the details of that UE

02:40

and

02:41

try out

02:42

multiple streams of data for example

02:45

you have this MC and you know all these

02:50

values you can

02:54

configure it with all these values and

02:57

then what you can do

02:58

you have the same you are authenticated

03:00

with the code Network all right that's

03:03

good the second part would be what you

03:05

would do

03:06

you will just

03:09

send large streams of data here

03:13

on the user plane

03:14

to disrupt it with the same zip

03:17

and

03:19

once you are authenticated your

03:21

signaling is very less

03:23

you are allowed to do anything in the

03:25

network and with this this Sim you would

03:28

be able to have n number of

03:31

you can say instances running with you

03:33

and Sim which can disrupt the user plane

03:37

so in this example I'm going to show you

03:39

this disruption of the control plane and

03:42

how it is easily possible

03:44

just to find 10 Sims here

03:47

if you want you can Define more all

03:49

right so um so I'm in my installation

03:51

and I have a single VM setup so I will

03:54

just start my G note B so I have only

03:56

one G note B here defined and as soon as

03:59

I started you can see it is trying to

04:01

establish a certification satv is a it's

04:04

able to contact the AMF so NG setup is

04:07

okay

04:09

in the second session I will try to

04:11

connect one UE

04:14

and you can see everything is going good

04:16

or UV signaling is up I will not be able

04:19

to Ping any IP through this interface

04:21

because I'm using a single VM setup in

04:23

case you want to use open 5js and UI and

04:25

Sim to communicate with the internet you

04:28

need to use a multi-vm setup now

04:30

so far so good

04:32

in here what I can do is

04:36

I can I will just connect two more

04:38

sessions so one is tail hyphen f for log

04:41

amf15ds

04:44

AMF log so I will see what are the logs

04:48

going on in the AMF in this session and

04:51

I'll just do a great SSH

04:55

and here

04:57

let me just do an H

05:01

so I will check the status of my memory

05:04

usage

05:05

now just close this connection and what

05:07

I will do

05:09

so in UE and Sim so let me just clear it

05:12

so in UE and Sim there is an option

05:16

hyphen n where you can spin up multiple

05:18

number of emcees

05:20

and it will just replace the emcees in

05:24

serely so for example if you define MC1

05:27

here so if I show you the configuration

05:29

here I have MC1 mc2 and so on till 10.

05:33

so I have around 10 in C here so if I

05:36

just pass this parameter hyphen and 10

05:38

it will start those 10 MCS so you can

05:41

see 10 MCS are connected and

05:46

all of them are successful

05:48

memory usage is not

05:50

that I would say increased so I'll just

05:54

power off this machine

05:55

and what I will do inside my VM

05:59

I will just reduce the memory to

06:04

1GB and CPU would be 1.

06:08

so that I can show you what is the

06:10

limitation of the the system once it is

06:14

once it has a reduced capability

06:18

all right now you can see in the edge

06:20

top I have around four fifty percent of

06:23

memory already used

06:25

and

06:26

point seven percent off or 1.3 percent

06:28

of the CPU now my denote weighs up

06:32

and I'm going to start around 100 us now

06:37

and let's see only 10 would be able to

06:39

connect but let's see what would be the

06:41

impact so if you see here

06:44

it has increased a shot up to around 80

06:46

percent

06:47

but then suddenly the case because none

06:49

of these UE were able to connect

06:54

I can form a loop where I can ask it to

06:58

keep on connecting again and again

07:01

and then it will try to

07:05

break

07:06

so let me just create a loop here so

07:09

I'll go to mice

07:12

one more session here

07:14

to config and I will create a

07:18

club.sh

07:20

and

07:22

this is a shell script so I'll just type

07:25

bed and Bash

07:27

for I in

07:30

1 10 so it will run for 10 times

07:33

do

07:36

and I will run

07:39

what was my command here

07:41

just run the same command

07:52

and what I will do I will just

07:56

give it the executable access clear the

08:00

screen and

08:01

let's break my VM

08:05

so you can see here

08:08

it's shot up to 94 percent again

08:11

reduced to 1.4 percent this can create a

08:16

signal storm here

08:18

see

08:20

my e node B actually died up

08:24

and

08:28

there's a lot of failure

08:30

and let us check what is the status of

08:44

okay AMF is running but

08:50

the gene would be dried up

08:55

okay it's going on

09:03

okay

09:04

so as you can see my U is still able to

09:07

connect because the resources are not

09:09

tied up again so just close this

09:13

enter the script again

09:23

so my UE is connected

09:26

and I'm going to spin up around 400 UVs

09:30

let's see what happens

09:32

okay 40 percent and then

09:39

it has shot up to 100 CPU usage

09:43

and all right I have by G note B again

09:46

died

09:47

and my UV got disconnected

09:53

so as you can see this is kind of a DDOS

09:56

attack where

09:59

the issue is that my G note B is in the

10:01

C same VM

10:03

so rather than taking out the AMF

10:06

it's just breaking down the

10:10

gene or B

10:11

but in the same way

10:13

this can be used to disrupt AMF or UPF

10:20

or pfcp depending upon what type of

10:24

system it is targeting so

10:27

keep in mind whenever you are developing

10:29

a

10:31

Network

10:32

which is exposed to such such sort of

10:35

reduce attack you need to have Adidas

10:38

mitigation capabilities in place as well

10:41

I hope this was relevant to what

10:45

you guys were looking for and in case

10:47

you enjoyed this video give it a thumbs

10:49

up and I will see you in the next one