Some considerations about IMSI Detach DoS Attack

Gloria Mazzi mazzi.teodolinda.gloria at gmail.com
Fri Jul 22 17:52:47 UTC 2011


Hi Aleph,


>> - what could happen if I clone one SIM (Ki, IMSI) and use it to
>> register two phones on the same network, but on different BTS/LAC? Which
>> one will be rejected first? Or both?
>>
>
> Both will go to a blacklist that will block new GSM Attach in the same HLR
> from the carrier, unless you use OpenBSC! :-)
>
>
>> - if I send an IMSI detach with one of them... will the other (that
>> is physically in another BTS/LAC) be disconnected too?
>>
>>
> ...if the detach is initiated by the HLR: yes. If by the other side: no.
>
>
>> - what could happen if I connect a C123 with ./mobile to the network
>> using another SIM and then try to forge an IMSI_DET_IND with the victim's
>> IMSI/TMSI and send it to the network where the victim is connected (that could
>> mean the same network, but a different BTS/LAC)? Will this DoS still be
>> accomplished?
>>
>>
> there are protections in the HLR/VLR of the GSM network.
>


Could you please suggest some ETSI specs where I can find more info
about the HLR/VLR security policies that prevent DoS?


>
>> What exactly I would like to know is whether someone has already made some
>> experiments on it (obviously on private networks, with a legal experimental
>> license) and possibly whether there are any interesting results.
>>
>>
> I personally know the existing protections, but I never did experiments or
> dared to do this kind of experiment in my country for legal reasons, but it's
> the kind of thing I'd like to do within legal parameters. My experiments were
> only in experimental networks in a Faraday cage.
>

It would be really interesting to analyze its behaviour on real networks;
unfortunately, as you stated, it is quite illegal without prior
authorization from the provider of a public GSM network.

Unfortunately I own only a USRP, and OpenBTS doesn't have full support for
a pseudo HLR/VLR, so I cannot investigate it further.

Which results did you reach with OpenBSC? Have you tried forging some
IMSI_DET_IND messages to DoS other MSs camped on the same BTS?

At the current state of the art, as far as I can see, this attack is more
theoretical than practical (I'm talking about real-network applications). Or am I wrong?


Thank you for your attention.

Cheers

Gloria
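The IMSI_DET_IND message the thread keeps referring to is the Mobility Management IMSI DETACH INDICATION of GSM 04.08 (3GPP TS 24.008 today). As an added example, not part of this thread and not code from OsmocomBB, OpenBSC or OpenBTS, the following Python encoder/decoder lays out exactly what that PDU carries: a protocol discriminator, a message type, one octet of Mobile Station Classmark 1 and the Mobile Identity (IMSI or TMSI). The IMSI `262010123456789`, the TMSI `0x12345678` and the classmark value `0x33` are constructed sample values; the field layout follows the spec.

```python
"""
Encode and decode a GSM 04.08 Mobility Management IMSI DETACH INDICATION.

Layout (TS 04.08 / 24.008 section 9.2.12; the message is MS -> network only):
  octet 1  : protocol discriminator 0x05 (MM), skip indicator 0
  octet 2  : message type 0x01; bit 7 may carry N(SD) on the uplink
  octet 3  : Mobile Station Classmark 1 (one octet, V format)
  octets 4+: Mobile Identity in LV format (length, then identity octets,
             encoded per section 10.5.1.4)
This is an added illustration, not code from OsmocomBB/OpenBSC/OpenBTS.
"""

PD_MM = 0x05
MT_IMSI_DETACH_IND = 0x01

# Mobile Identity "type of identity" values (TS 04.08, 10.5.1.4)
ID_TYPE_IMSI = 0b001
ID_TYPE_TMSI = 0b100


def encode_mobile_identity_imsi(imsi: str) -> bytes:
    """Pack a decimal IMSI into Mobile Identity octets (no length prefix).

    Digit 1 sits in the high nibble of the first octet together with the
    odd/even flag (bit 4) and the type of identity (bits 1-3). The remaining
    digits are BCD-packed two per octet, low nibble first; an even digit
    count is padded with a 0xF filler in the last high nibble.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 decimal digits")
    digits = [int(d) for d in imsi]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | ID_TYPE_IMSI])
    rest = digits[1:]
    if not odd:
        rest.append(0xF)  # filler nibble for an even number of digits
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def encode_mobile_identity_tmsi(tmsi: int) -> bytes:
    """Pack a 32-bit TMSI: first octet 0xF4 (filler, even, type TMSI)."""
    if not 0 <= tmsi <= 0xFFFFFFFF:
        raise ValueError("TMSI must fit in 32 bits")
    return bytes([0xF0 | ID_TYPE_TMSI]) + tmsi.to_bytes(4, "big")


def decode_mobile_identity(mi: bytes):
    """Return (type_name, value) from Mobile Identity octets (no length prefix)."""
    if not mi:
        raise ValueError("empty Mobile Identity")
    id_type = mi[0] & 0x07
    odd = (mi[0] >> 3) & 0x01
    if id_type == ID_TYPE_TMSI:
        if len(mi) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return "TMSI", int.from_bytes(mi[1:], "big")
    if id_type == ID_TYPE_IMSI:
        digits = [mi[0] >> 4]
        for b in mi[1:]:
            digits.append(b & 0x0F)
            digits.append(b >> 4)
        if not odd:
            if digits[-1] != 0xF:
                raise ValueError("even-length IMSI missing 0xF filler")
            digits.pop()
        if any(d > 9 for d in digits):
            raise ValueError("non-decimal digit in IMSI")
        return "IMSI", "".join(str(d) for d in digits)
    raise ValueError(f"unsupported type of identity {id_type}")


def encode_imsi_detach_ind(classmark1: int, mobile_identity: bytes) -> bytes:
    """Build the complete MM PDU: PD, message type, classmark 1, LV identity."""
    if not 0 <= classmark1 <= 0xFF:
        raise ValueError("classmark1 is a single octet")
    return bytes([PD_MM, MT_IMSI_DETACH_IND, classmark1,
                  len(mobile_identity)]) + mobile_identity


def decode_imsi_detach_ind(pdu: bytes) -> dict:
    """Parse the PDU and expose the only fields the network ever receives."""
    if len(pdu) < 4:
        raise ValueError("PDU too short")
    if pdu[0] & 0x0F != PD_MM:
        raise ValueError("not a Mobility Management message")
    if pdu[1] & 0x3F != MT_IMSI_DETACH_IND:  # bits 7-8 may hold N(SD)/spare
        raise ValueError("not an IMSI DETACH INDICATION")
    classmark1 = pdu[2]
    mi_len = pdu[3]
    mi = pdu[4:4 + mi_len]
    if len(mi) != mi_len:
        raise ValueError("truncated Mobile Identity")
    id_type, ident = decode_mobile_identity(mi)
    return {
        "classmark1": classmark1,
        "revision_level": (classmark1 >> 5) & 0x03,   # bits 7-6
        "a5_1_supported": ((classmark1 >> 3) & 0x01) == 0,  # bit 4: 0 = A5/1 available
        "rf_power_class": classmark1 & 0x07,          # bits 3-1
        "identity_type": id_type,
        "identity": ident,
    }


if __name__ == "__main__":
    # Constructed sample values, not real subscriber identities.
    pdu = encode_imsi_detach_ind(0x33, encode_mobile_identity_imsi("262010123456789"))
    print(pdu.hex(), decode_imsi_detach_ind(pdu))
    pdu = encode_imsi_detach_ind(0x33, encode_mobile_identity_tmsi(0x12345678))
    print(pdu.hex(), decode_imsi_detach_ind(pdu))
```

Decoding a captured PDU with this code makes the point behind the thread's question concrete: beyond the classmark and the identity there is no field in the message derived from the subscriber's Ki, so any check against a forged detach has to come from the network side (ciphering state, VLR context, HLR policy) rather than from the message itself.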