diff --git a/docs/attacks/cqi_manipulation.rst b/docs/attacks/cqi_manipulation.rst new file mode 100644 index 00000000..46ef8209 --- /dev/null +++ b/docs/attacks/cqi_manipulation.rst 
@@ -0,0 +1,47 @@ +CQI Manipulation attack +===================================================== + +Implementation (UE Side): +-------------------------- +- **Override CQI**: Implement code to consistently send high CQI values. + +- **Monitoring Impact**: + - **Measure Throughput**: Track throughput and bandwidth allocated to the UE. + - **Assess Network Impact**: Evaluate the effects on other users and overall network performance. + +Mitigation Components in srsRAN gNB under Test: +------------------------------------------------ +1. **Proportional Fair Scheduling (PFS)**: + - **Balance Allocation**: Distributes resources considering both channel quality and historical throughput. + - **Limit Impact**: Adjusts allocation based on actual performance to mitigate exaggerated CQI effects. + +2. **CQI Reporting and Filtering**: + - **Thresholds**: Applies thresholds to filter out unrealistic CQI values. + - **Configuration**: Configurable to detect and handle abnormal CQI reports. + +3. **Quality of Service (QoS) Management**: + - **Prioritization**: Enforces QoS policies to ensure service needs are met, mitigating bandwidth hogging. + - **Resource Allocation**: Allocates resources based on QoS requirements. + +4. **Resource Allocation Limits**: + - **Maximum Limits**: Configures resource limits to prevent excessive bandwidth use by any single UE. + - **Rate Limiting**: Implements rate limiting to ensure fair resource distribution. + +Metrics to Assess the Attack: +------------------------------ +1. **Bandwidth Utilization**: + - **Throughput Measurement**: Quantify throughput allocated to the modified UE. + - **Bandwidth Consumption**: Track the percentage of total network bandwidth used by the UE. + +2. **Network Performance**: + - **Impact on Other Users**: Monitor changes in service quality (e.g., throughput, latency) for other UEs. + - **Error Rates**: Observe increases in error rates or retransmissions due to congestion. + +3. 
**Network Load**: + - **Resource Allocation Metrics**: Measure resource usage by the attacking UE compared to others. + - **System Performance**: Assess the impact on network CPU and memory usage due to increased load. + +Notes +----- +- **Development Branch**: `cqi_attack_development `_ + diff --git a/docs/attacks/gnb_impersonation_attack.rst b/docs/attacks/gnb_impersonation_attack.rst new file mode 100644 index 00000000..6eed2d06 --- /dev/null +++ b/docs/attacks/gnb_impersonation_attack.rst @@ -0,0 +1,20 @@ +gNB Impersonation Attack +========================================================== + +Implementation (gNB): +--------------------- + +- Broadcast preambles over a wide spectrum. +- Detect UEs attempting to connect. +- Establish a connection with the UE. +- Store all UP and CP messages. + +Mitigation (UE and gNB): +--------------------------- +- Implement unique identifiers for both gNB and UE. + +Attack Metrics: +---------------- +- Collection of sensitive UE data. +- IMSI capture. +- Disruption of normal connections. diff --git a/docs/attacks/imsi_capture.rst b/docs/attacks/imsi_capture.rst new file mode 100644 index 00000000..aa435e48 --- /dev/null +++ b/docs/attacks/imsi_capture.rst @@ -0,0 +1,20 @@ +IMSI Catching Attack +========================================================== + +Implementation (gNB): +-------------------------- +Create a dummy gNB: + +- configure the gNB to have a higher signal strength than the other +- configure the dummy gNB to send IMSI and other sensitive data to a server + +Mitigation: +------------ +- Verify gNB identity +- Use encryption + +Attack Metrics: +---------------- +- captured IMSIs +- disconnected UEs +- disrupted network function diff --git a/docs/attacks/preamble_collision.rst b/docs/attacks/preamble_collision.rst new file mode 100644 index 00000000..957c9de8 --- /dev/null +++ b/docs/attacks/preamble_collision.rst 
@@ -0,0 +1,34 @@ +Preamble Collision attack +========================================================== + +Introduction: +-------------- +A Preamble Collision Attack targets the Random Access Procedure in LTE and 5G networks by deliberately causing preamble collisions during the Random Access Channel (RACH) process. In standard network operations, UEs (User Equipment) select a random preamble from a set of available options to initiate a connection with the base station. However, in a Preamble Collision Attack, an adversary repeatedly sends the same preamble as legitimate UEs, causing multiple devices to use the same preamble simultaneously. This leads to collisions, resulting in failed or delayed connection attempts, as the base station cannot differentiate between the colliding UEs. Such an attack can degrade network performance, particularly in high-load scenarios, and can be used to disrupt the normal operation of UEs within the coverage area. + +**Summary:** + +- Capture the preamble message of another UE. +- Send the captured preamble repeatedly to confuse the network. +- Repeat the process for every new UE connecting to the RAN. + +Implementation: +--------------------- + +- Simulate multiple UEs in srsRAN to perform a Preamble Collision Attack. +- Modify the ue.conf file in srsUE to set a specific preamble index instead of selecting one randomly. +- Deploy multiple instances of srsUE, ensuring all transmit the same preamble simultaneously. +- Run srsGNB to act as the base station and monitor the RACH procedure. +- Observe the RACH request logs to monitor preamble collisions. +- Analyze the collision rate to assess the attackā€™s impact on the network's ability to handle connection requests. + +This test helps us understand the network's vulnerability to preamble collisions and assess potential countermeasures, such as dynamic preamble allocation or collision resolution strategies. 
+ +Mitigation (gNB): +------------------ +- Once a UE sends the preamble attach, invalidate that preamble as long as the UE remains connected. + +Attack Metrics: +---------------- +- Disconnected UEs +- Lowering of channel quality +- gNB crash / malfunction diff --git a/docs/attacks/rach_jamming.rst b/docs/attacks/rach_jamming.rst new file mode 100644 index 00000000..1fb143b8 --- /dev/null +++ b/docs/attacks/rach_jamming.rst @@ -0,0 +1,14 @@ +RACH Jamming Attack +========================================================== + +Implementation (UE): +-------------------------- + +- Transmit a higher volume of RACH messages +- Configure UE to transmit at a higher gain + +Attack Metrics: +---------------- +- Inability of UEs to connect +- Low channel quality +- gNB overload /crash diff --git a/docs/attacks/rach_replay.rst b/docs/attacks/rach_replay.rst new file mode 100644 index 00000000..0f1d588d --- /dev/null +++ b/docs/attacks/rach_replay.rst @@ -0,0 +1,18 @@ +RACH Replay Attack +========================================================== + +Implementation (UE): +-------------------------- + +- Capture the RACH requests of other UEs +- Replay these requests later to confuse the RAN + +Mitigation (UE and gNB): +-------------------------- +- add identifiers to RACH requests like timestamps or identifiers + +Attack Metrics: +---------------- +- Disconnected UEs +- Channel quality reduction +- gNB crash / malfunction diff --git a/docs/attacks/rach_signal_flooding.rst b/docs/attacks/rach_signal_flooding.rst new file mode 100644 index 00000000..2192c3cd --- /dev/null +++ b/docs/attacks/rach_signal_flooding.rst 
@@ -0,0 +1,20 @@ +RACH Signal Flooding attack +========================================================== + +Implementation (T-UE): +-------------------------- +Initiate flooding on the UE side by: + +- overriding srsRAN Random Access Channel Request function to send a large number or concurrent requests +- develop an environment with multiple UEs over UHD, where the results of the experiment can be seen in real time +- create an attack option in the GUI + +Mitigation (gNB): +-------------------------- +- Blacklisting UEs with excessive RACH requests + +Attack Metrics: +---------------- +- Possible throughput reduction of clean UEs on the network +- Disconnect of clean UEs +- gNB crash diff --git a/docs/attacks/rohc_poisoning_attack.rst b/docs/attacks/rohc_poisoning_attack.rst new file mode 100644 index 00000000..b3a18812 --- /dev/null +++ b/docs/attacks/rohc_poisoning_attack.rst @@ -0,0 +1,21 @@ +RoHC Poisoning Attack +========================================================== + +Implementation (UE): +--------------------- +- Generate messages with constantly changing and lengthy packet headers. +- Create high entropy in packet metadata. +- Send a high volume of corrupted packets to the RAN. + + +Mitigation (UE and gNB): +--------------------------- +- Improve the RoHC algorithm or implement anomaly detection. + + +Attack Metrics: +---------------- +- Disconnected UEs +- Reduced channel quality +- gNB crash/malfunction +- Increased packet latency diff --git a/docs/conf.py b/docs/conf.py index a3cc3f4e..9dfab02a 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -26,4 +26,14 @@ ] html_theme = 'sphinx_rtd_theme' -html_theme_path = [sphinx_rtd_theme.get_html_theme_path()] \ No newline at end of file +html_theme_path = [sphinx_rtd_theme.get_html_theme_path()] +html_theme_options = { + "display_version": False, + "show_sourcelink": False, + "collapse_navigation" : False, + "sticky_navigation": False, +} + +html_show_sphinx = False +html_show_sourcelink = False +html_favicon = 'images/favicon.png' diff --git a/docs/images/favicon.png b/docs/images/favicon.png new file mode 100644 index 00000000..3e098815 Binary files /dev/null and b/docs/images/favicon.png differ diff --git a/docs/index.rst b/docs/index.rst index accf01d0..bc5b73fa 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -6,15 +6,19 @@ Soft-Tester UE documentation ============================ -Add your content using ``reStructuredText`` syntax. See the -`reStructuredText `_ -documentation for details. +This documentation is a part of our project, `Soft-Tester UE `_. +This project aims to develop a **software-defined tester UE for 5G and open RANs, focusing on security testing**. The soft T-UE will be compatible with commercial off-the-shelf software radio hardware, supporting both standardized and custom test. .. toctree:: - :maxdepth: 2 - :caption: Contents: + :maxdepth: 1 + :caption: Attacks implemented - cqi_manipulation - gnb_impersonation_attack - imsi_capture \ No newline at end of file + attacks/cqi_manipulation.rst + attacks/gnb_impersonation_attack.rst + attacks/imsi_capture.rst + attacks/preamble_collision.rst + attacks/rach_jamming.rst + attacks/rach_replay.rst + attacks/rach_signal_flooding.rst + attacks/rohc_poisoning_attack.rst \ No newline at end of file
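Review bot: in docs/attacks/cqi_manipulation.rst, the Notes link `cqi_attack_development `_ has no URL between the name and the closing backtick, so docutils reads it as a reference to a named target that does not exist and the build will report "Unknown target name"; write it as `cqi_attack_development <URL>`_ (with the real branch URL) or drop the link markup. The section titles "Implementation (UE Side):", "Mitigation Components in srsRAN gNB under Test:" and "Metrics to Assess the Attack:" end with a colon while "Notes" does not; pick one convention for all pages in the attacks directory.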
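Review bot: in docs/attacks/gnb_impersonation_attack.rst, the first Implementation step "Broadcast preambles over a wide spectrum" uses the wrong term: preambles are what a UE transmits on the RACH, whereas a gNB advertises itself by broadcasting synchronisation signals and system information (SSB/SIB). Reword the step so the terminology matches the RACH pages in the same directory. The mitigation "Implement unique identifiers for both gNB and UE" is also too vague to test; a bare identifier can be copied by the impersonating cell, so the page should say what authenticates it.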
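Review bot: in docs/attacks/imsi_capture.rst, the bullet "configure the gNB to have a higher signal strength than the other" is cut off ("the other" what? presumably the legitimate gNB) and the mitigation bullets "Verify gNB identity" and "Use encryption" name no mechanism. Since the page is under 5G, it should state that the standard already conceals the permanent identifier (SUCI, 3GPP TS 33.501), so the "captured IMSIs" metric needs to say whether the test UE or network is configured without that protection. Bullet capitalisation (lowercase here, capitalised in the sibling files) is also inconsistent.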
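Review bot: in docs/attacks/preamble_collision.rst, the last Implementation bullet contains mojibake ("attackā€™s", a UTF-8 curly apostrophe decoded as cp1252); replace it with a plain ASCII apostrophe. The Summary and the Implementation also describe two different tests: the Summary captures and replays another UE's preamble, while the Implementation fixes a preamble index in ue.conf for several srsUE instances. State which one is implemented, or document both. In "Mitigation (gNB)", "Once a UE sends the preamble attach" is unclear; presumably "once a UE has sent its preamble during attach".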
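Review bot: docs/attacks/rach_jamming.rst has no Mitigation section, unlike every other attack page in this change; add one (even a one-line "none evaluated yet") so the pages stay consistent and the gap is recorded. Minor: "gNB overload /crash" has a stray space before the slash.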
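Review bot: in docs/attacks/rach_replay.rst, the mitigation "add identifiers to RACH requests like timestamps or identifiers" is circular (identifiers ... like ... identifiers); reword it as, for example, "add freshness to RACH requests (timestamps or nonces)". Msg1 is a bare preamble sequence with no payload, so any such field can only be carried from Msg3 onwards; the page should say at which step of the procedure the identifier would be added, otherwise the mitigation cannot be evaluated.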
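Review bot: in docs/attacks/rach_signal_flooding.rst, typo in the first bullet: "a large number or concurrent requests" should be "a large number of concurrent requests". The mitigation "Blacklisting UEs with excessive RACH requests" assumes the gNB can attribute preambles to a UE, but Msg1 carries no UE identity, so a flooder that never proceeds to Msg3 cannot be blacklisted by identity; name what the gNB would key on (preamble index, timing, RAR backoff indicator) so the mitigation is testable.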
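Review bot: in docs/attacks/rohc_poisoning_attack.rst, the Implementation bullets do not say what "corrupted packets" means for RoHC (malformed compressed headers, context churn, ...), and the mitigation "Improve the RoHC algorithm or implement anomaly detection" is not a testable statement; tie both to the PDCP RoHC component under test and to the listed metrics ("Increased packet latency" is measurable, "Improve the RoHC algorithm" is not). The double blank lines before "Mitigation" and "Attack Metrics" also differ from the single blank line used in the other pages.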
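Review bot: in docs/conf.py, "show_sourcelink" is not a sphinx_rtd_theme option (Sphinx warns "unsupported theme option" for unknown keys), and the Sphinx-level `html_show_sourcelink = False` added further down already does what was intended, so drop the entry from html_theme_options. "display_version" is deprecated in sphinx_rtd_theme 2.0 and later, so either pin the theme version or expect that warning as well. Minor: `"collapse_navigation" : False` has a space before the colon unlike the other keys.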
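Review bot: in docs/index.rst, the link `Soft-Tester UE `_ has no URL, so the build will fail with "Unknown target name"; write it as `Soft-Tester UE <URL>`_ with the project URL. "supporting both standardized and custom test" should read "tests". The toctree entries carry a .rst suffix; Sphinx strips it, but the convention (and the form the removed entries used) is the bare document name, e.g. attacks/cqi_manipulation.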