To simulate Signalling System 7 (SS7) attacks in NS2 can be difficult task because NS2 mainly concentrate on network and transport layer protocols such as TCP, UDP, and numerous routing protocols. SS7, instead of, this is a protocol utilized in the telecommunications network, especially in the control plane of traditional Public Switched Telephone Network (PSTN) and mobile networks such as GSM, 3G, and LTE. It enables signalling among network components for call setup, routing, billing, SMS, and many other services.
Though, we need to replicate SS7-like attack scenarios in NS2 by concentrates on specific behaviours, such as network signalling attacks, SMS-based attacks, and session hijacking. We would replicate traffic interception, denial of service, or spoofing scenarios.
Here’s a high-level approach to simulate an SS7 attack scenario in NS2:
Steps to Simulate SS7-like Attacks in NS2
While NS2 does not directly support SS7, we will replicate the network behaviours which resemble SS7 signalling and attacks by using message-passing mechanisms that can implement signalling communication.
- Set up NS2 Environment
Make sure that NS2 is installed and functioning correctly. We need to validate this by typing:
ns
This should begin the NS2 shell if the installation is correct.
- Focus Areas for Simulating SS7 Attacks
Here are a few attack environments that can simulate:
- Location Tracking Attack: An adversary interrupts SS7 messages to control the location of a user.
- SMS Interception: An attacker intercepts or redirects SMS messages.
- Call Interception or Redirection: An attacker hijacks or redirects phone calls by deploying signaling traffic.
- Denial of Service (DoS) Attack: Flood the SS7 network with signaling messages to overload it.
- Simulate Signaling Traffic Using TCP/UDP in NS2
We can mimic signaling messages using UDP or TCP among the nodes to implement SS7 signalling communication.
Example: Simulating an SS7 Location Tracking Attack
# Create a simulator object
set ns [new Simulator]
# Create trace and NAM output files
set tracefile [open out.tr w]
set namfile [open out.nam w]
$ns trace-all $tracefile
$ns namtrace-all $namfile
# Create network nodes (n0 and n1 are mobile network elements, n2 is the attacker)
set n0 [$ns node] ;# Home Location Register (HLR)
set n1 [$ns node] ;# Mobile Switching Center (MSC)
set attacker [$ns node] ;# Attacker intercepting signaling traffic
# Create duplex links between the nodes
$ns duplex-link $n0 $n1 1Mb 10ms DropTail
$ns duplex-link $n1 $attacker 1Mb 10ms DropTail
$ns duplex-link $n0 $attacker 1Mb 10ms DropTail
# Signaling traffic setup between n0 (HLR) and n1 (MSC)
# Simulate SS7 signaling using UDP between HLR and MSC
set udp_hlr [new Agent/UDP]
$ns attach-agent $n0 $udp_hlr
set udp_msc [new Agent/UDP]
$ns attach-agent $n1 $udp_msc
# Connect HLR to MSC
$ns connect $udp_hlr $udp_msc
# Create a CBR traffic generator to simulate signaling messages
set signaling [new Application/Traffic/CBR]
$signaling set packetSize_ 256 ;# Simulate small signaling messages
$signaling set interval_ 0.01 ;# Frequency of signaling messages
$signaling attach-agent $udp_hlr
# Simulate the attacker’s behavior to intercept signaling messages
# Attacker will listen to the traffic between HLR and MSC
proc attack {} {
global ns
puts “Attacker: Intercepting signaling traffic”
# Simulate attacker’s observation of signaling messages
$ns at 1.0 “puts \”[exec date]: Attacker observed signaling message from HLR to MSC\””
$ns at 1.5 “puts \”[exec date]: Attacker observed signaling message from MSC to HLR\””
}
# Start the attacker’s observation
$ns at 1.0 “attack”
# Schedule the signaling traffic
$ns at 0.5 “$signaling start”
$ns at 3.0 “$signaling stop”
$ns at 3.5 “finish”
# Define finish procedure
proc finish {} {
global ns tracefile namfile
$ns flush-trace
close $tracefile
close $namfile
exec nam out.nam &
exit 0
}
# Run the simulation
$ns run
- Explanation of the Script
- HLR (Home Location Register): Node n0 signify a signaling entity that holds user information.
- MSC (Mobile Switching Center): Node n1 is the network element handling call setup and routing.
- Attacker: Node attacker eavesdrops to the signaling messages being interchanged among n0 and n1 to replicate traffic interception.
- Signaling Traffic: UDP traffic is utilized to replicate SS7 signalling messages among the HLR and MSC, with an attacker monitoring the traffic.
- Running the Simulation
Save the script as ss7_attack_simulation.tcl and execute it using:
ns ss7_attack_simulation.tcl
This will create a trace file (out.tr) and a NAM file (out.nam) for network visualization.
- Visualizing the Simulation
To envision the network using NAM, run:
nam out.nam
In NAM, we will track the signaling traffic among nodes n0 and n1 and the attacker node observing the traffic.
- Simulating Additional SS7 Attacks
Here are some other SS7 attacks that could simulate:
- SMS Interception: we need to replicate SMS messages using UDP or TCP traffic and ideal the attacker intercepting or redirecting those messages.
For example, incorporate the following to signify SMS traffic:
# Create a second CBR to simulate SMS traffic
set sms [new Application/Traffic/CBR]
$sms set packetSize_ 128 ;# SMS message size
$sms set interval_ 0.02 ;# Interval between SMS messages
$sms attach-agent $udp_hlr
- Call Redirection Attack: Replicate call signaling messages and have the attacker reroute those messages to a diverse destination.
We can replicate a new traffic route among the attacker and the original destination, demonstrating a hijacked call.
- Denial of Service (DoS) Attack: Replicate a flood of signalling messages from the attacker node to overload the SS7 signaling network, disturbing legitimate services.
# Simulate a DoS attack by sending a flood of signaling messages
set dos [new Application/Traffic/CBR]
$dos set packetSize_ 512
$dos set interval_ 0.001 ;# High-frequency packets to flood the network
$dos attach-agent $udp_msc
# Start DoS attack
$ns at 1.0 “$dos start”
- Analysing the Trace File
The trace file (out.tr) encompasses detailed information about the packet transmissions, like source and destination nodes, packet sizes, and timings. We need to utilize grep or awk to measure on how many packets the attacker interrupted or the volume of signalling traffic.
For example, to see the packets interrupted by the attacker:
grep “attacker” out.tr
- Performance Evaluation
To measure the performance and effects of the SS7 attack:
- Interception Success Rate: Evaluate on how many signaling messages were interrupted by the attacker.
- Network Overload: Monitor on how much signalling traffic the network can manage before being overloaded in a DoS attack.
- Defense Mechanisms: Replicate defense mechanisms like encryption or rate-limiting to prevent the SS7 susceptibilities.
In this module, we deliver the information through the instruction regarding to the Signalling System 7 attack project that were simulated using ns2 tool. Additional details regarding the Signalling System 7 attack will also be provided.
We have a team of specialists ready to help you simulate SS7 Attack projects using the NS2 tool. Just send us your project details, and we’ll support you through the entire process. Plus, you can get some great project ideas from our experts!
