To simulate Signalling System No.7 (SS7) attack projects using OMNeT++ has includes generating a network design that replicates telecommunication signalling across the SS7 protocol and executing various types of attacks that discover susceptibilities in the SS7 signalling system. SS7 is mainly utilized in telecommunication networks to interchange information among network elements, and its weaknesses have been a target for attacks such as location tracking, call interception, SMS hijacking, and denial of service (DoS). For further details drop us a message we grant you best results with all your project needs. Get your comparative analysis one by our team perfectly tailored to your needs.
Since OMNeT++ and INET framework are not intended particularly for telecommunication signalling protocols such as SS7, we can execute and replicate SS7 attacks by designing SS7 signalling over IP-based networks that is known as SIGTRAN (SS7 over IP). We will need to generate custom modules for SS7 components, replicate different attack environment, and measure the effects.
Here’s a detailed guide on how to simulate SS7 attack projects using OMNeT++:
Steps to Simulate SS7 Attack Projects in OMNeT++
- Set up OMNeT++ and INET Framework
- Install OMNeT++: Download and install OMNeT++.
- Install INET Framework: INET deliver support for simple networking protocols such as TCP/IP that can be prolonged to replicate SS7 over IP (SIGTRAN). Download it from the INET GitHub page or use OMNeT++’s package manager.
- Understand SS7 and SIGTRAN
- SS7 is a set of telephony signalling protocols utilized to interchange information over telecom networks. It’s utilized for call setup, routing, billing, SMS, and more.
- SIGTRAN: SS7 protocols can be sum up over IP networks using SIGTRAN, creating it easier to replicate SS7 in OMNeT++ by building on traditional TCP/IP models.
Key SS7 Protocols:
- MAP (Mobile Application Part): Utilized for SMS routing, location services, and subscriber management.
- SCCP (Signaling Connection Control Part): deliver transport of signalling messages in an SS7 network.
- MTP (Message Transfer Part): Levers routing and network management for SS7 messages.
SS7 Attacks:
- Location Tracking: Following the location of subscribers using MAP.
- Call/SMS Interception: Intercepting calls or SMS messages by exploiting susceptibilities in signalling.
- DoS Attacks: Overloading SS7 components to trigger a denial of service.
- Define a Network Topology (NED File) for SS7 Simulation
Generate a network topology that replicates telecom components such as Home Location Register (HLR), Visitor Location Register (VLR), Mobile Switching Center (MSC), Short Message Service Center (SMSC), and attacker nodes. These elements interact using SS7 protocols over IP networks.
Example NED File for SS7 Attack Simulation:
network SS7AttackNetwork
{
submodules:
hlr: StandardHost {
@display(“i=device/server”);
}
vlr: StandardHost {
@display(“i=device/server”);
}
msc: StandardHost {
@display(“i=device/server”);
}
smsCenter: StandardHost {
@display(“i=device/server”);
}
attacker: StandardHost {
@display(“i=device/pc”);
}
router: Router {
@display(“i=abstract/router”);
}
connections:
hlr.pppg++ <–> PointToPointLink <–> router.pppg++;
vlr.pppg++ <–> PointToPointLink <–> router.pppg++;
msc.pppg++ <–> PointToPointLink <–> router.pppg++;
smsCenter.pppg++ <–> PointToPointLink <–> router.pppg++;
attacker.pppg++ <–> PointToPointLink <–> router.pppg++;
}
In this topology:
- hlr (Home Location Register) and vlr (Visitor Location Register) denote telecom components that contain to handle subscriber data.
- msc (Mobile Switching Center) handle voice call setup and routing.
- smsCenter handles SMS routing.
- attacker is connected to the network and tries to perform numerous SS7-based attacks.
- router replicate the core network associating all nodes.
- Implement SS7 Protocols in C++
While OMNeT++ and INET don’t natively support SS7, we want to execute key SS7 components such as MAP, SCCP, and MTP in C++. These components will manage to sending and receiving SS7 messages among the telecom nodes (such as HLR, VLR, MSC, and SMSC).
Example C++ Class for SS7 Protocol Simulation:
class SS7Component : public cSimpleModule
{
protected:
virtual void initialize() override;
virtual void handleMessage(cMessage *msg) override;
void processSS7Message(cPacket *pkt);
void simulateMAPRequest(const std::string& type);
void simulateSCCPMessage(const std::string& content);
};
void SS7Component::initialize()
{
// Initialization of SS7 components (MAP, SCCP, MTP)
}
void SS7Component::handleMessage(cMessage *msg)
{
cPacket *pkt = check_and_cast<cPacket*>(msg);
processSS7Message(pkt);
}
void SS7Component::processSS7Message(cPacket *pkt)
{
// Process SS7 signaling messages (e.g., MAP request, SCCP message)
EV << “SS7 message received: ” << pkt->getName() << endl;
}
void SS7Component::simulateMAPRequest(const std::string& type)
{
// Simulate MAP request for location tracking or SMS routing
EV << “Simulating MAP request for ” << type << endl;
}
void SS7Component::simulateSCCPMessage(const std::string& content)
{
// Simulate SCCP message transmission
EV << “Simulating SCCP message with content: ” << content << endl;
}
- Configure SS7 Traffic and Attacks in omnetpp.ini
We will need to set up the traffic generation among SS7 components and the attack behaviour of the attacker node in the omnetpp.ini file.
Example Configuration for Location Tracking Attack:
network = SS7AttackNetwork
sim-time-limit = 200s
# Configure HLR, VLR, MSC, and SMSC nodes to handle SS7 traffic
*.hlr.numSS7Apps = 1
*.hlr.ss7App[0].typename = “SS7Component”
*.hlr.ss7App[0].role = “HLR”
*.vlr.numSS7Apps = 1
*.vlr.ss7App[0].typename = “SS7Component”
*.vlr.ss7App[0].role = “VLR”
*.msc.numSS7Apps = 1
*.msc.ss7App[0].typename = “SS7Component”
*.msc.ss7App[0].role = “MSC”
*.smsCenter.numSS7Apps = 1
*.smsCenter.ss7App[0].typename = “SS7Component”
*.smsCenter.ss7App[0].role = “SMSC”
# Attacker configuration to send malicious MAP requests
*.attacker.numSS7Apps = 1
*.attacker.ss7App[0].typename = “SS7Component”
*.attacker.ss7App[0].role = “Attacker”
*.attacker.ss7App[0].attackType = “LocationTracking” # Attacker performs a location tracking attack
In this configuration:
- The attacker transmits fake MAP requests to monitor the location of subscribers by querying the HLR and VLR.
- Other telecom components (HLR, VLR, MSC, and SMSC) manage SS7 traffic and respond to MAP requests.
- Simulate Attacks
Here are common SS7 attack types that can simulate in OMNeT++:
Location Tracking Attack
The attacker transmits a malicious MAP request to the HLR or VLR to acquire the location of a subscriber.
- Attack Description: The attacker transmit a MAP SendRoutingInfo or ProvideSubscriberInfo request to the HLR or VLR that responds with the current location of the subscriber.
- Simulation: enforce the attack in the attacker module by transmit forged MAP requests to the HLR and logging the responses.
Call Interception
The attacker interrupts a voice call by manipulating the MAP and SCCP messages utilized for call setup.
- Attack Description: The attacker transmits a MAP UpdateLocation message to the HLR, makes believe to be a legitimate MSC, and redirects the call to a rogue MSC.
- Simulation: Execute the attack by falsifying MAP requests to update the subscriber’s location in the HLR.
SMS Interception
The attacker intercepts SMS messages by developing susceptibilities in the MAP protocol utilized for SMS routing.
- Attack Description: The attacker transmits a MAP ForwardSM request to the SMSC, pretending to be the designed recipient, and intercepts the SMS.
- Simulation: Replicate this by sending forged MAP ForwardSM messages to the SMSC.
Denial of Service (DoS)
The attacker floods the SS7 works (like HLR, VLR, MSC) with a large number of requests, triggering a denial of service.
- Attack Description: The attacker transmit excessive MAP requests, like SendRoutingInfo, to overwhelm SS7 components.
- Simulation: Execute the attack by creating a high volume of requests from the attacker node to replicate the load on SS7 components.
- Run the Simulation
Once the SS7 attack environment are configured, execute the simulation using OMNeT++:
- Qtenv or Tkenv: Utilize OMNeT++’s graphical environment to envision the network topology, monitor traffic, and monitor how SS7 messages are processed and attacked.
- Logging: Log the SS7 messages sent and received by each node, and monitor how threats such as location tracking or SMS interception are achieved.
- Analyse the Results
After the simulation, evaluate the effect of the SS7 attacks:
- Impact on Subscriber Privacy: For location monitoring attacks, validate how usual the attacker successfully recovers the subscriber’s location.
- Interception Success Rate: For call or SMS interception, measure on how usual the attacker successfully redirects or interrupts the communication.
- Network Performance: Evaluate the load on SS7 components in the period DoS attacks, and measure how efficiently the network manages high traffic volumes.
- Extend the Project
Here are a few ways to expand the SS7 attack simulation:
- Simulate More SS7 Protocols: Prolong the simulation to contain more SS7 protocols such as TCAP (Transaction Capabilities Application Part) or ISUP (ISDN User Part).
- Advanced Attack Techniques: Execute more sophisticated SS7 attacks, like IMSI Catching or Subscriber Fraud.
- Countermeasures: Implement security mechanisms such as firewalls, rate limiting, or SS7 filtering to secure against these attacks.
- Large-Scale Network: Replicate a larger telecom network with multiple HLRs, VLRs, MSCs, and attackers to evaluate the effects of distributed SS7 attacks.
Example Project Structure:
SS7AttackSimulation/
├── src/
│ └── SS7AttackNetwork.ned # Network topology for SS7 simulation
│ └── SS7Component.cc # Custom SS7 protocol implementation
├── omnetpp.ini # Simulation configuration
└── Makefile # Build files for compilation
From the demonstration, we completely delivered the fundamental approach that supported by example coding for Signalling System No.7 attack was simulated and evaluated using OMNeT++. Further specific details will be added later.
