在5G核心網路控制平面上的阻斷服務攻擊之可行性及基於P4的緩解措施

Abstract

隨著5G行動網路技術不斷演進，對於網路進行的各種類型攻擊的保護變得越來越重要。在這篇論文中，我們探討了5G系統中註冊程序的漏洞，並利用這些漏洞，提出了兩種新型的阻斷服務（DoS）攻擊。我們在自行搭建的5G測試環境上實作並證明了我們提出的攻擊的有效性。此外，為了對抗這些DoS威脅，我們提出了一種使用P4可程式化交換機的新型防禦機制。這種緩解技術利用來自NGAP/NAS標頭的訊息來實現一種in-network的演算法，該演算法可以辨識封包是否為惡意的，並即時的阻擋和關閉與核網的連線。我們的實驗結果顯示，該方法在確保了正常用戶連接性的同時，能有效地保護核心網絡免受特定類型的DoS攻擊。

As 5G network technology continues to evolve and spread across the globe, securing these networks against various types of attacks becomes increasingly important. In this study, we explore the vulnerabilities in the registration procedure of the 5G system and propose two novel Denial of Service (DoS) attacks, specifically designed to exploit these vulnerabilities. We demonstrate the effectiveness of our proposed attacks on a self-build 5G testbed. To counter these DoS threats, we propose a novel defense mechanism using P4 programmable switches. This mitigation technique leverages the information from the NGAP/NAS headers to implement an in-network algorithm that identifies whether a signal packet is malicious, and can immediately block and close the connection with the core network. Our experimental results show that the proposed approach ensures normal user connectivity and effectively protects the core network against specific types of DoS attacks.