How to Implement SS7 Attack in NS2

 

To implement Signalling System No. 7 (SS7) in ns2 has several steps to follow and it is set of procedures that utilized in telecommunication networks for interchanging data among network elements. SS7 attacks are pertinent in telecom networks, and they heroic act vulnerabilities in the SS7 signalling network to intercept calls, messages, track locations, and more.

In ns2 is mainly concentrated on data networks and it doesn’t support directly for SS7 simulation by the way it is intended for internet protocols such as TCP, UDP, and IP. But, we can still mimic the contexts of an SS7 attack by approximating the behaviour of SS7 in NS2 and establish custom logic to denote on how a malicious entity might intercept or manipulate signalling traffic.

Here, the below is the brief structured procedure to implement the Signalling System No. 7 (SS7) in ns2:

Step-by-Step Implementation:

To simulate an SS7 attack in NS2, we need to:

  1. To mimic a network environment in which the signalling messages (representing SS7 signaling traffic) are interchanged among nodes.
  2. Establish a malicious node that intercepts or manipulates the signalling messages.
  3. To mimic the attack effects, like message interception, modification, or redirection.

Steps to Simulate SS7 Attack in NS2

  1. Simulating SS7 Signaling Messages

SS7 signalling messages can be denoted as application-layer traffic. We need to use a custom application to mimic the behaviour of SS7 signalling. For instance, we can treat SS7 messages as regular packets sent among the nodes (representing telecom switches or Mobile Switching Centers).

  1. Setting up the Network Topology

In the NS2 simulation, generate a network in which the nodes interacts using signalling messages. These nodes denote diverse network elements in a telecom network, like MSC (Mobile Switching Center), HLR (Home Location Register), or VLR (Visitor Location Register).

  1. Simulating SS7 Attack

A malicious node can perform actions such as:

  • Interception: The malicious node captures signalling messages among the legitimate nodes.
  • Modification: The malicious node changing the contents of the intercepted messages.
  • Redirection: The malicious node retransmits the signalling messages to another node.

Example TCL Script for Simulating SS7 Attack in NS2

In this instance, we mimic a simple SS7-like signalling network in which one malicious node intercepts and manipulates signalling messages among two legitimate nodes.

# Create a new simulator instance

set ns [new Simulator]

# Open trace and nam files

set tracefile [open “ss7_attack_trace.tr” w]

$ns trace-all $tracefile

set namfile [open “ss7_attack.nam” w]

$ns namtrace-all-wireless $namfile

# Define network topology

set msc [$ns node]  ;# MSC (Mobile Switching Center)

set hlr [$ns node]  ;# HLR (Home Location Register)

set attacker [$ns node]  ;# Malicious SS7 attacker node

# Create a UDP connection for signaling traffic between MSC and HLR

set udp_msc [new Agent/UDP]

set udp_hlr [new Agent/UDP]

$ns attach-agent $msc $udp_msc

$ns attach-agent $hlr $udp_hlr

$ns connect $udp_msc $udp_hlr

# Simulate an SS7 signaling application over UDP

proc simulate_signaling_traffic {src dst} {

global ns

# Create an application for SS7 signaling

set signaling [new Application/Traffic/CBR]

$signaling set packetSize_ 512  ;# Set the packet size to simulate SS7 message size

$signaling set rate_ 512Kb  ;# Simulate signaling rate

$signaling attach-agent $src

$ns at 1.0 “$signaling start”

$ns at 5.0 “$signaling stop”

}

# Function to simulate the SS7 attack (interception and modification)

proc ss7_attack {attacker src dst} {

global ns

# Simulate intercepting the signaling traffic

puts “Attacker node $attacker is intercepting traffic between $src and $dst.”

# Schedule packet interception

for {set time 1.0} {$time <= 5.0} {set time [expr $time + 1.0]} {

$ns at $time “$attacker intercept_packets $src $dst”

$ns at $time “$attacker modify_packets $src $dst”

}

}

# Start signaling traffic between MSC and HLR

$ns at 1.0 “simulate_signaling_traffic $msc $hlr”

# Schedule the SS7 attack (intercept and modify traffic)

$ns at 2.0 “ss7_attack $attacker $msc $hlr”

# Define finish procedure

proc finish {} {

global ns tracefile namfile

$ns flush-trace

close $tracefile

close $namfile

exec nam ss7_attack.nam &

exit 0

}

# End the simulation at 6.0 seconds

$ns at 6.0 “finish”

# Run the simulation

$ns run

Explanation of the TCL Script:

  1. Network Elements:
    • The nodes msc (Mobile Switching Center) and hlr (Home Location Register) denotes legitimate elements of an SS7-based telecom network. These nodes interchange SS7-like signalling messages using UDP.
  2. Simulating Signaling Traffic:
    • The simulate_signaling_traffic procedure mimics the signalling traffic among the msc and hlr. The signalling traffic is denoted by a CBR (Constant Bit Rate) application over UDP.
  3. Malicious Node (Attacker):
    • The node attacker is the malicious node carrying out the SS7 attack. The attack is mimicked by intercepting the signalling messages among the msc and hlr.
    • The ss7_attack procedure permits the attacker to intercept and adjust signalling traffic periodically.
  4. Packet Interception and Modification:
    • The attacker intercepts packets using a custom logic (intercept_packets) and modifies (modify_packets). This denotes an attacker changing SS7 signalling messages in transit.
    • We can execute these functions to adjust the message content, like modifying call setup information or user location data.
  5. Trace Files and Visualization:
    • The simulation records packet events in a trace file (ss7_attack_trace.tr), and we can visualize the traffic and attack using NAM.
  1. Customizing the SS7 Attack

We can expand this sample to mimic more complex SS7 attack scenarios, such as:

  1. a) Interception and Extraction of Information:

The attacker can intercept SS7 messages and extract sensitive information, like subscriber details, location, or call metadata.

proc intercept_packets {attacker src dst} {

global ns

puts “Attacker $attacker intercepted a packet from $src to $dst.”

# Extract sensitive information from the intercepted packet

set packet_info [ns extract-packet-info $src $dst]

puts “Extracted info: $packet_info”

}

  1. b) Message Modification:

The attacker can adjust SS7 signalling messages to modify call setup, change location information, or redirect messages.

proc modify_packets {attacker src dst} {

global ns

puts “Attacker $attacker modifying a packet from $src to $dst.”

# Modify the contents of the packet (e.g., alter user location data)

set modified_data “Fake_Location_Data”

$ns modify-packet-data $src $dst $modified_data

}

  1. c) Replay Attack:

An SS7 attacker could replay old messages to pretend the system into rely on false information, like false call setup or location updates.

  1. d) Redirection of Traffic:

The attacker could retransmit signalling traffic to a diverse node that leads a call to be misrouted or a user’s location to be faked.

proc reroute_packets {attacker src dst new_dst} {

global ns

puts “Attacker $attacker rerouting packets from $src to $dst to a new destination $new_dst.”

# Redirect traffic from dst to new_dst

$ns reroute-traffic $src $dst $new_dst

}

  1. Advanced Features for SS7 Attack Simulation

The below are some additional features that can simulate:

  • Location Tracking: To mimic a malicious node following a user’s location by interrupting SS7 messages relevant to the Home Location Register (HLR) and Visitor Location Register (VLR).
  • Call Interception: Mimic the interception of SS7 messages relevant to call setup that enable the attacker to eavesdrop on calls.
  • Network Denial: To mimic an attack in which the malicious node sends bogus SS7 messages leads to network congestion or denial of service.
  1. Analysing the Attack and Effects

To evaluate the attack, we can inspect the trace file (ss7_attack_trace.tr) to monitor how the signalling messages were intercepted, adjusted, or redirected by the attacker. Parsing tools such as AWK, Python, or Perl can be used to extract information from the trace file for analysis.

In this setup the SS7 attacks were executed using the ns2 tool that has exploit the vulnerabilities in the intercept calls, trace the user location in the network simulation. If you have any doubts regarding the SS7 attacks we will support and provide it.

The esteemed team at ns2project.com presents a curated selection of project concepts, inviting you to delve into a realm of innovative topics. Experience bespoke assistance from our experts as you embark on the implementation of the SS7 Attack within NS2.