9-1-1 DDoS: Threat, Analysis and Mitigation

The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller's identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future. 1. INTRODUCTION The '911' emergency number was instituted in the US in 1968 in response to the need for a universal and effective method of reporting emergencies. Over the years the system has evolved, and in 1999 the US government enacted the Wireless Communications and Public Safety Act. This federal law mandated the use of 911 as a universal emergency number and " enhanced 911 " (E911) as the base technology for handling calls from wireline and wireless phones. The E911 network provides dedicated infrastructure for routing and connecting 911 calls to the nearest public call center. These call centers are referred to as public safety answering points (PSAP).