Securing eNode-B from DDoS Attacks Using Isolation Bandwidth Technique

The Internet of Things (IoT) has significantly transformed industries like smart cities and agriculture by facilitating data-driven processes, increasing efficiency, and enhancing creativity through device connectivity [1]. The rapid development of IoT has led to its integration into more fields, making it a fundamental component of modern infrastructure [2, 3]. The number of IoT connections is projected to grow significantly, with estimates suggesting that it will reach 27 billion by 2025, and a staggering 125 billion devices used globally by 2030 [4]. Long-Term Evolution-Advanced (LTE-A) networks were initially designed for H2H communication, offering services like video streaming, Voice over Internet Protocol (VoIP), and File Transfer Protocol (FTP). The growing use of IoT devices and M2M traffic presents challenges in maintaining sustainable Quality of Service for both Machine-to-Machine (M2M) and Human-to-Human (H2H) traffic [5, 6].

New M2M technologies, such as Narrowband Internet of Things (NB-IoT), are expected to cater to IoT needs in future mobile networks with limited bandwidth [7]. Despite their potential benefits, these networks are vulnerable to network saturations due to DDoS attacks, which use botnets to flood networks with massive fake requests [8]. Attacks on NB-IoT limited bandwidth can easily overwhelm it.

The growing use of IoT devices raises concerns about network resource security, particularly in NB-IoT networks, where DDoS attacks pose a significant threat [9].

NB-IoT networks face security challenges like electronic intrusions, digital espionage, eavesdropping, and data manipulation. Access control, identity management, and defending against DDoS attacks and intrusions are also challenges. Botnets, compromised networks, can execute DDoS attacks without users' knowledge [10, 11].

Researchers are exploring Blockchain-based methods to counter DDoS attacks on IoT devices, including distributed engineering, traffic control, and Ethereum-based solutions, with future research focusing on their working standards and weaknesses [12].

The study [13] used the Canadian Institute for Cybersecurity Intrusion Detection System (CICIDS) 2017 dataset to study DDoS attacks in a cloud context. They developed a Machine Learning model predicting DDoS and bot attacks, achieving 97.86% accuracy.

The study [6] introduced the "LTE-M Adaptive eNodeB" scheme to efficiently manage network resources and improve M2M traffic in an IoT environment.

3GPP introduced NB-IoT to manage congestion in LTE-A networks caused by H2H and M2M traffic coexistence. NB-IoT limits M2M bandwidth, reducing congestion and ensuring smooth H2H traffic. An adaptive eNodeB (A-eNB) addresses network overload, and the study [8] proposed using Continuous Time Markov Chain (CTMC) for coexistence during disaster scenarios.

The study [11] tackled DDoS attacks in LTE-A networks with an algorithmic load balancing defense, efficiently distributing voice and data resources. Simulations showed enhanced traffic efficiency and resource optimization without extra infrastructure. Future studies will investigate the algorithm's real-world performance in LTE networks.

LTE/LTE-A research utilizes tools like LTE-Sim and NS-3 to simulate downlink scheduler algorithms, crucial for radio resource management. Zinno et al. [14] can choose platforms based on study focus and traffic conditions. NS-3 offers tutorials and source codes, while LTE-Sim has strong community support. Both are compatible with open-source Linux for easy installation.

Do et al. [15] optimized NB-IoT and LTE paging coexistence by designing a method to calculate Paging Occasions and creating a Paging store to handle 200-300 messages per second, improving efficiency.

Hara et al. [16] developed a semi-supervised learning method using an Automatic Adversarial Encoder (AAE) to identify failure causes in LTE eNodeB base stations. The method, utilizing unlabeled data, achieved 94% accuracy with eNodeB log data from a service provider, outperforming traditional techniques in F1 score. With a labeled dataset of 220-270, it obtained 94% accuracy; for each category with more than 50 labeled data points, it scored above 91% accuracy.

Previous researchers proposed various DDoS mitigation techniques, but none isolated the malicious traffic in a separate channel to avoid the attack's impact on regular traffic. In this context, we propose using an isolation channel as a solution for DDoS attacks.

This paper aims to explore the challenges and effects of DDoS attacks on M2M and H2H traffic in LTE-A/NB-IoT networks, contributing the following:

(1) Introducing a novel IBT that allocates dedicated bandwidth for malicious M2M traffic to protect networks.

(2) Analyzing the impact of DDoS attacks on both H2H and M2M traffic.

(3) Providing empirical evidence and simulation-based validation demonstrating the effectiveness of IBT in mitigating DDoS attacks on M2M traffic.

We propose analyzing time-frequency resources and their correlation with data rates for M2M and H2H traffic to assess LTE-A and NB-IoT bandwidth capabilities and limitations. In LTE-A, a 10 ms radio frame is divided into ten 1 ms subframes, each split into two 0.5 ms slots, with seven symbols per slot. Time-frequency resources are organized as follows:

(1) Resource Element (RE): 15 KHz sub-carrier for one symbol.

(2) Resource Block (RB): 180 KHz, 12 sub-carriers for one slot.

(3) Physical Resource Block (PRB): 180 KHz, 12 sub-carriers for one subframe.

Consequently, a PRB has 7×12×2 = 168 REs, whereas an RB has 7×12 = 84 REs. Furthermore, the smallest unit that can be allotted for a User Equipment (UE) to send or receive data is represented by a PRB. Studying the maximum data rates in standard LTE-A and NB-IoT technologies is critical, especially when one considers a disaster scenario when over 52,000 UEs are projected to attempt to communicate their payloads concurrently.

NB-IoT technology with its limited bandwidth (180 KHz) and low data-rate (150 Kbps) must meet all IoT requirements with more than 52000 M2M devices per cell. In this context, network saturation cannot be avoided with the threat of DDoS attacks that use botnets to overload the network with massive malicious requests.

(1) During normal cycle traffic, LTE-A networks employ 99 PRBs to fulfill H2H requests.

(2) While NB-IoT networks use 1 PRB only to serve M2M requests.

By doing our calculations, NB-IoT networks can provide a maximum data rate of (150 Kbps). Now, if we know that a Mirai attack speed is about 600 Gbps, we conclude that NB-IoT network will be overloaded when facing such attacks.

This section analyzes real-life cyber-attacks on M2M devices using case studies and 3GPP technical reports. It highlights the integration of LTE-A and NB-IoT technology to manage M2M requests and ensure smooth operations. The study is structured into groups, following 3GPP GERAN TR's parameter sets, and assumes three groups attacking an LTE network simultaneously in a DDoS attack scenario.

5.1 Rationale for parameter selection

The simulation parameters for device numbers, payload sizes, and transmission rates were carefully chosen based on typical M2M traffic patterns documented in real-world case studies and 3GPP technical reports.

(1) Device Count: The number of devices in each group reflects common IoT deployment scenarios, such as small-scale environments with 150 devices (Group 1), medium-sized deployments with 200 devices (Group 2), and large-scale setups with 900 devices (Group 3). These groupings capture a range of potential device densities.

(2) Payload Size: Payload sizes (50-200 Bytes) align with common sensor data characteristics, such as readings from accelerometers and gyroscopes, which generate compact messages optimized for low-power, low-bandwidth transmission.

(3) Transmission Rates: The transmission rates (ranging from 1 message per hour to 100 messages per day) mimic the behavior of periodic IoT reporting, where sensors transmit data based on event-driven or scheduled intervals. This ensures that the parameters realistically simulate typical M2M traffic under normal conditions.

As an example, During Normal Cycle: Group Data Transmission Analysis details:

Group 1:

• Devices: 150

• Payload Size: 200 Bytes

• Transmission Rate: 1 message per hour

Daily Data Calculation:

200 Bytes × 24 messages=4800 Bytes

Data Rate Calculation:

(4800 Bytes / 86400 Sec) × 8 bits × 150 devices =66.666 bps

Data Rate in kbps= 66.666 / 1024 = 0.0651 kbps.

Group 2:

• Devices: 200 Accelerometer Sensors

• Transmission Rate: 8 messages per day per sensor

• Payload Size: 100 Bytes per message

Daily Data Calculation:

100 Bytes × 8 messages=800 Bytes

Data Rate = (800 Bytes / 86400 Sec) × 8 bits × 200 devices =14.814 bps

Data Rate in kbps = 14.814 / 1024 = 0.0144 kbps.

Group 3:

• Devices: 900 Gyroscope Sensors

• Transmission Rate: 100 messages per day per sensor

• Payload Size: 50 Bytes per message

Daily Data Calculation:

50 Bytes × 100 messages = 5000 Bytes

Data Rate Calculation:

(5000 Bytes / 86400 Sec) × 8 bits × 900 devices = 416.67 bps

Data Rate in kbps = 416.67 / 1024 = 0.407 kbps.

Total Data Rate = 0.0651 + 0.0144 + 0.407 = 0.487 kbps.

By comparing the total data rate of 0.487 kbps with the maximum NB-IoT data rate of 150 kbps, we conclude that NB-IoT technology can operate smoothly during a normal cycle with no congestion problems.

5.2 During attack

In a DDoS attack scenario on M2M devices, the attacker transforms devices into "zombies" to send synchronized payloads. Three attacks are calculated:

(1) Attack1:

$\text { Data rate }=(200 \text { Bytes } \times 8 \text { bits } \times 150 \text { devices }) / 1024=234 \text { kbps }$

(2) Attack2:

$\text { Data rate }=(100 \text { Bytes } \times 8 \text { bits } \times 200 \text { devices }) / 1024=156 \text { kbps }$

(3) Attack3:

$\text { Data rate }=(50 \text { Bytes } \times 8 \text { bits } \times 900 \text { devices }) / 1024=351 \text { kbps }$

NB-IoT technology is expected to face significant degradation and congestion issues during DDoS attacks, as evidenced by comparisons of attack storms (234 kbps, 156 kbps, 351 kbps) and maximum NB-IoT data rate (150 kbps).

5.3 IBT solution

The NB-IoT network has seen significant improvements following the implementation of IBT, resulting in a robust 300 kbps data rate. This capacity is crucial in handling DDoS attacks, as recorded data rates during attacks ranged from 234 kbps to 351 kbps. This solution effectively mitigated the impact of the first and second attacks.

7.1 Comparison of regular and attack impact

Below is the equation that describes the Impact Rate (IR) of a DDoS attack over normal traffic:

$\mathrm{IR}=\left(\frac{\mathrm{RR} \text { in Regular }-\mathrm{RR} \text { in DDoS attack }}{\mathrm{RR} \text { in Regular }}\right) \times 100$                (1)

This equation calculates the impact rate as a percentage, showing the drop-in success rates during an attack compared to normal conditions:

(1) VoIP Traffic: Success rate drops from 95% to 39%, with an impact rate of 58%.

(2) Video Traffic: Success rate falls from 73% to 23%, with an impact rate of 68%.

(3) M2M Traffic: Success rate decreases from 61% to 31%, with an impact rate of 49%.

These results highlight a significant negative impact on VoIP, video, and M2M services during the attack, with a sharp decline in success rates across all traffic types Figure 7.

7.png

Figure 7. Comparison of regular and attack impact

7.2 Comparison of attack results and ibt solution performance

To calculate the improvement between "Attack Results" and "IBT Solution Results," you can use the following formula:

$\text { Improvement } =\left(\frac{R R \text { in IBT }-R R \text { in DDoS attack }}{R R \text { in DDoS attack }}\right) \times 100$                  (2)

Improvement in VoIP Traffic:

Improvement (VoIP) = (90-39/39) ×100≈130%

Improvement in Video Traffic:

Improvement (Video) = (47-23/23) ×100≈104%

Improvement in M2M Traffic:

Improvement (M2M) = (46-31/31) ×100≈48%

These "Improvement" values indicate the percentage change in "Results IBT" compared to "Results Attack" for each traffic type, as illustrated in Figure 8.

To provide a quantitative analysis of the improvement achieved by the IBT scheme, we calculated the improvement rate for each traffic type. The improvement rate represents the percentage increase in performance when comparing attack scenarios with and without the IBT scheme.

8.png

Figure 8. Comparison of attack results and IBT solution performance

$\text{Average Improvement Rate} =\left(\frac{\text { Sum of Improvement Rates }}{\text { Number of Traffic Types }}\right)$                   (3)

Maximum Improvement Rate:

The highest improvement rate among all traffic types.

$\text{Average Improvement Rate} =\left(\frac{\text { 130+104+48}}{\text { 3}}\right)=\text { 94}\%$                   (4)

Maximum Improvement Rate: 130%

For VoIP traffic, the improvement rate was 130%, while video traffic showed an improvement rate of 104%, and M2M traffic achieved a rate of 48%. On average, the IBT scheme improved network performance by 94% across all traffic types, with the maximum improvement observed in VoIP traffic at 130%. These results highlight the significant effectiveness of the IBT scheme in mitigating the impact of DDoS attacks on various traffic types.