ATM Networks and Security
by Eva Bozoki - May 30, 2000
Although the principal advantages of ATM are its capacity for speed
and data volume and its flexibility, these factors represent a relatively
small and transient security enhancement over traditional communications
structures and come with a level of complexity that raises new security
issues. A strong argument for integration of security functions within
the ATM environment exists for this reason: Tremendous volumes of data
can be compromised in a shorter period of time and with less risk of
exposure to the attacker than in slower communications mechanisms transmitting
smaller message packages.
The following two types of attacks involve unauthorized monitoring
of or tampering with an ATM communication. Both require the
physical installation of a rogue device on the network:
Eavesdropping: Simply capturing and recording a cell
with an ATM analyzer, similar to catching an IP packet with a packet
analyzer and inspecting the message. (The ATM analyzer is a device
capable of capturing, displaying, analyzing, and possibly
editing and replaying an ATM cell.)
Modifying/replaying the message: Capturing and repeatedly
replaying the transmitted information. A variation of this attack
involves capturing, modifying (the payload), and replaying the transmitted
information. There is no inherent data integrity checking in the
ATM protocol. The speed of ATM data transmission makes carrying out
this type of attack on the fly extremely difficult.
When no time stamps or sequence numbers are associated with ATM
cells, it is possible to replay the same message or part of a message.
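As an added illustration (not code from the original article), the following Python sketch builds a 53-byte UNI cell, checks its Header Error Control (HEC) byte, and then shows why the HEC alone does not address the payload modification and replay just described: the HEC covers only the five-byte header, so a changed payload still parses as a valid cell, and nothing in the cell says whether it has been seen before. The sequence-number-plus-HMAC payload layout, the 36-byte data size, and the shared key are assumptions chosen for this demo, not part of any ATM standard.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment would provision keys out of band.
KEY = b"constructed-demo-key"

SEQ_LEN, TAG_LEN = 4, 8
DATA_LEN = 48 - SEQ_LEN - TAG_LEN   # 36 bytes of application data per cell


def atm_hec(header4: bytes) -> int:
    """Header Error Control byte: CRC-8 with generator x^8 + x^2 + x + 1 over
    the first four header bytes, XORed with 0x55 (ITU-T I.432). It covers the
    header only; the 48-byte payload is not protected by it."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def build_cell(vpi: int, vci: int, payload: bytes, pt: int = 0, clp: int = 0) -> bytes:
    """Assemble a 53-byte UNI cell: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8) + payload."""
    if len(payload) != 48:
        raise ValueError("ATM payload must be exactly 48 bytes")
    word = (vpi << 20) | (vci << 4) | (pt << 1) | clp   # GFC bits left at 0
    header4 = struct.pack(">I", word)
    return header4 + bytes([atm_hec(header4)]) + payload


def parse_cell(cell: bytes) -> dict:
    """Split a cell into header fields and payload and verify the HEC."""
    if len(cell) != 53:
        raise ValueError("ATM cell must be exactly 53 bytes")
    (word,) = struct.unpack(">I", cell[:4])
    return {
        "vpi": (word >> 20) & 0xFF,
        "vci": (word >> 4) & 0xFFFF,
        "pt": (word >> 1) & 0x7,
        "clp": word & 0x1,
        "hec_ok": cell[4] == atm_hec(cell[:4]),
        "payload": cell[5:],
    }


def protect_payload(seq: int, data: bytes) -> bytes:
    """Assumed application-layer layout: seq(4) | data(36) | HMAC-SHA256 tag cut to 8."""
    if len(data) != DATA_LEN:
        raise ValueError(f"data must be exactly {DATA_LEN} bytes")
    body = struct.pack(">I", seq) + data
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Accepts a cell only if the HEC checks, the payload tag verifies, and the
    sequence number is new (anti-replay window of `window` sequence numbers)."""

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = -1
        self.seen = set()

    def accept(self, cell: bytes) -> str:
        fields = parse_cell(cell)
        if not fields["hec_ok"]:
            return "reject: header corrupted"
        payload = fields["payload"]
        body, tag = payload[: SEQ_LEN + DATA_LEN], payload[SEQ_LEN + DATA_LEN :]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: payload tampered"
        (seq,) = struct.unpack(">I", body[:SEQ_LEN])
        if seq in self.seen or seq <= self.highest - self.window:
            return "reject: replayed"
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "accept"


def demo() -> list:
    """Constructed scenarios: a legitimate cell, the same cell with one payload
    byte changed (header untouched, so the HEC still passes), and a replay."""
    rx = Receiver()
    data = b"transfer 100 to account 0042".ljust(DATA_LEN, b"\x00")
    good = build_cell(vpi=1, vci=100, payload=protect_payload(seq=1, data=data))
    flip = 5 + SEQ_LEN            # first byte of the application data
    tampered = good[:flip] + bytes([good[flip] ^ 0x01]) + good[flip + 1 :]
    return [rx.accept(good), rx.accept(tampered), rx.accept(good)]


if __name__ == "__main__":
    print(demo())   # ['accept', 'reject: payload tampered', 'reject: replayed']
```

The tag is computed over the sequence number and the data but deliberately not over VPI/VCI, because those identifiers are rewritten by every switch along the path; binding to them would make legitimate cells fail. The 64-entry window mirrors the usual anti-replay design: a sequence number that is too old, or one that has already been accepted, is dropped.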
Redirection and denial of service can occur if switches are compromised,
either by taking over one switch and then using it to launch attacks
on the others, or by breaking into the control interface of one or more
switches and tampering with their switching tables or other internal
functions. Denial of service attacks can also be
mounted by exploiting the weaknesses
Redirection: If an ATM switch is compromised, the attacker
can change the virtual channel designation in the cell header, actually
hijacking the cell and (randomly or systematically) sending it to
an unintended destination. One form of this attack would switch
cells so that a particular user would always use a higher-quality
A particularly onerous aspect of this type of attack is that the
attacker's presence is discernible only during transmission; no
trace of evidence remains when the message session is concluded.
A modified form of redirection attack to which ATM is particularly
vulnerable involves generating unauthorized copies of transmissions
to third parties, following a "hostile insertion," as
Masquerading: The attacker falsifies its identity (called/calling
party and connection identifiers) during the setup phase (signaling)
of the connection. In particular, the SETUP message provides the
calling party's phone number and, optionally, its ID. In a masquerading
attack, these information fields are changed by the attacker.
Sabotage/denial of service attacks: These attacks make
no attempt to capture or otherwise manipulate data; however, they
effectively disrupt ATM messages between communicating parties,
and therefore block the resource from authorized users. Any of the
following mechanisms can result in the disruption of ATM traffic
with little or no evidence of the attacker's activity:
Through insertion in the custodial chain, the ATM pathway can
be "dropped" between authorized custodial points. For
instance, an attacker can modify a signal so that it results in
a forced reset of one of the switches.
The switch databank can be modified or erased.
An incursion into a switch can disrupt or delete the path table,
leaving authorized parties unaware of the attack, its source,
what time it occurred, or the result of the communications effort
unless another means of receipt verification is employed.
However, this would eliminate a principal advantage inherent in
ATM (speed), and would impose additional administrative burden.
An attacker can flood a switch or switches in the path by repeatedly
sending irrelevant signals to it, thus creating a heavy computational
load within the switch and resulting in inflated storage requirements.
In either event, performance of the switch (and, by extension,
the ATM network) suffers.
An attacker can send a RELEASE or DROP PARTY signal to any intermediate
switch, thereby disconnecting the virtual connection.
An attacker can send a RESTART signal to an end user that de-allocates
all resources associated with the virtual circuits.
An attacker can delay the CALL PROCEEDING or CONNECT ACKNOWLEDGE
messages so that they are not received within the required time
span after the SETUP signal, and thus effectively disconnect the
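Added example, not from the article: a small Python detector that reads a constructed signaling trace and flags two of the patterns listed above, a burst of RELEASE, DROP PARTY or RESTART messages from one sender (the flooding and forced-disconnect cases) and a SETUP whose CONNECT ACKNOWLEDGE arrives only after the configured time span. The trace format (time in seconds, sender, receiver, message name), the host and switch names, and the thresholds are all assumptions made for the demo; real switch logs and Q.2931 timer values will differ.

```python
from collections import defaultdict, deque

TEARDOWN = {"RELEASE", "DROP_PARTY", "RESTART"}

# Constructed signaling trace; the line format "<seconds> <sender> <receiver> <message>"
# is an assumption for this demo, not a real switch log format.
SAMPLE_TRACE = (
    "0.00 host-a switch-1 SETUP\n"
    "0.05 switch-1 host-a CALL_PROCEEDING\n"
    "0.20 switch-1 host-a CONNECT\n"
    "0.21 host-a switch-1 CONNECT_ACKNOWLEDGE\n"
    "2.00 host-b switch-1 SETUP\n"
    "2.10 switch-1 host-b CALL_PROCEEDING\n"
    "7.50 switch-1 host-b CONNECT\n"
    "7.51 host-b switch-1 CONNECT_ACKNOWLEDGE\n"
    # twelve RELEASE messages from one sender inside half a second
    + "".join(f"{3.0 + i * 0.04:.2f} host-x switch-1 RELEASE\n" for i in range(12))
    + "9.00 host-x switch-1 RESTART\n"
)


def parse_trace(text: str) -> list:
    """Turn trace lines into (time, sender, receiver, message) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, msg = line.split()
        events.append((float(t), src, dst, msg))
    events.sort(key=lambda e: e[0])
    return events


def analyze(text: str, teardown_limit: int = 10, window: float = 1.0,
            setup_timeout: float = 4.0) -> list:
    """Return alerts for two patterns (thresholds are assumed values):
    - teardown_flood: more than `teardown_limit` RELEASE/DROP_PARTY/RESTART
      messages from one sender within `window` seconds;
    - setup_timeout: CONNECT_ACKNOWLEDGE arriving more than `setup_timeout`
      seconds after the SETUP exchanged between the same two parties."""
    alerts = []
    recent = defaultdict(deque)   # sender -> timestamps of recent teardown messages
    flagged = set()               # senders already reported, to avoid repeat alerts
    pending_setup = {}            # {sender, receiver} pair -> time of SETUP
    for t, src, dst, msg in parse_trace(text):
        pair = frozenset((src, dst))   # direction ignored: a simplification for the demo
        if msg in TEARDOWN:
            stamps = recent[src]
            stamps.append(t)
            while stamps[0] < t - window:      # slide the window forward
                stamps.popleft()
            if len(stamps) > teardown_limit and src not in flagged:
                flagged.add(src)
                alerts.append(("teardown_flood", src, t))
        elif msg == "SETUP":
            pending_setup[pair] = t
        elif msg == "CONNECT_ACKNOWLEDGE" and pair in pending_setup:
            elapsed = t - pending_setup.pop(pair)
            if elapsed > setup_timeout:
                alerts.append(("setup_timeout", src, round(elapsed, 2)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRACE):
        print(alert)
```

Each sender is reported once per burst rather than once per message, which keeps the alert volume proportional to incidents rather than to the flood itself; a production detector would also want to age out the `flagged` set and to report SETUPs that never receive any acknowledgement before the trace ends.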