Skip to content

5G virtualization use case

This lab explores the setup and configuration of a virtualized 5G architecture, including the 5G core network, radio access network, and user equipment (UE). We will use Docker to deploy Free5GC, and develop attack scenarios.

Preferably use a VM with 50GB of disk.

Install the 5G core network environment

We will deploy the Free5GC core network using Docker Compose. Docker Compose simplifies the configuration and networking between containers.

Step 1: Install mongodb on host:

The first step consists in installing MongoDB, you can follow the documentation to do so.

Installing MongodB dependencies: 

sudo apt-get install gnupg curl
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
--dearmor


echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list

sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl start mongod
sudo systemctl status mongod

Step 2: Set up Free5gc

  1. Build docker images from local sources
git clone https://github.com/free5gc/free5gc-compose.git
cd free5gc-compose/base
git clone --recursive -j `nproc` https://github.com/free5gc/free5gc.git
cd ..
sudo make all
DOCKER_BUILDKIT=0 docker-compose -f docker-compose-build.yaml build

In case the sudo make all command fails, modify the Dockerfile by adding environement variables at the beginning: ENV GOPROXY=direct ENV GOSUMDB=off ENV GONOSUMDB=*

  1. Run free5gc
DOCKER_BUILDKIT=0 docker-compose -f docker-compose-build.yaml up -d

You can now see the containers running: 

docker ps

Step 3: Explore with Free5gc

  1. Understand the behavior of the functions

Choose one component among this list:

  • AMF (Access and Mobility Management Function): Manages user registration, authentication, and mobility in the 5G core.
  • SMF (Session Management Function): Handles PDU session establishment, modification, and release, and manages IP address allocation.
  • UDM (Unified Data Management): Stores and manages subscriber data and handles authentication credentials.
  • PCF (Policy Control Function): Provides policy rules for quality of service (QoS) and charging based on network and subscriber context.

Inspect the logs from this function: 

docker logs <service>

For example to see the logs from the SMF: 

docker logs smf

Question 1

  • Analyze the logs.

  • Identify key messages and their purpose (e.g., user registration, GTP tunnel creation, etc.).

  • Identify interactions between this component and others.

  1. Access the free5gc webUI to add users

First retrieve the IP address of the webUI: 

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webui

Then access it on your browser: 

<Webui_IP>:5000

By default, credentials are: 

Username: admin
Password: free5gc

  1. Adding new subscriber:

There are two options to add a new subscriber: - Directly create subscriber in create subscriber page - Create profile first, then create subscriber with the profile

Following the first option, click SUBSCRIBERS -> CREATE.

Edit the Subscriber's data and click CREATE, here you can configure the:

  • Network Slicing Configuration
    • SST/SD (Slice/Service Type and Slice Differentiator)
    • DNN (Data Network Name) Configuration
      • AMBR (Aggregate Maximum Bit Rate)
        • Maximum total uplink/downlink bitrate limits
      • Default 5QI (5G QoS Identifier)
        • Default Quality of Service identifier
        • GBR type (5QI values: 1-4, 65-67, 71-76)
        • Non-GBR type (5QI values: 5-9, 69-70, 79-80)
      • Flow Configuration
        • IP Filter
          • Source/destination IP address ranges
          • CIDR Format (eg: "140.113.0.0/16")
        • Precedence
          • Priority of flow rules (lower value means higher priority)
        • 5QI (Flow-specific QoS identifier)
          • Non-GBR flows: Best effort traffic, no bandwidth guarantee
          • GBR flows: Guaranteed bit rate for specific services
        • Uplink GBR/MBR (Guaranteed/Maximum Bit Rate)
          • Applicable for GBR 5QI flows
        • Downlink GBR/MBR (Guaranteed/Maximum Bit Rate)
          • Applicable for GBR 5QI flows
        • Flow-Based Charging Config

Check that the new subscriber was added.

You can also update the docker-compose.yaml file manually: 

  ue:
    container_name: ue
    image: free5gc/ueransim:latest
    command: ./nr-ue -c ./config/uecfg.yaml
    volumes:
      - ./config/uecfg.yaml:/ueransim/config/uecfg.yaml
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun"
    networks:
      privnet:
        aliases:
          - ue.free5gc.org
    depends_on:
      - ueransim
IP CORE NETWORK: 192.168.156.128

Question 2

Have a look to the configuration to add the UE.

What specific security configures are in place?

Deploy attack scenarios

The following scripts perform PFCP attacks using the Python libraries scapy and faker. It allows you to randomly generate traffic on the network using the IP addresses provided as parameters.

The script requires the following Python libraries: - scapy - faker

Step 0: Setup

Update and refresh repository lists:

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.8
sudo apt install python3-pip -y
pip3 install scapy
pip3 install faker

The following parameters are used by the script: 1. PFCP_CP_IP_V4: The IPv4 address of the PFCP control plane (SMF). This parameter is provided as a command-line argument. 2. PFCP_UP_IP_V4: The IPv4 address of the PFCP user plane (UPF). This parameter is provided as a command-line argument. 3. N3_IP_V4: The IPv4 address of the N3 interface network. This parameter is provided as a command-line argument. 4. GNB_IP_V4: The IPv4 address of the gNB. This parameter is provided as a command-line argument. 5. UE_IP_V4: The IPv4 address of the UE. This is currently generated randomly, along with the Session ID.

The required parameters can be passed into the script as command-line arguments.

Attack 1: PFCP flood flag

The Packet Forwarding Control Protocol (PFCP) is a 3GPP protocol used at the N4 interface (see Figure 8) of the 5G core network, between the control plane and the user plane.

As a reminder, the Session Management Function (SMF) is responsible for PDU (Packet Data Unit) sessions. It handles the establishment, maintenance, and termination of user sessions within the 5G core network. The SMF manages user plane resources and interacts with the User Plane Function (UPF) to ensure proper tunnel management and that packets are correctly routed and transmitted.

The User Plane Function (UPF), for its part, is responsible for routing and transmitting data. It establishes and manages user tunnels.

Description of the attack

The PFCP Flood attack is instanciated from the SMF of the 5G core network.

The target of this attack is the UPF, which handles processes and forwards user data to the Data Network (DN).

The goal of this flood attack is the exhaustion of the UPF's resources to handle legitimate Session Establishment Requests and Heartbeat Requests. This will potentially hinder the capability of the 5G core to successfully formulate new Protocol Data Unit (PDU) sessions between clients and DN. Essentially, this attack is implemented on the N4 interface, and the impact can be observed in the intermediate interfaces. The Session ID (SEID) is randomized for each session establishment request.

You can execute the script: 

sudo python3 pfcp-flood-flag.py <PFCP_CP_IP_V4> <PFCP_UP_IP_V4> <N3_IP_V4> <GNB_IP_V4>

To get IP address from the containers, you can use the following command: 

docker exec <service> ip addr show

For example: 

docker exec nrf ip addr show

Question 3

Inspect the logs from the UPF function.

We observe that Free5Gc is affected, but in a way different from what was initially expected. While we anticipated that the UPF would no longer be able to respond to legitimate session establishment requests and would be unable to create PDU sessions, it turns out that only its routing functions were affected. Any user connected before, during, or after the attack still has an active session, but their packets do not reach the internet.

Attack 2: PFCP session deletion flag

Description of the attack

This attack consists in lauching a Denial of Service (DoS) via PFCP Session Deletion. Using Scapy, a Python library that allows us to manipulate, generate, and analyze network packets, we were able to create a script to generate PFCP packets.

We start with an SMF that is considered compromised, and we execute this scenario toward the UPF. The generated packets are saved in a pcap file and replayed in real-time using tcpreplay, a tool designed for this use case.

The goal of this attack is to disconnect a targeted user device from the internet. The user device is not disconnected from the Radio Access Network or the 5G core network, but only from the internet. This attack is implemented on the N4 interface, and its impact is seen at the N6 interface level.

You can execute the script: 

sudo python3 pfcp-session-deletion-flag.py <IP_SRC> <IP_DST> <INTERFACE>

The <IP_SRC> is the IPv4 address of the PFCP control plane (SMF), the <IP_DST> is the IPv4 address of the PFCP user plane (UPF), and the <INTERFACE> is the interface from which the maliious packets will be sent (likely n4 between the UPF and the SMF).

Question 4

Inspect the logs from the UPF function.

After sending the packet to the UPF, we can see in the logs that the UPF deletes the session. The user will no longer have internet access, and the UPF will show errors but will do nothing about it.