Bug #1477

RACH flood DoS

Added by laforge almost 5 years ago. Updated almost 5 years ago.

Um (MS-BTS) interface

On the RACH (part of the CCCH/BCCH), the number of RACH slots per unit of time is fixed. The maximum possible number of RACH slots with a single-timeslot CCCH is 200.

Furthermore, the number of available dedicated (control and traffic) channels is limited in any given cell.

As per the GSM specification, any newly-assigned dedicated channel has to stay assigned for 2 seconds, waiting for the MS to establish the radio link layer. Only after those 2 seconds can the channel be released and re-used for other purposes.

If anyone can send more RACH requests within those 2 seconds than the cell has dedicated channels, the dedicated channels are permanently exhausted (in other words, a DoS).

As the RACH request can be hand-crafted by the attacker and sent at a timing chosen by the attacker, there is no possibility for the BTS to differentiate real from malicious RACH bursts.
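To make the capacity argument above concrete, here is an added simulation (not part of this bug report or of any Osmocom code) of a dedicated-channel pool with the 2-second hold: it replays constructed RACH arrival times and shows that a sustained RACH rate above capacity / 2 s leaves a steady share of requests without a channel. The channel count (8) and the arrival periods are constructed values.

```python
import heapq

CHANNEL_HOLD_MS = 2000  # a newly assigned dedicated channel stays assigned for 2 s


class DedicatedChannelPool:
    """Model of a cell's dedicated channels, each held for hold_ms after assignment."""

    def __init__(self, capacity, hold_ms=CHANNEL_HOLD_MS):
        self.capacity = capacity
        self.hold_ms = hold_ms
        self._release_times = []  # min-heap of times (ms) at which busy channels free up
        self.assigned = 0
        self.rejected = 0

    def _release_expired(self, now_ms):
        while self._release_times and self._release_times[0] <= now_ms:
            heapq.heappop(self._release_times)

    def request(self, now_ms):
        """Handle one RACH request at now_ms; return True if a channel was assigned."""
        self._release_expired(now_ms)
        if len(self._release_times) >= self.capacity:
            self.rejected += 1  # every channel still inside its 2 s hold: request unserved
            return False
        heapq.heappush(self._release_times, now_ms + self.hold_ms)
        self.assigned += 1
        return True


def periodic_arrivals(period_ms, count):
    """Constructed RACH arrival times: one burst every period_ms, count bursts in total."""
    return [i * period_ms for i in range(count)]


def simulate(arrival_times_ms, capacity):
    """Replay RACH arrivals against a channel pool; return (assigned, rejected)."""
    pool = DedicatedChannelPool(capacity)
    for t in sorted(arrival_times_ms):
        pool.request(t)
    return pool.assigned, pool.rejected


def exhaustion_rate_per_second(capacity, hold_ms=CHANNEL_HOLD_MS):
    """Sustained RACH rate above which the pool never fully recovers (capacity / hold)."""
    return capacity * 1000 / hold_ms


if __name__ == "__main__":
    channels = 8  # constructed cell size; exhaustion sets in above 4 RACH/s
    print("exhaustion above", exhaustion_rate_per_second(channels), "RACH/s")
    print("4 RACH/s for 10 s:", simulate(periodic_arrivals(250, 40), channels))
    print("5 RACH/s for 10 s:", simulate(periodic_arrivals(200, 50), channels))
```

With 8 channels, 4 RACH/s is served in full, while 5 RACH/s leaves one request in five without a channel, which is the ratio a monitoring threshold on channel-assignment failures would have to catch.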

This attack has been implemented in 2009 by Dieter Spaar, and has been publicly demonstrated at the Deepsec 2009 conference in Vienna.

Slides are available from


#1 Updated by admin over 10 years ago

  • Status changed from New to Closed
  • Resolution set to confirmed

#2 Updated by admin over 10 years ago

  • Status changed from Closed to Feedback
  • Resolution deleted (confirmed)

#3 Updated by laforge almost 5 years ago

  • Assignee deleted (laforge)
