Jamming Commercial Satellite Communications During Wartime: An Empirical Study
Hank Rausch
CACI, Inc
hrausch@caci.com

Abstract
Satellite Communications parameters—Carrier to Noise
Ratio, Bandwidth, Power, and Frequency—were
recorded for approximately 500 satellite communication
carriers continuously, over a period of 16 months.
These carriers support communications for military
operations in the current Iraq war. Communications
outages during this period were logged and the reason
for outage was determined. Some outages caused by
electromagnetic interference are shown to have
characteristics that would be expected if these carriers
were being subjected to a hostile denial of service
attack.
Keywords: commercial satellite communications, jamming,
denial of service attack, hostile interference.

1. Overview
Commercial satellite communications play an
increasingly vital role in military operations. During
Operation Desert Shield/Desert Storm (1990-91),
military use of satellite communications was 1 Mbps per
5000 combatants. By Operation Iraqi Freedom (2003),
this ratio had increased to over 51 Mbps per 5000
soldiers [1]. Other sources put the figure at 3,200
Mbps for 132,000 combatants in Iraq today, for a ratio
of 121 Mbps per 5000 combatants [2]. Simply put, it
would be impossible to conduct modern warfare as it is
done today without commercial satellite
communications. This stems from two unrelated trends:
(1) The evolution of command and control mechanisms
to ever smaller units of action, creating exponential
growth in the numbers of communications links
required to sustain operations; and (2) inadequate
procurement of military satellite communications,
which failed to keep up with the burgeoning demand.
These two factors explain why today, 84% of satellite
communications supporting operations in Operation
Iraqi Freedom is provided by commercial satcomm [3].
This reliance on commercial satellites—leased
transponders from Intelsat and Eutelsat, for example—
brings with it an attendant vulnerability. These satellites
are not hardened to protect against malicious
interference, or jamming. The potential exists that vital
military communications could be severed or reduced at
a critical time, due to unauthorized transmission to the
satellite by an adversary.
Recent authors have highlighted this vulnerability,
specifically as it relates to the military’s use of
commercial satellites [4]. The Congressional Research
Service makes this point explicitly in a recent report
to Congress:
“…a growing dependence on space communications may
also become a critical vulnerability for Net-Centric
Warfare” [3].
The potential for this type of attack is known and
has been acknowledged [5], but up to now empirical
evidence for it has been lacking.
This paper presents empirical evidence of all types of
interference, including that by suspected hostile
adversaries, observed during ongoing operations in
Operation Iraqi Freedom (OIF). A contractual clause
in the provision of leased satellite bandwidth to the U.S.
military required that the spectral shape, power level,
and carrier to noise ratio be monitored and recorded on
a continuous basis for all commercial transponders
leased to the military. This data was collected from
July, 2004 to November, 2005 and all instances of
degraded communications were catalogued and analyzed.
The evidence suggests that unauthorized interference
is a small but significant subset of all types of satellite
communications problems experienced. Within this
subset, the cause of the majority of interference events

Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06)
0-7695-2564-4/06 $20.00 © 2006 IEEE

is both easy to conduct and harder to prosecute. results in complete cessation of effective communications. Broadcast communications carrier signals generally have carrier to noise ratios of 20 dB or more. as the two signals are mixed. John MacDougal. an additional artifact of commercial satellite communications is that since they are geostationary. in a subset of these interference events the cause could not be determined. Background Commercial geosynchronous communication satellites are susceptible to a denial of service attack by hostile electromagnetic interference. 2. The foreign signal also raises the noise floor of that transponder. This can be done with a comparable VSAT with comparable power supply as the victim terminal. they are used for the majority of ad-hoc. it is retransmitted along with any legitimate signals that are present on the transponder. the effect of decreasing signal to noise ratio beyond a certain threshold is effectively complete cutoff. disruption of a high power broadcast service requires like equipment. The effect of current encoding techniques is that a small decrease in carrier to noise ratio—in some cases only 1-2 dB. Downlink jamming is relatively easily detected and dealt with. So in general. Typical carrier to noise ratios are in the range of 6 to 10 dB above the noise floor. This is not the case for full duplex point to point communications using socalled Very Small Aperture Satellite Terminals (VSATs). dubbing himself “Captain Midnight”. using a commercial broadcast site [6].S. 2002 the outlawed cult Falun Gong successfully broadcast over 10 channels being aired by Chinese TV on Sinsoat-1. semi-permanent communications needed by U. These terminals are almost always receive-power limited. It is reasonable to deduce that at least some of these events were in fact hostile communications denial of service attacks. Forces in land operations. This interference can be present at the local receiver (downlink jamming). 2003. 
Consequently. these events all had similar “attack profiles. which in turn reduces the carrier to noise ratio of all legitimate carriers. degradation of these carriers would require transmit equipment of a like nature—antennas of large aperture—9m or more—and power amplifiers rated in the thousands of watts. even in cases where it does not directly mask the legitimate carrier. These terminals typically use antennas varying in size from about 1 meter to several. or directed at the satellite and mixed with or overriding the valid carrier (uplink jamming). Finally. an interfering signal only needs to be (approximately) one-half powerful as the target signal to completely disrupt communications. if a foreign signal of the appropriate carrier frequency is introduced. they are easily targeted with rudimentary equipment. Since most small aperture satellite receive sites are (in general) receive power limited. The vulnerability of commercial satellites to uplink jamming lies in the nature of their construction and operation: A transponder on the satellite accepts microwave energy within a specified range and retransmits it at the downlink frequency. Furthermore. Indeed. Uplink jamming. a receiver attempting to detect and demodulate the legitimate carrier will be unable to do so. Typical transmit power is a few watts. all documented cases of interference with a commercial broadcast have involved another commercial broadcast site. another transponder. However. the transponder acts as a simple repeater.” and in all cases they disrupted military communications. using traditional direction finding and triangulation techniques. Consequently. Voice of America broadcasts to Iran were suspected of being jammed by Cuban authorities [8]. During the period July 6 to July 14. from what was once an essentially error-free channel. In a series of attacks between 23 and 30 June. They did this from Taiwan. Recall that due to advanced coding techniques. 
broadcast over HBO’s satellite service on Galaxy 1 for about 4 minutes. this foreign signal may degrade or sever all communications on the transponder. This paper presents an analysis of these attacks.was eventually found and determined to be non-hostile. In 1986 a disgruntled satellite dish vendor and parttime teleport operator. where he worked part-time. Because they are easy to set up and tear down. forcing units to relocate their communications to another satellite.00 © 2006 IEEE . to do this [7]. or a different part of the same transponder. it is only necessary to transmit on the designated carrier frequency with a continuous wave (unmodulated) signal at the elevation and azimuth for the target satellite. He used the 30 foot dish at Florida’s Central Teleport. The power required to degrade or sever communications depends on the carrier to noise ratio of the signal being targeted. Depending on the bandwidth of the targeted signal. This effect is intensified by the tremendous encoding gain employed in current commercial satellite communication modulation protocols. No special processing or filtering is done. on the other hand. and concludes with a consideration of ways to mitigate this type of attack. No tracking equipment is needed. usually a maximum of 4 meters. depending on weather conditions. If the foreign signal is of sufficient carrier to noise ratio. Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20.

as would a downlink jammer. it is now possible to analyze at least a subset of the commercial satellite bandwidth used for military communications. military. we can certainly determine that communications were impacted. and that even when they do they almost never record and archive transponder or carrier characteristics. In most cases these alarms were due to an authorized site transmitting without prior coordination with the satellite provider.00 © 2006 IEEE . This set of events is categorized according to source. Fortunately. alarms were also generated if an unexpected carrier appeared. is shown in Figure 1. and consequently many military terminal operators are unaware or unappreciative of the significance of minimizing cross polarization. Consequently forensic analysis of past suspected attacks has been impossible. These values were compared to expected values. A subset of unknown interference events. and an alarm created at a central monitoring site when measured values differed significantly. Uplink jamming is made an even more significant threat by the fact that a threat jammer can be anywhere in the uplink footprint of the transponder. Data Gathering Leased commercial satellite transponders were monitored as part of a contractual requirement in the provision of commercial satellite services to the U. A vital step in setting up a terminal for allowed transmission is to zero out the “cross polarization” component of one’s terminal. or uplink jamming. In military use of commercial satellites. Susceptibility to this sort of information warfare has been understood in the abstract for some time. or operate only on a limited duty cycle. Contributing to this difficulty is the fact that commercial satellite providers do not monitor all their transponders all the time. in the absence of information about the transmitter in these instances. to definitely say that jamming was occurring. occupied bandwidth. In these instances. Typically. 
A spectrum analyzer was connected to the Low Noise Block Downconverter (LNB) or Low Noise Amplifier (LNA) of each antenna. but in a subset of these cases the source of the unauthorized carrier was unknown. A screen capture of a monitored carrier. The signal was digitized. and each carrier attribute—power level. Rather. by rotating the transmit feed horn. Failure to do this properly results in excessive power on the other pole. to date there has been little documentation of actual attacks using these techniques. In addition. and to make an assessment of the relative threat of hostile interference. and to restore communications. However. Commercial satellites all use polarization separation to maximize the use of available carrier bandwidth. This is so because for a significant portion of commercial bandwidth provided during the current Iraq War. presumably being used by other customers. making it very hard to triangulate.S.The extent to which VSAT terminals are vulnerable to this type of interference is shown by the large number of instances of unintentional self jamming that occur in military use of commercial satellite bandwidth. and center frequency—was recorded. Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. and that the nature of interference conformed to how an attacker would be expected to behave. This threat can be made even more difficult to eliminate because the jammer can be mobile. This subset of interference events is further classified according to origin. Military satellites. all of which severely degraded communications. 3. do not use polarization separation. detailed spectral plots of the interference were taken and all efforts were made to determine the source. on both the horizontal and vertical polarizations. or both. 
It is proposed here that one reason for this lack of documentation is that it is difficult to isolate bona fide interference attacks from other forms of communication degradation in general. This illustrates how easy it would be to do so on purpose. What follows is an analysis of all instances of communications degradation that occurred during the period July 2004 to October. with parameters monitored. and specifically from other forms of interference. potentially thousands of square miles. carrier to noise ratio. The evidence is only circumstantial. it concentrates its energy in a focused beam. is then analyzed for their similarity to what would be expected to be a traditional attack profile. This was done by a worldwide network of teleports with receive antennas located in the downlink footprint of the leased transponder. leaving a subset caused by interference. However. a contractual clause stipulated that these communications be monitored and the RF parameters recorded continuously. 2005. operating at their normal transmit frequencies and powers. it is commonplace to have to respond and attend to several cases a week where a terminal is inadvertently cross-polarized. This dataset provides us with an opportunity to investigate and determine whether instances of jamming occurred. in general. Geolocation of the threat jammer while he is on the air is made difficult due to the directional nature of the uplink transmission—it does not broadcast out in a wide pattern. communications are carried out simultaneously on identical carrier frequencies. the user terminals act as jammers themselves. In short. in that it is not possible.

in the same time period (7/04-10/05). 2005. consisting of over 7M discrete parameters recorded since monitoring operations began in April 2003. but because the effects Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. it is useful to categorize first all alarms. Figure 2 shows the average number of carriers monitored per month. and specifically potentially hostile attacks. The volume of data collected is therefore huge. which itself is further evidence of the increasing reliance of military operations on commercial satellites. 500 450 400 350 300 250 200 150 100 50 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Figure 1: Monitored carrier with parameters shown Figure 2: Average Number of Carriers Monitored per Month (7/04-10/05) The scale of these monitoring operations is quite large. Figure 3 shows the number of alarms created by the monitoring system during this time period. the number of actual alarms is much higher. It can be seen that the number of problems tracked to resolution is much smaller—on the order of 50 times less—than the number of alarms generated by those carriers. This chart shows that satellite communications are subject to many types of problems. 3500 3000 2500 4. A very few carriers also used spread spectrum modulation techniques. 2004 to November. involving (to date): 16 worldwide teleport sites. most of which are transitory and correct themselves quickly. with the vast majority being Single Channel per Carrier (SCPC) with QPSK modulation. but also included here are communications supporting operation in other theaters. then the subset of these alarms caused by unauthorized interference. It can be seen that the number of carriers monitored increases each month. but some broadcast carriers are included and the data also contains a few multiple access networks using Time Division Multiple Access (TDMA). 
These carriers were generally several Mbps in bandwidth and constituted one-half of a full duplex point to point communications link.few tens of kHz to 27 Mbps. and over 500 individual carriers. The reason for this is that many alarm conditions are transitory and correct themselves before troubleshooting efforts are required. It is this body of data that is the source for this study.00 © 2006 2 . along with records of each alarm and actions taken to correct the alarm. It is possible that the alarms shown in figure 3 contain some hostile interference events. Results 2000 To understand the scope of the problem of unauthorized communications interference. trouble tickets are created only when a carrier exceeded nominal parameters for a set amount of queries (usually within a six minute period). some 46 separate monitor antennas. and then the subset of these events for which the source is unknown and deemed potentially hostile. The study focuses on a subset of this data collected from July. Modulation also varies. when detailed records of troubleshooting efforts were retained. To reduce operator workload. This information is stored in a database. this chart represents the number of trouble tickets opened. In fact. The vast majority of these carriers provided communications in support of Operation Iraqi Freedom (>80%). over 100 discrete transponders. but range from a 1500 1000 500 0 1 IEEE 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Figure 3: Alarms per month for monitored carriers Figure 4 shows the subset of the alarms indicated in Figure 3 that were actual problems that were tracked over a period of time to resolution.

So figure 4 provides the best picture of events that terminate or degrade satellite communications long enough to be a real problem.7%)**.0%). Maintenance (M) (15. Hardware Related (HW) (23. only 9. ASI **Maintenance refers only to those cases where a station went off the air for maintenance without notifying the satellite provider. and it was subsequently determined that the transmit station intended to do so but did not notify the satellite provider beforehand. 15 of the 21 documented cases interfered Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. Figure 5 is a breakdown of all problems identified in figure 3 according to cause. Interference (I) (9.8% of satellite communications problems for the monitored carriers were due to unauthorized interference.5%). This is not the case with the other sources of interference. Power (P) (16. 70 60 50 40 15 13 11 9 7 5 3 1 30 20 10 0 Figure 4: Satellite communications problems per Month Not all of these events are unauthorized interference. In the subset of 50 cases of interference where communications is terminated or degraded. Scheduled maintenance with prior notification did not trigger an alarm.were so brief. it was possible to determine the cause for 29 cases. so identification of the interference source is not an issue. Causes are categorized as follows: End of Mission (EOM)* (13. Weather (Wx) (14. Terminal operators inadvertently transmitting on the wrong frequency or pole caused 5 cases. where carriers on the adjacent satellite bleed onto one another. *End of Mission refers to the condition where a carrier has gone off the air apparently for no cause. these events are a minority. where a lineup or equipment problem at the operators own terminal generated RF energy that interfered with his receive signal. in fact.9%). This can be seen in figure 5. In 3 of the cases the source was adjacent satellite interference. For starters. 
Lineup Ot her Self Unk Xpol eom hw int main Figure 6: Classification of interference events according to origin pwr unk wx Figure 5: Classification of satellite communication problems according to cause This leaves 21 cases during the monitoring period where the interference degraded or terminated military communications and for which the cause was unknown. oftentimes because they did not receive the current lineup (Lineup problems).2%). and troubleshooting efforts were initiated.) Fortunately. it was possible to determine a cause for the interference. A breakdown of these events according to geographic region is shown in figure 7. 3 cases were caused by known events that are not captured by the above classification.8%) and Unknown (U) (6. This represents a total of 50 separate cases over the monitoring period. Some type of selfinterference caused 5 other cases. In summary.00 © 2006 IEEE . Certain common attributes of these cases makes one infer that it is possible that a hostile operator intentionally caused the interference. In 12 cases the cause of the interference was a terminal that was authorized to transmit to the satellite but had an improper polarization setting and therefore was bleeding energy into the opposite pole (Cross-polarization. In the majority of these cases. further troubleshooting was not done. it is easy to spot the offender since a cross polarized terminal will have some (usually the bulk) of its energy on the correct pole.9%). The results of this classification are shown in Figure 6. or Xpol.

The darker trace shows the current (real time) trace. The lighter trace is the “maximum hold” trace of the spectrum analyzer. Secondly. in 5 of the 21 cases. it has swept out approximately the upper 15 Megahertz of the transponder.with reception by a terminal in Southwest Asia.00 © 2006 IEEE . Figures 9a through 9c show the temporal behavior of another sweeping carrier. i. and the max hold trace shows that in the past. showing a historical record of the highest amplitude recorded by the spectrum analyzer in that frequency. This is an actual screen capture of a sweeper in action. in almost half (9 of 21). and thus can easily raise the noise floor of an authorized carrier to the point that authorized communications are terminated. in fact satellite operators frown on allowing its use. it is the perfect jammer. high C/N CW carrier can be seen at approximately 11. Significantly. This is significant as in general there is little reason to ever intentionally transmit a CW carrier. the cause was documented as a continuous wave (CW) carrier. Figure 9a: Example sequence of a narrowband sweeping carrier t=0 Figure 9b: Example Sequence of Narrowband Sweeper.e. A narrowband. it is more effective to concentrate that power in a high C/N unmodulated carrier than spread it across a wider spectrum. an unmodulated one. The reason is that a narrowband CW carrier can have a much higher carrier/noise ratio than a modulated one. Users attempting to receive a signal on this part of the transponder would experience intermittent outages when the sweeper transmitted on the same frequency. For a given amount of power available at the transmit antenna. the unauthorized carrier varied its center frequency within a set band—a “sweeper”. 
Figure 8: Example of a sweeping interfering carrier 16 14 12 10 Total Unk Inter f er ence Sweepi ng Car r i er s 8 CW car r i er s 6 4 2 0 SWA Eur ope CONUS PAC Figure 7: Classification of unknown origin interference events according to geographic region and characteristics Furthermore and most damningly. The behavior of a sweeping CW carrier can be seen in figure 8. t= +25 minutes Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. every single one of these events occurred to carriers where the receive terminal was in Southwest Asia. This is indicative of potential jammer behavior.1 kHz. During normal operation the only time a satellite operator will allow a CW carrier to be transmitted is during initial lineup of the terminal. In effect.

5.3 Demodulation Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. determining which The following mitigations are recommended by this study: 5. the communications that these carriers support.1 Monitoring An active monitoring program for military communications over commercial satellites is virtually a necessity. are all consistent with the pattern that would be expected if an adversary were attempting to disrupt communications. always starting at the same time each morning. out of material failure or operator error. However. This supports the central thesis of this paper. and attributed to “inadvertent jammers”—non hostile players that. it should be clear that continuous space segment monitoring of commercial satellite communications is a necessity. Given the range of potential transponders to choose from.00 © 2006 IEEE . Without a monitoring program. In one case. The 500+ currently monitored carriers represent a fraction of the total number of carriers on commercial satellites. it is reasonable to deduce that at least some of them were due to hostile interference. inasmuch as they are transmitted in a common medium open to reception by anyone. The logged data available for this study was only available due to a specific contractual requirement to monitor and archive leased bandwidth. and then ceasing until the next day.5. the choice of potential satellites may be in the dozens and the number of transponders up to the 100+ range. it is impossible to keep some characteristics of these carriers secret—in fact the carriers themselves are in the public domain. Given the difficulties in maintaining satellite communications highlighted in this study. and specifically the military units and locations supported. t=+57 minutes 5. and intermittent operations. Figure 9c: Example Sequence of a Narrowband Sweeper. Duration of tickets ranges from 0. how does he/she know which one to jam? 
This highlights the absolute necessity of keeping the transmission plan that documents communication parameters secure. a sweeper’s behavior was quite regular. However. Even if the range of potential target carriers is limited to those commercial satellites with the correct longitude to support communications in a given theater. accidentally interfered with military communications. By their nature. The data from this study suggests that an adversary can disrupt communications on only a portion of a transponder at time. sweeping out a section of a transponder. Commercial satellite operators do not archive their transponder data and in many cases do not monitor it continuously at all. In some cases. must be kept secure. the root cause of many of the problems highlighted in this study would have been unknown. transmitting along a swept frequency for about an hour. 2 Operations Security The ticketing system that recorded these events gives a rough estimate of the duration of impact of these 21 unknown interference events. The next section will address ways to defend against this type of attack. even without the prospect of hostile interference. that military communications across commercial satellites are subject to hostile interference that is relatively easy to execute and difficult to troubleshoot. the sweeper or unauthorized carrier would stop transmitting and then retransmit again. This necessitates a decoupling or firewall between carrier characteristics needed for the satellite operator and operational information that would give an advantage to an adversary. high C/N signal. Combined with the fact that the vast majority of these cases occurred to communication supporting military operations in Southwest Asia.1 hours to two extremely long tickets (2446 and 2043 hours). Conclusions It has been shown that the origin of the majority of interference events (approximately 60%) were ultimately known. This behavior: Unmodulated. 
Throwing out these two instances—the tickets were probably kept open past the time the event cleared—reveals an average event duration of 85 hours.

in some cases an operator becomes “out of sync” with authorized communications plans and transmits a previously authorized carrier on an unauthorized part of a transponder. (2004) Congressional Research Service. Permanent Subcommittee on Investigations.. Exploiting Commercial SATCOM: A better way US Army War College 2003 Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06) 0-7695-2564-4/06 $20. June 2 [4] Gansler. for example. downloaded from http://www.signaltonoise.findarticles. Its use would greatly aid a monitoring agent in sorting out unintentional interference from potentially hostile actions. H. C. 2003 at http://www. and Technologies” Working Paper published on http://www. trends in Vulnerabilities. [2] Satellite Industry Overview: Satellites are Critical Global Infrastructure. and Ninnendijk. “Network Centric Warfare: Background and Oversight Issues for Congress”. Chicago. IL [3] Wilson.ndu.00 © 2006 IEEE .heritage. The ability to determine the modulation type and symbol rate of interfering carriers would significantly aid this process.interferers are benign and which are potentially hostile is a time consuming process. Committee on Government Affairs. would greatly aid the process of determining the source. His carrier characteristics—modulation and encoding type. “Cuban Jamming Demands A Firm Response” (2003) WebMemo #310 published July 22. 2005 GSA/FTS Network Services Conference.. References [1] Rayermann.org 6. and symbol rate—are known. GAO Report to the Ranking Minority Member. Senate August 2002 [6] Tanner.pdf by the National Defense University [5] GAO-02-781:Critical Infrastructure Protection: Commercial Satellite Security should be more fully addressed. S.htm on 10/22/05 [8] Johnson. The ability to demodulate this signal. 15-18 August 2005.com on 10/22/05 [7] The Story of Captain Midnight . The ability to determine that an interferer has.S. TDMA carriers can easily be mistaken for hostile interference. 
an 8PSK modulation type with a symbol rate of 1230 ksps. P. downloaded from http://www. Behind Falun Gong's satellite hack. Threats. J.edu/ctnsp/IaverMao03. U. For example. at least to the point of determining that it is a modulated carrier and not a CW —would allow a monitor to concentrate his/her efforts on actual hostile interferers.net/library/captmidn. “Information Assurance. Commercially available monitoring equipment exists that can perform this type of carrier characterization. J. as on a spectrum analyzer it appears that a narrowband carrier is sweeping out a section of bandwidth.