It’s no secret that the core of modern mobile switching
networks is based on the Internet Protocol. What’s interesting is that
simple network attacks that have been largely mitigated at the data center
are finding their way into the mobile core networks. Two examples of this
are port scans and TCP SYN floods from the Internet all the way through the
mobile core and to the mobile devices themselves. The scans have the
side-effect of waking up thousands of smartphones at once, causing high CPU
load on the Radio Network Controllers (RNC) and Serving GPRS Support Nodes (SGSN).
This in turn may lead to network congestion and even network outages. This
article looks at how the mobile core architecture is susceptible to these
attacks and suggests strategies for mitigation.
Running without Firewalls
Mobile switching networks are similar to a typical Internet
data center with some interesting exceptions. First, instead of servers at
the back end, they have mobile clients (handsets). While network traffic is
typically initiated from those handsets toward the Internet, nearly all
operators allow connections initiated from outside the mobile network to
come in, for various reasons. In one example, an enterprising downstream
customer had turned a series of smartphone handsets into security cameras,
which he would rent out to his customers, who then viewed them by initiating
web connections from outside the network to the handsets themselves. In
that example, the handsets really are operating as little servers.
However, one very significant difference between a typical
data center and a mobile network is that instead of there being thousands of
servers, the mobile network has millions of handsets. With 32% of these
handsets being smartphones capable of running multiple applications
simultaneously, the number of concurrent connections that the network must
support quickly climbs into the tens of millions. Conventional network
firewall technology does not readily scale at this level, so many mobile
switching networks have been running without it, developing new
architectures along the way.
Flow of Network Attacks
A second significant difference is a much larger control
plane in a mobile network versus a typical data center. Control plane
signaling is made up of policy control, the auditing of subscriber data and
the mobility management of subscribers as they move from one location to
another within their home network or roaming to another roaming partner’s
network. While the operator’s policy control and auditing architecture may
be fairly modern, the mobility management infrastructure is often a rework
of legacy equipment, which frequently has scalability issues in today’s usage
environment.
Consider the example of a subscriber’s handset in idle mode (PMM-Idle).
When a connection initiated from the Internet enters the network addressed
to the IP address of the handset, the SGSN will page for the handset in the
last known routing area. The RNCs serving the routing area will also page for
the handset, and a routing area can be as large as a very large city.
city. When the handset is finally located, a signaling connection will be
established between the handset and the SGSN. After this signaling
procedure, the handset will be in connected mode (PMM-Connected) and at this
time data can flow between the handset and the Internet. The overhead of
this signaling procedure is what causes congestion in an operator’s network
during an attack.
Table 1 – Control plane response to a single port-scan packet in the data plane

RNC signaling messages to locate an idle handset | Signals | Total
Paging messages                                  |    2    |   2
RRC Connection Setup                             |    2    |   4
Security Function Setup                          |    4    |   8
RAB assignment                                   |    4    |  12

Table 1 shows that delivering packet data to an idle-mode handset requires
approximately 12 signaling messages in the RNC.
Effect of Network Attacks
A multiplier of 12 signaling messages per data connection
doesn’t seem like much overhead, especially when the connection may be
long lived and carry hundreds or thousands of packets. The above
example appeared to be slightly atypical in the sense that:
- The handset was idle
- A connection was coming to it from the Internet
As long as this case stays atypical, the signaling event
overhead remains inconsequential. But this is where the network attacks
start to cause trouble. Two common network attacks, port scans and SYN
floods, both mimic incoming connections. Port scans in particular use a
range of destination IP addresses as they search for hosts, meaning that
they will affect a different handset with each packet.
If a moderately sized port scan of 1,000 packets-per-second
gets into the mobile network from the Internet during the busy hour, it will
trigger a cascade of an additional 12,000 signaling messages per second to
the RNCs as the network attempts to locate and connect handsets across the
network. SYN floods can have the same effect, but they are typically sent
at much higher rates, though with fewer destination addresses. Both attacks
are extremely common, and they move the example from the atypical to the
pathological.
If operators’ RNCs or SGSNs cannot scale to handle this type
of attack, it may lead to network congestion or outages. And even if these
nodes are scalable, it would be unwise to waste precious and expensive radio
resources on such attacks.
Solutions
In IPv4 networks, one method to solve these problems is to use
network address translation (NAT) to shield the handsets from inbound traffic.
However NAT has its own set of disadvantages. It is difficult to NAT tens
of millions of connections, especially when operators are required to audit
address changes. Also, as networks move to IPv6, NAT is not an option and
the handsets again become exposed to the Internet.
The scalability limitations of conventional firewall
technology are forcing mobile operators to consider alternative ways of
mitigating these attacks. Some operators have talked about preventing
connections coming into the mobile network from the outside, but they are
finding that this stance is not acceptable to their subscribers or their
internal managed services departments that are relying on incoming traffic
to sell services downstream. As operators migrate to a new architecture
where voice is data, connections initiated from outside the mobile network
may be inevitable.
Other operators are finding new ways to configure a device
already in their network to perform firewall services. High-capacity
application delivery controller (ADC) devices, for example, can use the
tried and true technique of SYN cookies to defend against SYN flood attacks.
For port scans, the mobile network operators are using dynamic,
programmable scripts on the ADC as whitelists against which to compare the
incoming connections.
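As an added example (not code from the original article or from F5), the Python model below applies the 12-message wake-up cost from Table 1 to one second of constructed inbound traffic, contrasting the 1,000 packets-per-second port scan and a SYN flood concentrated on a few addresses described earlier, and shows how an ADC-style whitelist of handsets that may be reached from the Internet stops the paging before it starts. The address ranges, rates and the `allowed` set are constructed assumptions.

```python
from dataclasses import dataclass, field

# Signaling cost from Table 1: paging 2 + RRC setup 2 + security 4 + RAB 4
WAKE_COST = 2 + 2 + 4 + 4  # 12 RNC messages to bring an idle handset up


@dataclass
class CoreModel:
    """Tracks which handsets are PMM-Connected and totals RNC signaling."""
    connected: set = field(default_factory=set)  # handset IPs now in PMM-Connected
    signaling: int = 0                           # RNC signaling messages spent
    forwarded: int = 0                           # packets actually delivered

    def deliver(self, dst_ip):
        """Deliver one inbound packet; an idle handset is paged first."""
        if dst_ip not in self.connected:
            self.signaling += WAKE_COST      # page + RRC + security + RAB
            self.connected.add(dst_ip)       # handset is now PMM-Connected
        self.forwarded += 1


def port_scan(rate):
    """Constructed scan: every packet targets a different handset address."""
    return [f"10.0.{i // 256}.{i % 256}" for i in range(rate)]


def syn_flood(rate, targets):
    """Constructed SYN flood: a high rate spread over only `targets` addresses."""
    return [f"10.1.0.{i % targets}" for i in range(rate)]


def signaling_load(packets, allowed=None):
    """Return (signaling messages, packets forwarded) for one second of traffic.

    `allowed` is a hypothetical ADC whitelist of handsets that may be reached
    from the Internet; packets to any other address are dropped at the edge,
    before the SGSN/RNC paging procedure is ever triggered.
    """
    core = CoreModel()
    for dst in packets:
        if allowed is not None and dst not in allowed:
            continue                         # dropped at the ADC, no signaling
        core.deliver(dst)
    return core.signaling, core.forwarded


if __name__ == "__main__":
    print("port scan 1,000 pps:", signaling_load(port_scan(1000)))
    print("SYN flood 50,000 pps / 100 hosts:", signaling_load(syn_flood(50000, 100)))
    print("port scan with whitelist:", signaling_load(port_scan(1000), {"10.0.0.5"}))
```

The scan costs 12 messages for every packet because each one wakes a different handset, while the whitelisted run pages only the one handset the operator intended to expose.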
Conclusion
All mobile operators are moving to the new world of LTE,
where everything, including voice, is network traffic. This vision will
still rely on radio networks and IP-based control planes that will still be
vulnerable to network attacks. More smartphones will translate to more
concurrent connections, keeping conventional firewall technology out of the
mobile network. And, as the networks move towards an all-IPv6 model,
network security will become an even greater challenge, since 100% of
handsets will be visible to the Internet and will be potential attack
targets. Expect the current threat situation to project into the LTE
environment and for network operators to continue to find more ways to
squeeze better network security out of the high-capacity networking devices
they already have.
About the Author
David Holmes, Technical Marketing Manager, F5 Networks
About the Company
F5 Networks, Inc., the global leader in Application Delivery Networking (ADN), helps the world’s largest enterprises and service providers realize the full value of virtualization, cloud computing, and on-demand IT. F5® solutions help integrate disparate technologies to provide greater control of the infrastructure, improve application delivery and data management, and give users seamless, secure, and accelerated access to applications from their corporate desktops and smart devices. An open architectural framework enables F5 customers to apply business policies at “strategic points of control” across the IT infrastructure and into the public cloud. F5 products give customers the agility they need to align IT with changing business conditions, deploy scalable solutions on demand, and manage mobile access to data and services. Enterprises, service and cloud providers, and leading online companies worldwide rely on F5 to optimize their IT investments and drive business forward. For more information, go to www.f5.com.