Sunday, July 15, 2012

Network Security in the Mobile Core: Port Scans to Mobile Devices

It’s no secret that the core of modern mobile switching networks is based on the Internet Protocol.  What’s interesting is that simple network attacks that have been largely mitigated at the data center are finding their way into the mobile core networks.  Two examples of this are port scans and TCP SYN floods from the Internet all the way through the mobile core and to the mobile devices themselves.  The scans have the side-effect of waking up thousands of smart phones at once, causing high CPU on the Radio Network Controllers (RNC) and Serving GPRS Support Nodes (SGSN). This in turn may lead to network congestion and even network outages. This article looks at how the mobile core architecture is susceptible to these attacks and suggests strategies for mitigation.

Running without Firewalls

Mobile switching networks are similar to a typical Internet data center with some interesting exceptions.  First, instead of servers at the back end, they have mobile clients (handsets).  While network traffic is typically initiated from those handsets toward the Internet, nearly all operators allow connections initiated from outside the mobile network to come in, for various reasons.  In one example, an enterprising downstream customer had turned a series of smartphone handsets into security cameras which he would rent out to his customers who then viewed them by initiating web connections from outside the network to the handsets themselves.  In that example, the handsets really are operating as little servers.
However, one very significant difference between a typical data center and a mobile network is that instead of there being thousands of servers, the mobile network has millions of handsets.  With 32% of these handsets being smartphones# capable of running multiple applications simultaneously, the number of concurrent connections that the network must support quickly climbs into the tens of millions.  Conventional network firewall technology does not readily scale at this level so many mobile switching networks have been running without them, developing new architectures along the way.

Flow of Network Attacks

A second significant difference is a much larger control plane in a mobile network versus a typical data center.  Control plane signaling is made up of policy control, the auditing of subscriber data and the mobility management of subscribers as they move from one location to another within their home network or roaming to another roaming partner’s network.  While the operator’s policy control and auditing architecture may be fairly modern, the mobility management infrastructure is often a rework of legacy equipment which frequently has scalability issues in today’s usage environment.
Consider the example of a subscriber’s handset in idle mode (PMM-Idle). When a connection initiated from the Internet enters the network addressed to the IP address of the handset, the SGSN will page for address in the last known routing area.  The RNCs servicing the routing area will also page for the handset and the size of the routing area can be as big as a very large city. When the handset is finally located, a signaling connection will be established between the handset and the SGSN. After this signaling procedure, the handset will be in connected mode (PMM-Connected) and at this time data can flow between the handset and the Internet. The overhead of this signaling procedure is what causes congestion in an operator’s network during an attack.
Table 1 - Control Plane response to single port scan packet in the dataplane
RNC Signaling Messages to locate an idle handset Signals Total
Paging messages 2 2
RRC Connection Setup 2 4
Security Function Setup 4 8
RAB assignment 4 12

Table 1 shows that to deliver packet data to an idle mode handset will require approximately 12 signaling messages in the RNC.

Effect of Network Attacks

A multiplier of 12 signaling messages per data connection doesn’t seem like so much overhead, especially when the connection may be long lived and have hundreds or thousands of packets within it.  The above example appeared to be slightly atypical in the sense that:

  • The handset was idle
  • A connection was coming to it from the Internet
As long as this case stays atypical, the signaling event overhead remains inconsequential.  But this is where the network attacks start to cause trouble.  Two common network attacks, port scans and SYN floods, both mimic incoming connections.  Port scans in particular use a range of destination IP addresses as they search for hosts, meaning that they will affect a different handset with each packet.
If a moderately sized port scan of 1,000 packets-per-second gets into the mobile network during busy hour from the Internet, it will trigger a cascade of additional 12,000 signaling messages per second to the RNCs as the network attempts to locate and connect handsets across the network.  SYN floods can have the same effect, but they are typically sent at much higher rates, though with fewer destination addresses.  Both attacks are extremely common and they move the example from the atypical to the pathological. If operators RNCs or SGSNs cannot scale to handle this type of attacks, it may lead to network congestion or outages. And even if these nodes are scalable, it would be unwise to waste precious and expensive radio resources to such attacks.


In IPv4 networks, one method to solve these problems is use network-address-translation (NAT) technology to protect the traffic.  However NAT has its own set of disadvantages.  It is difficult to NAT tens of millions of connections, especially when operators are required to audit address changes.  Also, as networks move to IPv6, NAT is not an option and the handsets again become exposed to the Internet.
The scalability limitations of conventional firewall technology are forcing mobile operators to consider alternate mitigation methods of these attacks.  Some operators have talked about preventing connections coming into the mobile network from the outside, but they are finding that this stance is not acceptable to their subscribers or their internal managed services departments that are relying on incoming traffic to sell services downstream. As operators migrate to a new architecture where voice is data, connections initiated from outside the mobile network may be inevitable.
Other operators are finding new ways to configure a device already in their network to perform firewall services.  High-capacity application delivery controller (ADC) devices, for example, can use the tried and true technique of SYN cookies to defend against SYN flood attacks.  For port scans, the mobile network operators are using dynamic, programmable scripts on the ADC as whitelists against which to compare the incoming connections.


All mobile operators are moving to the new world of LTE, where everything, including voice, is network traffic.   This vision will still rely on radio networks and IP-based control planes that will still be vulnerable to network attacks.  More smartphones will translate to more concurrent connections, keeping conventional firewall technology out of the mobile network.  And, as the networks move towards an all-IPv6 model, network security will become an even greater challenge since 100% of all handset will be visible to the Internet and will be potential attack targets. Expect the current threat situation to project into the LTE environment and for network operators to continue to find more ways to squeeze better network security out of the high-capacity networking devices they already have. 

About the Autho
David Holmes, Technical Marketing Manager, F5 Networks
About the Company
F5 Networks, Inc., the global leader in Application Delivery Networking (ADN), helps the world’s largest enterprises and service providers realize the full value of virtualization, cloud computing, and on-demand IT. F5® solutions help integrate disparate technologies to provide greater control of the infrastructure, improve application delivery and data management, and give users seamless, secure, and accelerated access to applications from their corporate desktops and smart devices. An open architectural framework enables F5 customers to apply business policies at “strategic points of control” across the IT infrastructure and into the public cloud. F5 products give customers the agility they need to align IT with changing business conditions, deploy scalable solutions on demand, and manage mobile access to data and services. Enterprises, service and cloud providers, and leading online companies worldwide rely on F5 to optimize their IT investments and drive business forward. For more information, go to
See our Converge! One Minute Videos



Post a Comment

See also