By Ronald Sens, EMEA director at A10 Networks
In the evolving landscape of mobile networks, we are beginning to see new vulnerabilities open up through 3G and 4G networks, and it is more than likely that 5G will follow this same fate. Protecting only this Gi Interface is no longer enough for service provider security.
Until recently, the Gi-LAN connecting the EPC (Evolved Packet Core) to the internet was considered to be the most vulnerable part of the service provider network and was protected via Gi-Firewall and anti-DDoS systems. The rest of the EPC links were considered difficult targets for hackers because advanced vendor-specific knowledge was required for a successful attack. Since the typical hacker prefers a soft target, defensive measures weren’t a priority for developers or carriers. Network complexity was a defence in itself.
However, the requisite know-how to attack EPC from other interfaces is now becoming much more common. The mobile endpoints are being infected at an alarming rate, and this means that attacks can come in from the inside of the network. The year 2016 saw a leap in malware attacks, including headline-makers Gooligan, Pegasus, and Viking Horde. Then the first quarter of 2017 saw a leap in mobile ransomware attacks, which grew by 250 percent.
The need for securing the EPC is tied to advances like LTE adoption and the rise of IoT, which are still gaining speed. LTE networks grew to 647 commercial networks in 2017, with another 700 expected to launch this year. With the adoption of LTE, IoT has become a reality—and a significant revenue stream for enterprises, creating a market expected to reach £400 billion by 2022. The time to take a holistic approach to securing the service provider networks has arrived.
There are three primary data paths connecting mobile service providers to the outside world. The first of these is a link to the internet through S/Gi LAN. Next is a link to a partner network that serves roaming users. Last, there is a link for traffic coming from towers. The security challenges and the attack vectors are different on each link. Until recently, the link to the internet was the most vulnerable point of connectivity. DDoS attacks frequently targeted the service provider’s core network on the Gi Link. These attacks were generally volumetric in nature and were relatively easy to block with highly scalable firewalls and DDoS mitigation systems.
The Expanding Attack Surface
The threat landscape is rapidly changing, and attacks can come from other points of connectivity. This has been theoretical until recently; while numerous academic research papers have been published in the past decade suggesting that attacks from partner networks or radio access networks (RANs) were a possibility, those threats are no longer merely an intellectual exercise: they are real. At the same time, the rapid rise of IoT is exposing the threat of malicious actors taking control and weaponising devices against a service provider.
Multiple botnets, such as WireX and its variants, have been found and taken down. So far, these attacks have targeted hosts on the internet, but it’s just a matter of time until they start attacking Evolved Packet Core (EPC) components.
There are multiple weak points in EPC and its key components. Components that used to be hidden behind proprietary and obscure protocols now reside on IP, UDP, or SCTP, which can be taken down using simple DoS attacks.
The attack surface is significantly larger than it used to be, and legacy approaches to security will not work.
A DDoS attack, such as a signaling storm, against an individual entity can be generated by a malicious actor or even by a legitimate source. For example, a misbehaving protocol stack in an IoT device can cause an outage by generating a signaling storm.
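As an added illustration (not from the article or any A10 product), the check below runs a per-source sliding-window rate counter over constructed signaling events. The event tuples, device identifiers and thresholds are all assumptions made for this example; the point is that a single IoT device re-attaching in a tight loop stands out from normal attach traffic long before the aggregate volume looks like a classic flood.

```python
from collections import defaultdict, deque


def generate_events():
    """Constructed sample traffic (not captured data): three healthy devices
    sending one Attach Request per minute, plus one IoT device whose faulty
    protocol stack loops Attach/Detach every 0.2 s for ten minutes."""
    events = []
    for dev in ("imsi-001", "imsi-002", "imsi-003"):
        for t in range(0, 600, 60):
            events.append((float(t), dev, "ATTACH_REQUEST"))
    t = 0.0
    while t < 600:
        events.append((t, "iot-sensor-42", "ATTACH_REQUEST"))
        events.append((t + 0.1, "iot-sensor-42", "DETACH_REQUEST"))
        t += 0.2
    events.sort()                     # (timestamp, source, message) order
    return events


def detect_signaling_storm(events, window_s=10.0, max_msgs=20):
    """Return {source: peak_messages_in_window} for every source that exceeds
    max_msgs signaling messages inside any sliding window of window_s seconds.

    Events are (timestamp_seconds, source_id, message_type) tuples sorted by
    time. A per-source deque holds the timestamps currently inside the window,
    so memory stays bounded by the storm rate, not by the trace length."""
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, src, _msg in events:
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps older than the window
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > max_msgs}


if __name__ == "__main__":
    for src, peak in detect_signaling_storm(generate_events()).items():
        print(f"signaling storm: {src} peaked at {peak} messages per 10 s")
```

The same counter, keyed by tower or cell rather than by device, surfaces a distributed storm coming in from the RAN side; the threshold is the tuning knob an operator would set from observed baseline attach rates.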
Securing the SP Network
To secure the SP network, businesses must improve their defences against DDoS attacks. The best way to achieve this is by utilising an S/Gi Firewall solution together with a DDoS mitigation solution. TPS should also be deployed in the enterprise’s on-premise and cloud IT security infrastructure. With all of these solutions in place it becomes easier to mitigate multi-terabit attacks.
Powerful tools that strengthen these defences can help security professionals detect and mitigate, or stop, a number of advanced attacks aimed specifically at the EPC. The tools used should also allow granular deep packet inspection to protect against user impersonation by means of spoofing, network impersonation, and signalling attacks.
To summarise, in addition to mitigating and stopping terabit-scale attacks coming from the internet and utilising stateful firewall services, it is imperative for enterprises to step up their security measures by using full-spectrum security that protects the whole infrastructure of the business.