
GSM Association Confidential - Full, Rapporteur, Associate and Affiliate Members

Official Document FS.21 - Interconnect Signalling Security Recommendations

Interconnect Signalling Security Recommendations


Version 2.0
20 December 2017

This is a Non-binding Permanent Reference Document of the GSMA

Security Classification: Confidential - Full, Rapporteur, Associate and Affiliate Members
Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is confidential to the
Association and is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and
information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted
under the security classification without the prior written approval of the Association.

Copyright Notice
Copyright © 2017 GSM Association

Disclaimer
The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept
any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information contained in this document.
The information contained in this document may be subject to change without prior notice.

Antitrust Notice
The information contained herein is in full compliance with the GSM Association’s antitrust compliance policy.

V2.0 Page 1 of 29

Table of Contents
1 Introduction 4
1.1 Overview 4
1.2 Scope 4
1.3 Abbreviations 4
1.4 References 6
1.4.1 GSMA Permanent Reference Documents 6
1.4.2 Other References 7
2 Risk Assessment 8
2.1 Basis of Assessment 8
2.1.1 Likelihood 8
2.1.2 Impact 8
2.2 Location Tracking 9
2.2.1 Attack Description 9
2.2.2 Risk Assessment 9
2.2.3 Evidence of Occurrence 10
2.3 Call and Text Message Interception 11
2.3.1 Attack Description 11
2.3.2 Risk Assessment 11
2.3.3 Evidence of Occurrence 12
2.4 Fraud 13
2.4.1 Attack Description 13
2.4.2 Risk Assessment 14
2.4.3 Evidence of Occurrence 14
3 Response and Controls Implementation 15
3.1 Passive Monitoring 15
3.2 Active Testing / Auditing 15
3.3 Implement SMS Home Routing 16
3.4 Filtering on STPs and End Nodes 16
3.5 Implement SS7 Firewall 16
3.6 Implement Diameter Firewall 17
3.7 Implement Advanced Analytics 18
3.8 Consider other Interconnect Signalling Protocol Vulnerabilities 18
3.9 Co-existence of existing networks and SDN/NFV 18
4 Business Case 19
5 RFI/RFP Recommendations 19
6 Use of IP network layer information in Signalling Firewalls 21
6.1 Introduction 21
6.2 Deployment Model 22
6.2.1 Integrated or Separated 22
6.2.2 IP Traffic Routing Options 22
6.3 Combining Information from Different Layers 23
6.3.1 Usage of IP layer Information 24

6.3.2 Usage of IP Firewall Events 24


6.3.3 Implementation Models 27
6.3.4 Combinational Challenges 28
Annex A Document Management 29
A.1 Document History 29
A.2 Other Information 29

1 Introduction

1.1 Overview
Mobile network operators (MNOs) have historically treated all signalling messages received
from outside the network as trusted and necessary. As access to and use of the signalling
networks has evolved, interconnect signalling protocols such as Signalling System number 7
(SS7), Diameter, and the GPRS Tunnelling Protocol (GTP) have been discovered to be
vulnerable to exploitation, potentially enabling attackers to perform eavesdropping, service
denial, location tracking and fraud. The GSMA has produced recommendations for mobile
operators to mitigate these risks and prevent attacks by monitoring and filtering signalling
traffic, leading to greater protection for their customers and businesses. This document
provides a risk-based introduction to the topic in a non-technical manner.

1.2 Scope
This document highlights key risks associated with interconnect security vulnerabilities, and
outlines suggested MNO responses to these risks. This document does not describe
technical vulnerabilities, potential attacks or controls in detail. Instead, it highlights the
technical reference documents available from GSMA on interconnect signalling security, and
how they can be used to support an operator response.

This document also contains recommendations on what factors should be included in a
business case for investment in interconnect signalling security, and some tips on what to
include in a request for information/proposal (RFI/RFP).

Finally, this document describes the use of IP network layer information in signalling firewalls
to provide adequate protection against sophisticated signalling attack scenarios, such as an
attack that starts at the IP network layer on the interconnection and then sends Location
Update requests in SS7 Mobile Application Part (MAP) or Diameter to a specific port.

1.3 Abbreviations
Term Description
API Application Programming Interface
AVP Attribute Value Pair
CAMEL Customized Applications for Mobile networks Enhanced Logic
CC Command Code
CRM Customer Relationship Management
DEA Diameter Edge Agent
DoS Denial of Service
EPC Evolved Packet Core
FASG Fraud and Security Group
FMS Fraud Management System
GPRS General Packet Radio Service
GT Global Title
GTP GPRS Tunnelling Protocol

HLR Home Location Register
ICMP Internet Control Message Protocol
IMSI International Mobile Subscriber Identity
IPFIX IP Flow Information Export
IPX Internet Protocol Exchange
LTE Long Term Evolution
MAP Mobile Application Part
MNO Mobile Network Operator
MSC Mobile Switching Centre
MSISDN Mobile Station International Subscriber Directory Number
MTAN Mobile Transaction Authentication Number
MTP Message Transfer Part
NFV Network Functions Virtualization
OPC Originating Point Code
OS Operating System
OSI Open Systems Interconnection
PRD Permanent Reference Document
RFI/RFP Request for Information / Proposal
SCCP Signalling Connection Control Part
SCTP Stream Control Transmission Protocol
SDN Software-Defined Networking
SIGTRAN Signalling Transport
SIP Session Initiation Protocol
SMS Short Message Service
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol
SS7 Signalling System 7
STP Signal Transfer Point
TCP Transmission Control Protocol
TCAP Transaction Capabilities Application Part
UDP User Datagram Protocol
VLR Visitor Location Register
XML Extensible Markup Language

1.4 References

1.4.1 GSMA Permanent Reference Documents
Several GSMA permanent reference documents (PRDs), summarised below, provide detailed analysis and
recommendations on different aspects of interconnect signalling security. They aim to give operators
practical recommendations for implementing interconnect security controls.

Ref / Doc Number / Title / Summary

[1] GSMA PRD FS.07, SS7 and SIGTRAN Network Security
Provides substantial background on how to handle SS7 messages on the edge of the network. It
describes the handling of the whole SS7 stack, while putting emphasis on the MAP protocol level,
where attacks are most common. It includes an SS7 and Signalling Transport (SIGTRAN) security
analysis and provides a set of countermeasures that can be deployed, i.e. filtering rules and other
security approaches.

[2] GSMA PRD FS.11, SS7 Interconnect Security Monitoring Guidelines and Firewall Guidelines
Describes how to monitor and block SS7 traffic to detect and prevent attacks. It describes how to
effectively monitor traffic, how long to monitor for, and how to classify incoming MAP messages
that are arriving on the interconnection interface. It also describes suspicious SMS activities and
recommended SS7 firewall rules for the handling of MAP and Customized Applications for Mobile
networks Enhanced Logic (CAMEL) vulnerabilities. Based on the recommendations in this document, an
MNO should be able to judge if an SS7 MAP or CAMEL message received at the interconnection
interface is legitimate or not, and apply appropriate firewall rules to protect its network.

[3] GSMA PRD IR.82, SS7 Security Network Implementation Guidelines
Outlines general SS7 security measures, including measures specific to SMS security, and the
possible enforcement point for each measure. It should be seen as a toolbox for MNOs, as not every
measure mentioned in this document can be deployed in every network.

[4] GSMA PRD FS.19, Diameter Interconnect Security
Describes potential Diameter-related interconnection attacks and recommended countermeasures. It
covers routing attacks, denial of service, location tracking and other types of Diameter based
interconnection attacks, plus attacks related to Diameter/SS7 interworking. Potential future threats
are also described. It also describes recommended Diameter firewall rules for the handling of
Command Code (CC) and Attribute Value Pair (AVP) vulnerabilities. Based on the recommendations in
this document, an MNO should be able to judge if a CC received at the interconnection interface is
legitimate or not, and apply appropriate firewall rules to protect its network.

[5] GSMA PRD FS.20, GPRS Tunnelling Protocol (GTP) Security
Describes GTP vulnerabilities and the types of attacks a mobile network is exposed to via the
GRX/IPX network or the Internet. It also describes mitigation strategies and countermeasures.

[6] GSMA PRD SG.22, SMS Firewall Best Practices and Policies
Provides high level guidelines to help operators implement and manage policies for SMS firewalls
and to provide suggestions, where appropriate, on possible corrective actions.

[7] GSMA PRD IR.70, SMS SS7 Fraud
Defines SMS fraud cases and provides the technical definitions for each case.

[8] GSMA PRD IR.71, SMS SS7 Fraud Prevention
Describes ways for operators to identify the SMS SS7 attacks described in IR.70 on their networks
and makes recommendations on how to prevent such attacks.

[9] GSMA PRD IR.77, Inter-operator IP Backbone Security Requirements for Service and Inter-operator IP Backbone Providers
Defines security requirements for service providers and Internet Protocol Exchange (IPX) providers,
covering internal security of the IPX network, security between different IPX provider networks,
and IPX-related security in service provider networks.

[10] GSMA PRD IR.88, LTE and EPC Roaming Guidelines
Describes how Long Term Evolution (LTE) and Evolved Packet Core (EPC) networks can interwork to
provide roaming services for users. Part of the document describes LTE-related security measures,
providing an LTE counterpart to PRD IR.82. It contains a security toolbox for Diameter, Stream
Control Transmission Protocol (SCTP), GTP and interface specific recommendations, e.g. S6a, S9, S8.
It also tackles legacy interworking, SMS security and charging and policy related security aspects.

1.4.2 Other References

Ref / Doc Number / Title
[11] RIFS#3 Doc 004, Gateway MSC Bypass

2 Risk Assessment
This section summarises the following attack types, considered to represent the highest
threats to MNOs and their customers:

• Location Tracking
• Call and Text Message Interception
• Fraud

MNOs are encouraged to mitigate at least these threats, which will position them well to
evolve their mitigation strategy to cover a broader range of threats over time.

Detailed descriptions of potential attacks against SS7 MAP, Diameter and GTP are
contained in GSMA PRDs FS.07 [1], FS.19 [4] and FS.20 [5] respectively. Note that there
may be several different ways of carrying out an attack, and an attacker can adjust the attack
method depending on how a network responds to initial attack attempts. Those documents
also cover further threats, e.g. DoS and theft of cryptographic key material.

The content of this section is focussed on SS7 MAP, as that is the protocol subject to most
research and analysis at present. To a large extent the same risks apply in a similar way to
Diameter, as described in [4], and are therefore not repeated here. Descriptions of the
Diameter-based attack scenarios and their taxonomy can be found in [4]. The full list of
Diameter Command Codes (CCs) and Attribute Value Pairs (AVPs) that could be used to
perform Diameter-based attacks can be found in Appendix A of [4]. Several approaches may
be possible, using variations or subsets of the CCs and AVPs specified there.

In addition, the risks should also be considered in the context of other protocols (e.g. GTP
(see [5]), RADIUS and Session Initiation Protocol (SIP)).

2.1 Basis of Assessment
The following approach is used in this document for rating risks.

2.1.1 Likelihood
Likelihood is the probability that a risk occurs within one year with a material frequency. It is
rated low, medium or high as follows. MNOs may wish to make a more precise individual
assessment based on local factors.

Rating – Description
Low – Risk is unlikely to materialize, or will materialize with low frequency.
Medium – Risk is likely to materialize at some point, or will materialize with a moderate frequency.
High – Risk is highly likely to materialize at some point, or will materialize with a high frequency.

Table 1 – Risk Likelihood Scale

2.1.2 Impact
Impact could manifest itself in a number of ways (legal/regulatory, reputational, financial,
operational and strategic), therefore the impact in each area is classified separately as low,
medium or high. MNOs may wish to make a more precise individual assessment based on
local factors.

Impact Type – Description
Legal/regulatory – Regulatory or legal breach that could lead to disciplinary action, fines, or
cessation of service.
Reputation – Damage to the image of an MNO, or a specific product/service.
Financial – Financial loss for the MNO, per year, as a percentage of annual revenue.
Operational – Loss or reduction of operational service for the MNO, or increased effort to
maintain service.
Strategic – Loss or reduction of capability to achieve the MNO's strategic objectives.

Table 2 - Impact Types

2.2 Location Tracking

2.2.1 Attack Description
This attack type determines the location of targeted subscribers on a one-off or repeated
basis without their permission and without the authorisation of their MNO. Location tracking
can be performed by an attacker located anywhere in the world who knows only the targeted
subscriber's mobile phone number, and queries can return location information down to the
individual mobile cell level.

Finding a targeted victim's location may be the end goal of an attacker, or it may be the first
step of another attack type (e.g. call interception).

The full list of MAP messages that could be used to perform SS7-based attacks can be
found in Appendix A of [2]. Several different attack approaches may be possible, using
variations or subsets of the messages specified there. The taxonomy of the attacks can be
found in [1].

2.2.2 Risk Assessment

2.2.2.1 Likelihood
High – this risk is highly likely to materialize at some point or will materialize with a very high
frequency. This assessment is based on the following:

• Many MNOs have detected messages used for location tracking through their
  monitoring programmes.
• There are third party location tracking services advertised and discovered on the
  Dark Web as well as the public Internet. These services use SS7 network access to
  provide global location tracking without the knowledge of the MNOs that serve the
  targeted subscribers.
• Only the subscriber's Mobile Station International Subscriber Directory Number
  (MSISDN) is needed to retrieve the subscriber's International Mobile Subscriber
  Identity (IMSI), the serving Mobile Switching Centre (MSC)/Visitor Location Register
  (VLR) address and the Home Location Register (HLR) address.
• The risk of location tracking is expected to remain high or increase in future due to:
    • continued ease of access by unauthorised parties to the SS7 network (e.g.
      through irresponsible SS7 global title leasing practices by some MNOs) or via
      compromised and unhardened network elements;
    • increased general awareness of unaddressed vulnerabilities from research output
      and media coverage; and
    • reduced cost, effort and knowledge needed to perform attacks due to the
      development of tools and services facilitating or automating attacks.

2.2.2.2 Impact
Type – Rating: Notes
Legal/regulatory – Medium: Breach of customer data privacy laws. Potential for disciplinary
action by the regulator and/or legal action by the victim.
Reputation – High: Potential for national or international damage to brand and reputation.
Mainstream media coverage likely, especially if victims have a public profile.
Financial – Low: No direct financial impact. Potential for indirect financial impact as a result
of legal/regulatory action.
Operational – Low: Potential increased load on network nodes if receiving high volumes of
illegitimate messaging.
Strategic – Low: Damage to reputation may hinder progress towards strategic objectives.

Table 3 - Location Tracking via SS7 – Impact Assessment

2.2.3 Evidence of Occurrence
Advanced location tracking services have been found and reported within the GSMA Fraud
and Security Group (FASG) that track subscribers within various countries around the world.

See also:

• https://wikileaks.org/hackingteam/emails/emailid/20790
• https://www.adaptivemobile.com/blog/tracking-the-trackers
• Vodafone Summary of SS7 Cat1 misuse (RIFS Doc 17_012)
• Improvements to Deutsche Telekom reporting approach (RIFS Doc 17_008)
• Orange SS7 Vulnerability Audit Results (RIFS Doc 9_15)

Figure 1 – Screenshot from Dark Web highlighting location tracking service activity

2.3 Call and Text Message Interception

2.3.1 Attack Description
This attack type gives the attacker access to the contents of the targeted subscriber's calls
and text messages, and the ability to redirect mobile-originated calls to any destination. The
primary attack motives are as follows:

• Call interception for eavesdropping: This involves the retrieval of network and
  subscriber information for targeting, and the manipulation of MAP messages as well
  as of subscriber profiles on the VLR. This is a classic man-in-the-middle attack for
  eavesdropping on voice calls and SMS.
• SMS hijacking: This attack may be used by attackers who are compromising a
  subscriber's banking or credit card accounts and need to reset the targeted
  subscriber's account passwords. The SMS-based two-factor authentication these
  institutions use when resetting passwords is defeated by intercepting the SMS,
  without the victim's knowledge.
• Call hijacking: Calls may be rerouted to the attacker's network for the purposes of
  artificial inflation of traffic (traffic pumping) and inter-carrier fraud. Interactive voice
  response (IVR) recordings may be used to trick the caller into remaining on the line
  as long as possible.

The full list of MAP messages that could be used to perform SS7-based attacks can be
found in Appendix A of [2]. Several different attack approaches may be possible, using
variations or subsets of the messages specified there. The taxonomy of the attacks can be
found in [1].

2.3.2 Risk Assessment

2.3.2.1 Likelihood
High – this risk is highly likely to materialize for an MNO or will materialize with a very high
frequency. The overall likelihood of call and text message interception attacks taking place
on a network is high, especially as an attack may be carried out from anywhere in the world.
The proportion of customers affected is likely to depend on the attack type, as follows:

• Individuals with a high profile and/or influence (e.g. in politics, business,
  entertainment, sport) are the most likely targets for call eavesdropping due to the
  value of the information that may be gained by the attacker. However, all subscribers
  are exposed to this risk and may be targeted depending on the perceived value of
  the information they hold for the attacker.
• The likelihood of a subscriber being subject to an SMS interception attack is high,
  especially if personal details belonging to the targeted subscriber have already been
  obtained by the attacker (e.g. via phishing or a customer data breach) as part of a
  larger attempt to compromise a bank account or other service account held by the
  targeted subscriber.
• Since the motivation for call hijacking is to artificially inflate traffic volumes, the
  attacker may seek to perform a large-scale attack, maximising the number of call
  redirects and affected subscribers.

2.3.2.2 Impact
Type – Rating: Notes
Legal/regulatory – High: Breach of privacy could result in regulatory fines as well as
penalties and assessments from lawsuits.
Reputation – High: Potential for national or international damage to brand and reputation.
Mainstream media coverage likely, especially if victims have a public profile.
Financial – Low: No direct impact unless this is artificial inflation of traffic (traffic pumping),
in which case inter-carrier fraud may result in lost revenues paid out to fraudulent carriers.
Operational – Low: No impact on the operation of the network given the target is an
individual, and thus the signalling traffic is low. However, attacks may disrupt the business
and result in resources being pulled from normal work to respond.
Strategic – Medium: Damage to reputation and loss of public trust in the ability of the MNO to
provide privacy for calls and SMS may hinder progress towards strategic objectives.

Table 4 – Call and SMS Interception via SS7 – Impact Assessment

2.3.3 Evidence of Occurrence
There is evidence that commercial service providers and malicious attackers are exploiting
these weaknesses. See the links below.

• “For $20M, These Israeli Hackers Will Spy On Any Phone On The Planet”
  http://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/#5e8633057595
• Bulgarian company - Global Innovator in Wiretapping
  https://bivol.bg/en/bulgarian-company-global-innovator-in-wiretapping.html

Figure 2 – Screenshot from Dark Web service provider

2.4 Fraud

2.4.1 Attack Description
Several types of fraud, referred to in [1] as “illegitimate charge”, can be perpetrated against
MNOs and/or their customers by exploiting SS7 MAP vulnerabilities. Potential fraud
scenarios include:

• Transfer of prepaid credits from subscriber to attacker
• Altering the subscriber profile in the HLR to change a prepaid account to post-paid
• Billing one subscriber's services to another
• Provisioning high-value services for subsequent fraudulent abuse
• Restoration of barred services or suspended subscriptions
• Artificial inflation of traffic via call redirection (as described in section 2.3)
• Triggering fraudulent mobile money service transactions (via USSD)
• Intercepting a bank MTAN (Mobile Transaction Authentication Number) to perform
  banking fraud
• Access to a bitcoin wallet via an SMS password reset on a compromised e-mail account.

Besides these attacks, SMS fraud is also possible, as described in [7] and [8]:

• SMS faking/spoofing
• SMS phishing/spam.

The full list of MAP messages that could be used to perform SS7-based attacks can be
found in Appendix A of [2]. Several different attack approaches may be possible, using
variations or subsets of the messages specified there. The taxonomy of the attacks can be
found in [1].

2.4.2 Risk Assessment

2.4.2.1 Likelihood
Medium: Although not yet reported within GSMA by MNOs, this risk is likely to materialize,
given the financial incentives for attackers and the continuous evolution of methods to
commit fraud. As operators deploy SMS home routing, the likelihood of a successful attack
decreases.

Identification of SS7 exploitation as the root cause of the fraud, and reporting of this within
the industry, could be delayed if the targeted MNO is not familiar with interconnect security
risks, is not performing SS7 monitoring, or is not active in industry bodies such as GSMA
FASG.

SMS fraud is common, and most MNOs are already actively managing the associated risks.
This topic is documented separately (see [7] and [8]).

2.4.2.2 Impact
Type – Rating: Notes
Legal/regulatory – Low: Potential for legal action against the MNO by victims of fraud.
Reputation – Medium: Damage to the perceived integrity of mobile services and of billing as
a result of unauthorised changes and charges on targeted customer accounts. Potential for
national or international reputational impact. Mainstream media coverage likely, especially
if victims have a public profile.
Financial – High: Potentially significant loss of service revenue. Potential financial loss due
to settlement with roaming and interconnect partners. Potential abuses and losses on mobile
money services. Potential for indirect financial impact as a result of legal/regulatory action
via affected customers.
Operational – Low: Potential increased load on network nodes if receiving high volumes of
illegitimate messaging. Fraudulent attacks may disrupt the business and result in resources
being pulled from normal work to respond.
Strategic – Medium: Reputational damage may hinder progress towards strategic objectives.

Table 5 - Fraud perpetrated via SS7 – Impact Assessment

2.4.3 Evidence of Occurrence
Several fraud scenarios perpetrated through the manipulation of MAP messages have been
reported by researchers and validated by MNOs. At the time of writing, one incident of
MTAN interception to enable banking fraud has been reported within FASG. However,
identification of SS7 exploitation as the root cause of fraud and reporting of this within the
industry could be delayed in other cases if the targeted MNO is not familiar with interconnect
security risks, is not performing SS7 monitoring or is not active in industry bodies such as
GSMA FASG.

SMS-based fraud (faking, spoofing, spam, phishing) is commonly reported within FASG.

3 Response and Controls Implementation
An MNO's response to each threat can be incremental. To decide on what response is most
appropriate for them, MNOs are recommended to evaluate each approach outlined below for
their own network under the following headings:

• What is the risk tolerance of the company?
• What are the gaps in current coverage?
• What skill sets will be required to implement appropriate measures?
• What changes will be required to the network/signalling architecture?
• What is the impact on existing network elements?
• What are the costs for initial implementation, and for ongoing operations and
  maintenance?
• What signalling visibility exists, and what is required?
• What level of protection will a control provide now, and how might that change in
  future (on the assumption that attacks will evolve)?

3.1 Passive Monitoring
Introducing monitoring of interconnect signalling traffic is a first step towards understanding
what level of illegitimate traffic is being received by (or sent from) the mobile network, and its
results can be used to assess the priorities for further action.

MNOs usually already have network monitoring capabilities in place, so introducing
monitoring should not involve any significant investment or risk. However, most probes
measure performance and QoS of the core network and do not monitor traffic across the
interconnect links, so some redeployment or reconfiguration may be necessary.

The SS7 international signalling carrier used by an MNO may be able to monitor the
international interconnects on behalf of the MNO (for a charge, but without capital
investment by the MNO). This approach would not cover national interconnects, which would
still need to be monitored by the MNO itself. Note that some MNOs may prefer to perform all
interconnect monitoring (national and international) in-house, so that alerting and alarming
can be linked directly to the network operations centre and be fully managed internally.

3.2 Active Testing / Auditing
An MNO can arrange (e.g. with an external service provider, or another entity within a
corporate operator group) for a set of expected and unexpected interconnect signalling
messages to be sent to its network, so that it can monitor and report on the results (which
messages are permitted, which actions are triggered, which responses are returned). This
allows the operator to understand the vulnerabilities that exist within its network, and to
prioritise next steps. Building capabilities for continuous external auditing will provide
ongoing assurance.

Caution should be taken to ensure that testing does not negatively impact the production
network, and the use of laboratory test environments is recommended to evaluate e.g. new
configurations. FS.19 [4] contains network penetration testing and auditing
recommendations for Diameter that can be applied generally to any interconnect protocol.

3.3 Implement SMS Home Routing


In addition to protecting against SMS faking and spam, SMS home routing prevents the IMSI
of the subscriber from being disclosed in response to SRI for SM messages (SS7) and
Send-Routing-Info-for-SM-Request (SRR) messages (Diameter), and conceals the fact that a
subscriber may be roaming.

Although SMS home routing impedes the distribution of the IMSI via SS7 and Diameter, it
doesn’t protect the network against vulnerabilities where the attacker has found alternative
means of access to the IMSI. See GSMA PRD FS.11 [2] section 3.7 for further details about
how SMS home routing can be bypassed in certain scenarios to exploit SS7 vulnerabilities,
and see FS.19 [4] section 3.3.7.2 and section 5.5.1 for attacks via Diameter made easier if
home routing is not effective. Hence the operator may wish to consider using an SS7 firewall
and/or Diameter firewall solution to protect the network, based on the assumption that the
attackers have access to the IMSI.

3.4 Filtering on STPs and End Nodes


Some signal transfer points (STPs) and end nodes support filtering capabilities, and allow
white listing of permitted messages and blocking of messages that should never be
received. It may be possible to define rules that allow MNOs to control who has access to
the network, and what level of access they should be allowed, across multiple SS7 protocol
layers. Some end nodes and STPs may require upgrades or additional filtering features to
be added to support these capabilities.

Each network may be different and may allow the receipt of certain messages to support
specific services. Some investigation of why certain non-standard SS7 messaging (incoming
or outgoing) should remain with all or a subset of roaming /interconnect partners may be
necessary, and a white list should be established to continue permitting receipt of those
messages to avoid disruption to the related services.

3.5 Implement SS7 Firewall


An SS7 firewall can be a standalone appliance, part of a combined SS7 and Diameter firewall,
or SS7 firewall functions can be implemented on STPs and end nodes. The SS7 firewall
functions should be implemented at the network edge, as messages enter the network, for
optimal message processing. This is basic network access control. Example capabilities
include:

• Blocking messages with no MAP OpCode present or containing unused OpCodes
• Stateful checks of Transaction Capabilities Application Part (TCAP) transactions to detect TCAP dialogue irregularities
• Stateful checks and blocking/modification of application part messages (e.g. MAP, CAMEL)
• Consistency checks of the information in messages across SS7 layers
• Real time monitoring of all protocols that could enable attacks if other signalling protocols are supported (e.g. MAP, Diameter, SIP, RADIUS, and GTP)
• Global Title (GT) based monitoring and blocking
• Full analytics combining signalling with customer relationship management (CRM) system and fraud management system (FMS) data for full context

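The OpCode and stateful TCAP capabilities listed above, as an added illustration that is not GSMA, FS.11 or vendor code: it models an SS7 firewall's inbound checks on simplified, already-decoded messages, uses constructed global titles and transaction IDs, and assumes an operator-chosen whitelist of MAP operation codes (the code values themselves are those of 3GPP TS 29.002).

```python
"""Illustrative SS7 firewall checks (added example; not GSMA, FS.11 or vendor code).

Models three capabilities from the list above on simplified, already-decoded
messages: MAP OpCode whitelisting, stateful TCAP dialogue tracking, and one
cross-layer consistency check. Global titles and transaction IDs passed in by
the caller are constructed sample values; a real deployment would feed this
from an SCCP/TCAP decoder at the network edge.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BEGIN, CONTINUE, END, ABORT = "Begin", "Continue", "End", "Abort"

# MAP operation codes (3GPP TS 29.002) permitted at the interconnect in this
# example. Which codes to allow is an operator decision; this subset is
# constructed for the illustration.
ALLOWED_OPCODES: Dict[int, str] = {
    2: "updateLocation",
    44: "mt-forwardSM",
    45: "sendRoutingInfoForSM",
    46: "mo-forwardSM",
    56: "sendAuthenticationInfo",
}


@dataclass
class Ss7Message:
    calling_gt: str                   # SCCP calling party global title
    called_gt: str                    # SCCP called party global title
    tcap_type: str                    # Begin, Continue, End or Abort
    otid: Optional[str] = None        # originating transaction ID (hex string)
    dtid: Optional[str] = None        # destination transaction ID (hex string)
    opcode: Optional[int] = None      # MAP opcode of an Invoke component, if any
    vlr_number: Optional[str] = None  # MAP vlr-Number carried in updateLocation


class Ss7Firewall:
    """Screens inbound messages. Outbound Begins are reported to the firewall so
    that inbound Continue/End/Abort can be matched to a dialogue a home node
    actually opened."""

    def __init__(self, allowed: Optional[Dict[int, str]] = None):
        self.allowed = ALLOWED_OPCODES if allowed is None else allowed
        self.home_opened = set()   # otids of dialogues opened by home nodes
        self.peer_opened = set()   # (peer GT, otid) of dialogues opened inbound

    def note_outbound_begin(self, otid: str) -> None:
        self.home_opened.add(otid)

    def close_peer_dialogue(self, peer_gt: str, otid: str) -> None:
        """Called when the home network ends a dialogue that a peer opened."""
        self.peer_opened.discard((peer_gt, otid))

    def check(self, msg: Ss7Message) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for one inbound message."""
        # Application-part rule: any Invoke present must carry a permitted OpCode.
        if msg.opcode is not None and msg.opcode not in self.allowed:
            return "block", f"unused or unsupported MAP OpCode {msg.opcode}"

        if msg.tcap_type == BEGIN:
            if msg.opcode is None:
                return "block", "TCAP Begin without a MAP OpCode"
            # Cross-layer consistency: in updateLocation the MAP vlr-Number
            # should match the SCCP calling party GT of the sending VLR.
            if msg.opcode == 2 and msg.vlr_number != msg.calling_gt:
                return "block", "vlr-Number does not match SCCP calling GT"
            key = (msg.calling_gt, msg.otid)
            if key in self.peer_opened:
                return "block", "TCAP Begin re-uses an active transaction ID"
            self.peer_opened.add(key)
            return "allow", f"new dialogue: {self.allowed[msg.opcode]}"

        if msg.tcap_type in (CONTINUE, END, ABORT):
            # Stateful TCAP rule: a peer may only continue or end a dialogue
            # that a home node opened; anything else is a dialogue irregularity.
            if msg.dtid not in self.home_opened:
                return "block", f"TCAP {msg.tcap_type} for unknown transaction"
            if msg.tcap_type in (END, ABORT):
                self.home_opened.discard(msg.dtid)
            return "allow", f"{msg.tcap_type} matched an open dialogue"

        return "block", f"unexpected TCAP message type {msg.tcap_type!r}"
```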

Different deployment options for SS7 firewall functions are possible. The following factors
should be considered by an MNO in consultation with its suppliers when deciding which
option to use:

• Latency introduced by firewall functions;
• Level of protection provided;
• Visibility and control provided;
• Resistance against failure; and
• Impact of malfunction.

An analysis of signalling firewall deployment models is contained in Error! Reference source not found.

A MNO’s signalling carrier may be able to provide a firewall function for the operator.

It is preferable to have flexible programming capabilities for SS7 firewall rules and the
capability to screen messages across the multiple layers of the SS7 stack. This will offer
MNOs the ability to protect their networks against discovered SS7 vulnerabilities. FS.11 [2]
contains recommended SS7 firewall rules. FS.11 also contains recommended SS7 firewall
data logging formats, to facilitate integration of the signalling firewall with other technical
elements for analytics and reporting, and for sharing information between MNOs.

A MNO may also wish to consider deploying an SMS firewall. See SG.22 [6] for SMS firewall
best practices and policies.

3.6 Implement Diameter Firewall


A Diameter firewall can be a standalone appliance, part of a combined SS7 and Diameter
firewall, and/or Diameter firewall functions can be implemented on Diameter Edge Agents
(DEAs) and end nodes. Example capabilities include:

• Sets of Diameter firewall rules for:
  - Diameter Category 0: fundamental filtering, e.g. a rule for “Unexpected AVP”
  - Diameter Category 1: basic filtering, e.g. a rule for “Command Code values not allowed/supported on the Point-of-Interconnect”
  - Diameter Category 2: robust filtering, e.g. a rule for “Command Code where the target IMSI relates to one of the protected network’s own subscribers”
  - Diameter Category 3: advanced filtering, e.g. a rule for “Comparing last seen Location Update with the Origin-Host and Origin-Realm in received messages”
• Specific rules for Diameter protocol vulnerabilities:
  - Non-3GPP vendor specific AVPs: verify whether non-3GPP vendor specific AVPs are allowed between networks
  - Nesting level of grouped AVPs: control of the maximum nesting level of grouped AVPs over interconnection interfaces
  - Encoding risks of AVPs: for example, checks to determine whether an AVP has been defined as UTF8String, OctetString, DiameterIdentity and/or whether an address format contains purposely manipulated contents with the objective of introducing unintended behaviour
  - Signalling risks of AVPs: control on the use of the Command Code (CC) and the information included in an AVP or combination of AVPs
  - Diameter filtering evasion and business logic manipulation attacks: checks on vulnerabilities like AVP doubling and AVP type manipulation and exploitation
• Additional capabilities like the possibility to define customized filtering rules
• An interworking function in networks using both SS7 and Diameter for the handling of international mobile roaming services
• Full analytics combining signalling with customer relationship management (CRM) system and fraud management system (FMS) data for full context

It is preferable to have flexible programming capabilities for Diameter firewall rules and
capabilities to screen vendor specific AVPs, cross-check AVPs transferred at multiple
nesting levels of Grouped AVPs and perform profiling checks based on correlating
messages. This will offer MNOs the ability to protect their networks against newly-discovered
Diameter vulnerabilities. GSMA PRD FS.19 [4] contains recommended Diameter firewall
rules. FS.19 also contains recommended Diameter firewall data logging formats, to facilitate
integration of the signalling firewall with other technical elements for analytics and reporting,
and for sharing information between MNOs.

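An added illustration of the AVP-level rules listed above (unexpected AVP, non-3GPP vendor-specific AVPs, nesting level of grouped AVPs, encoding checks and AVP doubling), not GSMA, FS.19 or vendor code: it parses AVPs in their RFC 6733 wire format and screens a constructed S6a Update-Location-Request; the expected-AVP list, the nesting limit and all sample values are assumptions.

```python
"""Illustrative Diameter AVP screening (added example; not GSMA, FS.19 or vendor code).

Parses AVPs in their RFC 6733 wire format (code, flags, 24-bit length, optional
Vendor-Id, data padded to 4 bytes), descends into Grouped AVPs, then applies
checks from the list above to an S6a Update-Location-Request: unexpected AVPs,
non-3GPP vendor AVPs, Grouped-AVP nesting depth, AVP doubling and DiameterIdentity
encoding. Sample messages come from a constructed encoder; the expected-AVP list
and nesting limit are assumptions an operator would set per interface.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

VENDOR_3GPP = 10415
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40
MAX_NESTING = 2                                   # assumed limit for Grouped AVPs
GROUPED = {(628, VENDOR_3GPP)}                    # Supported-Features (3GPP TS 29.229)
DIAMETER_IDENTITY = {264, 296, 293, 283}          # Origin-/Destination-Host/Realm
SINGLE_OCCURRENCE = {263, 264, 296, 283, 293, 1}  # Session-Id ... User-Name
EXPECTED_ULR = SINGLE_OCCURRENCE | {277, 1032, 1405, 1407, 628}  # constructed subset

@dataclass
class Avp:
    code: int
    vendor: Optional[int]
    data: bytes
    depth: int

def encode_avp(code: int, data, vendor: Optional[int] = None) -> bytes:
    """Constructed encoder, used only to build the sample messages."""
    if isinstance(data, str):
        data = data.encode()
    hdr_len = 12 if vendor is not None else 8
    flags = FLAG_MANDATORY | (FLAG_VENDOR if vendor is not None else 0)
    out = struct.pack("!IB", code, flags) + (hdr_len + len(data)).to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)

def parse_avps(buf: bytes, depth: int = 0, out: Optional[List[Avp]] = None) -> List[Avp]:
    """Flatten all AVPs, including nested ones, tagged with their nesting depth."""
    out = [] if out is None else out
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & FLAG_VENDOR else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError(f"bad length {length} for AVP {code}")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr_len == 12 else None
        data = buf[off + hdr_len:off + length]
        out.append(Avp(code, vendor, data, depth))
        if (code, vendor) in GROUPED:
            parse_avps(data, depth + 1, out)
        off += length + (-length % 4)  # skip padding to a 4-byte boundary
    return out

def screen_ulr(avps: List[Avp]) -> List[str]:
    """Return the rule violations found; an empty list means the message passes."""
    findings: List[str] = []
    counts: Dict[int, int] = {}
    for a in avps:
        if a.depth > MAX_NESTING:
            findings.append(f"AVP {a.code} nested {a.depth} levels deep")
        if a.vendor not in (None, VENDOR_3GPP):
            findings.append(f"non-3GPP vendor {a.vendor} AVP {a.code}")
        if a.depth == 0:
            counts[a.code] = counts.get(a.code, 0) + 1
            if a.code not in EXPECTED_ULR:
                findings.append(f"unexpected AVP {a.code}")
        if a.code in DIAMETER_IDENTITY:
            text = a.data.decode("ascii", "replace")
            if "\x00" in text or "\ufffd" in text or any(c.isspace() for c in text):
                findings.append(f"malformed DiameterIdentity in AVP {a.code}")
    for code, n in counts.items():
        if n > 1 and code in SINGLE_OCCURRENCE:
            findings.append(f"AVP {code} doubled ({n} occurrences)")
    return findings

def build_sample_ulr(hostile: bool = False) -> bytes:
    """Constructed ULR AVP payload (Diameter header omitted), clean or hostile."""
    sf = encode_avp(628, encode_avp(266, b"\x00\x00\x28\xaf")
                    + encode_avp(630, b"\x00\x00\x00\x01", VENDOR_3GPP), VENDOR_3GPP)
    avps = [
        encode_avp(263, "mme1.epc.mnc001.mcc262.3gppnetwork.org;1513764000;1"),
        encode_avp(264, "mme1.epc.mnc001.mcc262.3gppnetwork.org"),
        encode_avp(296, "epc.mnc001.mcc262.3gppnetwork.org"),
        encode_avp(283, "epc.mnc010.mcc234.3gppnetwork.org"),
        encode_avp(1, "234100000000001"),                    # User-Name = IMSI
        encode_avp(1032, b"\x00\x00\x03\xec", VENDOR_3GPP),  # RAT-Type EUTRAN
        sf,
    ]
    if hostile:
        avps[1] = encode_avp(264, "mme1.evil\x00host.example")  # NUL in identity
        avps += [encode_avp(1, "262010000000002"),             # User-Name doubled
                 encode_avp(2000, b"\x01", 99999),             # constructed non-3GPP AVP
                 encode_avp(628, encode_avp(628, sf, VENDOR_3GPP), VENDOR_3GPP)]
    return b"".join(avps)
```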
3.7 Implement Advanced Analytics


Advanced analytics is critical to identifying new attacks and understanding the impact on
subscribers. Combining signalling data with subscriber data can provide context to an attack,
potentially identifying an important customer rather than just an IMSI. The business case for
investment in analytics may be strengthened if the analytics solution (e.g. big data
implementation) can also provide value to other business functions.

Defending against some attacks may require the use of analytics, such as analysing
UpdateLocation messages to ensure they are coming from a legitimate source. However,
analytics is not necessary to assess the message type and other parameters used to
determine if these messages should be allowed into the network.

3.8 Consider other Interconnect Signalling Protocol Vulnerabilities


The GPRS Tunnelling Protocol (GTP) is also used across interconnections, both for
signalling to control the packet data sessions of subscribers and for transporting their packet
data traffic. Like SS7 and Diameter, GTP interfaces are exposed to external networks, so
MNOs need to consider applying controls to protect their network. Checks by the existing
network elements, as well as the introduction of a GTP firewall at the network edge towards
the GRX/IPX network, are recommended. Details on GTP security, attacks, exposure, and
countermeasures can be found in FS.20 [5].

3.9 Co-existence of existing networks and SDN/NFV


As MNOs begin the deployment of network function virtualization (NFV) (and later software-
defined networks (SDN)), the very nodes that are protecting the network will also need to be
virtualized. New attack vectors will be introduced through virtualization, so it is important to
understand the impact of virtualization.


There will most likely be a micro-service for security in an NFV environment that will provide
much of the functionality needed to protect the network core, but agnostic from the access
technology. This is an important consideration as it provides extended protection, but
because of the vulnerabilities we have seen to date, security will have to exist in both the
virtual network function and as a micro-service.

4 Business Case
Points that could be developed and included in a business case for investment in
interconnect signalling controls are provided below:

• The primary factor in a business case is protection of the MNO brand and reputation by providing customer data privacy.
• Telecommunications interconnect signalling management should adhere to best practices that are considered normal in IT (e.g. traffic filtering, minimum access control at all layers).
• Protection against the risk of fraud conducted by exploiting SS7 vulnerabilities can drive the business case. In addition to fraud risks to traditional mobile services, fraud risks to mobile money services that use SMS or USSD should be highlighted.
• The evidence available from passive and active testing can justify further investigation, filtering, and investment.
• The risks of denial of service (DoS) attacks and network outages due to SS7-based attacks should be included, but these risks are strongly dependent on the actual geopolitical climate and vary between operators.
• SS7 vulnerabilities undermine any two-factor authentication that uses SMS or USSD as a trusted communication channel. As described in section 2.3, SMS is often used by banks and other traditional and online service providers for sending one-time passwords or other identifiers used for resetting of account passwords. MNOs risk losing this business if they cannot provide security for these messages.
• SMS home routing can enable revenue generation, so may be used as a revenue item within a business case.
• Implementing SS7 message filtering can provide direct financial benefits to the home network by preventing optimal routing fraud (reported by Orange in [11]), also supporting the business case.

5 RFI/RFP Recommendations
If conducting a Request for Information (RFI) or Request for Proposal (RFP) for an SS7
firewall function, a Diameter firewall, a combined SS7 and Diameter firewall, or a GTP
firewall, operators need to ensure they are asking for solutions that will best meet their
needs today and in the future. The following factors should be considered:

• What attacks will the solution detect and what risks will it help to mitigate?
• What latency does the solution introduce in processing of signalling traffic? This will be important as operators adopt 5G, where latency requirements will be even more stringent.
• Does the solution include a strategy for supporting NFV?
• How will the discovery of new attacks (and respective new filtering rules) be handled?
• How will the solution respond and continue to ensure protection and normal operation for the mobile network if it becomes subject to attack?
• What assurances regarding the reliability of the solution can be provided?
• How can the solution be scaled to match increasing network traffic without any loss in performance or protection?
• How easy is it to configure the solution to meet the local environment/needs of the operator and to maintain a set of rules as threats evolve?
• What features does the solution offer for handling rule violations (e.g. warning, reject, silently drop, feed to external systems)?
• How does the solution support the preferred deployment model of the operator, or of a corporate operator group?
• For SS7, how does the solution help the network to mitigate the attacks described in PRD FS.07 [1]? Focus should be placed on defending against specific attacks, regardless of how they are performed, rather than focusing on specific signalling message(s).
• For SS7, which of the recommendations in FS.11 [2] and IR.82 [3] that are relevant and/or possible to implement in a particular mobile network can be implemented via the solution?
• For Diameter, how does the solution help the network to mitigate the attacks described in PRD FS.19 [4]? Focus should be placed on defending against specific attacks, regardless of how they are performed, rather than focusing on specific signalling message(s).
• For Diameter, which of the recommendations in FS.19 [4] and IR.88 [10] that are relevant and/or possible to implement in a particular mobile network can be implemented via the solution?
• What protocols are supported by the monitoring solution (e.g. SS7, CAMEL, SIP, Diameter, RADIUS, GTP)?
• Can the monitoring solution be integrated with the network operations centre? What features (e.g. alarming, notification, map views) and interfaces are supported?
• What features does the monitoring solution provide to support analysis and sharing (e.g. full protocol decode, export to .csv and/or .pcap files)?
• What features and/or workflows does the analytics solution provide to discover, interpret, illustrate and/or predict (e.g. via machine learning) patterns in signalling data? Can it be integrated with a big data implementation, and what other systems can it interface with?
• If the solution includes data mining and machine learning capabilities, what algorithms does it use (e.g. Naïve Bayes classifier, K-means clustering, linear regression etc.)?
• What knowledge and experience does the solution vendor have in implementing signalling solutions?
• What capabilities does the SS7 firewall solution have to filter messages at the different layers of the SS7 protocol stack (e.g. Message Transfer Part (MTP), SIGTRAN, Signalling Connection Control Part (SCCP), MAP)? Do these capabilities include support of point code, subsystem number, global title, MSISDN, IMSI, and VLR number?
• What cross-layer capabilities with the IP network does the Diameter firewall solution have to filter identities at different layers, e.g. cross-checking the IP source address against the value of the Origin-Host?
• What performance history does the solution have in other mobile networks?
• What services are included as part of the solution? Do these services include updating of SS7 and/or Diameter firewall rules?
• What is the roadmap for future development of the solution?

6 Use of IP network layer information in Signalling Firewalls

6.1 Introduction
This section describes considerations for the implementation of a signalling firewall as part of
the IP network layer. Mobile network operators will need to consider the different deployment
models that exist, and the different sets of functions that may be supported on such a
firewall. MNOs also need to consider the type of information that can be provided by the
network and the IP firewall’s transport protection mechanisms to a signalling-specific
application firewall (in this context for the signalling protocols Diameter and/or SS7).

Figure 3 provides an overview of typical attack vectors that apply to layers 3, 4 and 7 of the
Open System Interconnection (OSI) model and illustrates how protection can be provided by
IP firewall functions on layer 3 and layer 4, and by signalling-specific application firewall
functions on layer 7 for SS7 and Diameter.

[Figure 3 (diagram): sample attack vectors and alternative protections per OSI layer.
Layer 7: application firewall; protections per PRD FS.19 for Diameter and PRDs FS.07 and FS.11 for SS7.
Layer 4: IP firewall; sample attack vectors are TCP attacks, SYN attacks, DNS poisoning and SQL injection.
Layer 3: IP firewall; sample attack vectors are ping / ICMP flood and sniffing.]

Figure 3 – Overview of functions for the layers 3, 4 and 7

These guidelines highlight the IP firewall functions that are of potential value to the
protection schemes in the signalling-specific application firewall. For example, IP firewall
functions may be valuable in signalling attack scenarios such as port scanning at the IP
interconnection, followed by sending Location Update requests to a certain port.

These guidelines outline advantages and disadvantages of the different options that MNOs
will need to consider. In addition, signalling application firewall implementation
considerations are described in a vendor-agnostic manner.

Section 6.2 describes possible deployment models. Section 6.3 describes how IP layer
information can be used and combined with application layer information to increase the
protection level provided by a signalling-specific application firewall.


6.2 Deployment Model

6.2.1 Integrated or Separated

Figure 4 illustrates separated and integrated firewall deployment models. In the separated
model, the signalling-specific application firewall is a separate network element, typically
situated next to a DEA for Diameter or a Signal Transfer Point (STP) for SS7, respectively.
In the integrated model, the signalling-specific application firewall is integrated in the same
physical network element as the IP firewall.

[Figure 4 (diagram), left: Separated Deployment Model. Traffic from the visited network arrives over the public Internet (SIGTRAN, Diameter), passes an IP firewall and then a separate signalling application firewall before reaching the DEA/STP in the international home network, and from there the MME, HSS and STP in the national home network.
Right: Integrated Deployment Model. The same path, with the IP firewall and the signalling application firewall combined in a single "IP + Signaling Application Firewall" element in front of the DEA/STP.]

Figure 4 – Separated and Integrated Firewall Deployment Models

Integrating signalling-specific application firewall functions and IP firewall functions may
bring operational deployment advantages for MNOs, but may bring some performance
issues. Combining such functions in a single node is complex, especially given the specialist
knowledge required for signalling-specific application firewall development. One approach
for suppliers could be information sharing via an API as described in section 6.3.3.1;
another is to add IP firewall capabilities to signalling-specific application firewalls as
described in section 6.3.3.2.

6.2.2 IP Traffic Routing Options


The following deployment options for a signalling-specific application firewall, in terms of IP
traffic routing, will need to be considered:

6.2.2.1 Transparent server


In this deployment option, the signalling-specific application firewall does not perform IP
routing functions and is transparent for Transmission Control Protocol (TCP) / Stream
Control Transmission Protocol (SCTP) transactions.


Advantages:

• It may be easier to add a signalling-specific application firewall to existing networks using this deployment option because existing IP addresses and routing schemes can be left unchanged.

Disadvantages:

• This deployment option limits the functionality of the signalling-specific application firewall to simple filtering-only capabilities, because when deployed as a transparent server the signalling-specific application firewall is not actively involved in the TCP/SCTP transactions. This might complicate implementation of protection against advanced signalling attacks that may require active TCP/SCTP transaction countermeasures.
• This deployment option may also limit the use of extra security features that may be available on a signalling-specific application firewall (e.g. topology hiding, anticipated future features to enhance Diameter end-to-end security).

6.2.2.2 Proxy server


In this deployment option, the signalling-specific application firewall acts as an IP routing
proxy and is terminating the TCP/SCTP transactions.

Advantages:

• This proxy server deployment option maximizes the protection capability and flexibility that can be provided by the signalling-specific application firewall, because in proxy mode it may actively intervene in the TCP/SCTP transactions to protect against signalling attack vectors that are best mitigated with interception of the TCP/SCTP transactions. It will also ease the implementation of additional security functions that may be available on a signalling-specific application firewall in existing networks (e.g. topology hiding, anticipated future features to enhance Diameter end-to-end security).

Disadvantages:

• This deployment scenario could complicate the inclusion of a signalling-specific application firewall in existing network situations if existing IP addresses and routing schemes need to be changed. This impact of the proxy server deployment model can be avoided if the signalling-specific application firewall supports replication of existing IP addresses.
• Terminating all of the TCP/SCTP sessions would expose the signalling-specific application firewall to all TCP/SCTP layer attacks as well. The signalling-specific application firewall would need to be able to handle layer 4 attacks as well.

6.3 Combining Information from Different Layers


A signalling-specific application firewall provides a different type of protection compared to a
traditional IP firewall since it works at the application layer.

Anomalies and attack vectors have been identified where hackers may use IP layer attacks
as a prerequisite for a subsequent attack against the signalling application layer. For
example, an attack may begin with an IP attack on the interconnect interface to discover
signalling nodes. Later, the information collected may be used to send Location Update
requests in SS7 MAP or Diameter or to send GTP messages to a certain port. DoS attacks
like “SYN Flood Attack” and “Internet Control Message Protocol (ICMP) Flooding” are the
most common type of attacks. The generalised four phase attack process (reconnaissance,
scanning, exploitation, post exploitation) can apply to IP layers 3 and 4 and to signalling on
layer 7 (application layer).

At present, there is no relationship between the events occurring on the IP network layer and
the protection functions performed by the signalling-specific application firewall. However,
there is potential value in using lower layer information (e.g. IP addresses and port numbers,
suspicious or malicious IP firewall event logs/records) to enhance the protection capabilities,
value and effectiveness of the signalling-specific application firewall. This is described in the
sections below.

6.3.1 Usage of IP layer Information


A signalling-specific application firewall using information available from the IP layer (e.g.
source IP address, port numbers) can provide cross-layer screening rules to identify
anomalies and generate warnings that are input to screening actions at the signalling
application layer. This approach can provide an additional protection mechanism against:

• DoS attacks: using IP layer information, the MNO could implement rate limiting based on source IP address and a combination of Destination-Realm, Destination-Host, Origin-Realm and Origin-Host.
• Range screening: the attacker may send a large range of messages, e.g. to find network nodes.
• Attacker evasion techniques: the MNO could counteract spoofing attempts using the source IP address, Origin-Realm and knowledge of the link on which incoming messages are received.
• Reconnaissance attacks: the MNO could detect a Destination-Host, Destination-Realm and/or Application-ID sweep by an attacker.

6.3.2 Usage of IP Firewall Events


Attackers are likely to first build intelligence at the IP layer by probing the network with IP
and port sweeps to gather information and detect vulnerabilities. By taking relevant event
information from the IP firewall, MNOs will have better information about the likelihood and
nature of potential attacks, and be better equipped to introduce the necessary upper layer
defences via the signalling-specific application firewall.

The full integration of a traditional IP firewall and a signalling-specific application firewall in a
single node could be very complex and may not be feasible. An alternative approach could
be to use modular analytics functions that can combine events generated by firewalls
operating at different OSI layers. Figure 5 shows this modular approach and the set of
involved functions.


[Figure 5 (diagram): the same three layers as Figure 3, each with an "Analytics for combined intelligence" function attached, with loopbacks back to the firewall instances.
Layer 7: application firewall (PRD FS.19 for Diameter; PRDs FS.07 and FS.11 for SS7), with analytics for combined intelligence.
Layer 4: IP firewall (TCP attacks, SYN attacks, DNS poisoning and SQL injection), with analytics for combined intelligence.
Layer 3: IP firewall (ping / ICMP flood / sniffing), with analytics for combined intelligence.]

Figure 5 – Modular approach with overview of functions

The modules (i.e. analytics functions, IP firewall and signalling-specific application firewall)
could be co-located in a single node or could be separate. Some IP firewall features may be
part of the native operating system (OS) used by a signalling-specific application firewall
(which can also lead to IP firewall function performance benefits). In that case it is assumed
that the IP firewall and the signalling-specific application firewall modules are co-located.

Loopbacks are shown to indicate the need to update the blocking rules in the firewall
instances at the different signalling layers. Further loopbacks and interfaces between the
modules may also be implemented. Where to place the intelligence and in what direction the
data import and data export works, are deployment options and would depend on each
MNO’s network.

Table 6 provides a list of suspicious events coming from the IP layer that provide input for
the actions at the signalling layer.

Stream: DoS against IP firewall
  Details on IP layer: Limiting sessions based on source IP address; Distributed DoS attack
  As input for signalling layer: Identify GTs / DEA / sources and timing connected with this event; Blacklist, greylist, scoring, alerts

Stream: DoS against network
  Details on IP layer: SYN flood attack; Proxying SYN segments; Device-level SYN flood protection; Establishing a connection with SYN cookie active; ICMP flooding; User Datagram Protocol (UDP) flooding; Land attack
  As input for signalling layer: Identify GTs / DEA / sources and timing connected with this event; Blacklist, greylist, scoring, alerts

Stream: DoS against operating system (OS) level
  Details on IP layer: Ping of death; Teardrop attacks / fragment discrepancy; WinNuke attack indicators; OS specific DoS vulnerabilities
  As input for signalling layer: Identify GTs / DEA / sources and timing connected with this event; Blacklist, greylist, scoring, alerts

Stream: IP sweeps & ports
  Details on IP layer: Address sweep; Port scan; UDP port scan; Routing options
  As input for signalling layer: Suspicious GTs / DEA / sources and timing connected with this event; Scoring, greylist, alert; Could be an attack preparation

Stream: System probe & flag set
  Details on IP layer: TCP header with SYN and FIN flags set; TCP header with FIN flag set; TCP header with no flags set
  As input for signalling layer: Suspicious GTs / DEA / sources and timing connected with this event; Greylist, scoring, alert; Attack preparation

Stream: Evasion
  Details on IP layer: SYN flag checking; IP source routing; Loose IP source route option for deception
  As input for signalling layer: Identify GTs / DEA / sources and timing connected with this event; Blacklist, greylist, scoring; Could be preparation to “cover up tracks”

Stream: ICMP & SYN fragments
  Details on IP layer: Blocking ICMP; Fragment blocking; Large ICMP packets; SYN fragment
  As input for signalling layer: Identify GTs / DEA / sources and timing connected with this event; Blacklist?

Stream: IP attacks
  Details on IP layer: Incorrectly formatted IP options; Unknown protocols; IP packet fragment; IPv6 packet fragment extension header
  As input for signalling layer: Suspicious GTs / DEA / sources and timing connected with this event; Greylist, scoring, alert; Could be probing for later attacks

Table 6 – Suspicious Events coming from the IP Layer

MNOs should note that a blacklisting approach may be too rigid and could cause problems
when there is a temporary problem in a partner network or a provisioning error. Hence a
scoring mechanism may be more appropriate to generate alerts for inspection. Using a
blacklist may be appropriate when manipulated and harmful contents are detected.

From a management perspective, the actions in the different modules (IP firewall, signalling-
specific application firewall, analytics) should be combined for visibility, reporting and
correlation, etc. Correlation between IP firewall events and signalling-specific firewall
functions at the application layer can help to:

• Detect suspicious GTs, Realms and DEAs based on the information provided by the IP firewall; here the event timing is needed to be able to correlate GTs and IPs etc.
• Define cross-layer screening rules (see section 6.3.1)
• Define blacklists.

As a result, a signalling-specific application firewall may then be able to provide:

• Better detection/protection capabilities against well-known attacks
• Better detection capabilities for anomalies and suspicious events that aren’t associated with well-known attacks
• Adaptable responses to prevent and mitigate threats
• Correlated reporting capabilities, resulting in better end-to-end visibility and a more effective protection capability.

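An added illustration, not GSMA or vendor code, of the cross-layer screening rules from section 6.3.1 together with the scoring approach just described: it correlates constructed IP firewall events with constructed Diameter message records by source IP and time, and the partner address ranges, log format, event weights and thresholds are all assumptions.

```python
"""Illustrative cross-layer screening (added example; not GSMA or vendor code).

Ingests constructed IP-firewall events (syslog-style lines) and screens constructed
Diameter message records against them, implementing the rules of section 6.3.1 and
the scoring approach described above: a source-IP versus Origin-Realm spoofing
check, rate limiting keyed on source IP plus Origin/Destination identities,
Destination-Host sweep detection, and a time-windowed score from IP-layer events
that greylists and alerts rather than blacklists. Partner address ranges, the log
format, weights and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IP firewall export; not a real vendor log format.
IP_FW_LOG = """\
2017-12-20T10:00:01Z ipfw event=port_scan src=203.0.113.7 ports=40
2017-12-20T10:00:05Z ipfw event=syn_flood src=203.0.113.7 pps=5000
2017-12-20T10:00:09Z ipfw event=icmp_flood src=198.51.100.9
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) ipfw event=(?P<event>\w+) src=(?P<src>[\d.]+)")
EVENT_SCORE = {"port_scan": 3, "syn_flood": 5, "icmp_flood": 2}  # assumed weights

def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

@dataclass
class DiameterRecord:
    ts: datetime
    src_ip: str        # IP source address seen at the IP layer
    origin_host: str
    origin_realm: str
    dest_host: str
    dest_realm: str

class CrossLayerScreen:
    def __init__(self, partner_ranges, window_s=60, rate_limit=3, sweep_limit=3, alert_score=5):
        # Origin-Realm -> networks the partner is expected to send from (from the
        # roaming agreement / IPX routing; constructed values in the caller).
        self.partner = {realm: [ipaddress.ip_network(n) for n in nets]
                        for realm, nets in partner_ranges.items()}
        self.window = timedelta(seconds=window_s)
        self.rate_limit, self.sweep_limit, self.alert_score = rate_limit, sweep_limit, alert_score
        self.ip_events = defaultdict(list)   # src_ip -> [(ts, score)]
        self.rate = defaultdict(deque)        # (src_ip, Origin-Realm, Dest-Host) -> timestamps
        self.hosts_seen = defaultdict(dict)   # src_ip -> {Destination-Host: last ts}

    def ingest_ip_log(self, text: str) -> int:
        """Store IP firewall events with their timestamps; returns the count parsed."""
        n = 0
        for line in text.splitlines():
            m = LOG_RE.match(line)
            if m:
                self.ip_events[m["src"]].append((parse_ts(m["ts"]), EVENT_SCORE.get(m["event"], 1)))
                n += 1
        return n

    def ip_score(self, src_ip: str, now: datetime) -> int:
        """Sum of IP-layer event scores for src_ip inside the correlation window."""
        return sum(s for ts, s in self.ip_events[src_ip] if now - self.window <= ts <= now)

    def screen(self, rec: DiameterRecord) -> dict:
        """Return {"action", "reasons", "score"} for one Diameter message record."""
        reasons, action = [], "allow"
        # Spoofing check: the Origin-Realm must arrive from that partner's range.
        nets = self.partner.get(rec.origin_realm, [])
        if not any(ipaddress.ip_address(rec.src_ip) in n for n in nets):
            return {"action": "reject", "score": 0,
                    "reasons": [f"source {rec.src_ip} not expected for {rec.origin_realm}"]}
        # Rate limiting keyed on source IP + Origin-Realm + Destination-Host.
        key = (rec.src_ip, rec.origin_realm, rec.dest_host)
        q = self.rate[key]
        while q and rec.ts - q[0] > self.window:
            q.popleft()
        q.append(rec.ts)
        if len(q) > self.rate_limit:
            action = "rate_limit"
            reasons.append(f"{len(q)} messages for {key} within window")
        # Reconnaissance: many distinct Destination-Hosts from one source.
        seen = self.hosts_seen[rec.src_ip]
        seen[rec.dest_host] = rec.ts
        recent = sum(1 for t in seen.values() if rec.ts - t <= self.window)
        if recent > self.sweep_limit:
            action = "greylist" if action == "allow" else action
            reasons.append(f"Destination-Host sweep: {recent} hosts from {rec.src_ip}")
        # IP-firewall events close in time raise a score; greylist and alert, since
        # a blacklist would be too rigid for a partner with a temporary fault.
        score = self.ip_score(rec.src_ip, rec.ts)
        if score >= self.alert_score:
            action = "greylist" if action == "allow" else action
            reasons.append(f"IP firewall score {score} for {rec.src_ip}")
        return {"action": action, "reasons": reasons, "score": score}
```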
6.3.3 Implementation Models


MNOs may wish to consider the following two implementation models for information
provisioning by IP firewalls:

6.3.3.1 Information sharing via API


This model uses information sharing via an application programming interface (API), both for
IP firewall event reporting and for updating the filtering rules in the signalling-specific
application firewall:

For IP firewall event reporting, the IP firewall provides information via an API to the logically
separated signalling-specific application firewall. Export functions like IPFIX, SNMP or syslog
may be used to stream relevant IP layer 3 and IP layer 4 events and host profile information
to the signalling-specific application firewall.

To update filtering rules, one or more analytics modules generate and submit updates to
the signalling-specific application firewall via an API such as the Simple Object Access
Protocol (SOAP) using Extensible Markup Language (XML).

Advantages:

• This implementation model simplifies the operations and the management of IP layer
firewall functions because the IP firewall functions don’t need to be duplicated in the
OS native functions within the signalling-specific application firewall.
• This functional separation between the IP firewall and the signalling-specific
application firewall simplifies the implementation, administration and development of
these individual firewalls, due to the different knowledge and expertise needed for
management of each firewall type.
• This functional separation enables a combined implementation of separately selected
firewall implementation products from specialised vendors. Note that the model does
not preclude a grouping of software functions (e.g. on the same physical hardware, or
as containers within the same NFV cluster/silo).

Disadvantages:

• This implementation model requires technical integration of the APIs between the IP
firewall and the signalling-specific application firewall.
• Potential extra operational effort and costs of two products from different vendors.

6.3.3.2 IP Firewall functions added to Signalling-Specific Application Firewall

This model is based on implementation of part or all of the necessary IP firewall functions
(see Table 6) within the signalling-specific application firewall.

Advantages:

• It may be possible to solve the combinational challenges described in section 6.3.4
more easily.
• The technical integration between the IP firewall functions and the signalling firewall
functions is the responsibility of the firewall vendor, not the MNO.

Disadvantages:

• There may be duplication in provisioning and updating of the OS native IP firewall
functions within the signalling-specific application firewall and within the separate IP
firewall.
• Potential delayed protection of IP firewall functionality in the signalling-specific
application firewall, because the supplier needs to integrate upgrades of the IP firewall
capabilities instead of receiving updates of its filtering rules from the IP firewall via an
API.
• The signalling-specific application firewall implementation becomes more complicated
and costly due to the addition of the IP firewall functions.

6.3.4 Combinational Challenges

MNOs seeking to mitigate their interconnect security risks by combining information from
different layers will need to manage the following practical challenges:

• Timing: There may be a long delay (days, months) between when attackers collect
IP layer information and when they use it to perform signalling attacks. Correlating
this apparently unrelated attack activity to improve protection will be difficult.
• Naming: Another combination challenge will be the usage of different network entity
names and identities at the different layers, such as:
  - Which IP address belongs to which GT and SS7 originating point code (OPC)?
  - How should the solution deal with new identities that have not been seen before
    (pointing to a possible falsified signalling source)?
• Synchronicity: Timing mismatches between different systems will make correlation
between records and export logs difficult. Approaches like a sliding time window
combined with machine learning can assist in identifying the correlation. Some basic
level of IP firewall functions may be needed in the signalling-specific application
firewall to overcome this challenge.
• Understanding Relationships: Understanding the relationships and dependencies
between different identities on different layers may take considerable effort.
• Maintenance: Performing regular review and updating of the correlation patterns
between the application layer and lower layers (regardless of the implementation
model) will be necessary in order to ensure continued protection as attacks evolve.
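The cross-layer correlation described in section 6.3.2 (suspicious GTs or Realms derived from IP firewall information, feeding a scoring mechanism and blacklist candidates) and the naming and synchronicity challenges of section 6.3.4, shown together as an added example that is not part of FS.21 or of any vendor product. The syslog-like export formats of the two firewalls, the IP-to-GT/Realm provisioning table, the 10-second sliding window and the score weights are all constructed assumptions.

```python
from bisect import bisect_left, bisect_right

WINDOW_S = 10  # sliding correlation window in seconds (assumed value)
# Constructed provisioning table: the signalling identity expected from each peer IP.
KNOWN_PEERS = {"203.0.113.10": "GT=44770000001",
               "203.0.113.20": "Realm=epc.mnc001.mcc234.3gppnetwork.org"}

# Constructed IP firewall export (syslog-like): <epoch> <src_ip> <ACCEPT|DROP> <l4 info>
IP_FW_LOG = """\
1700000000 203.0.113.10 ACCEPT sctp/2905
1700000003 198.51.100.7 DROP sctp/2905
1700000005 198.51.100.7 ACCEPT sctp/2905
1700000700 203.0.113.20 ACCEPT sctp/3868
"""
# Constructed signalling firewall export: <epoch> <src_ip> <GT=...|Realm=...>
SIG_FW_LOG = """\
1700000002 203.0.113.10 GT=44770000001
1700000006 198.51.100.7 GT=44770000099
1700000702 203.0.113.20 Realm=epc.mnc001.mcc234.3gppnetwork.org
1700000710 203.0.113.20 Realm=unexpected.example
"""

def parse_log(text):
    """Split a log into (epoch, ip, rest) tuples sorted by time."""
    rows = [line.split(None, 2) for line in text.splitlines() if line.strip()]
    return sorted((int(ts), ip, rest) for ts, ip, rest in rows)

def correlate(ip_log=IP_FW_LOG, sig_log=SIG_FW_LOG, window=WINDOW_S):
    """Score each signalling identity with IP-layer evidence from a sliding window.
    Returns {identity: (score, reasons)}; a higher score is more suspicious."""
    ip_events = parse_log(ip_log)
    times = [ts for ts, _, _ in ip_events]
    scores = {}
    for ts, ip, ident in parse_log(sig_log):
        score, reasons = 0, []
        expected = KNOWN_PEERS.get(ip)  # naming: does this IP map to this GT/Realm?
        if expected is None:
            score, reasons = 2, [f"unknown peer IP {ip}"]
        elif expected != ident:
            score, reasons = 3, [f"{ip} is provisioned as {expected}"]
        # synchronicity: only IP events in [ts - window, ts] are treated as related
        lo, hi = bisect_left(times, ts - window), bisect_right(times, ts)
        if any(e[1] == ip and e[2].startswith("DROP") for e in ip_events[lo:hi]):
            score += 1
            reasons.append(f"IP firewall DROP from {ip} within {window}s")
        prev_score, prev_reasons = scores.get(ident, (0, []))
        scores[ident] = (max(prev_score, score), prev_reasons + reasons)
    return scores

def blacklist_candidates(scores, threshold=3):
    """Identities at or above the threshold are proposed for analyst review, not auto-blocked."""
    return sorted(i for i, (s, _) in scores.items() if s >= threshold)
```

The two known peers score 0, while the GT from an unprovisioned IP that was also dropped by the IP firewall and the unexpected Realm from a provisioned IP both reach the review threshold.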

Annex A Document Management

A.1 Document History

Version | Date | Brief Description of Change | Approval Authority | Editor / Company
1.0 | 10 Feb 2017 | First version, developed within Roaming and Interconnect Fraud and Security (RIFS) subgroup. | PSMC | Andrea Fellegara, Wind Telecomunicazioni S.p.A.; Vincent Schaeken, Adaptive Mobile; David Maxwell, GSMA.
2.0 | 20 Dec 2017 | Added content on use of IP network layer information in signalling firewall. Added suggested capabilities for a Diameter firewall, and firewall RFI/RFP recommendations. | FASG | Pieter Veenstra, NetNumber; Rosalia D’Alessandro, Telecom Italia; Imran Saleem, Saudi Telecom Company; Silke Holtmanns, Nokia.

A.2 Other Information

Type | Description
Document Owner | FASG
Editor / Company | Andrea Fellegara, Wind Telecomunicazioni S.p.A.

It is our intention to provide a quality product for your use. If you find any errors or omissions,
please contact us with your comments. You may notify us at prd@gsma.com

Your comments or suggestions & questions are always welcome.
