The rising threat of GTP attacks - is your GRX/IPX connection secure?
Overview
In today’s world everything seems to revolve around privacy, security and challenges of protecting personal information, Apps, services and network infrastructure from a variety of threats. L7 DoS attacks, credential hijacking/stuffing and use of sophisticated botnets pose a significant risk for businesses and Service Providers. Besides mitigating OWASP top 10 to protect their apps and subscribers, Mobile Network Operators must take necessary steps to secure their backbone Packet Core (EPC). Diameter, SIP and various types of GTP protocols are used for communication between NEs inside and between EPCs. GTP-U is also used to carry subscriber’s mobile traffic throughout the EPC and out to the Internet. EPC of a standalone Service Provider is usually considered being secure enough with the exception of Gi interface between PDN gateways (PGW) and the Internet. Gi is locked down with some sort of Gi firewall. However, a rare MNO would isolate itself and its subscribers by staying disconnected from other MNOs. National and international roaming is a significant part of MNO’s revenue and one of the major services available to subscribers since the inception of mobile networks. Sometimes MNOs are directly interconnected with other MNOs using S5/S8 interface. It is a fairly secure connection as it uses P2P infrastructures like site VPNs and use of MPLS. More often, however, Operators opt to connect to IP exchange(s) (IPX)/ GPRS exchange(s) (GRX) that offer a simultaneous interconnection with a multitude of other MNOs and act as GTP and/or Diameter intermediaries that route or forward messages based on pre-determined criteria. IPX/GRX is considered being the “weakest link” by some security researchers. One of them has published a study back in 2015 that showed various ways of attacking MNOs using GTP-C messages, prompting associations like GSMA to issue security guidelines otherwise known as GSMA PRD FS.20, that describe threats, risks and mitigation techniques of such attacks.
Types of attacks
GTP eavesdropping
If an IPX/GRX infrastructure is compromised, a potential attacker can snoop into passing GTP traffic and gain valuable subscriber information. For example, User Location information can be exposed if ‘MS Info Change Notification' Requests are sent between Visited PMN and Home PMN.
Other important information that can be exposed to the attacker is subscriber APN credentials. Those credentials are transmitted in clear-text and are part of PPP set-up procedure.
Pic 1. GTP snooping
Generation of malicious GTP messages
Besides just parsing the transiting GTP traffic, an attacker can generate malicious requests and cause significant damage to subscriber sessions, billing and Denial of Service on a specific SGW(s). Vectors of potential attacks include but are not limited to:
- DoS attack on all subscribers served by the same SGW is made possible through generation of GTP messages containing increased Recovery information element (IE)
- Information gathering through sending fake ‘Delete Session Request’ which must be answered by receiving NE
- Unauthorized access to an APN by impersonating a Visited PLMN SGW and sending a message to Home PLMN PGW with Selection Mode IE set to ‘Verified’ i.e. indicating that HLR has approved the access of this UE to the specified APN
- Billing fraud and impersonation of another subscriber by specifying another subscriber’s IMSI in Session Setup Request
- Redirect existing GTP-U tunnel to another PGW by sending Update PDP Context Request message and specifying new TEID Data
- DoS attack on all subscribers served by the same SGW board by sending Delete PDN Connection Set Request with a valid FQ-CSID
Pic 2. GTP active attack
Flood of malicious GTP messages
One of the serious concerns of any MNO is the potential network outage and service degradation due to an exhaustion of IP addresses assigned to a particular PGW, and this vulnerability can be exploited by sending a flood of ‘Create Session Request’ messages to that PGW
Pic 3. GTP flood
Active message suppression
Message suppression and dropping poses a risk for subscribers as it can cause legitimate ‘Delete Session Request’ messages to never reach Home PGW, keeping subscriber’s PDP context active in VPLMN.
Pic 4. Message suppression
Active message suppression and modification
As with active suppression, an attacker can modify or drop and recreate GTP requests and/or answers. As a possible attack vector, a legitimate ‘Session Setup Response’/‘Create Session Response’ is modified to include a ‘Cause’ IE value other than “Request Accepted”, “New PDP type due to network preference” or “New PDP type due to single address bearer only". This behavior causes Denial of Service for affected subscribers.
Pic 5. Message modification
Securing IPX/GRX connections with F5 GTP Firewall
With the amount of potential attacks it's clear that MNOs need to protect their roaming interfaces and secure entire EPC infrastructure and exposed network elements. Measures like typical network and NE hardening i.e. separation on most layers and use of traditional L4 FW are not extremely effective against GTP (or any type of L7) attacks. An intelligent Application-layer Firewall, on other hand, will ensure GTP attacks are implausible by using a set of rules that inspect GTP traffic, check for protocol compliance, examine various Information Elements inside the message and possibly make an external NE signaling call, before deciding to block or allow the message to travel into Home network.
F5 GTP Firewall uses AFM module to perform protocol compliance, protect from DoS attacks and secure network infrastructure with Intrusion Prevention Service (IPS) while GTP Session Director (GTP-SD) allows for flexible examination of various parts of GTP messages, implementation of custom rules and extensive logging and visualizations.
GTP is here to stay, so are the security challenges associated with IPX/GRX. My colleague Peter Nas wrote an excellent post on GTP and 5G and why every MNO has to secure its GTP roaming interfaces.
Pic 6. F5 GTP Firewall
Stay tuned for the next post where I will review F5 GTP Firewall solution