Defense Against GTP Overbilling Attacks

mhkabir1952 (Diamond), 7 years 10 months ago. Views: 3323, Replies: 1

Similar to traditional IP network communications, in mobile packet services both the MS and the host servers on the PDN have IP addresses. Generally, the IP address of a host server on the PDN (such as a Web server or media streaming server) is fixed and visible to the General Packet Radio Service (GPRS) network, and the host server provides various packet services to the MS. The IP address of the MS, by contrast, is generally obtained dynamically.

The procedure for generating GTP overbilling attacks is as follows:

  1. After activating the GTP service, MS A obtains IP address 10.10.10.10 from the GGSN and requests a large volume of packets from hosts on the Internet.

  2. After requesting these packets, MS A immediately logs out before the packet transmission is complete, returning IP address 10.10.10.10 to the GGSN. The GGSN discards the packets arriving from the Internet because it can no longer find a matching GTP tunnel.

  3. After activating the GTP service, MS B obtains IP address 10.10.10.10. The GGSN now finds a matching GTP tunnel again, so the packets from the Internet are delivered to MS B and charged to MS B. Although MS B never requested these packets, it pays for all of them. This is the overbilling.

The key to defending against overbilling attacks is to prevent the response packets that the Internet sends to MS A from reaching the GGSN. The Eudemon therefore needs to identify and discard this traffic before the GGSN receives it, that is, overbilling attacks need to be defended against on the Gi interface. GTP runs on the Gn and Gp interfaces, but not on the Gi interface, so the Gi interface alone cannot observe the end of a GTP tunnel. The session deactivation of the user therefore has to be identified on the Gn interface, and Eudemon B on the Gi interface is then notified to filter the response packets that the Internet sends to that user, as shown in Figure 1.

Figure 1:  Networking diagram of defending against GTP overbilling attacks in interworking mode

In addition, a single Eudemon can defend against GTP overbilling attacks without interworking with another device. As shown in Figure 2, the Eudemon supports both the Gn and Gi interfaces, which reside in different virtual firewalls, so logically the Eudemon is equivalent to two devices. When the Gn interface receives the logoff information of an MS, the IP address of that MS is recorded in the logoff IP address list. The Gi interface then inspects the non-GTP packets it receives; if the IP address of a packet matches an entry in the logoff IP address list, the packet is discarded.

Figure 2:  Networking diagram of defending against GTP overbilling attacks in stand-alone mode
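To make the stand-alone mode concrete, here is an added simulation of the logoff-list mechanism described above. It is illustrative Python written for this thread, not Eudemon code: the Gn side consumes GTP-C session events (Create/Delete PDP Context) and maintains the logoff IP address list, while the Gi side drops non-GTP packets whose destination is on that list. Two details are assumptions not stated in the post: an entry is cleared when a new PDP context is created for the same address (otherwise the next subscriber would receive nothing), and entries age out after a configurable timer. The IP addresses and events are constructed sample data.

```python
"""Stand-alone GTP overbilling defense, modelled in Python (added example, not Eudemon code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class GnEvent:
    """A GTP-C control event observed on the Gn interface (constructed input)."""
    kind: str    # "create" (PDP context activated) or "delete" (MS logs off)
    ms_ip: str   # end-user IP address the GGSN assigned to the MS
    t: float     # event time in seconds


@dataclass
class GiPacket:
    """A plain (non-GTP) IP packet from the PDN observed on the Gi interface (constructed input)."""
    src_ip: str
    dst_ip: str
    t: float


@dataclass
class OverbillingFilter:
    """One device playing both roles: Gn learns session state, Gi filters PDN traffic."""
    max_age: float = 300.0                                   # assumption: age out stale entries
    logoff: Dict[str, float] = field(default_factory=dict)   # logoff IP address list: ip -> logoff time
    active: Set[str] = field(default_factory=set)            # addresses with a live PDP context
    dropped: List[GiPacket] = field(default_factory=list)    # record of discarded packets

    # ---- Gn interface: derive the logoff list from GTP signalling ----
    def on_gn(self, ev: GnEvent) -> None:
        if ev.kind == "create":
            # Assumption: a fresh context on the same address means a new subscriber
            # legitimately owns it now, so filtering for that address must stop.
            self.active.add(ev.ms_ip)
            self.logoff.pop(ev.ms_ip, None)
        elif ev.kind == "delete":
            # Session deactivation: the address goes back to the GGSN pool and any
            # late PDN responses to it would be billed to whoever gets it next.
            self.active.discard(ev.ms_ip)
            self.logoff[ev.ms_ip] = ev.t
        else:
            raise ValueError(f"unknown Gn event kind: {ev.kind}")

    # ---- Gi interface: filter non-GTP packets heading for the GGSN ----
    def on_gi(self, pkt: GiPacket) -> bool:
        """Return True if the packet may pass to the GGSN, False if it is discarded."""
        self._expire(pkt.t)
        if pkt.dst_ip in self.logoff:
            self.dropped.append(pkt)
            return False
        return True

    def _expire(self, now: float) -> None:
        stale = [ip for ip, t0 in self.logoff.items() if now - t0 > self.max_age]
        for ip in stale:
            del self.logoff[ip]


def run_scenario() -> dict:
    """Replay the three-step attack from the post and report what the filter did."""
    f = OverbillingFilter()
    # Step 1: MS A activates, is assigned 10.10.10.10 and requests data from a PDN host.
    f.on_gn(GnEvent("create", "10.10.10.10", t=0.0))
    a_passed = f.on_gi(GiPacket("203.0.113.7", "10.10.10.10", t=1.0))     # legitimate response to A
    # Step 2: MS A logs off while responses are still in flight.
    f.on_gn(GnEvent("delete", "10.10.10.10", t=2.0))
    late_passed = f.on_gi(GiPacket("203.0.113.7", "10.10.10.10", t=3.0))  # late response: discarded
    # Step 3: MS B activates and receives the same address; its own traffic must pass.
    f.on_gn(GnEvent("create", "10.10.10.10", t=4.0))
    b_passed = f.on_gi(GiPacket("198.51.100.9", "10.10.10.10", t=5.0))
    return {"a_passed": a_passed, "late_passed": late_passed,
            "b_passed": b_passed, "dropped": len(f.dropped)}


if __name__ == "__main__":
    print(run_scenario())
```

The filter only protects the window between MS A's logoff and the next Create PDP Context for the same address; once MS B owns 10.10.10.10, any response to A that is still arriving becomes indistinguishable from B's traffic at the IP layer, which is why the post's design hinges on catching the deactivation on Gn as early as possible.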
foisal (Gold), 7 years 10 months ago

Thanks for your excellent post.