Wednesday 4 January 2012

GPRS

GPRS features
The technical security offered by GPRS is very similar to that offered by GSM: identity confidentiality, identity authentication, confidentiality of both user data and signalling (between the mobile and the GPRS serving node, the SGSN), and, beyond the GSM standard, security of the GPRS backbone.

GPRS threats

Border Gateway bandwidth saturation – A malicious operator connected to the same GRX (whether or not it is actually a roaming partner) may be able to generate enough network traffic directed at a Border Gateway that legitimate traffic is starved of bandwidth into or out of the PLMN, denying roaming access to or from the network.

DNS Flood – DNS servers on the network can be flooded with correctly formed or malformed DNS queries or other traffic, denying subscribers the ability to locate the proper GGSN to use as an external gateway.

GTP Flood – SGSNs and GGSNs may be flooded with unauthorized GTP traffic that causes them to spend CPU cycles processing illegitimate data. This may prevent subscribers from roaming, from passing data out to external networks via the Gi interface, or from GPRS-attaching to the network at all.

Spoofed GTP PDP Context Delete – An attacker with the appropriate information can potentially craft a GTP PDP Context Delete message that removes the GPRS tunnel between the SGSN and GGSN for a subscriber. Crafting other types of network traffic can reveal some of the information that must be known. An attacker who does not care whom they deny service to can send PDP Context Delete messages for every tunnel ID that might be in use.

Bad BGP Routing Information – An attacker who controls a GRX operator's routers, or who can inject routing information into a GRX operator's route tables, can cause an operator to lose routes for roaming partners, denying roaming access to and from those partners.

DNS Cache Poisoning – It may be possible for an attacker to forge DNS queries and/or responses so that a given user's APN resolves to the wrong GGSN, or to none at all. If the poisoned record carries a long Time To Live (TTL), this can prevent subscribers from passing data at all.


Solutions to GPRS threats

Ingress and egress packet filtering – This helps prevent the PLMN from being used as a source of attacks on other roaming partners. If the mobile operator is connected to more than one GRX or to private roaming peering connections, it also helps ensure that spoofed roaming-partner traffic cannot arrive on paths where that roaming partner is not connected.

Stateful GTP packet filtering – Allow only the traffic required, and only from the sources and destinations of roaming partners. This prevents other PLMNs connected to the same GRX from initiating many kinds of attacks, and it spares the GSNs from processing traffic from PLMNs that are not roaming partners as well as illegal or malformed traffic. Layer 3 and layer 4 stateful inspection is useful because it minimizes the exposure of the GPRS network; GTP stateful inspection is critical to protect the GSNs. A firewall that supports GTP stateful inspection ensures that GSNs do not process GTP packets that are malformed, have illegal headers, or are not in the correct state. This prevents many types of denial-of-service attack and some others, such as reconnaissance.
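As an added illustration of what GTP stateful inspection means in practice (example code written for this post, not Juniper's firewall or any operator's code), the Python filter below validates the GTPv1-C header, admits only the message types needed on Gp, and drops a Delete PDP Context Request whose TEID was never seen in a Create PDP Context Response from that peer, which is the spoofed-delete threat listed above. It assumes a simplified state model that tracks only the control-plane TEID carried in the Create Response header from the partner GGSN (a real firewall also tracks the TEIDs carried in information elements for both directions), and the sample messages it builds are constructed, not captured.

```python
import struct

# GTPv1-C message types (3GPP TS 29.060) that a Gp firewall normally needs to pass
ECHO_REQ, ECHO_RSP, CREATE_REQ, CREATE_RSP, DELETE_REQ, DELETE_RSP = 1, 2, 16, 17, 20, 21
ALLOWED_ON_GP = {ECHO_REQ, ECHO_RSP, CREATE_REQ, CREATE_RSP, DELETE_REQ, DELETE_RSP}

def parse_gtpv1_header(pkt: bytes):
    """Return (msg_type, teid); raise ValueError for a malformed header."""
    if len(pkt) < 8:
        raise ValueError("header shorter than 8 octets")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:     # version must be 1, PT bit must say GTP (not GTP')
        raise ValueError("not a GTPv1 header")
    if length != len(pkt) - 8:                   # length counts all octets after the fixed header
        raise ValueError("length field does not match packet")
    if flags & 0x07 and length < 4:              # E, S or PN flag set: 4 optional octets must follow
        raise ValueError("optional header fields missing")
    return msg_type, teid

class GtpFilter:
    def __init__(self, partners):
        self.partners = set(partners)   # GSN addresses of roaming partners (assumed allow-list)
        self.tunnels = set()            # (peer, TEID) learned from Create PDP Context Responses

    def check(self, src_ip: str, pkt: bytes) -> str:
        """Return 'accept' or 'drop: <reason>' for one GTP-C datagram from src_ip."""
        if src_ip not in self.partners:
            return "drop: source is not a roaming partner"
        try:
            msg_type, teid = parse_gtpv1_header(pkt)
        except ValueError as err:
            return f"drop: {err}"
        if msg_type not in ALLOWED_ON_GP:
            return f"drop: message type {msg_type} not permitted on Gp"
        if msg_type == CREATE_REQ and teid != 0:
            return "drop: Create PDP Context Request must carry TEID 0"
        if msg_type == CREATE_RSP:               # tunnel now established: remember its TEID
            self.tunnels.add((src_ip, teid))
        elif msg_type == DELETE_REQ:             # only tear down a tunnel seen established with this peer
            if (src_ip, teid) not in self.tunnels:
                return "drop: Delete for unknown tunnel (possible spoofed PDP Context Delete)"
            self.tunnels.discard((src_ip, teid))
        return "accept"

def build_gtp(msg_type: int, teid: int, seq=None) -> bytes:
    """Constructed sample GTPv1-C header (no IEs), used only to exercise the filter."""
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)   # seq, N-PDU, next ext type
    flags = 0x30 | (0x02 if seq is not None else 0)                  # version 1, PT=1, S flag
    return struct.pack("!BBHI", flags, msg_type, len(opt), teid) + opt
```

Counting the "Delete for unknown tunnel" drops per peer is a cheap way to detect a blind sweep over tunnel IDs.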

GTP Traffic Shaping – To prevent the shared resources of bandwidth and GSN processor time from being consumed by an attacker or a single subscriber, GTP rate limiting should be implemented. Layer 3 and layer 4 rate limiting should also be implemented to address denial-of-service (DoS) attacks and to ensure that bandwidth is appropriately apportioned between GTP, BGP, DNS, etc.

IPSec tunnels between roaming partners – The majority of confidentiality and authentication issues are addressed by implementing IPSec between the mobile operator's PLMN and those of its roaming partners. Generally, only GTP and DNS traffic should be allowed over the IPSec tunnel, and no traffic should be permitted from roaming partners that does not arrive over the IPSec tunnel.

Overbilling Attack Prevention – Juniper's solution enables the GTP firewall to notify the Gi firewall of an attack. The Gi firewall is then able to terminate the "hanging" sessions and/or tunnels, cutting off the unwanted traffic and thus preventing the GPRS subscriber from being "overbilled". Again, this solution is not limited exclusively to the Gp interface.

2 comments:

  1. Hi Dexter. Your research is well done, especially the GPRS threats and solutions. This entry has displayed good understanding of the topic with explanations of the various threats and solutions.

    It will be better if you can display images or upload a video instead of a wordy post

    All in all, it's pretty well done!

  2. Hi Dexter. Your research is well done and detailed especially the GPRS features.

    It will be better if you can display images or upload a video but overall it was a great and enlightening post

    Firdaus
    0907078J
