Cyber Defense – extend the perimeter with MEC DDoS Solution

From Jan 30 to Feb 2 2016, Telecom Austria’s mobile infrastructure was subjected to a DDoS attack. The attack affected subscribers of Telekom and spanned its 2G, 3G and 4G networks.

Denial of service (DoS) is a common type of cyber-attack. As the name implies, the attack renders online resources and communication services unavailable to intended users. Distributed denial of service (DDoS) attack is a more sophisticated form for DoS attacks, which are launched from multiple connected devices from different locations across the network in an attempt to take it down.

The wide spread impact and high visibility of a successful DDoS, makes it a popular weapon of choice for hacktivists, cyber vandals and anyone else looking to make a point or champion a cause. DDoS assaults often last for days, as in the case of Telecom Austria, making them extremely destructive in terms of revenue loss, consumer trust, and long-term reputation damage.

The volume number of DDoS attacks is on the rise according to Arbor Networks 2016 report. The majority of mobile networks are experiencing these attacks on a monthly basis with 28% reporting more than 20 attacks per month.

DDoS attacks targeting Gi/SGi mobile network

The same report stated that 38% of mobile operators reported that they have experienced core network related security incidents that led to customer-visible outage – a significant rise for the previous year.

Application errors resulting in Denial of Service

While malicious attacks pose an imminent security threat to mobile networks, innocent application errors can also wreak havoc causing signaling storms, spikes in DNS traffic, network congestion issues and even network outage. In fact, 52% of mobile operators have experienced such problems including the case of NTT DoCoMo.

On January 25, 2012, voice and data services on the DoCoMo network, Japan’s largest operator, were interrupted for more than four hours, due to an application error. As many as 2.52 million users experienced glitches after a surge in wireless traffic on DoCoMo’s switching equipment. With 5 service disruptions in 8 months, regulators have ordered the company to take steps to prevent a similar service disruption.

 LTE Network vulnerabilities

There a several factors, which render new data-intensive LTE networks vulnerable to attacks:

Increased signaling: The signaling requirements, between the EUTRAN and the EPC in the 4G architecture, are about 40% higher per LTE subscriber than 3G networks. Since the LTE architecture is flat, all the signaling traffic generated at the EUTRAN flows to the MME. If the signaling load – either benign or malicious – exceeds the provisioned capacity of the MME, then service may be compromised. This in essence, is a vulnerability that can be targeted for DoS attacks.

All IP: Unlike 2G and 3G services, which use TDM and ATM backhaul, LTE uses IP-based backhaul. As more IP-based communications is introduced to mobile infrastructures, the more it becomes vulnerable to Internet-based attacks. Since less than 5 percent of “smart,” mobile devices run security software, we are seeing a dramatic increase in malware targeting user devices.

Microcells: To boost local capacity in face of the increasing consumption of data and movie content, MNOs deploy of public-access microcell base stations in public areas such as shopping centers, shared offices and more. These small devices placed in areas accessible to the public cannot be physically secured in the same way as a conventional base station, giving attackers a potentially easier entry point from which to attack the network.

Guaranteed bandwidth: LTE delivers voice, data and video over IP with specific QoS management to ensure appropriate bandwidth allocation and latency requirements. A spike in demand, whether malicious, erroneous or real, may cause delays and even network overloads.

Taking a closer look at the dynamics of DDoS

DDoS attacks use sheer volume of devices to assault the targeted network infrastructure. They attempt to over-load its resources with vast quantities of traffic to a point of collapse. The attacks are typically launched from large clusters of connected devices (e.g., cellphones, PCs or routers) infected with malware.

The centralized nature of the mobile network architecture serves to exacerbate the attack force. Starting from different locations as smaller waves, by the time the volumetric attack reaches the core network it has amassed tsunami proportions rendering the core network system powerless. This scale of attack cannot be stopped by the narrow “surface” of the exiting GI defenses. It is bound to crash.

Expanding the perimeter to counter attacks

Most security solutions are based on a perimeter defense approach. This line of defense sensitive filters incoming traffic and prevents potential threats from reaching core network resources. In the case of a volumetric attack, however, the sheer volume rather than specific content causes the defense perimeter to crash. Within a matter of seconds targeted network elements are incapacitated as well.

To effectively mitigate DDoS attacks, mobile operators need to expand the defense perimeter. Our goal is to meet the volumetric attack with in multiple fronts, where each defense system is tasked with blocking a smaller attack and preventing it from gaining momentum. Mobile Edge Computing (MEC) provides the ideal infrastructure within the mobile network for deploying an extended defense perimeter.

cyber defense - extend the perimeter with Mobile Edge Computing DDos Solution

MEC platforms like Saguna Open-RAN bring an open computing environment into the radio access network (RAN) – away from sensitive core network. Based on the ETSI industry standard, the MEC platform offers highly granular traffic steering capabilities to locally operated MEC applications.

By operating the radio Edge, the DDoS defense solution is “hit” by smaller, yet noticeable volumes of traffic during the attack. It is then able to disable the source of attack while alerting the core network about the imminent source of danger. This approach enables earlier attack detection and prevention. Furthermore, extended security perimeter is the only place in the mobile network that can secure peer-to-peer communications and traffic from public microcells.


The conclusion should be clear. We are facing growth in malware and increased threats targeting poorly-protected devices, increasing device and service diversity and sensitivity, and critical services like VoLTE, which are dependent 4G availability. These trends make it necessary to expand our line of defense using MEC to ensure that LTE networks not just highly efficient and available, but also secure.