Using P1 Telecom Auditor to fight SS7 Denial of Service (SS7 DoS)

The invaluable role of P1 Security's Telecom Auditor (PTA) in ensuring SS7 security, explained through a specific request by an operator.

Product news
Oct 9, 2012

You can prepare against SS7 Denial of Service (SS7 DoS) using an SS7 vulnerability scanner such as PTA.

We had an interesting request recently:

Identify the Network Elements of the SS7 network which are exposed on the International and National perimeter, in order to identify the exposed Global Titles, Point Codes and SubSystem Numbers of all of this equipment, so that the operator can evaluate which ones to block in case of a DoS attack without affecting the security of the network.

Mission result

That was a very fruitful exercise with useful results for both the operator and us. Here are a few takeaways from the mission:

  • SS7 is resilient on the links, but not on the Network Elements themselves. If one NE crashes or becomes unavailable under high traffic, it goes down regardless of the number of links it uses for SS7 interconnection.
  • HLR Front Ends usually respond quite well to “dumb” DoS by SS7 MSU flooding. Some do not do well at all against malformed MSUs (be it SCCP, TCAP or MAP), where the Front Ends crash one after another.
  • Naturally, the exposure of Network Elements differs between International and National interconnects.
  • Surprisingly, the exposure of the same Network Element in the same perimeter (typically International) is very different depending on the upstream SCCP provider. This greatly affects the view an attacker will have of the systems.
  • Organizationally, some operators are much more ready than others to deal with these kinds of attacks. The ones that are the most ready are those with CERT-like Telecom Security teams which encompass many different kinds of people: Telecom Engineering, Operations, Roaming team members, IT CERT, Group security, etc.
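As an added example (not part of the original post and not PTA code), here is one way to organize audit findings so that the two exposure observations above can be checked: it groups exposed GT/PC/SSN per Network Element by perimeter and upstream provider, and lists the addresses visible through only some providers. The findings, element names, provider names and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings, not real scan output. One row per address that answered:
# (perimeter, upstream SCCP provider, network element, Global Title, Point Code, SSN)
FINDINGS = [
    ("international", "provider-A", "HLR-FE-1", "999000000001", "2-010-1", 6),
    ("international", "provider-B", "HLR-FE-1", "999000000001", "2-010-1", 6),
    ("international", "provider-B", "HLR-FE-1", "999000000002", "2-010-1", 6),
    ("international", "provider-A", "MSC-1", "999000000020", "2-020-1", 8),
    ("international", "provider-B", "MSC-1", "999000000020", "2-020-1", 8),
    ("national", "provider-N", "HLR-FE-1", "999000000001", "2-010-1", 6),
    ("national", "provider-N", "MSC-1", "999000000020", "2-020-1", 8),
]


def exposure_by_path(findings):
    """Map NE -> (perimeter, provider) -> set of exposed (GT, PC, SSN)."""
    view = defaultdict(lambda: defaultdict(set))
    for perimeter, provider, ne, gt, pc, ssn in findings:
        view[ne][(perimeter, provider)].add((gt, pc, ssn))
    return view


def provider_discrepancies(findings):
    """Addresses of an NE seen through some, but not all, providers of a perimeter."""
    result = {}
    for ne, paths in exposure_by_path(findings).items():
        by_perimeter = defaultdict(list)
        for (perimeter, _provider), addrs in paths.items():
            by_perimeter[perimeter].append(addrs)
        for perimeter, sets in by_perimeter.items():
            partial = set.union(*sets) - set.intersection(*sets)
            if partial:
                result[(ne, perimeter)] = sorted(partial)
    return result


def block_candidates(findings, perimeter):
    """Distinct (GT, SSN) pairs exposed on a perimeter, with the NEs behind each."""
    pairs = defaultdict(set)
    for p, _provider, ne, gt, _pc, ssn in findings:
        if p == perimeter:
            pairs[(gt, ssn)].add(ne)
    return {pair: sorted(nes) for pair, nes in sorted(pairs.items())}


if __name__ == "__main__":
    print(provider_discrepancies(FINDINGS))
    print(block_candidates(FINDINGS, "international"))
```

A provider through which an element answered nothing contributes no rows, so it is not counted in the comparison; record such paths explicitly if that distinction matters for the blocking decision.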

Preparation is everything in this domain: when you are hit by these attacks, you have very little time to react while the network is going down and revenue is stopping. And you’ll get much more pressure than you would over a fraud case. That’s the difference between fraud and security. Fraud will hurt you. A security breach can kill you.
