You can prepare against SS7 Denial of Service (SS7 DoS) using an SS7 vulnerability scanner such as PTA.
We had an interesting request recently:
Identify the Network Elements of the SS7 network which are exposed on the International and National perimeter to identify exposed Global Titles, Point Codes and SubSystem Numbers of all of this equipment so that the operator can evaluate which ones to block in case of a DoS attack without affecting the security of the network.
That was a very fruitful exercise with useful results for both the operator and us. Here are a few takeaways from the mission:
- SS7 is resilient on the links, but not on the Network Elements themselves. If one NE crashes or becomes unavailable under high traffic, it goes down regardless of the number of links it uses for SS7 interconnection.
- HLR Front Ends usually respond quite well to “dumb” DoS with SS7 MSU flooding. Some don’t do well at all against malformed MSUs (be it SCCP, TCAP or MAP), where the Front Ends crash one after another.
- Naturally, the exposure of Network Elements differs between International and National interconnects.
- Surprisingly, the exposure of the same Network Element on the same perimeter (typically International) is very different depending on the upstream SCCP provider. This greatly affects the view an attacker will have of the systems.
- Organizationally, some operators are much more ready than others to deal with this kind of attack. The ones that are the most ready are the ones who have CERT-like Telecom Security teams which encompass many different kinds of people: Telecom Engineering, Operations, Roaming team members, IT CERT, Group security, etc.
Preparation is everything in this domain: when you are hit by these attacks, you have very little time to react while the network is going down and revenue is stopping. And you’ll get much more pressure than with a fraud case. That’s the difference between fraud and security. Fraud will hurt you. A security breach can kill you.
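The takeaway above about exposure differing per upstream SCCP provider can be checked mechanically once the inventory is collected. The following is an added example, not code from the original post or from PTA: it assumes findings are available as (perimeter, provider, NE, GT, PC, SSN) records, and every name and value in it is constructed.

```python
from collections import defaultdict

# Constructed sample findings (not real network data). Record layout is an
# assumption: (perimeter, upstream SCCP provider, NE, GT, point code, SSN).
# SSN 6 = HLR, 7 = VLR, 8 = MSC.
FINDINGS = [
    ("international", "carrier-A", "HLR-FE-1", "99900000001", "2-010-1", 6),
    ("international", "carrier-B", "HLR-FE-1", "99900000001", "2-010-1", 6),
    ("international", "carrier-B", "HLR-FE-1", "99900000001", "2-010-1", 7),
    ("international", "carrier-A", "MSC-1", "99900000010", "2-010-2", 8),
    ("international", "carrier-B", "MSC-1", "99900000010", "2-010-2", 8),
    ("international", "carrier-A", "MSC-1", "99900000011", "2-010-2", 8),
    ("national", "carrier-N", "HLR-FE-1", "99900000001", "2-010-1", 6),
]


def exposure_by_provider(findings):
    """Group exposed (GT, PC, SSN) addresses per (NE, perimeter) and provider."""
    view = defaultdict(lambda: defaultdict(set))
    for perimeter, provider, ne, gt, pc, ssn in findings:
        view[(ne, perimeter)][provider].add((gt, pc, ssn))
    return view


def provider_discrepancies(findings):
    """Return, per (NE, perimeter), the addresses reachable through some but
    not all of the upstream providers observed on that perimeter."""
    result = {}
    for key, per_provider in exposure_by_provider(findings).items():
        if len(per_provider) < 2:
            continue  # a single provider gives nothing to compare against
        everywhere = set.intersection(*per_provider.values())
        anywhere = set.union(*per_provider.values())
        partial = {
            addr: sorted(p for p, addrs in per_provider.items() if addr in addrs)
            for addr in anywhere - everywhere
        }
        if partial:
            result[key] = partial
    return result


if __name__ == "__main__":
    for (ne, perimeter), partial in sorted(provider_discrepancies(FINDINGS).items()):
        for (gt, pc, ssn), providers in sorted(partial.items()):
            print(f"{ne} [{perimeter}] GT={gt} PC={pc} SSN={ssn} "
                  f"exposed only via {', '.join(providers)}")
```

Addresses that show up through only one provider are the ones to review first with that provider when deciding what can be blocked.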