Mobile operators don’t know enough about threats facing their network and they aren’t being proactive enough, says Arbor Networks’ Tom Bienkowski
Fuelled by their subscribers’ insatiable demand for smarter mobile devices and multimedia content, mobile network operators (MNOs) have seen tremendous growth in mobile traffic on their networks.
Along with this growth, MNOs face the ever-increasing challenge of maintaining the availability and performance of their mobile network and services to enhance their customers’ quality of experience.
It is thus essential that MNOs have solutions in place to proactively recognise traffic patterns that threaten the availability and performance of their mobile network infrastructure and services.
With the advent of wireless access to the Internet from mobile devices, attackers naturally see this as a huge open-door opportunity to initiate attacks. Generally, this wrongful activity has two main impact points:
- End-user mobile devices: Short Message Service (SMS) toll fraud, SMS phishing (SMSishing) and mobile malware are examples of how a miscreant can use the latest mobile devices (e.g., smartphones, tablets) or end-users themselves to lure victims to bogus websites or services, where they can be exploited for the attacker’s financial gain.
- MNO’s infrastructure and/or services: Distributed denial of service (DDoS) attacks can have a direct impact on targeted infrastructure, or they can impact infrastructure (and available capacity) simply due to the increased traffic volume or session load. DDoS attacks can lead to poor network performance, impact many subscribers’ services, damage brand reputation and even cause customer churn.
In mobile networks, DDoS attacks can be sourced from the Internet or from mobile service users:
- From the Internet: These attacks have been around for a number of years. For example, botnets composed of thousands of compromised PCs on the Internet can launch DDoS attacks against the mobile network infrastructure. These types of attacks impact the state tables in firewalls, the performance of GGSNs (Gateway GPRS Support Node) or the availability of services running in mobile network data centres including Domain Name System (DNS) infrastructure, Web portals, etc.
- From mobile users/devices: MNOs are starting to face threats on their mobile network from their own subscribers or devices. With the growth in app stores and mobile applications – many of which do not have any sort of security oversight or control – compromised devices connected to the mobile network (e.g., smartphones, tablets, M2M, laptops using 3G dongles) are participating in botnets and launching DDoS attacks from the wireless side of the mobile network. These types of threats consume precious radio spectrum and capacity on shared radio access network (RAN) infrastructure and can impact overall network performance.
Not all threats to mobile networks, their service performance and availability, are malicious in nature. Mobile applications are the reason why the amount of mobile data traffic continues to increase. MNOs have little to no control over which mobile apps their subscribers install and use. To make matters worse, many mobile apps do not take into account that they communicate over networks that operate differently from traditional fixed-line IP networks – especially during recovery scenarios.
This can cause major problems when popular mobile apps, used by millions of subscribers, undergo maintenance or encounter issues. For example, when a critical component of a social media application (e.g., a core communication server) becomes inaccessible, it can cause subscriber devices or servers to initiate a retry/recover routine that can trigger huge spikes in mobile data and control-plane traffic. Such a traffic storm, though not malicious in nature, looks and acts like a DDoS attack on a mobile network because it affects all mobile subscribers, not just the users of this particular application.
Arbor Networks’ 8th annual Worldwide Infrastructure Security Report (WISR), which is based on survey data from 130 network operators and service providers around the world, includes evidence of both malicious and non-malicious threats to mobile network operators who participated in the survey. The majority of operators who suffered non-malicious incidents relating to poorly behaving applications took a reactive stance toward detection and mitigation, with over 30 percent indicating that they had to perform a reactive analysis of the problem.
This is an unfortunate statistic, but is a direct result of the consumer broadband-based business model that mobile providers work within. Each subscriber contributes a relatively small amount of revenue to the provider, and every time the subscriber calls into the provider help desk, that revenue is offset for some time by cost. There is little incentive to put measures in place that could result in that subscriber calling in less often. Hence, the more reactive approach. This model is likely to change if/when attacks impact the mobile network itself.
How big is the mobile network threat?
There’s more than anecdotal evidence that these threats are occurring and are having an impact on mobile networks and the services they provide. This year’s WISR data highlights the growing threat to mobile networks very clearly:
- 34 percent suffered a customer-visible outage due to a security incident, a 64 percent increase over the prior year.
- 57 percent do not know what proportion of subscriber devices on their networks are participating in botnets or other malicious activity.
- 60 percent have no visibility into traffic on their packet cores, resulting in unseen threats that cannot be prevented or contained.
- 45 percent do not know if DDoS attacks are targeting their Internet Gi infrastructure.
- 28 percent observed DDoS attacks targeting their wireless network, while 25 percent don’t know if such attacks occurred due to a lack of visibility.
- 16 percent reported outbound attack traffic from subscribers, but 25 percent can’t tell if subscribers are originating DDoS traffic due to a lack of visibility.
A large factor facing MNOs today is a lack of visibility and an overall lack of proactivity, as the WISR data above illustrates. Sixty percent of mobile operators lack visibility into the traffic on their mobile/evolved packet cores.
The risk to these operators is clear: unseen threats cannot be prevented or contained. Of those who have visibility into traffic on their mobile packet core, the majority use counters and statistics available directly from the mobile infrastructure itself, while one-third use vendor-supplied probe-based monitoring solutions. The remainder use third-party probes or a flow-monitoring device to visualise traffic.
Many mobile devices are now as powerful as some laptop computers, with dual-core CPUs, gigabytes of memory and high-speed wireless interfaces. The malware problem in the mobile space is quite real, and large-scale malware activity – with thousands of active participants – could have a devastating impact on the resources of a wireless infrastructure.
Given the speed of evolution in mobile technologies and the increased dependence on mobile networks, mobile operators are having to upgrade their infrastructure to maintain competitiveness. At the same time, they should implement threat detection and monitoring solutions to protect themselves and their customers.
Tom Bienkowski is director of product marketing at Arbor Networks