The mobile network: A threat snapshot
Tom Bienkowski, director of product marketing, Arbor Networks
Fueled by their subscribers' insatiable demand for smarter mobile devices and multimedia content, mobile network operators (MNO) are seeing tremendous growth in mobile traffic on their networks. In addition, MNOs face the challenge of maintaining the availability and performance of their mobile network and services to enhance their customers' quality of experience. Failure to do so can result in service level agreement (SLA) credits, damage to brand reputation and customer churn—all of which impact the top and bottom lines of their business. It is essential that MNOs have solutions to proactively recognize traffic patterns that threaten the availability and performance of their mobile network infrastructure and services.
With the advent of wireless access to the internet from mobile devices, attackers see this as a huge open-door opportunity to initiate attacks. Generally, this wrongful activity has two main impact points: end-user mobile devices or a direct hit against the MNO's infrastructure/services.
In mobile networks, distributed denial-of-service (DDoS) attacks can be sourced from the internet or from mobile service users:
From the Internet: These attacks have been around for many years. Botnets composed of thousands of compromised PCs on the Internet can launch DDoS attacks against the mobile network infrastructure. These attacks impact the state tables in firewalls, the performance of GGSNs or the availability of services running in mobile network data centers including DNS infrastructure, and web portals.
From Mobile Users/Devices: MNOs now face threats on their mobile network from their own subscribers or devices. With the growth in app stores and mobile applications—many of which do not have any security oversight or control—compromised devices connected to the mobile network (i.e., smartphones, tablets, M2M, laptops using 3G dongles) are participating in botnets and launching DDoS attacks from the wireless side of the mobile network.
Not all threats to mobile network and service performance and availability are malicious in nature. Mobile applications are why the amount of mobile data traffic continues to increase. MNOs have little to no control over which mobile apps their subscribers install and use. To make matters worse, many mobile apps do not take into account that they communicate over networks that operate differently from traditional fixed-line IP networks—especially during recovery scenarios.
This can cause major problems when popular mobile apps undergo maintenance or encounter issues. For example, when a critical component of a social media application becomes inaccessible, it can cause subscriber devices or servers to initiate a retry/recover routine that can trigger huge spikes in mobile data. This traffic storm looks and acts like a DDoS attack on a mobile network because it affects all mobile subscribers, not just the users of this particular application.
Arbor Networks' 8th annual Worldwide Infrastructure Security Report (WISR), which is based on survey data from 130 network operators and service providers around the world, includes data related to the detection of poorly implemented mobile user applications. The data shows evidence of both malicious and non-malicious threats to mobile network operators. The majority of operators who suffered non-malicious incidents relating to poorly-behaving applications took a reactionary stance toward detection and mitigation, with over 30 percent indicating that they had to perform a reactive analysis of the problem. About 8 percent detected the problem using probe-based monitoring solutions and about 15 percent used counters or statistics on mobile infrastructure to detect the problem. More than half (54 percent) reported not having seen any issues of this type.
This is an unfortunate statistic, but is a direct result of the consumer broadband-based business model that mobile providers work within. Each subscriber contributes a small amount of revenue to the provider, and every time the subscriber calls into the provider help desk, that revenue is offset by cost. There is little incentive to put measures in place that could result in that subscriber calling less often; hence, the more reactive approach.
A large factor facing MNOs today is a lack of visibility and proactivity. According to the WISR report, 60 percent do not have any visibility into the traffic on their mobile packet core. Only 33 percent only have visibility into the user data/plane, and 27 percent only have visibility into the control plane.
The risk to these operators is clear: unseen threats cannot be prevented or contained. Of those who have visibility into traffic on their mobile packet core, the majority use counters and statistics available directly from the mobile infrastructure itself, while one-third use vendor-supplied probe-based monitoring solutions. The remainder use third-party probes or a flow-monitoring device to visualize traffic.
Many mobile devices are now as powerful as some laptop computers. The malware problem in the mobile space is quite real, and large-scale malware activity could have a devastating impact on the resources of a wireless infrastructure. Given the speed of evolution in mobile technologies and the increased dependence on mobile networks, mobile operators need to upgrade their infrastructure to maintain competitiveness. Simultaneously, they should implement threat detection and monitoring solutions to protect themselves and their customers.