# Prevent Bad Signals From Harming Network Availability

By [Dzmitry Reshytnik](https://www.paloaltonetworks.com/blog/author/dzmitry-reshytnik/?ts=markdown "Posts by Dzmitry Reshytnik") Feb 27, 2018

A recent Palo Alto Networks blog
[post](https://www.paloaltonetworks.com/blog/2017/10/sp-secure-mobile-roaming-just-time-roam-like-home/) described GTP protocol attacks on both the control and user planes, highlighting the importance of full visibility into higher-layer protocols to prevent delivery of malware to mobile devices. But another harmful effect of malware is not as well known: attacks on mobile network signaling protocols. Signaling attacks can be devastating to network availability and invisible to the end user.

In the mobile network industry, we see a huge variety of signaling protocols; the most commonly used include SS7 (2G and 3G networks) and Diameter (4G networks) running over SCTP. In the initial phase of globalization of mobile networks, security of these and other signaling protocols was not an issue -- there were few service providers; they were interconnected via the purpose-built GRX network (later [IPX](https://en.wikipedia.org/wiki/IP_exchange)); and smartphones and Android malware did not yet exist.

Now, we know signaling protocols have many vulnerabilities because they were not designed to today's standards of security. For example, today the IPX network comprises over 40,000 nodes, and this figure is growing fast. Even this network itself has vulnerabilities. Engineers from BICS, one of the biggest GRX/IPX operators worldwide, conducted [research](https://www.pcworld.com/article/2357381/global-mobile-roaming-hub-accessible-from-the-internet-and-vulnerable-researchers-find.html) that revealed 5500 nodes accessible from the internet in a global interconnect network. This means that bad guys can get access to those nodes, and that can become dangerous.

Similar to application-based attacks (e.g., the Mirai botnet attack that [disrupted service](https://www.reuters.com/article/us-deutsche-telekom-outages/deutsche-telekom-attack-part-of-global-campaign-on-routers-idUSKBN13O0X4) of several service provider networks in Europe and the Middle East), signaling-level attacks can be targeted against either end users or service provider infrastructure. And this is really happening today. One of the big cases illustrating signaling infrastructure vulnerabilities happened in Europe against one of the largest mobile carriers, which also owns more than 10 mobile networks in Europe and Asia. In this case, the network went down after receiving a malformed message via the SS7 network. In another example, an [attack was launched](http://www.ibtimes.co.uk/ss7-hack-cyber-thieves-exploit-worldwide-mobile-network-flaw-drain-bank-accounts-1620014) against end users, where SS7 vulnerabilities were used to "drain" bank accounts.

As the problem has grown, the [GSM Association](https://www.gsma.com/) started to put in place SS7 and Diameter security recommendations[\[1\]](#_ftn1){#\_ftnref1} in order to help service providers protect their networks and customers. (Official documents are published on the GSMA website and accessible to members.)

Let's briefly look at a signaling network's protocol stack and name a couple of the main attack types. The image below shows protocol stacks for SS7 over IP (SIGTRAN) and Diameter.

![Signal1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/02/Signal1.png)

**SS7 Vulnerabilities:** A major issue regarding SS7 is that it can allow access to end-user SMS, location and even calls by getting certain MAP messages from another node in the SS7 network (which can have a legitimate use case). And, because this protocol does not use authentication methods to authorize a neighboring node, it is vulnerable to impersonation of network nodes and/or network partners in roaming interconnect.
Based on this vulnerability, many attacks against end users can be executed, including fraud, credential theft, eavesdropping, location tracking, SMS and call spoofing, etc. (A good overview of attack types is provided in this SANS Institute [white paper](https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225).)

**SCTP DoS Attacks:** The main attacks against infrastructure are denial-of-service attacks that try to exploit SCTP (the underlying protocol for Diameter and SS7) or specific messages in the Diameter and SS7 protocols. This attack cannot be stopped by L3/L4 firewalls, as they are not able to see and block messages of higher-layer protocols. And with [more roaming traffic](http://europa.eu/rapid/press-release_MEMO-17-885_en.htm), it is expected there will be more and more threats as a result of difficulties in identifying what should be blocked, and what should be allowed.

So, what is needed to solve these issues?

**Improve visibility**: The security platform should be able to see much higher in the protocol stack than L3/L4. It should be able to understand which applications SS7 and Diameter traffic are delivering (i.e., MAP for SS7 or S6a for Diameter protocols). An important prerequisite here is to execute SCTP stateful inspection and protocol validation, which also helps to protect against SCTP DoS attacks.

**Reduce the attack surface**: The security platform should be able to allow only legitimate applications. If the connection is between HSS and MME, it should only be allowed to run S6a applications. On the SCTP level, it should be possible to determine which higher-layer protocols are running on it and apply filtering based on the so-called PPID (payload protocol identifier).

**Allow communication only with connected network nodes:** There could be several nodes standing behind the same IP address in an SS7 network, so it's important to implement filtering based on the real identifier of the node in the SS7 infrastructure -- also known as the "global title."

With these requirements satisfied, a service provider can apply message filtering to prevent DoS on SS7 and Diameter nodes as well as attacks against end users. An example of this is Category 1 messages in SS7. These are messages that should normally only be received from within the same network, and not on interconnect links from other networks. Additionally, security functions become an integral part of signaling nodes themselves: Signaling Transfer Points and Diameter Signaling Controllers.

A next-generation security platform that takes the measures listed above can stop the majority of real-world attacks and protect signaling elements and network service availability.

Palo Alto Networks recently released additional enhancements to its Signaling Protection capabilities. Palo Alto Networks Next-Generation Security Platform for service providers provides comprehensive and consistent signaling protection, including GTP and SCTP security functions. The next-generation security platform provides deep application layer visibility, consistent policy enforcement and identification of already-infected devices.

For more information, please download our solution brief: [Extended Application Layer Visibility across Multiple Mobile Network Peering Points](https://www.paloaltonetworks.com/resources/techbriefs/application-layer-visibility-mobile-network).
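
The PPID and application filtering described under "Reduce the attack surface" above can be sketched as follows. This is an added example, not Palo Alto Networks code: it validates SCTP chunk framing, allowlists the PPID of each DATA chunk, and for Diameter also checks the Application-ID in the message header. The names `POLICY`, `data_chunks`, `verdict` and the sample builders are hypothetical, the packets are constructed, and allowing Application-ID 0 (needed for capabilities exchange and watchdog messages) goes beyond what the post states.

```python
import struct

PPID_M3UA = 3          # IANA SCTP PPID: SS7 over IP (SIGTRAN M3UA)
PPID_DIAMETER = 46     # IANA SCTP PPID: Diameter
APP_BASE = 0           # Diameter common messages (CER/CEA, DWR/DWA)
APP_S6A = 16777251     # 3GPP S6a/S6d Application-ID

# Hypothetical policy for one HSS<->MME association: Diameter only, S6a only
# (application 0 stays allowed so the peers can keep the connection up).
POLICY = {"ppids": {PPID_DIAMETER}, "diameter_apps": {APP_BASE, APP_S6A}}

def data_chunks(packet):
    """Yield (flags, ppid, payload) for each DATA chunk of a raw SCTP packet."""
    if len(packet) < 12:
        raise ValueError("truncated common header")
    off = 12
    while off < len(packet):
        if len(packet) - off < 4:
            raise ValueError("truncated chunk header")
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length")
        if ctype == 0:  # DATA: TSN, stream id, stream seq, PPID, user data
            if length < 16:
                raise ValueError("short DATA chunk")
            ppid = struct.unpack_from("!I", packet, off + 12)[0]
            yield flags, ppid, packet[off + 16:off + length]
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary

def verdict(packet, policy=POLICY):
    """Return 'allow' or a 'drop: ...' reason for one SCTP packet."""
    try:
        chunks = list(data_chunks(packet))
    except ValueError as exc:
        return "drop: malformed SCTP (%s)" % exc
    for flags, ppid, payload in chunks:
        if ppid not in policy["ppids"]:
            return "drop: PPID %d not allowed" % ppid
        # Only the first fragment (B bit set) carries the Diameter header.
        if ppid == PPID_DIAMETER and flags & 0x02:
            if len(payload) < 20 or payload[0] != 1:
                return "drop: malformed Diameter header"
            app_id = struct.unpack_from("!I", payload, 8)[0]
            if app_id not in policy["diameter_apps"]:
                return "drop: Diameter application %d not allowed" % app_id
    return "allow"

def sctp_packet(ppid, payload, flags=0x03):
    """Constructed sample: one unfragmented DATA chunk, checksum left at 0."""
    chunk = struct.pack("!BBHIHHI", 0, flags, 16 + len(payload), 1, 0, 0, ppid)
    chunk += payload + b"\x00" * (-len(payload) % 4)
    return struct.pack("!HHII", 3868, 3868, 0x1234, 0) + chunk

def diameter_header(app_id, code=316):
    """Constructed sample: bare 20-byte Diameter request header, no AVPs."""
    return struct.pack("!IIIII", (1 << 24) | 20, (0x80 << 24) | code, app_id, 1, 1)

if __name__ == "__main__":
    good = sctp_packet(PPID_DIAMETER, diameter_header(APP_S6A))
    other = sctp_packet(PPID_DIAMETER, diameter_header(16777216))  # outside policy
    m3ua = sctp_packet(PPID_M3UA, b"\x01\x00\x01\x01\x00\x00\x00\x08")
    for pkt in (good, other, m3ua, good[:-4]):
        print(verdict(pkt))
```

The sketch judges each packet in isolation; the stateful inspection the post calls for would additionally track association state and reassemble fragmented messages before checking the Diameter header.
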
[\[1\]](#_ftnref1){#\_ftn1} FS.11 "SS7 Interconnect Security Monitoring and Firewall Guidelines"; FS.19 "Diameter Interconnect Security"; IR.82 "SS7 Security Network Implementation Guidelines"