infoTECH Spotlight Magazine

infoTECH Magazine

Feature Story

April 01, 2011

The DDoS Security Threat to Mobile Networks

This article originally appeared in the April 2011 issue of InfoTECH SPOTLIGHT


Due to the increased usage of 3G mobile devices like smartphones or PCs with air cards, that are accessing Web 2.0 applications for video and social network type of experiences, the amount of data traffic traversing mobile broadband networks is growing at a phenomenal rate. Cisco (News - Alert), for example, predicts mobile data will grow 66 times by 2013.

To meet this skyrocketing demand, mobile operators have been making major investments in their network infrastructures, such as from 3G to LTE (News - Alert), and their focus has been on service creation and overall user experience. They operate in a highly competitive market where service differentiation and customer satisfaction are key elements in increasing customer loyalty and average revenue per user (ARPU).

Unfortunately, the security posture of mobile networks has not evolved along with the growth of the data networks themselves. With some notable exceptions, many mobile/fixed wireless network operators appear to have security postures approximating those of wireline operators eight to 10 years ago.


According to Arbor Networks 2010 Worldwide Infrastructure Security Report, the fastest-growing category of ISPs – mobile and fixed wireless operators – may be the least prepared in terms of network visibility, control and overall ability to defend themselves and their customers against attack. The culmination of survey responses, the report contains industry-wide data that spans roughly a 12-month period from 3Q 2009 through 3Q 2010. Mobile and fixed wireless operators reported that they have little visibility into data traffic on their networks. Data from the report includes the following:

  • Nearly 60 percent of respondents indicated they have limited or no visibility into the network traffic of their wireless packet cores.
  • 46 percent of respondents stated that they have experienced visible customer outages during the survey period due to security incidents on their networks. Based upon the previously mentioned deficits in network visibility, this number may be underreported.

In a sense, mobile operators have become accidental ISPs. In a few short years, they have invested in, and transformed their businesses from voice carriers into providers of mobile data and video experiences. The most basic element underpinning these investments is the very availability of the networks and services themselves. As they transition to all-IP networks and become data-centric, mobile operators are becoming data center operators. The number one security threat to the availability of an Internet Data Center (IDC (News - Alert)) is distributed denial of service attacks (DDoS). This is increasingly true for mobile operators.

Multi-tenant environments like IDCs are prime targets for DDoS attacks because of the potential to cause collateral damage across multiple customers. Attacks are also changing rapidly, moving from volumetric-based, where they try to simply overwhelm the connection with data, to more sophisticated application layerDDoS attacks that target specific services. Application layer DDoS attacks are not high-bandwidth and therefore difficult to identify, threatening a myriad of services. A significant number of mobile network operators indicated in the survey that they experienced application-layer DDoS attacks directed at their supporting ancillary infrastructure elements. These elements include DNS servers, Web portal servers, SMTP servers, Diameter servers and even GTP tunnels and SMS gateways. Additional data from the report includes:


  • 56 percent of respondents indicated that their ancillary support infrastructure such as Web portals, DNS and other related services have been adversely affected by DDoS attacks over the 12-month survey period.
  • 44 percent indicated that mobile handsets or end-customer computers with wireless connectivity have been affected by DDoS attacks.
  • 50 percent of respondents indicated that they have observed outbound/crossbound DDoS attacks originating from infected subscriber nodes. Given the network visibility deficits described above, this statistic may also be understated.
  • 22 percent of respondents indicated that stateful firewalls and/or stateful NAT devices on their networks have been adversely affected by DDoS attacks during this period.

From a security standpoint, mobile network data growth is a game changer. Hackers look for opportunity and they see plenty in mobile networks – from the infrastructure itself, to the ubiquity of connected devices, to users who load them with personal and sensitive information. Mobile operators are struggling with the availability of limitless botnets with ever increasing bandwidth, the vulnerability of the infrastructure itself and with few network control points. As this year’s Worldwide Infrastructure Security Report demonstrates, mobile operators need better ability to see malicious traffic on their networks and be able to influence it in such a way that protects them and their customers.

TMCnet publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month? Get in touch.

Edited by Stefania Viscusi