
GTP Attack Types

GTP eavesdropping

If an IPX/GRX infrastructure is compromised, a potential attacker can snoop into passing
GTP traffic and gain valuable subscriber information. For example, User Location
information can be exposed if ‘MS Info Change Notification’ Requests are sent between
Visited PMN and Home PMN.

Other important information that can be exposed to the attacker is subscriber APN
credentials. Those credentials are transmitted in clear-text and are part of PPP set-up
procedure.

Generation of malicious GTP messages

Besides just parsing the transiting GTP traffic, an attacker can generate malicious
requests that cause significant damage to subscriber sessions and billing, or Denial of
Service on specific SGW(s). Vectors of potential attacks include but are not limited to:

- DoS attack on all subscribers served by the same SGW, made possible through
generation of GTP messages containing an increased Recovery information element (IE)

- Information gathering through sending a fake ‘Delete Session Request’, which must be
answered by the receiving NE

- Unauthorized access to an APN by impersonating a Visited PLMN SGW and sending a
message to the Home PLMN PGW with the Selection Mode IE set to ‘Verified’, i.e. indicating that
the HLR has approved the access of this UE to the specified APN

- Billing fraud and impersonation of another subscriber by specifying another
subscriber’s IMSI in a Session Setup Request

- Redirecting an existing GTP-U tunnel to another PGW by sending an Update PDP Context
Request message and specifying a new TEID Data

- DoS attack on all subscribers served by the same SGW board by sending a Delete PDN
Connection Set Request with a valid FQ-CSID

Flood of malicious GTP messages

One of the serious concerns of any MNO is potential network outage and service
degradation due to exhaustion of the IP addresses assigned to a particular PGW. This
vulnerability can be exploited by sending a flood of ‘Create Session Request’ messages
to that PGW.
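
A detection-side example for two of the vectors above, the changed Recovery IE and the ‘Create Session Request’ flood, added here and not part of the original document: it parses GTPv2-C messages seen at a monitoring point and returns per-peer alerts. The names `parse_gtpv2`, `GtpPeerMonitor` and `build_sample`, the alert strings, the thresholds and the sample messages are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque
CREATE_SESSION_REQUEST, IE_RECOVERY = 32, 3  # GTPv2-C message type / Recovery IE type

def parse_gtpv2(data):
    """Return (message_type, {ie_type: first value}), or None if not parseable GTPv2-C."""
    if len(data) < 8 or data[0] >> 5 != 2:
        return None
    msg_type, length = struct.unpack_from("!BH", data, 1)
    end = min(len(data), 4 + length)       # length excludes the first 4 octets
    pos = 12 if data[0] & 0x08 else 8      # T flag set: a 4-octet TEID follows
    ies = {}
    while pos + 4 <= end:
        ie_type, ie_len = struct.unpack_from("!BH", data, pos)
        if pos + 4 + ie_len <= end:        # ignore a truncated trailing IE
            ies.setdefault(ie_type, data[pos + 4:pos + 4 + ie_len])
        pos += 4 + ie_len
    return msg_type, ies

class GtpPeerMonitor:
    def __init__(self, max_creates=3, window=1.0):  # assumed thresholds
        self.max_creates, self.window = max_creates, window
        self.restart = {}                  # peer -> last restart counter seen
        self.creates = defaultdict(deque)  # peer -> recent request timestamps

    def observe(self, ts, peer, data):
        parsed = parse_gtpv2(data)
        if parsed is None:
            return ["malformed"]
        msg_type, ies = parsed
        alerts = []
        rec = ies.get(IE_RECOVERY)
        if rec:
            if self.restart.get(peer, rec[0]) != rec[0]:
                alerts.append("recovery-changed")  # confirm the peer really restarted
            self.restart[peer] = rec[0]
        if msg_type == CREATE_SESSION_REQUEST:
            q = self.creates[peer]
            q.append(ts)
            while ts - q[0] > self.window:  # drop timestamps outside the window
                q.popleft()
            if len(q) > self.max_creates:
                alerts.append("create-flood")
        return alerts

def build_sample(msg_type, ies, seq=1):  # constructed sample message, TEID 0
    body = b"".join(struct.pack("!BHB", t, len(v), 0) + v for t, v in ies)
    hdr = struct.pack("!BBHI", 0x48, msg_type, 8 + len(body), 0)
    return hdr + seq.to_bytes(3, "big") + b"\x00" + body
```

In a deployment the timestamps and peer addresses would come from the capture point on the roaming interface, and the thresholds would be tuned to the normal signalling rate of each roaming partner.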

Active message suppression

Message suppression and dropping pose a risk for subscribers, as they can cause legitimate ‘Delete
Session Request’ messages to never reach the Home PGW, keeping the subscriber’s PDP context active
in the VPLMN.

Active message suppression and modification

As with active suppression, an attacker can modify or drop and recreate GTP requests and/or
answers. As a possible attack vector, a legitimate ‘Session Setup Response’/‘Create Session
Response’ is modified to include a ‘Cause’ IE value other than “Request Accepted”, “New PDP
type due to network preference” or “New PDP type due to single address bearer only”. This
behavior causes Denial of Service for affected subscribers.
