Network flooding attacks, malformed packets and port scans are examples of DoS attacks that can be carried out from a compromised eNB/FAP. AA FW provides inspection of SCTP (the protocol used to communicate with the MME). This inspection covers the SCTP protocol ID, source and destination ports, PPID, SCTP chunk checking, and malformed SCTP packets (for example, checksum validation).
SCTP chunk checking includes checking for:
invalid length values (frames with an invalid length value are dropped regardless of the chunk type)
data chunks whose length value is too small to accommodate the PPID (such frames are dropped as invalid/badly formed)
data chunks whose length value is too large for the chunk (such frames are dropped as invalid/badly formed)
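The following is an added illustration of the inspection steps listed above, written for this page; it is not AA FW code, and the AA implementation is not described in detail here. It parses the SCTP common header and chunk list, validates the CRC32c checksum, applies the three chunk-length checks, and enforces a PPID and port allowlist. The S1AP PPID (18) and S1-MME port (36412) are IANA assignments, not values from the page; the sample packets are constructed inline, including deliberately malformed ones, to show each drop reason.

```python
import struct

# Constants assumed for S1-MME traffic (IANA assignments, not taken from the page):
S1AP_PPID = 18        # SCTP payload protocol identifier for S1AP
S1AP_PORT = 36412     # well-known SCTP port for S1-MME
SCTP_COMMON_HDR = 12  # src port, dst port, verification tag, checksum
DATA_CHUNK_TYPE = 0
DATA_CHUNK_HDR = 16   # type, flags, length, TSN, stream id, stream seq, PPID


def crc32c(data: bytes) -> int:
    """Bitwise CRC32c (Castagnoli, reflected polynomial 0x82F63B78) as used by SCTP."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def build_data_chunk(tsn, stream_id, stream_seq, ppid, payload, length=None):
    """Build a DATA chunk; 'length' may be overridden to construct malformed samples."""
    if length is None:
        length = DATA_CHUNK_HDR + len(payload)
    chunk = struct.pack("!BBHIHHI", DATA_CHUNK_TYPE, 0x03, length,
                        tsn, stream_id, stream_seq, ppid) + payload
    return chunk + b"\x00" * ((-len(chunk)) % 4)   # chunks are padded to 4 bytes


def build_sctp_packet(src_port, dst_port, vtag, chunks):
    """Assemble common header + chunks; checksum is stored LSB-first (RFC 4960 App. B)."""
    header = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    body = b"".join(chunks)
    return header[:8] + struct.pack("<I", crc32c(header + body)) + body


def inspect_sctp(pkt, allowed_ppids=(S1AP_PPID,), allowed_ports=(S1AP_PORT,)):
    """Return ('accept', '') or ('drop', reason) for one SCTP packet (IP header removed)."""
    if len(pkt) < SCTP_COMMON_HDR:
        return ("drop", "truncated common header")
    src, dst, _vtag = struct.unpack("!HHI", pkt[:8])
    stored = struct.unpack("<I", pkt[8:12])[0]
    # Malformed-packet check: recompute CRC32c with the checksum field zeroed.
    if crc32c(pkt[:8] + b"\x00\x00\x00\x00" + pkt[12:]) != stored:
        return ("drop", "checksum mismatch")
    if src not in allowed_ports and dst not in allowed_ports:
        return ("drop", "port %d->%d not permitted" % (src, dst))
    off = SCTP_COMMON_HDR
    while off < len(pkt):
        if len(pkt) - off < 4:
            return ("drop", "truncated chunk header")
        ctype, _flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4:                       # invalid length, any chunk type
            return ("drop", "invalid chunk length %d" % length)
        if off + length > len(pkt):          # length too large for the chunk present
            return ("drop", "chunk length %d too large for packet" % length)
        if ctype == DATA_CHUNK_TYPE:
            if length < DATA_CHUNK_HDR:      # too small to hold the PPID field
                return ("drop", "DATA chunk length %d too small to hold PPID" % length)
            ppid = struct.unpack("!I", pkt[off + 12:off + 16])[0]
            if ppid not in allowed_ppids:    # PPID filtering
                return ("drop", "PPID %d not permitted" % ppid)
        off += (length + 3) & ~3             # advance past 4-byte padding
    return ("accept", "")


def run_samples():
    """Constructed sample packets covering each check; returns {name: verdict}."""
    good_chunk = build_data_chunk(1, 0, 0, S1AP_PPID, b"\x00\x11\x22")
    good = build_sctp_packet(S1AP_PORT, S1AP_PORT, 0x1234, [good_chunk])
    corrupted = bytearray(good)
    corrupted[-1] ^= 0xFF                    # flip one byte: checksum no longer matches
    cases = {
        "valid": good,
        "bad_checksum": bytes(corrupted),
        "short_data_chunk": build_sctp_packet(S1AP_PORT, S1AP_PORT, 1,
            [build_data_chunk(1, 0, 0, S1AP_PPID, b"\x00\x11\x22", length=8)]),
        "oversized_chunk": build_sctp_packet(S1AP_PORT, S1AP_PORT, 1,
            [build_data_chunk(1, 0, 0, S1AP_PPID, b"\x00\x11\x22", length=200)]),
        "wrong_ppid": build_sctp_packet(S1AP_PORT, S1AP_PORT, 1,
            [build_data_chunk(1, 0, 0, 99, b"\x00\x11\x22")]),
        "wrong_port": build_sctp_packet(1234, 5678, 1, [good_chunk]),
    }
    return {name: inspect_sctp(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-18s %s %s" % (name, *verdict))
```

The checksum is verified before any chunk is parsed, so a corrupted frame is dropped without the parser ever trusting its length fields; the length checks then bound every read to the bytes actually present.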
For S1-MME traffic, the operator can configure various AA actions:
Drop packets with an invalid checksum, source/destination IP address or port number (malformed packet protection) by configuring session filters or the error-drop [event-log <event-log-name>] AQP action command appropriately.
Use the SCTP-Filter command for PPID filtering.
Rate limit the amount of S1-MME traffic (flooding protection) in terms of bandwidth (bits/sec), using AA bandwidth policers.
Limit the number of concurrent SCTP flows (flooding protection) using AA flow count policers.
Limit the SCTP flow setup rate (flows/sec) to protect against DoS flooding using AA flow rate policers.
Drop all fragmented packets, or only out-of-order fragments, using the fragment-drop {all | out-of-order} AQP action command.
The actions above can be applied per eNB/FAP IP address or per MME (to control aggregate traffic per MME).
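As an added illustration of the flow count and flow setup rate policers described above (not AA code; the exact AA policer semantics are not specified on this page), the model below keys its state by the eNB/FAP or MME IP address, caps the number of concurrent SCTP associations, and limits the setup rate with a token bucket. The limits, the burst size and the sample events are assumed values chosen for the demonstration.

```python
import time


class SctpFlowPolicer:
    """Per-key (eNB/FAP IP or MME IP) concurrent-flow cap and flow-setup-rate limit.

    Assumed semantics (not taken from the page): at most max_flows associations
    may be active per key, and each new setup consumes one token from a bucket
    refilled at setup_rate tokens/sec up to a capacity of 'burst'.
    """

    def __init__(self, max_flows, setup_rate, burst, clock=time.monotonic):
        self.max_flows = max_flows
        self.setup_rate = float(setup_rate)
        self.burst = float(burst)
        self.clock = clock
        self.active = {}    # key -> number of concurrent flows
        self.buckets = {}   # key -> [tokens, time of last refill]

    def _refill(self, key, now):
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.setup_rate)
        self.buckets[key] = [tokens, now]
        return tokens

    def flow_setup(self, key, now=None):
        """Return (allowed, reason) for a new SCTP association seen for 'key'."""
        now = self.clock() if now is None else now
        if self.active.get(key, 0) >= self.max_flows:
            return (False, "flow count limit")        # flow count policer
        tokens = self._refill(key, now)
        if tokens < 1.0:
            return (False, "flow setup rate limit")   # flow rate policer
        self.buckets[key][0] = tokens - 1.0
        self.active[key] = self.active.get(key, 0) + 1
        return (True, "")

    def flow_end(self, key):
        """Release one concurrent-flow slot when an association closes."""
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1


def run_scenario():
    """Constructed event sequence for one eNB; returns the list of (allowed, reason)."""
    # Assumed limits: 2 concurrent flows, 1 new flow/sec, burst of 2.
    policer = SctpFlowPolicer(max_flows=2, setup_rate=1.0, burst=2.0)
    enb = "192.0.2.10"   # documentation-range address, constructed for the example
    results = []
    results.append(policer.flow_setup(enb, now=0.0))   # allowed, 1 active
    results.append(policer.flow_setup(enb, now=0.0))   # allowed, 2 active (bucket empty)
    results.append(policer.flow_setup(enb, now=0.0))   # rejected: flow count limit
    policer.flow_end(enb)                              # one association closes
    results.append(policer.flow_setup(enb, now=0.5))   # rejected: only 0.5 token refilled
    results.append(policer.flow_setup(enb, now=1.0))   # allowed: 1 token available
    results.append(policer.flow_setup("192.0.2.11", now=1.0))  # other eNB, own bucket
    return results


if __name__ == "__main__":
    for i, (allowed, reason) in enumerate(run_scenario(), 1):
        print("event %d: %s %s" % (i, "allow" if allowed else "drop", reason))
```

Keying the state per eNB/FAP address gives the per-eNB limits from the text; keying it per MME address instead gives the aggregate-per-MME control mentioned in the last line.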