Source address spoofing (also known as Overbilling Attacks) is initiated by a malicious UE that hijacks (spoofs) an IP address of another UE and invokes a download from a malicious server on the Internet. After the download begins, the malicious UE exits the session. The UE under attack, which is receiving the download traffic, gets charged for traffic it did not solicit.
AA FW associates the GTP-C message’s End user address IE with the GTP-U packets to make sure the packets carried in the upstream have the correct source IP address (inner IP within the GTP-U tunnel). When the UE address is negotiated within the PDP Context creation handshake, all the packets originating from the UE that contain a different source address are detected by AA FW and dropped.
To enable UE IP anti-spoofing protection, the operator must enable validate-source-ip-addr:
*A:Dut-C>config>app-assure>group>
+---gtp-filter <gtp-filter-name> [create]
| +---validate-source-ip-addr
By default, validate-source-ip-addr is disabled.