Unauthorized APN attacks and APN filtering

Access Point Name (APN) filtering checks GTP-C messages to determine if a roaming subscriber is allowed to access a specified external network (also known as APN).

create-session-request and ‟create pdp request” GTP message types contain an APN IE in the header of a GTP packet. The APN IE consists of an external network-ID (for example, Nokia.com). Optionally, the APN IE can include a unique ID that identifies the operators' PLMN.

APN filtering prevents malicious UEs from initiating a ‟Create PDP/session Request” flood attack toward the PGW/GGSN for invalid or disallowed APNs.

The AA GTP filter can be configured to perform APN filtering to restrict roaming subscribers' access to specific external networks.

An APN filter, an IMSI prefix, and an SGSN Address pool can be used together to filter GTP packets as shown in the following example.

An APN filter entry can also be optionally combined with an SGSN or SGW IP address (or IP address prefix list) to further restrict allowed APN access by configured SGSN or SGW nodes.

*A:Dut-C>config>app-assure>group>
+---gtp-filter <gtp-filter-name> [create]
|   +---imsi-apn-filter //NEW and all its children attributes
|   |   +---default-action {permit|deny} //default permit
|   |   +---entry <entry-id: 1031..2030> create
|   |   |       + apn <string 0|1..32 characters>
|   |   |       |---no apn
|   |   |       + src-gsn ip-prefix-list <ip-prefix-list>
|   |   |       + src-gsn <ip address prefix>
|   |   |       |---no src-gsn
|   |   |       + action {permit|deny} //default permit
|   |   +---no entry <entry-id>

An APN filter and an IMSI prefix filter (see Unauthorized PLMN access—IMSI prefix filtering) can be used together to filter GTP packets.

By default, AA FW allows all of the APNs.