Prepare Now: How to Defend Against Emerging 5G Vulnerabilities

In the evolving landscape of mobile networks, new vulnerabilities are emerging across 3G and 4G infrastructures, and 5G is likely to follow. Protecting only the Gi interface is no longer sufficient for service provider security.

Until recently, the Gi-LAN connecting the Evolved Packet Core (EPC) to the internet was seen as the most exposed part of a service provider’s network and was typically defended with Gi-firewalls and anti-DDoS systems. Other EPC links were considered difficult targets because attacking them required specialized vendor knowledge. Hackers generally preferred softer targets, so developers and carriers prioritized protections for the most obvious entry points while relying on network complexity as a deterrent.

That assumption no longer holds. The expertise required to attack EPC components from alternative interfaces is becoming more widespread. Mobile endpoints are being infected at an alarming rate, allowing attacks to originate from within the network. Malware campaigns such as Gooligan, Pegasus, and Viking Horde made headlines in 2016, and mobile ransomware attacks surged by about 250 percent in the first quarter of 2017. These trends demonstrate how threats are shifting from isolated incidents to systemic risks.

Securing the EPC has become essential as LTE adoption and the Internet of Things (IoT) expand. LTE networks reached 647 commercial deployments in 2017, with hundreds more planned. As LTE rolls out, IoT deployments have accelerated, creating a substantial new revenue stream for enterprises and a market forecast to grow significantly over the coming years. This rapid expansion increases the attack surface, and service providers must adopt a holistic security posture to address it.

Mobile service providers connect to the outside world through three primary data paths: the internet via the S/Gi-LAN; partner networks that support roaming users; and links carrying traffic from radio towers. Each path presents distinct security challenges and attack vectors. Historically, the internet connection was the primary focus for defenses because DDoS attacks frequently targeted the Gi link. Those volumetric attacks could often be mitigated with scalable firewalls and DDoS protection services.

The expanding attack surface

The threat landscape is changing rapidly, and attacks can now originate from multiple connectivity points. While academic research has long warned that partner networks and radio access networks (RANs) could be exploited, these scenarios are no longer hypothetical: they are happening in the wild. Concurrently, the exponential growth of IoT devices increases the risk that compromised devices will be weaponized against service provider networks.

Botnets such as WireX and its variants have been discovered and dismantled after causing disruptions. So far, these botnets primarily targeted hosts on the public internet, but they illustrate how easily large pools of compromised devices can be leveraged. It is only a matter of time before attackers aim such resources at EPC components.

Multiple weak points exist within EPC architectures. Elements that were once isolated behind proprietary protocols now operate over standard IP, UDP, or SCTP transports and are therefore susceptible to straightforward denial-of-service techniques. The overall attack surface is substantially larger than in the past, and legacy security approaches are inadequate to manage these risks.

Signaling storms and DDoS attacks can be produced by malicious actors or even by legitimate devices that malfunction. For instance, a faulty protocol implementation in an IoT device can generate excessive signaling traffic and cause outages that mirror deliberate attacks.

Securing the service provider network

To protect service provider networks, organizations must strengthen defenses against DDoS and signaling attacks. A layered approach combining S/Gi firewalls and dedicated DDoS mitigation systems is essential. Traffic policing and throttling (TPS) should be applied across enterprise IT, including both on-premises and cloud infrastructures, to make mitigation of multi-terabit attacks feasible.

Deploying advanced tools that can detect and block targeted attacks on EPC elements is critical. Effective solutions should support granular deep packet inspection and behavioral analysis to identify spoofing, impersonation, and signaling-based exploit attempts. Such capabilities help security teams detect subtle attack patterns and enforce policies that prevent unauthorized or anomalous traffic from disrupting core services.
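As an added illustration of the behavioral check the two passages above call for (signaling storms from a malfunctioning IoT device, and rate-based detection of anomalous signaling toward EPC elements), the following Python is example detection logic written for this article, not any vendor's product or the author's code; the window size, thresholds, and IMSI labels are constructed assumptions for the sample, not operator values.

```python
from collections import defaultdict, deque


def constructed_sample():
    """Constructed signaling events (timestamp_s, subscriber_id, procedure); not real traffic."""
    events = []
    # Six well-behaved devices: one attach and one tracking-area update each, spread over a minute.
    for i in range(6):
        events.append((i * 10.0, f"IMSI-OK-{i}", "ATTACH"))
        events.append((i * 10.0 + 30.0, f"IMSI-OK-{i}", "TAU"))
    # One faulty IoT device re-attaching every 0.5 s for 12 s: a signaling storm from inside the network.
    for k in range(24):
        events.append((20.0 + k * 0.5, "IMSI-FAULTY", "ATTACH"))
    return events


def find_signaling_storms(events, window_s=10.0, per_device_max=5, aggregate_max=20):
    """Sliding-window signaling rate check over (ts, subscriber, procedure) events.

    Returns (offenders, aggregate_alert_ts): offenders maps each subscriber that
    exceeded per_device_max procedures inside any window_s interval to the time
    it first did so; aggregate_alert_ts is the first time total signaling across
    all subscribers exceeded aggregate_max in one window (None if never).
    A single device flags the faulty-IoT case; the aggregate catches a
    distributed storm where no one device is individually noisy.
    """
    per_device = defaultdict(deque)  # subscriber -> timestamps inside current window
    all_events = deque()
    offenders = {}
    aggregate_alert = None
    for ts, sub, _proc in sorted(events):  # sort so out-of-order logs still work
        q = per_device[sub]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_device_max and sub not in offenders:
            offenders[sub] = ts
        all_events.append(ts)
        while all_events and ts - all_events[0] > window_s:
            all_events.popleft()
        if len(all_events) > aggregate_max and aggregate_alert is None:
            aggregate_alert = ts
    return offenders, aggregate_alert


if __name__ == "__main__":
    print(find_signaling_storms(constructed_sample()))
```

In a deployment the same loop would consume S1-AP/NAS or Diameter event records and feed a policy engine that throttles the offending subscriber rather than the whole site.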

In summary, defending against terabit-scale volumetric attacks from the internet remains important, but service providers must go further. Adopting full-spectrum security that protects the entire infrastructure—including internet-facing links, partner and roaming interfaces, and RAN-related connections—is imperative. This holistic stance reduces exposure, mitigates internal and external threats, and helps ensure continuity of service as mobile networks and IoT ecosystems continue to grow.