Scribd
Upload
41 views13 pages

Method Antispoof

method-antispoof1

Uploaded by

patil.punda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
41 views13 pages

Method Antispoof

method-antispoof1

Uploaded by

patil.punda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 13

GSM Association

RESTRICTED
Official Document IR.71

Official Document
IR.71

SMS SS7 Fraud Prevention


3.0.0
05 August 2004

Security Classification Category:


Restricted to: Members X
Information Category: Roaming
Document Owner: IREG
Document Classification: Non-binding Permanent Reference Document

Restricted
This document is subject to copyright protection. The GSM MoU Association (“Association”) makes no representation, warranty or
undertaking (express or implied) with respect to and does not accept any responsibility for, and hereby disclaims liability for the accuracy or
completeness or timeliness of the information contained in this document. The information contained in this document may be subject to
change without prior notice. Access to and distribution of this document by the Association is made pursuant to the Regulations of the
Association.
GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

GSM Association References:


 IR.70 SMS SS7 Fraud
 BA.43 SMS Handbook
 AA.50 SMS Fraud Criteria

Document History

Version Date Description


1.0.0 June 2004 Produced by Matthieu FOUQUET Bouygues Telecom (France)
1.1.0 July, 15th 2004 First update, Measurement based on AA.50 Fraud Criteria
2.0.0 July, 20th 2004 IR.70 SMS Fraud Reference Change
2.0.1 July, 20th 2004 Final Draft after SMS Fraud Call conference
3.0.0 5 August 2004 Version for approval after T-Mobile Comments

Copyright Information

© Copyright of the GSM Association 2004

RESTRICTED 3.0.0 Page 2 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

Table of Contents

1. EXECUTIVE SUMMARY.......................................................................................................4
2. TECHNICAL EXPLANATION...............................................................................................5
3. IDENTIFYING FAKING/SPOOFING.....................................................................................6
3.1 FAKING CASE.......................................................................................................................6
3.1.1 SCCP Own Address / MAP Own Address Measuring [1.1.1 Own Address Criteria]...6
3.1.2 Incorrect Operator Link Set Detection [1.1.2 Incorrect Operator Link Criteria]............6
3.1.3 Measuring the number of Unexpected 'End' Messages [1.1.3 Unexpected 'End
Message Criteria]......................................................................................................................6
3.1.4 Measuring the Load Traffic for a Specific Period [1.1.4 Abnormal Load Criteria]........7
3.1.5 UDTS message Measurement [1.1.5 No Address Found Criteria]..............................7
3.1.6 Compare MAP and SCCP addresses [1.1.6 MAP Only Fake Criteria]........................7
3.1.7 Measuring the number of illegal message content [1.1.7 Illegal Message Contents
Criteria] 8
3.1.8 Measuring the number of "unidentified Subscriber" and “unknown Subscriber” Cause
Value messages [1.1.8 MAP error 'unidentified subscriber' Criteria]........................................8
3.1.9 Measuring per Agreement [1.2.1 Invoice Validation Criteria]......................................9
3.1.10 Measuring the number of "SRI_For SM" Messages.................................................9
3.1.11 Compare SRI_For_SM and Forward Short Message Procedures...........................9
3.2 SPOOFING CASE................................................................................................................10
3.2.1 Invalid MSISDN Calling Number [2.1.1 MSISDN Criteria].........................................10
3.2.2 SMS MO traffic Measurement...................................................................................10
3.2.3 Compare Location updating messages with the number of SMS Submitted [2.1.3
Unusual Traffic Pattern Criteria].............................................................................................10
4. SOLUTION FOR THE PREVENTION.................................................................................11
4.1 CONTROL OF C7 NETWORK ACCESS...................................................................................11
4.2 SCCP / MAP POLICING ON GSM NETWORK.......................................................................11
4.2.1 SRI For SM................................................................................................................11
4.2.2 Forward Short Message............................................................................................12
4.3 CHECK THE CALLING MSISDN FOR SMS MO....................................................................12
4.4 COMPARISON BETWEEN VLR LOCATION AND STORED MSC ADDRESS..................................12
APPENDIX A – ABBREVIATIONS...............................................................................................13

RESTRICTED 3.0.0 Page 3 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

1. Executive Summary

This document sets out ways for operators to identify Faking and Spoofing on their networks and
makes recommendations on ways both individual operators and the GSM Industry as a whole
may contain the issue in the short term.

Everything that could be implemented within three-months time is considered as Short Term
Containment.

Note: PRD IR.70 SMS SS7 Fraud and AA.50 SMS Fraud Criteria must be read before this
document. PRD IR.70 SMS SS7 Fraud contains the SMS Fraud scenarios and technical
definitions. AA.50 SMS Fraud criteria list the different criteria in order to identify a fraudulent
Operator.

RESTRICTED 3.0.0 Page 4 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

2. Technical Explanation

Technical descriptions and definitions could be found in the PRD IR.70 SMS SS7 Fraud White
Paper.

RESTRICTED 3.0.0 Page 5 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

3. Identifying Faking/Spoofing

All the measurement based on the AA.50 SMS Fraud Criteria is indicated with the same
numbering plan.

Examples:
 SCCP Own Address Measuring [1.1.1 Own Address Criteria].

 More definition can be found in the AA.50 document

3.1 Faking Case


3.1.1 SCCP Own Address / MAP Own Address Measuring [1.1.1 Own Address Criteria]
Operators should measure, the number of SMSs received with a SCCP Calling party address or
SC OA Address (incoming internat. SS7 traffic), which is Operator's own source address. This
type of messages only occurred in case of Mobile number portability. Just one received message
with own address indicates fraud (SMS fake).

This measurement could be made using:


 Counter and statistic table in the MSC/VLR or in STPs (On interconnection links)
 The toll ticketing system
 A specific SS7 supervision based on C7 probes

All these solutions are already available for a large part of manufacturer.
3.1.2 Incorrect Operator Link Set Detection [1.1.2 Incorrect Operator Link Criteria]
This case is only relevant with multiple international connections between different SS7 Carriers.

Operators should check on the interconnection links the incoming SS7 messages per partners. If
some messages are using interconnection links, which should not be used for that particular
partner, it means that there is a possibility of fraud (Except for rerouting due to outage or specific
event).

This measurement could be made using:


 Counter and statistic table in STPs (On interconnection links)
 A specific SS7 supervision based on C7 probes

All these solutions are already available for a large part of manufacturer.
3.1.3 Measuring the number of Unexpected 'End' Messages [1.1.3 Unexpected 'End Message
Criteria]
Operators should measure the number of TCAP End messages received for transactions he did
not originate. The number of unexpected 'End' messages should be analysed for a specific
period and per Roaming or SMS Inter working partners.

This measurement could be made using:


 Counter and statistic table in SMSCs
 A specific SS7 supervision based on C7 probes (on STPs or SMSCs links)

All these solutions are already available for a large part of manufacturer.

RESTRICTED 3.0.0 Page 6 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

3.1.4 Measuring the Load Traffic for a Specific Period [1.1.4 Abnormal Load Criteria]
Operators should measure the number of SMSs received from each SMS-C for a specific period.
If the number of SMS received from a specific SMS-C is abnormal for the specified period, there
may be a problem. This problem could be related to a special event (New year day for example)
or be due to a faking case. A third party could have used this SMS-C address.

This measurement could be made using:

 Counter and statistic table in MSC/VLRs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.1.5 UDTS message Measurement [1.1.5 No Address Found Criteria]
a) UDTS "No Translation for this specific address" Measurement:
Operators should measure the number of UDTS generated with the cause value "No
translation for this specific address" for each SMS-C addresses that send a Forward
Short Message.
An abnormal level of UDTS could indicate that a SMS-C is sending SMS at random in a
range of MSC/VLR Global Title (Because the third party doesn't really know the real
addresses).

b) UDTS "Unequipped User"


Operators should measure the number of UDTS generated with the cause value
"Unequipped User" for each SMSC-C addresses that send a Forward Short Message.
An abnormal level of UDTS could indicate that a SMS-C is sending SMS with a wrong
SSN (Sub System Number).
This measurement could be made using:

 Counter and statistic table in MSC/VLRs or STPs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.1.6 Compare MAP and SCCP addresses [1.1.6 MAP Only Fake Criteria]
The MAP SMSC address should be compared to the SCCP address. There should be no
difference (GT range of sending network). This comparison could only be made manually at this
time.

Another method is to count for each SCCP and MAP addresses the number of Forward Short
Messages received. If there are discrepancies between SCCP and MAP SMS-C addresses, it
could be a faking problem.

This measurement could be made using:

 Counter and statistic table in MSC/VLRs or STPs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.1.7 Measuring the number of illegal message content [1.1.7 Illegal Message Contents Criteria]
Operators should also measure the number of message containing an illegal or illogical address
or parameter (For example, Service Centre Address equals to 111111)

RESTRICTED 3.0.0 Page 7 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

This measurement could be made using:

 Log file or specific traces in MSC/VLRs or STPs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.1.8 Measuring the number of "unidentified Subscriber" and “unknown Subscriber” Cause
Value messages [1.1.8 MAP error 'unidentified subscriber' Criteria]
When a SMS is sent to the MSC/VLR, if the Subscriber is not located to this area, the MSC/VLR
will answer by an "Unidentified Subscriber" message. An abnormal level of "Unidentified
subscriber" could indicate that the SMS-C sends the SMS without the location of the subscriber.

When a “SPAM attack” is sent to a range of MSISDNs, no matter the MSISDN is valid or not, the
HLR will answer by an “Unknown Subscriber” message. An abnormal level of “Unknown
Subscriber” could indicate SPAM (or faked SPAM).

This measurement could be made using:

 Counter and statistic table in MSC/VLRs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.

RESTRICTED 3.0.0 Page 8 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

3.1.9 Measuring per Agreement [1.2.1 Invoice Validation Criteria]


Operators should check the balance of the total of outgoing international SMSs against the
incoming total for each PLMN with a Roaming agreement. The two directions are usually
remarkably close in quantity unless one PLMN is generating Bulk SMS. For any unbalance, the
suspect source is notified and asked to resolve.

This measurement could be made using:

 Counter and statistic table in MSC/VLRs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)
 Billing system information

All these solutions are already available for a large part of manufacturer.
3.1.10 Measuring the number of "SRI_For SM" Messages
Operators should measure the number of SRI_For_SM messages received from each SMS-C
address (or from each network based on CC + NDC GT address).

Abnormal quantities indicate that a Spam attack is happening. Furthermore an abnormal number
of MAP<Send Routing Information for Short Message> without the matching number of SMs
detected (see section 3.2.2) indicates a “Faking Case”.

This measurement could be made using:

 Counter and statistic table in MSC/VLRs or STPs


 A specific SS7 supervision based on C7 probes (on MSC/VLRs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.1.11 Compare SRI_For_SM and Forward Short Message Procedures
The MAP message SRI_For_SM should not be used without closely associated MAP "Forward
Short Message" message.

Operators should compare the number of SRI_For_SM received with the number of Forward
Short Message received from each SMS-C address (or network). The Ratio should not exceed
2.5 (2.5 more SRI_For_SM than FSM Deliver messages per SMS-C).

Comparison between Forward Short Message and SRI_For_SM results an abnormal low level of
Forward Short Message: Indicates the “faking network”.

Comparison between Forward Short Message and SRI_For_SM results an abnormal low level of
SRI_For_SM: Indicates the “faked network (pretended network)”.

Please note that specific service like Optimal routing could use SRI_For_SM message and in this
case the ratio will be affected. Such a mechanism should not be activated without the HPLMN
agreement.

This measurement could be made using:

 Counter and statistic table in MSC/VLR/HLRs or STPs


 A specific SS7 supervision based on C7 probes (on MSC/VLR/HLRs or STPs links)

RESTRICTED 3.0.0 Page 9 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

All these solutions are already available for a large part of manufacturer.

3.2 Spoofing Case


3.2.1 Invalid MSISDN Calling Number [2.1.1 MSISDN Criteria]
Operators should measure the number of invalid MSISDN who submit a SMS to the SMS-C for a
specific period. If a screening is in place on the SMS-C, the relative rejected cause value (For
example "System Failure") should be measured. If there is no screening, the number of request
with an invalid calling MSISDN must be measured.

An abnormal load of request or reject indicates that there is a spoofing attack.

This measurement could be made using:

 Counter and statistic table in SMS'C or STPs


 A specific SS7 supervision based on C7 probes (on SMSCs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.2.2 SMS MO traffic Measurement
Operators should measure the number of SMS submitted from subscriber abroad per Roaming
partner. An abnormal load of traffic could indicate a spoofing problem if it is no related to a
special event (like Football World cup or New Year's Day).

This measurement could be made using:

 Counter and statistic table in SMS'C or STPs


 A specific SS7 supervision based on C7 probes (on SMSCs or STPs links)

All these solutions are already available for a large part of manufacturer.
3.2.3 Compare Location updating messages with the number of SMS Submitted [2.1.3 Unusual
Traffic Pattern Criteria]
Operators should compare the Number of Location Updating received with the number of SMS
Submitted from their subscribers abroad per Roaming partner.

 LocUp (outbound) /SMSMO


 > [0,5] normal
 <= [0,5]

Please note that the [0,5] ratio could be different for each network. Each network should define
its ratio.

This measurement could be made using:

 Counter and statistic table in SMS'C or STPs


 A specific SS7 supervision based on C7 probes (on SMSCs or STPs links)

All these solutions are already available for a large part of manufacturer.

RESTRICTED 3.0.0 Page 10 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

4. Solution for the prevention


4.1 Control of C7 Network Access
GSMA requests that the C7 carrier polices the SCCP addresses used for every C7 direct link
within their normal service package.

On every C7 direct access links, a screening could block all MSUs with a SCCP Calling address
different than the operator’s SCCP addresses.

The C7 Carrier should not forward messages sent with the wrong SCCP calling address. The C7
Carrier may take other actions as they wish.

Network A

C7 CARRIER
International C7 Network
Calling SCCP Address = CC+NDC A

STP A IGP
Calling SCCP Address < > CC+NDC A

4.2 SCCP / MAP Policing on GSM Network


Every GSM operators must implement SCCP and MAP screening in their own network (In
MSC/VLRs, STPs and HLRs)
4.2.1 SRI For SM
On HLRs, a screening based on Calling SCCP Global Title for the MAP Message SRI For SM
should be activated. The HLRs will reject the entire SRI For SM request, which are not sent from
an implemented SMS-C Global Title.

The allowed SMS-C Global Title is implemented every time an AA19 agreement is signed.

This type of screening is already available for some manufacturer.

RESTRICTED 3.0.0 Page 11 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

4.2.2 Forward Short Message


On every MSC/VLR, a screening based on Calling SCCP Global Title for the MAP Forward Short
Message should be activated. The MSC/VLRs will reject the entire MAP Forward Short Message
request, which are not sent from an implemented SMS-C Global Title.

The Allowed SMS-C Global Title is implemented every time an AA19 agreement is signed.

This type of screening is already available for some manufacturer.

4.3 Check the Calling MSISDN for SMS MO


In order to avoid the spoofing case, a control access based on the MSISDN must be activated on
the SMS-C. All SMS MO with a MSISDN different than the operator own MSISDN range should
be rejected.

This type of screening is already available for some manufacturer.

The IMSI of the subscriber must also be checked, through the use of MAP version 3 or by
sending a SRI For SM to the HLR in order to recover the IMSI.

This type of mechanism is already available for some manufacturer

4.4 Comparison between VLR location and stored MSC address


In addition of the IMSI check for the SMS MO request, a comparison between the VLR location
and The Calling SCCP address (MSC/VLR where the subscriber should be located).

If the Location stored in the HLR is different than the SCCP Calling address from which the SMS
MO is coming, the SMS MO will be rejected.

Please note that some networks have different SCCP Address for the VLR and the MSC (but for
the most large part of the operators, the MSC and the VLR have the same SCCP Address). If the
SCCP address (VLR and MSC) is different, a check is possible with a GT proxy filter function.

This mechanism could use the SRI For SM to recover the VLR address stored in the HLR. In this
case, the C7 load will increase.

RESTRICTED 3.0.0 Page 12 of 13


GSM Association RESTRICTED
OFFICIAL DOCUMENT IR.71

Appendix A – Abbreviations

Term Definition
MAP Mobile Application Part
SMS Short Message Service
SMS-C SMS Centre
VPLMN Visited PLMN
C7 SS7
SS7 Signalling System N° 7
STP Signalling Transfer Point
HLR Home Location Register
IGP International Gateway Point
VLR Visitor Location Register
BSS Base Station Subsystem
SCCP Signalling Connection Control Part
GT Global Title
MSU Message Signalling Unit
IMSI International Mobile Subscriber Identity
TCAP Transaction Capabilities Application Part
PRS Premium Rate Services
MSISDN Mobile Subscriber ISDN

RESTRICTED 3.0.0 Page 13 of 13

You might also like