Securing Mobile Subscriber Services with Arbor Sightline Mobile

Addressing the ever-expanding threat surface caused by 5G and IoT growth

person hands holding cell phone
Andrew Green

Mobile consumer broadband traffic levels escalated quickly with the introduction of 4G. 5G adoption has dramatically increased traffic, matching or even exceeding fixed-line networks. This trend will only accelerate as new spectrum and more 5G networks roll out, indicating that mobile networks are becoming the dominant way to access services on the internet.

The June 2023 “Ericsson Mobility Report” forecasts growth rates of more than 25 percent per year for the next five years. Unfortunately, rapid growth in mobile traffic involving mobile-connected Internet of Things (IoT) devices and users also is accompanied by an increase in mobile network threat activity. In fact, in the first half of 2023, NETSCOUT observed a sharp increase in distributed denial-of-service (DDoS) attacks against multiple wireless telecommunications providers in APAC. This is a global trend we first observed at the end of 2022, with a 79 percent increase in attacks targeted at wireless telecommunications providers.

The consumer and small office/home office (SOHO) infrastructure has been involved in many of the DDoS attacks and other bad behaviors that have plagued wireline networks for years. These same threats are an increasing problem for mobile network operators (MNOs) as this infrastructure expands across mobile services. A solution that can provide scalable threat detection and management, from passively acquired telemetry, inside the mobile network, is now essential.

A Problem of Visibility

Many MNOs have insufficient visibility into their mobile user traffic to identify these threats and are experiencing an increasing number of “unexplained” incidents within their networks.

Mobile networks also are much more complex than wireline, and they have a much larger attack surface exposed to user traffic. In addition, they rely on finite bandwidth (radio spectrum) at the edge. Mobile network IP subscriber traffic is carried across General Packet Radio Service Tunnelling Protocol User (GTP-U) tunnels with no indication of subscriber identity. This is called the “user plane.” Information such as subscriber identity, device type, and cell location is carried across the control plane via a variety of protocols such as General Packet Radio Service Tunnelling Protocol Control (GTP-C) and Packet Forwarding Control Protocol (PFCP). The ability to correlate user-plane and control-plane traffic is essential for an MNO to fully understand what is going on and mitigate any threat.

Combining Technologies: NETSCOUT Arbor Sightline meets NETSCOUT Smart Data

Arbor Sightline

NETSCOUT’s Arbor Sightline passively collects network telemetry within a network and creates a picture of network activity. This picture describes the traffic on the network and how it maps to network infrastructure and the services being consumed by customers. When an alert is detected, Arbor Sightline provides the full classification of the traffic causing the problem.

ISNG + Smart Data

NETSCOUT’s InfiniStreamNG (ISNG) and nGeniusONE provide the market-leading service assurance solution used by mobile operators. The data utilized within ISNG and nGeniusONE is what we call Smart Data. Smart Data is collected passively, without impacting the performance or availability of the monitored network. It provides MNOs with key performance indicators (KPIs) concerning the performance and availability of voice, video, and data services and the infrastructure that enables those services.

In the context of MNOs, Smart Data means a complete picture of both user-plane and control-plane activity can be created and correlated in 3G, 4G, and 5G networks. NETSCOUT has developed a feature-optimized ISNG called MobileStream that delivers this information to Arbor Sightline Mobile.

Arbor Sightline Mobile + MobileStream Solution

NETSCOUT has combined these essential building blocks (Smart Data for visibility; and Arbor Sightline Mobile for threat detection) to deliver a scalable threat detection solution for protecting the performance and availability of mobile consumer services.

MobileStream monitors user-plane links, generating Smart Data for subscriber traffic and allowing it to be mapped to the key mobile infrastructure components through which it passes. MobileStream also looks at the control plane and extracts the information necessary to map IP addresses used by subscribers back to subscriber identity, device type, service, and location.

Using this telemetry, Sightline Mobile can deliver proven, comprehensive in/out/cross-bound DDoS detection and scalable indicator of compromise (IoC) matching for DDoS sources, compromised devices, and so forth along with comprehensive traffic visibility.  Sightline Mobile utilizes the unique combination of user- and control-plane telemetry delivered by Smart Data to contextualize any detected threat with identity, device type, location, service data, and so forth, allowing MNOs to protect the performance and availability of their mobile consumer services and better understand the nature of the traffic on those services so that they can be optimized for customer experience and cost.

Read more about Arbor Sightline Mobile and MobileStream products.

Get more information about how NETSCOUT can help protect mobile network operations.