From a user's perspective, a mobile communication network simply provides Internet Protocol (IP) connectivity between the user's mobile device (user equipment) and other systems or networks, e.g. the Internet, i.e. network nodes or network structures outside the mobile communication network in question.
Within a mobile communication network, however, complex signaling procedures run both inside the network and between the network and the mobile device (user equipment) in order to establish, maintain and re-establish the end-to-end IP connection.
Real mobile communication networks are limited in how many such procedures they can run in parallel; these limits typically stem from processing or memory limits in network elements and from limits in transmission capability or transmission capacity.
Capacity limits in fixed networks, such as telecommunications networks providing fixed subscriber lines, are typically expressed as the number of packets per second that can be processed and/or the data bandwidth in bits/s.
Mobile communication networks, i.e. telecommunications networks serving mobile subscribers, have such limits too, but because of their higher internal complexity they typically have additional ones. A mobile communication network can reach its limits and become overloaded while the total user traffic, in packets per second or bits/s, is still far below the volume the network was designed to transport. This happens when a small number of user packets (especially incoming data packets) cause, in the course of their internal handling, a large number of signalling messages, exchanged both between different network elements and between mobile devices and the network. A single user packet, especially an incoming one, may cause tens or even hundreds of such signalling messages.
Such traffic amplification is typically tied to procedures that change the activation or activity state of a mobile device (user equipment), e.g. when its radio (power) state changes from the idle state, or a more idle state, to the activated state, or a more activated state, or when a new traffic channel is allocated. Another typical cause of message amplification is the paging procedure, by which a mobile network searches for a mobile device within a larger area.
Particular user traffic conditions or patterns can drive a mobile network into one of its many, often unknown, limits, e.g. in one of its network elements, well before the expected overall user traffic capacity is reached. When such a limit is reached, parts of the network are overloaded and many customers experience service degradation, up to loss of connectivity, even if their own traffic contributes little to the problem. Since mobile networks are connected to the Internet, anyone on the Internet can send traffic towards devices in the mobile network. If that traffic has the right characteristics, it amounts to a Denial-of-Service (DoS) attack on the network, regardless of whether it was sent with benign or malicious intent.
Presently existing filter solutions are not aware of the mobile-network-specific conditions that lead to traffic amplification. Whether an incoming packet from the Internet addressed to a mobile device leads to traffic amplification depends on the state of that device: amplification occurs if the packet triggers a state change. The state of a mobile device has many dimensions (power, radio, connection, physical location, logical location, radio network technology, . . .) and is neither simple for a typical filter solution to evaluate nor available to it.
Existing solutions to protect networks from overload and attacks are typically implemented as filter devices that analyze traffic according to certain criteria, such as:
source addresses,
destination addresses,
traffic contents (both in single packets and in associated traffic flows on top of IP),
traffic volume (packets/s or bits/s).
Depending on the analysis, traffic may be blocked in order to protect the network. While these criteria may suffice against overload and attacks of the kind that also occur in fixed networks, they cannot describe the traffic patterns that specifically cause overload in mobile communication networks. In particular, the DoS and DDoS (Denial-of-Service and Distributed Denial-of-Service) protection features of existing firewall products typically aim to protect the end hosts that are the target of such malicious traffic, rather than a mobile communication network that happens to lie in its path.
On the other hand, simply setting rate limits in packets/s or bits/s low enough to avoid every type of overload in a mobile network would render the whole network useless for its purpose: it would also throttle regular traffic that causes no network-internal amplification.
Therefore, as a precaution against overloading the mobile communication network, it must be assumed that any particular data packet to be transmitted to a mobile device or user equipment will create additional network load, in particular through message amplification. As a consequence, for a given network performance (of given network structures), the number of data packets that the mobile communication network actually handles is strongly limited. In particular, it is limited (as a precaution) even in situations where the limitation is not necessary, i.e. where handling the particular data packet would not exceed the network capacity because, for example, the addressed user equipment is in a fully activated state, or in a less inactive state than idle, so that transmitting or forwarding the packet would involve less message amplification, or none at all, within the mobile communication network than if the user equipment were in the idle state.
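To make the trade-off concrete, the following is an added illustrative model written for this page; it is not code from the page's source or from any product. It assumes a fictitious amplification cost (40 paging messages, one per cell of an assumed tracking area, plus 12 bearer-setup messages for a device in idle state; no signalling for a device that is already connected), an assumed signalling capacity of 1000 messages per interval, and a constructed traffic mix. It contrasts three cases: no filter; a conventional packets-per-interval limit set low enough to be safe if every packet caused full amplification (the precautionary approach described above); and a filter that charges each packet the signalling its target device's current state would actually cause (the state-dependent behaviour described above, which existing address-, content- and volume-based criteria cannot express).

```python
"""Added toy model of signalling amplification in a mobile core (assumptions,
not measured figures): why a packet-rate limit either overloads the network or
throttles harmless traffic, and how a state-aware signalling budget avoids both."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RadioState(Enum):
    IDLE = "idle"            # no active radio bearer
    CONNECTED = "connected"  # bearer established; packets are forwarded directly


# Assumed amplification model: one incoming (downlink) packet to an IDLE device
# triggers a page in every cell of its tracking area plus the bearer-setup dialogue.
PAGING_CELLS = 40           # assumed cells per tracking area
BEARER_SETUP_MSGS = 12      # assumed messages to move a device idle -> connected
SIGNALLING_CAPACITY = 1000  # assumed signalling messages the core handles per interval


@dataclass
class UE:
    ip: str
    state: RadioState


def signalling_cost(ue: UE) -> int:
    """Signalling messages one incoming packet to `ue` causes in its current state."""
    if ue.state is RadioState.IDLE:
        return PAGING_CELLS + BEARER_SETUP_MSGS
    return 0  # already connected: pure user-plane forwarding


class NaiveRateLimiter:
    """Conventional filter: sees only packets per interval, not device state.
    To never overload the core it must assume every packet amplifies fully."""

    def __init__(self, capacity: int = SIGNALLING_CAPACITY) -> None:
        self.max_packets = capacity // (PAGING_CELLS + BEARER_SETUP_MSGS)
        self.admitted = 0

    def admit(self, ue: UE) -> bool:
        if self.admitted >= self.max_packets:
            return False
        self.admitted += 1
        return True


class StateAwareLimiter:
    """Hypothetical filter with a budget of signalling messages per interval;
    each packet is charged the amplification its target device would cause."""

    def __init__(self, capacity: int = SIGNALLING_CAPACITY) -> None:
        self.budget = capacity

    def admit(self, ue: UE) -> bool:
        cost = signalling_cost(ue)
        if cost > self.budget:
            return False
        self.budget -= cost
        return True


def run_interval(limiter, ues: Dict[str, UE], packets: List[str]) -> Tuple[int, int]:
    """Pass incoming packets (destination IPs) through `limiter` (None = no filter).
    Returns (admitted packets, signalling messages caused by the admitted packets).
    An admitted packet to an idle device wakes it, so later packets to that device
    are cheap: this is the state change the text describes."""
    admitted = signalling = 0
    for dst in packets:
        ue = ues[dst]
        if limiter is not None and not limiter.admit(ue):
            continue
        admitted += 1
        signalling += signalling_cost(ue)
        ue.state = RadioState.CONNECTED
    return admitted, signalling


def build_scenario() -> Tuple[Dict[str, UE], List[str]]:
    """Constructed traffic mix: a legitimate 200-packet download to one connected
    device, then a 30-packet spray, one packet each to 30 idle devices (a scan
    from the Internet, benign or not)."""
    ues = {"10.0.0.1": UE("10.0.0.1", RadioState.CONNECTED)}
    ues.update({f"10.0.1.{i}": UE(f"10.0.1.{i}", RadioState.IDLE) for i in range(1, 31)})
    packets = ["10.0.0.1"] * 200 + [f"10.0.1.{i}" for i in range(1, 31)]
    return ues, packets


def compare() -> Dict[str, Tuple[int, int]]:
    """Run the same interval under each policy on a fresh copy of the scenario."""
    results = {}
    for name, make in [("unfiltered", lambda: None),
                       ("naive_pps", NaiveRateLimiter),
                       ("state_aware", StateAwareLimiter)]:
        ues, packets = build_scenario()
        results[name] = run_interval(make(), ues, packets)
    return results


if __name__ == "__main__":
    for name, (adm, sig) in compare().items():
        print(f"{name:12s} admitted={adm:3d} signalling={sig:4d} "
              f"overload={sig > SIGNALLING_CAPACITY}")
```

Under these assumptions the unfiltered run admits all 230 packets but generates 1560 signalling messages, exceeding the assumed capacity of 1000; the naive limit of 19 packets per interval keeps the core safe but drops 181 of the 200 harmless download packets; the state-aware budget admits the whole download plus 19 of the 30 wake-up packets while staying within capacity. The caveat is the one the text itself raises: the state-aware filter only works because this model hands it a table of device states, which a filter placed at the Internet border of a real network does not normally have.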