3. Core_Network_Diameter_GTP

Legal & Ethical Notice — US Law

This document is for educational and defensive security research purposes only.

All techniques described herein are analyzed in a controlled lab environment using your own equipment and licensed test SIMs. Applying any of these techniques to real-world cellular infrastructure, third-party devices, or spectrum you do not own is illegal under US federal law, including:

47 U.S.C. § 333 — Prohibits interference with radio communications. RF jamming is illegal for all private parties and state/local law enforcement with no exceptions. The FCC has imposed fines exceeding $34 million for marketing jamming devices.
47 U.S.C. § 301 — Requires an FCC license to transmit on licensed spectrum. Operating a fake base station (eNodeB/gNB) on live cellular frequencies without authorization violates this statute.
47 U.S.C. § 605 — Prohibits unauthorized interception of radio communications not intended for the recipient.
18 U.S.C. § 2511 (Wiretap Act) — Prohibits intentional interception of electronic communications, including voice (VoLTE/RTP) and data.
18 U.S.C. § 1029 — Prohibits fraud involving access devices. SIM cards are federally defined access devices; cloning, unauthorized key extraction, and related acts are federal crimes.
18 U.S.C. § 1030 (CFAA) — Prohibits unauthorized access to computer systems, including telecom signaling infrastructure (Diameter, GTP, SBI APIs).

Lab use requirements: All radio experiments must be conducted in an RF-shielded environment (Faraday cage) using test SIMs provisioned in your own Open5GS/srsRAN lab. No transmission on live cellular bands is permitted without an FCC experimental license.

This document does not constitute legal advice. Consult a licensed attorney before conducting any security research involving radio spectrum or telecommunications infrastructure.

Layer 3 — Core Network Protocols: Diameter & GTP (4G/5G)

Overview

The 4G Evolved Packet Core (EPC) and 5G Core (5GC) rely on two critical protocol families:

Diameter — signaling protocol for authentication, authorization, subscriber management (replaces SS7 MAP in 4G)
GTP (GPRS Tunneling Protocol) — user-plane and control-plane tunneling for data sessions

These protocols were designed for trusted operator environments but are exposed at roaming interconnects and sometimes misconfigured internally. Attacks here can affect subscriber location, billing, session continuity, and data confidentiality.

Architecture Reference

flowchart LR
    UE --- eNB
    eNB -- S1-U --> SGW
    SGW -- S5/S8 --> PGW
    PGW --> Internet

    subgraph User Plane
        direction LR
        eNB -. "GTP-U tunnels" .-> SGW
        SGW -. "GTP-U tunnels" .-> PGW
    end

    MME -- "S6a (Diameter)" --> HSS
    MME -- "S11 (GTP-C)" --> SGW
    SGW -- "S5 (GTP-C)" --> PGW
    PGW -- "Gx (Diameter)" --> PCRF
    PGW -- "Gy (Diameter)" --> OCS["OCS\n(online charging)"]

5G equivalent:

flowchart LR
    AMF -- "N8 (HTTP/2 SBI)" --> UDM
    SMF -- "N10 (HTTP/2 SBI)" --> UDM
    SMF -- "N4 (PFCP)" --> UPF
    UPF -- "N3 (GTP-U)" --> gNB

Diameter Protocol Attacks

3.1 Diameter Interface Overview

Interface	Between	Purpose
S6a	MME ↔ HSS	Authentication vectors, subscriber profile, location update
S6d	SGSN ↔ HSS	3G equivalent of S6a
Cx	P-CSCF ↔ HSS	VoLTE/IMS registration
Rx	P-CSCF ↔ PCRF	VoLTE QoS policy
Gx	PGW ↔ PCRF	Session policy (data, charging)
Gy	PGW ↔ OCS	Online charging
Sh	AS ↔ HSS	Application server user data

3.2 S6a Subscriber Location & Profile Extraction

What it is: Abusing the S6a Update-Location-Request (ULR) / Update-Location-Answer (ULA) flow to extract subscriber profiles.

Normal flow:

sequenceDiagram
    participant MME
    participant HSS

    MME->>HSS: Update-Location-Request (IMSI, MME host/realm)
    HSS->>MME: Update-Location-Answer (subscription-data, APN, QoS profile)

Attack:

Attacker with access to Diameter interconnect (IPX or misconfigured operator network) sends ULR with target IMSI
HSS responds with full subscriber profile: APN, roaming permissions, MSISDN, QoS class
Reveals: subscriber is currently attached (presence), home network, service configuration

Additional Diameter queries for location:

Send-Authentication-Info-Request (AIR)  → retrieve AKA vectors → enables impersonation
Provide-Location-Request (PLR)          → request current cell-level location
Cancel-Location-Request (CLR)           → deregister subscriber (DoS)
Insert-Subscriber-Data-Request (IDR)    → push modified profile → alter subscriber services

Tools:

FreeDiameter — open-source Diameter stack, supports custom extensions
Diameter Test Suite (Ericsson/internal)
Wireshark — Diameter dissector built-in
SCTP scanner — Diameter uses SCTP transport (port 3868 default)

# FreeDiameter — basic S6a query (requires Diameter peer connection)
# Install
sudo apt install freediameter

# freediameter.conf — define peer
ConnectPeer = "hss.operator.net" { No_SCTP; No_IP6; };

# Custom extension to send AIR/ULR — build as .fdx plugin

Legal note: Querying a production HSS for subscriber location or authentication vectors without authorization violates 18 U.S.C. § 1030 (CFAA). Retrieving subscriber location data on a third party without a court order may also implicate federal surveillance statutes. FreeDiameter and similar tools are for lab testing against your own Open5GS HSS only.

3.3 Diameter Gx Policy Manipulation

What it is: Injecting or modifying Gx messages to alter subscriber data policy — change QoS, bypass data caps, enable/disable services.

Gx flow:

sequenceDiagram
    participant PGW
    participant PCRF

    PGW->>PCRF: Credit-Control-Request (CCR-I) — new session
    PCRF->>PGW: Credit-Control-Answer (CCA-I) — policy rules
    PCRF->>PGW: Re-Auth-Request (RAR) — push policy update mid-session
    PGW->>PCRF: Re-Auth-Answer (RAA) — acknowledge

Attack:

Attacker with Gx access sends RAR with modified QoS/charging rules
Can: throttle a subscriber, remove data limits, block services
If Diameter nodes lack mutual TLS or IPsec, injection is possible on the same L2/L3 segment

3.4 Diameter Denial of Service

Types:

Cancel-Location (CLR): Forces MME to detach subscriber → loss of service
Purge-UE-Request: Removes subscriber from HSS → full de-provisioning
Reset-Request: Trigger HSS reset → mass subscriber detachment
Flooding: Overwhelm Diameter routing agents with malformed AVPs

GTP Protocol Attacks

3.5 GTP Overview

GTP operates on two planes:

Plane	Protocol	Interfaces	Purpose
Control	GTP-C (v1/v2)	S11, S5/S8, S4	Session create/modify/delete, bearer management
User	GTP-U (v1)	S1-U, S5/S8-U, X2	Encapsulate user IP traffic in tunnels

GTP runs over UDP port 2123 (GTP-C) and UDP port 2152 (GTP-U).

3.6 GTP-U Tunnel Injection

What it is: Injecting arbitrary packets into an active GTP-U tunnel, spoofing traffic as a legitimate subscriber.

How it works:

Attacker identifies a GTP-U session (TEID — Tunnel Endpoint Identifier)
Crafts GTP-U packet with matching TEID and correct source IP
Injects packet → SGW/PGW delivers it as legitimate user traffic

Prerequisites:

Access to the S1-U, S5, or S8 network segment (inside operator network or via GRX/IPX)
TEID value (discoverable via GTP-C Create Session Response if attacker can observe or request)

Impact:

Inject malicious IP packets into subscriber session
Bypass subscriber IP firewalling (PGW may apply ACLs only to outer IP)
Potential for subscriber impersonation

Tools:

Scapy with GTP layer (from scapy.contrib.gtp import *)
GTPv2-C Fuzzer (academic/custom)

from scapy.contrib.gtp import GTP_U_Header, GTPHeader
from scapy.layers.inet import IP, UDP

# Inject packet into GTP-U tunnel
inner = (IP(src="10.45.0.1", dst="8.8.8.8") /   # inner IP (subscriber's)
         UDP(dport=53) / b'\x00' * 20)

pkt = (IP(src="10.0.0.1", dst="10.100.200.1") /
       UDP(dport=2152) /
       GTP_U_Header(teid=0xdeadbeef) /
       inner)

send(pkt)

Legal note: Injecting packets into a GTP-U tunnel belonging to a third party violates 18 U.S.C. § 1030 (CFAA — unauthorized access to a protected computer system). The example Scapy code is for local lab use with your own Open5GS EPC only. teid=0xdeadbeef is a placeholder value — do not substitute real tunnel IDs from a production network.

3.7 GTP-C Session Manipulation

What it is: Sending crafted GTP-C messages to create, modify, or delete bearer sessions.

Attack types:

3.7.1 Create Session Request Spoofing

Send Create Session Request with target subscriber's IMSI/MSISDN
If SGW/PGW doesn't validate source, can create rogue bearer → steal subscriber's session
Attacker's IP becomes the subscriber's data endpoint

3.7.2 Delete Session / Bearer Attack

Send Delete Session Request with valid TEID → terminate subscriber session (DoS)
Effective against operators with no GTP-C source validation

3.7.3 Update Bearer / Modify Bearer

Redirect subscriber's traffic to attacker-controlled endpoint
Change PDN GW IP in bearer context

Tools:

Scapy GTP — craft arbitrary GTP-C messages
gtplib — Python GTP library
t3rn / custom GTP-C test suites

# GTPv2-C requires scapy.contrib.gtp_v2 (not gtp which is v1 only)
from scapy.contrib.gtp_v2 import (GTPv2Header, IE_IMSI, IE_MSISDN,
                                    IE_BearerContext, IE_EPSBearerID)
from scapy.layers.inet import IP, UDP

# Create Session Request (GTPv2-C, port 2123)
# Note: GTPv2Header replaces GTPHeader for control-plane messages
pkt = (IP(dst="sgw_ip") /
       UDP(sport=2123, dport=2123) /
       GTPv2Header(T=1, seq=1, teid=0, gtp_type=32) /  # 32 = Create Session Request
       IE_IMSI(ietype=1, length=8, IMSI="310260000000001") /
       IE_MSISDN(ietype=76))

send(pkt)
# NOTE: Full GTPv2 Create Session Request requires many mandatory IEs.
# Use SigPloit (tools/SigPloit) or open5gs_lab TP-04 for complete PoC.

Legal note: Creating, modifying, or deleting bearer sessions on a production network without authorization violates 18 U.S.C. § 1030 (CFAA). The IMSI value 310260000000001 in the example is a test value only — substituting real subscriber IMSIs and targeting live SGW/PGW infrastructure constitutes unauthorized access to a protected computer system.

3.8 GTP-U DoS / Packet Flooding

What it is: Flooding the GTP-U interface to exhaust SGW/PGW processing capacity.

Attack: Send high-volume GTP-U packets with random TEIDs → SGW must process each for TEID lookup → CPU exhaustion

Also: Send GTP Error Indication messages with fake TEIDs → cause legitimate sessions to be torn down

3.9 S8 Roaming Interface Exploitation

What it is: The S8 interface connects a visited network's SGW to the home network's PGW over GTP. It crosses the IPX/GRX roaming network.

Why it matters:

S8 is often less strictly firewalled than S1 (internal)
GTP-C S8 can be reached from the IPX if operator doesn't filter properly
Attacker with IPX access can send Create Session Requests targeting home PGW

Scope limitation: Requires either IPX network access or a compromised roaming partner — not accessible via USRP alone.

5G Core Protocol Differences

In 5G SA, the EPC protocols are replaced with HTTP/2-based Service Based Interface (SBI):

4G	5G	Transport
S6a (Diameter)	Nudm, Nausf	HTTP/2 REST
Gx (Diameter)	Npcf	HTTP/2 REST
GTP-C	PFCP (N4)	UDP
GTP-U	GTP-U (N3)	UDP (unchanged)

5G SBI attack surface:

NRF (Network Repository Function) — service discovery; unauthenticated queries reveal all NF addresses
AMF, SMF, UDM APIs — REST endpoints; if mTLS not enforced, can be queried
PFCP (Packet Forwarding Control Protocol) on N4 — session rules between SMF and UPF; similar to GTP-C

Tools for 5G SBI:

curl / httpie — test NRF discovery endpoints
Open5GS + UERANSIM — observe SBI traffic in Wireshark
Wireshark HTTP/2 dissector — decode NAS container in NGAP/HTTP2

Access Requirements by Attack Type

Attack	Access Required	USRP Reachable
Diameter S6a queries	Diameter interconnect / internal network	No
Diameter Gx manipulation	Diameter network segment	No
GTP-U injection	S1-U / S5 network segment	No (lab only)
GTP-C session manipulation	GTP-C network segment	No (lab only)
S8 roaming exploitation	IPX / GRX access	No
5G SBI enumeration	HTTP/2 reachability to NRF	Lab/internal
GTP-U in Open5GS lab	Localhost / VM network	Yes (lab)

Summary: Layer 3 attacks require network-level access to operator infrastructure. In a research lab with Open5GS + srsRAN, all of these can be simulated locally. In a real engagement, they apply to insider threats, compromised IPX nodes, or roaming partner pivots.

Lab Setup for Layer 3

flowchart TB
    VM["Ubuntu VM"]
    VM --> EPC["Open5GS EPC\n(MME + SGW + PGW + HSS)"]
    VM --> srsRAN["srsRAN eNB\n(connects to Open5GS MME)"]
    VM --> USRP["USRP B210\n(air interface for test UE)"]
    VM --> FD["FreeDiameter\n(Diameter testing against HSS/PCRF)"]
    VM --> TOOLS["Scapy / Wireshark\n(GTP-C/U crafting + capture)"]

    subgraph Wireshark capture interfaces
        LO_DIA["lo — Diameter (SCTP 3868)"]
        LO_GTPC["lo — GTP-C (UDP 2123)"]
        LO_GTPU["lo — GTP-U (UDP 2152)"]
    end

macOS: Run Open5GS + FreeDiameter in Docker (see open5gs_lab/TP-00 for Docker Compose setup). All Scapy/pycrate Python attacks run natively on macOS. For tshark capture on macOS + Docker, capture inside a container:

# macOS: capture Diameter SCTP inside the Open5GS container
docker exec -it open5gs-epc tshark -i any -f "sctp port 3868"
# macOS: capture GTP inside the EPC container
docker exec -it open5gs-epc tshark -i any -f "udp port 2152 or udp port 2123"

Wireshark display filters:

diameter           # all Diameter traffic
gtp                # all GTP (C and U)
gtp.teid == 0xdeadbeef   # specific tunnel
diameter.cmd.code == 316  # AIR (Auth-Information)
diameter.cmd.code == 318  # ULR (Update-Location)

Key 3GPP / IETF References

Spec	Topic
TS 29.272	S6a/S6d Diameter interface
TS 29.212	Gx Diameter interface (policy)
TS 29.274	GTPv2-C (S11/S5/S8/S4)
TS 29.281	GTPv1-U (user plane)
TS 29.244	PFCP (N4 — 5G SMF↔UPF)
TS 29.510	NRF service discovery (5G SBI)
RFC 3588	Diameter base protocol
RFC 4960	SCTP (Diameter transport)

Academic / Industry Research

"Diameter Signaling Router Security" — GSMA FS.19 / IR.88 threat taxonomy
"Diameter: New Attacks, New Defenses" (Positive Technologies, 2015)
"GTP: Unpleasant Surprises" (Positive Technologies, 2018) — GTP-C attack PoC
"LTE/SAE Security" (Forsberg et al.) — textbook on EPC security architecture
GSMA FS.20 — Diameter security guidelines

Next Layer

→ Layer 4: UE / Android + SIM Level — AT command injection, RIL attacks, SIMjacker, pySIM, baseband interface.