Attacks exploiting eNB
In the case of a BTS resource depletion attack, an eNB cannot distinguish the adversary's RRC Connection Requests from benign ones, because the identifiers in the request are unauthenticated. A possible mitigation is to reduce the inactivity timer so that an RRC connection that never answers the Authentication Request is released sooner. This is not a fundamental fix, but it weakens the attack because the number of fake RRC connections the adversary can hold at once is bounded by its request rate multiplied by the timer value. However, if the carrier configures the inactivity timer too short, legitimate UEs whose traffic pauses for longer than the timer are released and must perform the RRC Connection procedure again, which increases the signaling load on both the eNB and the MME.
A possible mitigation for a Blind DoS attack is to reassign the S-TMSI when a number of RRC Connection Requests carrying the same S-TMSI are received. According to the 3GPP standard, an MME can trigger reallocation of the S-TMSI in two ways. The first is to send a security-protected NAS GUTI Reallocation Command directly to the UE. This does not stop a Blind DoS attack, because the UE cannot receive the message while the attack is in progress. The second is to broadcast Paging with the IMSI of the UE. As Paging is broadcast over the entire area covered by the cell, the UE receives it and initiates the Attach procedure with its IMSI, which increases the signaling overhead and additionally sends the UE's permanent identity in cleartext over the air.
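The two mitigations above are easy to reason about with a small model. The following is an added example, not code from the paper or from any eNB or MME implementation: it models an eNB connection table with an inactivity timer to show both the bound on concurrent fake connections and the reconnection cost for legitimate UEs, and a per-S-TMSI sliding-window counter of the kind that would trigger S-TMSI reallocation. The timer values, rates, table size, threshold, window and S-TMSI values are assumptions chosen for illustration.

```python
"""Toy models of the two eNB-side mitigations discussed above.
Constructed example; not the paper's code nor that of any eNB/MME.
All timers, rates, thresholds and identifiers are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class RrcConnection:
    conn_id: str          # stands in for the C-RNTI the eNB allocates
    last_activity_ms: int


class Enb:
    """RRC connection table with finite capacity and an inactivity timer."""

    def __init__(self, inactivity_timer_ms: int, max_connections: int):
        self.inactivity_timer_ms = inactivity_timer_ms
        self.max_connections = max_connections
        self.connections: dict[str, RrcConnection] = {}
        self.rejected = 0   # requests refused because the table was full

    def release_idle(self, now_ms: int) -> None:
        # A connection that never answered the Authentication Request shows
        # no activity after setup, so the timer eventually releases it.
        stale = [cid for cid, c in self.connections.items()
                 if now_ms - c.last_activity_ms >= self.inactivity_timer_ms]
        for cid in stale:
            del self.connections[cid]

    def rrc_connection_request(self, conn_id: str, now_ms: int) -> bool:
        self.release_idle(now_ms)
        if len(self.connections) >= self.max_connections:
            self.rejected += 1
            return False
        self.connections[conn_id] = RrcConnection(conn_id, now_ms)
        return True


def simulate_depletion(inactivity_timer_ms: int, requests_per_s: int,
                       duration_ms: int, max_connections: int) -> tuple[int, int]:
    """Adversary sends RRC Connection Requests at a fixed rate and never
    answers the Authentication Request. Returns (peak concurrent fake
    connections, requests rejected because the table was full)."""
    enb = Enb(inactivity_timer_ms, max_connections)
    interval_ms = 1000 // requests_per_s
    peak = 0
    for i, t in enumerate(range(0, duration_ms, interval_ms)):
        enb.rrc_connection_request(f"fake-{i}", t)
        peak = max(peak, len(enb.connections))
    return peak, enb.rejected


def reconnections(activity_ms: list[int], inactivity_timer_ms: int) -> int:
    """RRC setups a legitimate UE must perform for a sequence of traffic
    timestamps: one initially, plus one after each idle gap that is at
    least as long as the timer (the eNB released the connection)."""
    setups = 1
    for prev, cur in zip(activity_ms, activity_ms[1:]):
        if cur - prev >= inactivity_timer_ms:
            setups += 1
    return setups


class StmsiReuseMonitor:
    """Counts RRC Connection Requests per S-TMSI over a sliding window and
    reports when the MME should be asked to reallocate that S-TMSI."""

    def __init__(self, threshold: int, window_ms: int):
        self.threshold = threshold
        self.window_ms = window_ms
        self.seen: dict[str, deque] = defaultdict(deque)

    def observe(self, s_tmsi: str, now_ms: int) -> bool:
        q = self.seen[s_tmsi]
        q.append(now_ms)
        while q and now_ms - q[0] > self.window_ms:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()   # start over once reallocation has been requested
            return True
        return False


# Constructed trace of (time ms, S-TMSI). The benign UE reconnects twice in a
# minute; the adversary replays the victim's S-TMSI in a burst.
TRACE = [
    (0, "0x011a2b3c4d"), (1000, "0x015e6f7081"), (30000, "0x011a2b3c4d"),
    (40000, "0x015e6f7081"), (40300, "0x015e6f7081"), (40600, "0x015e6f7081"),
    (40900, "0x015e6f7081"), (41200, "0x015e6f7081"),
]


def flagged_for_reallocation(trace, threshold=5, window_ms=10000) -> list[str]:
    mon = StmsiReuseMonitor(threshold, window_ms)
    return [s for t, s in trace if mon.observe(s, t)]


if __name__ == "__main__":
    for timer in (10000, 2000):
        print(f"timer={timer} ms:", simulate_depletion(timer, 50, 60000, 300),
              "legit setups:", reconnections([0, 3000, 6000, 15000, 18000, 30000], timer))
    print("reallocate:", flagged_for_reallocation(TRACE))
```

With a 10 s timer and 50 requests per second the adversary holds 500 connections, enough to exhaust a 300-entry table and cause rejections; a 2 s timer caps it at 100, but the same short timer forces the modelled legitimate UE to re-establish its connection after every traffic pause instead of only once, which is the signaling cost the text describes.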