White Paper Excerpt

Zero-Rating Fraud – Telcos Fighting Back!

We have looked at the occurrence of charging bypass/zero-rating fraud, why it is happening now, and the cost and pattern of attack. In this part we look at how to fight back: the techniques and tools to analyse traffic and defend against attack, which also serve as a foundation for managing the mobile data network as a shared resource.

At its core, effective data traffic management requires the right tools in the network to properly identify and classify encrypted application flows, interface with business support systems (such as policy and charging systems), and provide both real-time analytics and enforcement.

One of the basic forms of attack is based on SNI spoofing. The Server Name Indication (SNI) field is sent in clear text during the TLS handshake to indicate which host the client/app is trying to connect to. If the mechanism for charging detection is overly simplistic and based on the SNI only, then faking an SNI and using alternate destination IP addresses can provide free data.

This form of fraud is easier to achieve with the combination of more zero-rated access domains being available (which pushes the CSP towards simpler management and configuration options for sites), as well as the increase in open VPN (virtual private network) apps and protocol manipulation tools. People intent on fraud search for vulnerable SNIs and share them on the web in “SNI bug lists”. A tech-savvy individual can use VPN/proxy and access apps to manipulate the connection from a mobile device so that their traffic appears to go to the ‘free’/vulnerable SNI domain; from that point, they can tether multiple devices to the same access and consume data free of charge. The more sophisticated the fraudster, the more this becomes a security threat rather than simple revenue leakage.

A more intelligent approach has to be considered, in which app/content access is measured and modelled over time (e.g. duration, frequency of access, volume of data exchanged). This helps in detecting abnormal access, and also in planning new promotional offers and access. We look at the different levels of such an approach:

Starting at the IP/DNS level: using a reverse DNS lookup to match the SNI to the destination IP address is a relatively simple way to verify, where charging is based purely on the SNI, that data traffic is really intended for the right domain. Reverse DNS responses can be inconsistent, but as part of the onboarding process for a new data offer the mapping can be checked (and rechecked). Pre-storing well-known destination IP addresses is only a short-term fix, given the volume and variety of addresses (app access can also go through CDNs).
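To make the SNI-spoofing check above concrete, here is an added example (not Enea's code, and not from the paper) that parses the SNI out of a TLS ClientHello and zero-rates a flow only when the SNI and the destination IP agree with an address book recorded at offer onboarding. The ClientHello builder, the domain `free.example-csp.test` and the address book are constructed sample data standing in for live DNS/reverse-DNS lookups.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI (sample input only)."""
    host = sni.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host          # host_name type + name
    sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)            # version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host in the SNI extension of a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # not a handshake / ClientHello
            return None
        pos = 9 + 2 + 32                                    # headers, version, random
        pos += 1 + record[pos]                              # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                              # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                               # server_name extension
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

# Constructed address book: which IPs each zero-rated domain actually resolves to,
# recorded (and rechecked) at offer onboarding; a live system would use DNS/rDNS.
ZERO_RATED = {"free.example-csp.test": {"198.51.100.10", "198.51.100.11"}}

def classify_flow(record: bytes, dst_ip: str) -> str:
    """Zero-rate only when the SNI and the destination IP agree with the address book."""
    sni = extract_sni(record)
    if sni not in ZERO_RATED:
        return "billable"                   # no SNI, or not a zero-rated domain
    if dst_ip in ZERO_RATED[sni]:
        return "zero-rated"
    return "suspect-sni-spoof"              # zero-rated SNI, but IP belongs elsewhere
```

A flow carrying the zero-rated SNI towards an address outside the recorded set is billed and flagged rather than given free data.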

Application Service Classification

Moving up the protocol stack, classifying the application service and activity is a more challenging and complex task, and one in which Enea specializes. For encrypted traffic it combines packet-level and flow-level analysis, heuristics and modelling, through which we deliver a high degree (98+%) of coverage and accuracy, with additional capabilities to match specific regional behavior. Enea provides regular protocol and app signature updates as well as matching analytics tools for longitudinal analysis.

Usage & Behavioral Tracking

The next step is tracking the consumption of specific services like zero-rated sites, offered as a promotion. These can be further analyzed to establish the parameters of usage. It is anticipated that promotional offers will be modelled prior to launch, and as noted earlier, the cost/benefit analysis reviewed. In this case, mapping the actual behavior against expected usage is essential for the business.

The simple consumption tests highlighted earlier (e.g. based on time, frequency, data volume), broken down by user (prepaid and post-paid), device type, app etc., can all be used to understand ongoing behavior and establish limits (if specified in the T&C). Monitoring average versus peak-time usage for a service is also useful. If a vulnerability is being exploited, overall traffic to the site, as measured from the CSP's perspective, may rise sharply in a short time. Transient activity like this can be identified and notified to network operations and business owners.

Real-Time Response

Finally, the detection tools must be combined with real-time, machine-learning-driven responses: at a minimum notification of possible fraud, advancing to managing connection bandwidth (or terminating the connection), redirection (where possible), or reverting usage back to the user’s allocated quota rather than treating it as ‘free’. Future connectivity from the same user/source IP may also be classified as a potential source of misuse.
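The usage tracking and the response step above, as an added example that is not part of the paper or Enea's tooling: per-subscriber daily volume on a zero-rated site is compared with an assumed T&C cap and over-limit usage is reverted to paid quota, and site-level hourly traffic is checked for the sudden surge that exploitation of a vulnerable SNI produces. The usage records, the cap and the surge factor are constructed sample values.

```python
from collections import defaultdict
from statistics import mean

# Constructed usage records: (subscriber, zero-rated domain, hour of day, bytes)
RECORDS = [
    ("sub-A", "free.example-csp.test", 9, 20_000_000),
    ("sub-B", "free.example-csp.test", 9, 15_000_000),
    ("sub-A", "free.example-csp.test", 10, 25_000_000),
    ("sub-C", "free.example-csp.test", 10, 400_000_000),   # tethering-scale volume
    ("sub-C", "free.example-csp.test", 11, 900_000_000),
    ("sub-D", "free.example-csp.test", 11, 600_000_000),
]
PER_SUB_LIMIT = 200_000_000    # assumed T&C cap per subscriber per day on the free site
SURGE_FACTOR = 3.0             # an hour is a surge if above 3x the mean of earlier hours

def subscriber_actions(records, limit=PER_SUB_LIMIT):
    """Daily zero-rated volume per subscriber; over the cap, usage reverts to quota."""
    totals = defaultdict(int)
    for sub, _domain, _hour, nbytes in records:
        totals[sub] += nbytes
    return {sub: ("revert-to-quota" if total > limit else "ok")
            for sub, total in totals.items()}

def site_surges(records, factor=SURGE_FACTOR):
    """(domain, hour) pairs where site traffic jumps well above its running average,
    i.e. the transient spike to notify network ops and the business owner about."""
    hourly = defaultdict(lambda: defaultdict(int))
    for _sub, domain, hour, nbytes in records:
        hourly[domain][hour] += nbytes
    alerts = []
    for domain, by_hour in hourly.items():
        seen = []                          # hourly totals observed so far
        for hour in sorted(by_hour):
            if seen and by_hour[hour] > factor * mean(seen):
                alerts.append((domain, hour))
            seen.append(by_hour[hour])
    return alerts
```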

What are the types of threat? How can a plan for enabling zero-rating access be put in place while stopping fraud? And how can this be implemented from Day 1 and also tracked and reviewed on Day N? These are the detailed topics of our new paper “Data Charging Bypass: Stopping Zero Rating Fraud”.

If you want to know more, download the paper here.

Review our Enea capabilities for managing data traffic at https://www.enea.com/solutions/traffic-management/
