White Paper Excerpt

Zero-Rating Fraud – See It, Stop It

In this excerpt from our updated zero-rating fraud paper, we discuss how to build a coordinated approach to both detection and real-time response.

In previous excerpts from our paper on data charging bypass, we explored its growing relevance in today’s telecom services. We also examined the commercial and technical steps needed to define retail promotional offers that are resilient to revenue fraud.

In this final extract, we expand our focus to the detection and prevention of fraud, emphasizing the multi-layered observability and real-time response required — a strategy simply summarized as “see it, stop it.”

At its core, this defence relies on effective data traffic management — deploying the right tools within the network to accurately identify and classify encrypted application flows, interface with business support systems (such as policy and charging platforms), and enable both real-time analytics and policy enforcement.

Fraud Techniques Analyzed

We investigated two specific forms of attack: Server Name Indication (SNI) fraud and Domain Name System (DNS) fraud. Both exploit weaknesses in network traffic visibility that policy and charging systems depend on.

  • SNI Fraud involves spoofing legitimate zero-rated SNI values during the TLS handshake to gain free data access.
  • DNS Fraud exploits zero-rated IP ports — typically port 53 or 453 — to exfiltrate or access data, while disguising the traffic as legitimate DNS activity.

In both cases, data is exchanged with destination IP addresses that route through fake proxy servers, not the intended services. Traditional tracking by IP address alone is not scalable, necessitating smarter, more adaptive detection approaches.

Intelligent Detection Through Behavioral Modeling

Rather than relying solely on static IP tracking, we propose a behavioral approach — analyzing patterns of application/content access over time (e.g., access duration, frequency, and data volumes). This not only aids in detecting anomalies but also helps in designing and planning future promotional offers.

We outline a layered approach to this strategy:

DNS and IP-Level Monitoring

At the foundational level, monitoring DNS activity can reveal suspicious behavior such as auto-generated domain names or abnormal query frequency. For SNI-based fraud, reverse DNS lookups can be used to validate that the claimed SNI matches the destination IP.
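The SNI validation described above, as an added example that is not part of the original paper or of any Enea product: it checks each flow's claimed zero-rated SNI against the reverse DNS name of its destination IP and totals the bytes that would be counted back against the subscriber's quota. The hostnames, IP addresses, flow records, the per-service PTR suffix list and the function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: operator-kept map of zero-rated SNI -> suffixes that its real
# servers' PTR names end in (CDN-hosted services rarely have PTR == SNI).
ZERO_RATED = {"video.promo.example": ("promo.example", "cdn.example.net")}

# Constructed stand-in for reverse DNS answers (IP -> PTR name); a live
# deployment would fill this from a resolver or a passive DNS cache.
PTR_CACHE = {
    "198.51.100.10": "edge-7.cdn.example.net",
    "203.0.113.55": "vps-1234.hosting.example.org",
}

# Constructed flow records: (subscriber, destination IP, claimed SNI, bytes)
FLOWS = [
    ("sub-A", "198.51.100.10", "video.promo.example", 40_000_000),
    ("sub-B", "203.0.113.55", "video.promo.example", 900_000_000),
    ("sub-B", "192.0.2.77", "video.promo.example", 150_000_000),
    ("sub-C", "203.0.113.55", "news.other.example", 5_000_000),
]

def ptr_matches(ptr_name, suffixes):
    """True if the PTR name equals, or is a subdomain of, an expected suffix."""
    name = ptr_name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def classify(flow, ptr_cache=PTR_CACHE):
    """Return 'not_zero_rated', 'ok', 'mismatch' or 'no_ptr' for one flow."""
    _sub, dst_ip, sni, _nbytes = flow
    suffixes = ZERO_RATED.get(sni.rstrip(".").lower())
    if suffixes is None:
        return "not_zero_rated"   # charged normally, nothing to validate
    ptr = ptr_cache.get(str(ipaddress.ip_address(dst_ip)))
    if ptr is None:
        return "no_ptr"           # unverifiable claim: queue for review
    return "ok" if ptr_matches(ptr, suffixes) else "mismatch"

def bytes_to_rerate(flows, statuses=("mismatch",)):
    """Per subscriber, sum zero-rated bytes whose SNI claim failed validation."""
    totals = defaultdict(int)
    for flow in flows:
        if classify(flow) in statuses:
            totals[flow[0]] += flow[3]
    return dict(totals)

if __name__ == "__main__":
    print(bytes_to_rerate(FLOWS))
```

Matching on a label boundary (`"." + suffix`) keeps a look-alike PTR such as `evilcdn.example.net` from passing as `cdn.example.net`.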

Application Service Classification

Deeper in the protocol stack, classifying encrypted application traffic is far more complex — an area where Enea provides specialized capabilities. Using a blend of packet analysis, flow characteristics, heuristic methods, and behavioral modeling, we achieve over 98% classification accuracy. Our solutions also support regional behavioral patterns and include frequent protocol/app signature updates and robust longitudinal analytics.

Usage and Behavioral Tracking

Beyond detection, tracking the consumption of specific services, such as zero-rated promotional sites, allows for deeper insight into how users interact with these offers. Ideally, promotional packages should be modeled and simulated before launch. Post-launch, comparing actual usage with expected patterns is essential for assessing both performance and financial impact.

Simple metrics — including access time, session frequency, and data volume — can be filtered by user type (prepaid vs. postpaid), device, and application to help identify abnormal usage or enforce terms and conditions.

Real-Time Response and Enforcement

Detection alone is not enough. The final layer involves integrating detection tools with real-time, automated responses, such as:

  • Alerting on suspected fraud
  • Throttling or terminating suspicious connections
  • Redirecting traffic
  • Reinstating usage against the user’s allocated quota

Future connections from the same device or user may also be flagged as potentially fraudulent, allowing for proactive threat mitigation.

This last extract covers enforcement; for the complete picture, please visit us and download the full paper.


Enea Data Charging Bypass Fraud Protect Revenue White Paper Sept 2025