2.3 DSA Logic Process
DSA logic runs only when its prerequisites are met: the DCA framework must be activated, and DSA itself must be activated, enabled, and provisioned.
DSA logic is triggered when DSA receives a diameter message. When a diameter message is received:
- DSA starts executing the provisioned countermeasures, which are enabled, in a predefined sequence irrespective of the countermeasure’s provisioning sequence.
- Each countermeasure can be enabled or disabled independently for screening the message for vulnerability.
- The stateless countermeasures are performed first, followed by the stateful countermeasures, for better efficiency. The stateless countermeasures are processed in the following sequence if configured and enabled:
- Application-ID Whitelist Screening (AppIdWL)
- Application-ID and Command-Code Consistency Check (AppCmdCst)
- Origin Realm and Destination Realm Whitelist Screening (RealmWLScr)
- Origin Host and Origin Realm Consistency Check (OhOrCstChk)
- Destination-Realm and Origin-Realm Match Check (DrOrMatch)
- Visited-PLMN-ID and Origin-Realm Consistency Check (VplmnORCst)
- Realm and IMSI Consistency Check (RealmIMSICst)
- Subscriber Identity Validation (SubsIdenValid)
- Specific AVP Screening (SpecAVPScr)
- AVP Multiple Instance Check (AVPInstChk)
- AVP Whitelist Screening (AVPWLScr)
- Origin Host and Origin Realm Format Check (OhOrFrmChk)
- Session Id Validation Check (SesIdValChk)
- Destination Host and Destination Realm Format Check (DhDrFrmChk)
The stateful countermeasures are processed in the following sequence if configured and enabled:
This countermeasure screens S6a/d ULR and AIR messages of Outbound Roaming Subscribers who are currently in international roaming, to check whether it is physically possible for the subscriber to have moved from its previous location to the new location within the time that has elapsed.
This countermeasure screens S6a/d ULR and AIR messages for vulnerability only if a successful registration record already exists for the subscriber.
An Outbound Roaming Subscriber is considered successfully registered to an MME when DSA processes an ingress S6a/d ULR/ULA exchange in which the ULA carries a Result-Code of 2xxx.
The geographical coordinates (Latitude/Longitude) of the capital city of each country, keyed by MCC, are used by this countermeasure for screening. This table is pre-configured with the capital-city coordinates of all countries, and entries can be updated or inserted for any country that is missing.
The option is also available to treat S6a/d ULR and AIR messages as vulnerable when the geographical coordinates of the country of the received message are not configured.
This countermeasure considers an S6a/d ULR or AIR message vulnerable if DSA has already processed an earlier successful registration for the subscriber and either of these conditions is true:
- The geographical coordinates of both countries are configured, but the actual transit time (the time elapsed since the previous successful registration) is less than the minimum transit time calculated from the geo-coordinates of the two countries.
- The geographical coordinates of either country are not configured, and the configuration says to mark the message as vulnerable when no matching configuration is found.
This countermeasure also provides an exception list of neighboring countries for each country; S6a/d ULR and AIR messages for a move between a country and one of its listed neighbors are exempted from screening.
Note:
- International Roaming is identified by matching the Home MCCs configured in the MCC_MNC_List table (the first three digits of MCC_MNC for entries whose Network_Type is Home_Network) against the MCC value in the Visited-PLMN-Id AVP; an MCC that matches none of the Home MCCs indicates international roaming.
- Transit time between two geo-coordinate points is calculated from the distance between the two points and the speed configured by the user in the System_Config_Options table (default: 700 km/hr).
Apart from the mandatory configurations, the DSA tables specific to this countermeasure must also be configured.
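The screening logic described above, written out as an added Python example (this is not the product's own code). It assumes, for illustration, that the Visited-PLMN-Id AVP has already been decoded to its digit string so the MCC is its first three digits, and it uses small constructed tables in place of the product's MCC_MNC_List, capital-coordinate and neighbor-exception tables (the coordinates are approximate). The verdict strings, the function names and the `vulnerable_if_unconfigured` flag are this example's own naming. The great-circle distance uses the haversine formula and is divided by the configured speed (700 km/hr default) to get the minimum transit time, which is then compared with the time elapsed since the last ULA with a 2xxx Result-Code.

```python
"""Time/distance screening of S6a/d ULR/AIR for outbound roamers (illustrative).

Added example, not the DSA product's code. Simplifications (assumptions):
- Visited-PLMN-Id is passed as its decoded digit string (MCC = first three digits)
  rather than the TBCD-encoded AVP bytes.
- Coordinates, home MCCs and neighbour lists are small constructed tables standing
  in for the product's MCC_MNC_List / coordinate / exception tables.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
DEFAULT_SPEED_KMH = 700.0  # System_Config_Options default named on the page

Coord = Tuple[float, float]

# Constructed subset of the per-MCC capital-city coordinate table (lat, lon in degrees).
CAPITAL_COORDS: Dict[str, Coord] = {
    "262": (52.520, 13.405),    # Germany (Berlin)
    "208": (48.857, 2.352),     # France (Paris)
    "440": (35.689, 139.692),   # Japan (Tokyo)
    "310": (38.895, -77.037),   # USA (Washington)
}
HOME_MCCS: Set[str] = {"310"}                 # MCC_MNC_List rows with Network_Type = Home_Network
NEIGHBOR_EXEMPT: Dict[str, Set[str]] = {      # exception list: previous MCC -> exempt new MCCs
    "262": {"208"},
    "208": {"262"},
}


@dataclass
class Registration:
    mcc: str          # MCC of the visited network at the last successful registration
    timestamp: float  # time the ULA with Result-Code 2xxx was processed (seconds)


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_transit_seconds(mcc_from: str, mcc_to: str,
                        speed_kmh: float = DEFAULT_SPEED_KMH) -> Optional[float]:
    """Minimum plausible travel time between two countries' capitals; None if either is unconfigured."""
    if mcc_from not in CAPITAL_COORDS or mcc_to not in CAPITAL_COORDS:
        return None
    return haversine_km(CAPITAL_COORDS[mcc_from], CAPITAL_COORDS[mcc_to]) / speed_kmh * 3600.0


def record_ula(store: Dict[str, Registration], imsi: str, visited_plmn_id: str,
               result_code: int, now: float) -> bool:
    """A ULA with Result-Code 2xxx is a successful registration; anything else is ignored."""
    if not 2000 <= result_code < 3000:
        return False
    store[imsi] = Registration(mcc=visited_plmn_id[:3], timestamp=now)
    return True


def screen_ulr(store: Dict[str, Registration], imsi: str, visited_plmn_id: str, now: float,
               vulnerable_if_unconfigured: bool = True,
               speed_kmh: float = DEFAULT_SPEED_KMH) -> str:
    """Screen an ingress ULR/AIR and return a verdict (the caller decides what to do with it)."""
    new_mcc = visited_plmn_id[:3]
    if new_mcc in HOME_MCCS:
        return "NOT_SCREENED_NOT_ROAMING"      # only international roamers are screened
    prev = store.get(imsi)
    if prev is None:
        return "NOT_SCREENED_NO_REGISTRATION"  # no successful registration to compare against
    if new_mcc == prev.mcc or new_mcc in NEIGHBOR_EXEMPT.get(prev.mcc, set()):
        return "EXEMPT"                        # same country or listed neighbour
    needed = min_transit_seconds(prev.mcc, new_mcc, speed_kmh)
    if needed is None:                         # coordinates missing for one of the countries
        return "VULNERABLE_NO_COORDINATES" if vulnerable_if_unconfigured else "NOT_SCREENED_NO_COORDINATES"
    actual = now - prev.timestamp              # "actual transit time" since the last registration
    return "VULNERABLE_TRANSIT_TIME" if actual < needed else "OK"


if __name__ == "__main__":
    store: Dict[str, Registration] = {}
    record_ula(store, "310150123456789", "26201", 2001, now=0.0)        # registered in Germany at t=0
    print(screen_ulr(store, "310150123456789", "44010", now=3600.0))    # Japan one hour later
    print(screen_ulr(store, "310150123456789", "44010", now=50000.0))   # about 14 hours later
```

Berlin to Tokyo is roughly 8,900 km, so at 700 km/hr the minimum transit time is a little under 13 hours; a ULR from a Japanese MME an hour after a successful registration in Germany is flagged, while one 14 hours later passes. Note that the store is only updated by `record_ula`, never by a screened ULR, so a flagged message does not move the subscriber's recorded location.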