NSGP Modules Overview
Because each mobile station (MS) gets an IP address from an IP pool, an overbilling attack can occur when a legitimate subscriber returns an IP address to the IP pool, but the session is still open. Attackers can hijack the open session without being detected and reported, then download data at the expense of the legitimate subscriber, or send data to other subscribers. Overbilling can also occur when a newly returned IP address is reassigned to another MS; traffic initiated by the previous MS might be forwarded to the new MS, causing the new MS to be billed for unsolicited traffic. To protect subscribers of a public land mobile network (PLMN) from overbilling attacks, you can use the NetScreen Gatekeeper Protocol (NSGP) module and two security devices.
The NSGP module includes two components: the client and the server. The client connects to the server and sends requests, which the server processes. Both client and server support multiple connections to each other and to others simultaneously. Using TCP, NSGP monitors the connectivity between client and server by sending Hello messages at set intervals.
NSGP uses a session context to ensure that the server and client know that status of the connection. The session context stores is identified by a unique number (context ID); when configuring NSGP on the client and server devices, you must use the same context ID on each device. When the client sends a “clear session” request to the server, the request includes the context ID and IP address of the server. When the server receives the “clear session” message, it matches the context ID and then clears the session from its table.
The security device acting as the NSGP server must run the ScreenOS 5.0 GPRS firmware, and the other device acting as the GTP client must run the ScreenOS 5.0 NSGP firmware. After you have deployed the two devices, you must:
Configure NSGP on the GTP server to recognize when a GTP tunnel is deleted and to notify the GTP client.
Configure NSGP on the GTP client to automatically clear sessions whenever the NSGP server gets a notification from the GTP client that a GTP tunnel was deleted.
By clearing the sessions, the NSGP server stops the unsolicited traffic and prevents overbilling.