Case Overview:

Diameter signaling attacks targeting LTE networks have become common. These attacks can compromise the privacy and confidentiality of subscribers and the availability of mobile networks. In this challenge, you will use Kibana to investigate malicious activities carried out by an attacker on a mobile operator's LTE core network (e.g. traffic interception and location tracking).


Scenario:

Alice is a small business owner and a client of XWealth bank. She uses online banking to transfer money to her suppliers. Her bank requires all customers to activate 2FA via SMS in order to use the online banking system.

One day, she received an SMS notification for an international money transfer going out of her bank account that she did not initiate. She immediately called the bank and flagged it as an unauthorized transaction.

The bank started an immediate investigation and found that an attacker had logged into Alice's online banking account. Moreover, the attacker had authenticated with a correct 2FA code, although Alice confirmed that she had her phone next to her the whole day!

The bank's IT security team engaged the mobile operator, CyberDefenders, and asked for clarification on how this could happen. To investigate the case, the operator's security team set up a Diameter probe to analyze the traffic and understand what happened under the hood.


Network Information:

  • There are two whitelisted roaming partners: "OpenAirInterface" and "OperatorX".
  • The operator's core network is in the range 192.168.1.0/24 (MCC=602, MNC=05).
  • The "OpenAirInterface" network is connected to the CyberDefenders network via Diameter agents in between; its network range is 172.16.10.0/24 (MCC=320, MNC=230).
  • The "OperatorX" network is connected to the CyberDefenders network via a Diameter agent in between; its network range is 10.10.10.0/24 (MCC=123, MNC=001).


Questions:

#    Weight  Solved  Question
1    100     8       Which Diameter interface did the EPC nodes use?
2    100     8       Which Diameter command did the attacker use to discover and establish a connection with EPC nodes? (hyphens in between)
3    100     8       What was the hostname of the rejected connection?
4    100     8       What was the error returned to the attacker? (underscore in between)
5    100     8       What was the hostname of the accepted connection?
6    100     7       What is the value of the AVP used during traffic interception?
7    100     8       What was the spoofed hostname?
8    100     8       Which node of the 'cyberdefenders' network communicated with the malicious peer?
9    150     8       What is the name of the node that accepted the attacker's connection attempts?
10   150     7       What was the Diameter command used to retrieve Alice's location? (hyphens in between)
11   150     8       What is the IMSI of Alice?
12   250     4       Which AVP is responsible for querying the location? (hyphens in between)
13   250     7       Which flag was set in the tracking Diameter command used to retrieve Alice's location?
14   250     5       Which AVP indicates that the attacker spoofed the origin hostname? (hyphens in between)
15   250     7       Which fields can help in decrypting Alice's radio air interface traffic? (comma-separated)
16   250     7       Peer autodiscovery caused an unexpected connection with a malicious peer. Provide the hostname of that malicious peer.
17   300     4       Which AVP did the attacker use to intercept Alice's data traffic? (hyphens in between)
18   300     6       Which Diameter command did the attacker use to intercept Alice's 2FA? (hyphens in between)
19   300     6       Which Diameter command can the attacker use to intercept the radio air interface traffic? (hyphens in between)