5G networks provide low latency, high throughput, and massive connectivity, yet the control plane remains exposed to several security threats. Among the most common and impactful threats are Denial-of-Service (DoS) attacks, with Radio Resource Control (RRC) signaling storms being particularly effective and difficult to mitigate. In this attack, a malicious User Equipment (UE) aims to exhaust Next Generation Node Base (gNB) resources, preventing legitimate UEs from establishing a connection. Existing defenses are typically limited to detection, are evaluated only through numerical simulations, and cannot distinguish high-load network conditions from attacks. Most of them also assume static setups and do not take mobility into account. In this paper, we first evaluate the feasibility of the signaling storm attack by using the OpenAirInterface (OAI) 5G protocol stack. Then, we propose StormShield, a signaling storm attack detection and mitigation technique implemented as an xApp on an O-RAN Near-Real-Time (near-RT) RAN Intelligent Controller (RIC). It fingerprints and blocks Malicious UEs (MUEs) before gNB resources are exhausted. We prototyped our solution on an Over-The-Air (OTA) testbed with OAI, NVIDIA Aerial, and two different gNB setups. The first one leverages a USRP X410 Software-Defined Radio (SDR) with the 8.1 functional split; the second uses a commercial Foxconn Radio Unit (RU) with the 7.2 functional split. Our experimental evaluation demonstrates that StormShield effectively prevents gNB resource exhaustion, identifying and blocking MUEs with an average detection accuracy of 97.6% within 106.5 ms from the beginning of the attack.