A SURVEY ON THREATS, VULNERABILITIES AND SECURITY
SOLUTIONS FOR CELLULAR NETWORK (what this article says)

4G System (LTE) Security
Modern LTE cellular networks provide advanced services for billions of users, well beyond traditional voice and short-message traffic. An emerging class of attack against LTE is the Distributed Denial of Service (DDoS) attack. Because availability is what a communication system exists for, mobility networks must be hardened against Denial of Service (DoS) and DDoS threats so that the LTE network stays available while under attack.
Examples of such threats are spam over VoIP, spoofing and misdirection, SIP registration hijacking, and interception and cryptanalysis of IP traffic.

Several parts of the LTE system are exposed to different attacks: the radio access network, the Evolved Packet Core (EPC) and the packet data network (PDN). DoS and DDoS attacks on LTE mobility networks can be classified by the traffic load that is maliciously generated: a single attacker or a low traffic volume (DoS), versus a large set of simultaneous attackers or a high traffic volume (DDoS).
Denial of Service attacks (DoS)
Radio jamming is the intentional transmission of radio signals that disrupts communications by lowering the signal-to-noise ratio. The way to stop such an attack is to locate and shut down the jamming device; the large amount of transmit power the attacker needs also limits the effectiveness of the attack. (Blogger's note: radio jamming devices!!! are one of the sources of malicious DoS attacks.)

Smart jamming consists of attacks that aim to locally disrupt the communications of an LTE network without raising alarms. It can be implemented by saturating one or more of the essential control channels that every mobile device must use to access the spectrum (blogger's note: the attacker only needs to target a few important control channels). Saturating these channels makes the network unresponsive. Moreover, the attack needs only low transmit power, requires no authentication, and is hard to detect and mitigate. It can be launched against essential control channels in both the downlink and the uplink. Because it concentrates on the much narrower control channels instead of saturating the entire band, it consumes far less power than plain jamming.
Classic computer vulnerabilities: cellular equipment and the software running in mobile networks are computer systems like any other, so they can be affected by the same vulnerabilities. [21]
Distributed Denial of Service attacks (DDoS)
Botnet of mobile devices (blogger's note: botnets of devices are of course another possible cause of DoS): a smartphone botnet presents a new and very powerful attack vector against mobility networks. It enables a new set of DDoS attacks in which large volumes of traffic and signaling messages are generated from inside the network.
Signaling amplification attacks: a botnet of infected mobile devices can be used to mount a signaling amplification attack by forcing each terminal to continually establish and release IP connections to an external server. The same saturation of the EPC can also occur legitimately under a large amount of traffic.
HSS saturation: the HSS is a key node of the EPC that stores information for every subscriber in the network (blogger's note: attack the HSS node). The parameters stored per user include the phone number, the international mobile subscriber identity (IMSI), billing and account information, the cryptographic primitives and keys used to authenticate subscribers, and the last known location of the user. A DDoS attack against this node could prevent the network from operating at all.
DDoS against external nodes/networks: these attacks are generated from a number of hosts remotely controlled by an attacker that inject large traffic loads into the network. The high volume of traffic aimed at a specific target during a DDoS attack could be generated by a botnet of mobile phones, and would then also degrade the performance of the mobile network itself.
[21]

3G WCDMA Mobile Network DoS Attack and Detection Technology (in this article)

it describes using GTP Echo messages to launch a DoS attack:

also released a DoS attack on the 3G mobile network, using the GTP Echo scan message [9][10].

Of course, other signaling can be sent as well.

A. GTP-in-GTP based DoS Attack (blogger's note: the first method uses GTP messages (signaling??? probably not))

If a GTP-C message used to control the 3G WCDMA mobile network, such as one that allocates IP addresses for the 3G mobile network, is sent by the terminal as ordinary user data addressed to the GGSN's own IP address, IP address resources can be allocated abnormally. This type of GTP-in-GTP packet processing vulnerability can be exploited in most GGSNs installed in the domestic commercial service environment, and also in the P-GW (PDN gateway) of the 4G LTE network, which performs a function similar to the 3G network's GGSN.
If the terminal creates many "GTP-C Create PDP Context" messages and sends them to the GGSN's IP address, TEIDs and IP addresses on the GGSN are allocated abnormally. Likewise, a DoS attack against normal users of the 3G mobile Internet service can be launched once the GGSN's TEID and IP address pools are exhausted by exploiting the GGSN's GTP-in-GTP packet processing vulnerability.
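The check a GGSN/P-GW (or a GTP-aware firewall on Gn/S5) needs here is to look inside the user-plane tunnel: a subscriber IP packet carried in a GTP-U G-PDU must never itself be a GTP message addressed to the gateway's GTP-C (2123) or GTP-U (2152) port. The following Python is an added example written for this post, not code from the cited paper or from any vendor product. It builds constructed sample packets (the terminal address 10.0.0.5, the GGSN address 192.0.2.1, the TEID and the IE bytes inside the Create PDP Context Request are placeholders, not a complete TS 29.060 message) and classifies them with a minimal GTPv1 header parser that also walks the optional sequence-number and extension-header fields.

```python
import struct
import ipaddress

GTP_C_PORT = 2123            # GTPv1-C (control plane)
GTP_U_PORT = 2152            # GTPv1-U (user plane)
MSG_ECHO_REQUEST = 0x01
MSG_CREATE_PDP_CONTEXT_REQ = 0x10
MSG_GPDU = 0xFF              # GTP-U T-PDU carrying a subscriber IP packet


def gtpv1_header(msg_type, teid, payload):
    """Prepend a minimal 8-byte GTPv1 header: flags 0x30 = version 1, PT=1, no E/S/PN."""
    return struct.pack("!BBHI", 0x30, msg_type, len(payload), teid) + payload


def ipv4_udp(src, dst, sport, dport, payload):
    """Wrap payload in UDP and IPv4 (checksums left zero: this is a parsing demo)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp


def parse_gtpv1(buf):
    """Parse a GTPv1 header (GTP-C and GTP-U share the layout).

    Returns {"msg_type", "teid", "payload"} or None if buf is not well-formed GTPv1.
    """
    if len(buf) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1 or not flags & 0x10:      # version 1 and PT=1 (GTP, not GTP')
        return None
    hdr_len = 8
    if flags & 0x07:                              # any of E/S/PN: 4 optional bytes present
        if len(buf) < 12:
            return None
        hdr_len = 12
        next_ext = buf[11] if flags & 0x04 else 0
        while next_ext:                           # walk the extension-header chain
            ext_len = buf[hdr_len] * 4            # length field is in 4-octet units
            if ext_len == 0 or len(buf) < hdr_len + ext_len:
                return None
            next_ext = buf[hdr_len + ext_len - 1]
            hdr_len += ext_len
    end = 8 + length                              # length counts everything after the first 8 bytes
    if end > len(buf) or hdr_len > end:
        return None
    return {"msg_type": msg_type, "teid": teid, "payload": buf[hdr_len:end]}


def inspect_tpdu(gtpu_packet):
    """Classify a GTP-U packet from the user plane.

    Returns ("gtp-in-gtp", inner_msg_type) when the tunnelled IP packet is itself a
    GTPv1 message sent to a GTP port, which is what the GGSN must refuse to process.
    """
    outer = parse_gtpv1(gtpu_packet)
    if outer is None or outer["msg_type"] != MSG_GPDU:
        return ("not-gpdu", None)
    ip = outer["payload"]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return ("non-ipv4", None)
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:         # only UDP can carry GTP
        return ("ok", None)
    _sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport in (GTP_C_PORT, GTP_U_PORT):
        inner = parse_gtpv1(ip[ihl + 8:ihl + ulen])
        if inner is not None:
            return ("gtp-in-gtp", inner["msg_type"])
    return ("ok", None)


# Constructed samples (addresses, TEID and IE bytes are placeholders, not a full TS 29.060 message).
TERMINAL, GGSN, TEID = "10.0.0.5", "192.0.2.1", 0x00001234
PLACEHOLDER_IES = bytes([0x02]) + bytes.fromhex("1234567890abcdef")   # IMSI IE type + 8 bytes

# The attack: a Create PDP Context Request hidden as subscriber data bound for the GGSN.
ATTACK_TPDU = gtpv1_header(MSG_GPDU, TEID, ipv4_udp(
    TERMINAL, GGSN, 40000, GTP_C_PORT,
    gtpv1_header(MSG_CREATE_PDP_CONTEXT_REQ, 0, PLACEHOLDER_IES)))

# The same trick with an Echo Request (the GTP Echo scan mentioned above).
ECHO_TPDU = gtpv1_header(MSG_GPDU, TEID, ipv4_udp(
    TERMINAL, GGSN, 40001, GTP_C_PORT, gtpv1_header(MSG_ECHO_REQUEST, 0, b"")))

# Same Echo Request, but the outer G-PDU carries the optional sequence-number field (S flag).
SEQ_ECHO_TPDU = (struct.pack("!BBHI", 0x32, MSG_GPDU, 4 + len(ECHO_TPDU) - 8, TEID)
                 + b"\x00\x01\x00\x00" + ECHO_TPDU[8:])

# Ordinary subscriber traffic: a DNS query to a resolver.
BENIGN_TPDU = gtpv1_header(MSG_GPDU, TEID, ipv4_udp(
    TERMINAL, "198.51.100.53", 40002, 53, b"\x12\x34\x01\x00" + bytes(8)))


if __name__ == "__main__":
    for name, pkt in [("attack", ATTACK_TPDU), ("echo", ECHO_TPDU),
                      ("seq-echo", SEQ_ECHO_TPDU), ("benign", BENIGN_TPDU)]:
        print(name, inspect_tpdu(pkt))
```

In a real deployment the same decision belongs on the gateway or a GTP firewall: drop G-PDUs whose inner destination is a GTP port, never accept GTP-C arriving on an interface that carries subscriber traffic, and rate-limit Create PDP Context Requests per APN and per IMSI so that a flood cannot exhaust the TEID and IP pools even if one filter is bypassed.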

Looking at the figure in the original paper, it is clearly feasible.

B. Signaling DoS Attack
To use the limited wireless resources efficiently, the 3G mobile network releases the wireless resources allocated to a mobile terminal if the terminal does not transmit data for a certain period of time. By taking advantage of this design, a DoS attack that overloads the RNC and SGSN with large numbers of signaling messages can be launched.
The signaling messages are created by maliciously and abnormally requesting wireless resource re-allocation right after each resource release [5].

(Blogger's note: what this describes should be the signaling storm caused by RRC.)

As shown in Fig.3, if an active terminal does not perform data communication for a certain period of time, a wireless resource release request message is sent to the SGSN to switch the terminal to dormant mode. Conversely, if a terminal in dormant mode transmits data, it is switched back to active mode by sending a wireless resource allocation message to the SGSN. Through this mode switching, the 3G mobile network manages its limited wireless resources efficiently. When wireless resources are maliciously and abnormally allocated and released, that is, when small amounts of traffic are sent at a chosen interval purely to switch the terminal from dormant to active mode, many signaling messages are created, which results in a DoS attack by overloading the RNC and SGSN.

(Blogger's note: this is the signaling storm caused by 3G state switching, with no real data transmission.)
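Seen from the core, the LTE signaling amplification attack described earlier (terminals continually establishing and releasing IP connections) and this 3G allocate/release storm are the same pattern: one terminal forcing far more bearer set-up and tear-down cycles than a human-driven device, while moving almost no data per cycle. The following Python is an added example for this post (not code from either cited paper, nor from any RNC/SGSN vendor) that runs a per-subscriber churn detector over a constructed signaling log. The event names RAB_ASSIGN, DATA and RAB_RELEASE, the IMSI labels and the thresholds are assumptions for illustration; a real detector would read the equivalent events from the RNC/SGSN (or MME) and calibrate thresholds against the live network.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed RNC/SGSN-style event log: 'seconds imsi event bytes' per line.

    IMSI-A behaves like the attack: a tiny burst every 3 s, releasing the RAB in between,
    so the network re-allocates resources 20 times in a minute for 800 bytes of data.
    IMSI-B is ordinary browsing: two long sessions moving real data.
    """
    lines = []
    for i in range(20):
        t = i * 3.0
        lines += [f"{t:.1f} IMSI-A RAB_ASSIGN 0",
                  f"{t + 0.2:.1f} IMSI-A DATA 40",
                  f"{t + 1.0:.1f} IMSI-A RAB_RELEASE 0"]
    for i in range(2):
        t = i * 30.0
        lines += [f"{t:.1f} IMSI-B RAB_ASSIGN 0",
                  f"{t + 5.0:.1f} IMSI-B DATA 200000",
                  f"{t + 20.0:.1f} IMSI-B RAB_RELEASE 0"]
    return "\n".join(sorted(lines, key=lambda line: float(line.split()[0])))


def parse_log(text):
    """Parse log lines into (timestamp, imsi, event, bytes) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, imsi, event, nbytes = line.split()
            records.append((float(ts), imsi, event, int(nbytes)))
    return records


def peak_count(times, window_s):
    """Largest number of events falling inside any window of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def per_subscriber_stats(records, window_s=60.0):
    """For each IMSI: peak dormant->active transitions per window and payload bytes per cycle."""
    assigns = defaultdict(list)
    data_bytes = defaultdict(int)
    for ts, imsi, event, nbytes in records:
        if event == "RAB_ASSIGN":
            assigns[imsi].append(ts)
        elif event == "DATA":
            data_bytes[imsi] += nbytes
    return {imsi: {"peak_cycles": peak_count(ts_list, window_s),
                   "bytes_per_cycle": data_bytes[imsi] / len(ts_list)}
            for imsi, ts_list in assigns.items()}


def flag_signaling_abuse(records, window_s=60.0, max_cycles=10, min_bytes_per_cycle=1024):
    """Return IMSIs that churn more than max_cycles per window while sending less than
    min_bytes_per_cycle per activation. The thresholds are illustrative assumptions:
    tune them against a baseline from the live network and expect chatty but legitimate
    apps (keep-alives, push clients) to sit near the boundary."""
    stats = per_subscriber_stats(records, window_s)
    return sorted(imsi for imsi, s in stats.items()
                  if s["peak_cycles"] > max_cycles and s["bytes_per_cycle"] < min_bytes_per_cycle)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for imsi, s in per_subscriber_stats(recs).items():
        print(imsi, s)
    print("flagged:", flag_signaling_abuse(recs))
```

The two features together matter: a high transition rate alone would also flag a busy but legitimate device that happens to hit the inactivity timer often, and a low bytes-per-cycle figure alone would flag idle phones; the attack is specifically the combination. The detector is a first-pass trigger for per-IMSI throttling (a longer inactivity timer or a back-off on re-allocation for the flagged subscriber), not a replacement for capacity planning on the RNC and SGSN.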

Reposted from: https://www.cnblogs.com/bonelee/p/9528881.html
