Overview
The STP (Signal Transfer Point) is the routing node of the SS7 signalling network. It does not originate or terminate signalling messages. Its function is purely to receive MTP3-addressed SS7 messages and forward them toward their destination, acting as the SS7 equivalent of an IP router.
Every 2G and 3G mobile network runs on a hub-and-spoke SS7 topology where the STPs are the hubs. Rather than requiring every MSC to maintain direct signalling links to every HLR, SMSC, and foreign network node (an impractical mesh at national scale), each signalling point (MSC, HLR, SGSN, SMSC) connects to a pair of mated STPs. The STPs maintain routing tables that map destination point codes to outgoing links, and forward messages accordingly. This allows any node in the network to reach any other via at most one or two STP hops.
The STP's central position in the signalling topology makes it simultaneously essential and dangerous. It sees every SS7 message that transits the network: location updates, authentication requests, call routing queries, SMS deliveries. A compromised STP is a passive intercept point for all of this traffic, and an active manipulation point for any message it forwards. The commercially operated international STPs that connect national networks for roaming and interconnect have been identified as a primary enabler of SS7 attacks: an attacker with access to an international STP can send messages into any connected network, targeting subscribers worldwide.
How it works
The STP operates at MTP levels 2 and 3, the signalling link and network layers of the SS7 stack. Its processing is comparatively simple: inspect the destination point code (DPC) in the MTP3 routing label, look up the outgoing link in the routing table, and forward the message. This makes STPs extremely high-performance; they can process hundreds of thousands of messages per second with sub-millisecond latency.
MTP3 routing
Every message in the SS7 network carries a routing label in the MTP3 header, containing an Originating Point Code (OPC), Destination Point Code (DPC), and a Signalling Link Selector (SLS) used for load distribution across parallel links. The STP performs a lookup on the DPC and selects the appropriate outgoing link or link set. If the DPC is directly reachable, the message goes directly. If not, the STP looks for a next-hop STP that can route the message onward.
Global Title Translation
Many MAP messages are addressed not to a specific point code but to a Global Title (GT), a directory number or IMSI-based address. A GT does not directly map to a point code; the STP must perform Global Title Translation (GTT) to convert the GT to a routable DPC before forwarding. GTT tables map GT ranges (often MNO prefixes or IMSI prefixes) to the point codes of destination nodes (e.g., the HLR's point code for IMSI-addressed MAP messages).
GTT is a critical function: it determines where each category of MAP message is delivered. An error in the GTT tables, or manipulation of them, can silently reroute all subscriber management traffic to the wrong node.
Mated pairs and load sharing
STPs are always deployed in mated pairs for redundancy. Traffic is load-shared across both STPs in the pair using the SLS field. If one STP fails, all traffic flows to its mate automatically. Links between the two STPs in a mated pair are called C-links (cross-links); they carry traffic that cannot reach its destination via the normal path.
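The DPC lookup and SLS-based link selection described under MTP3 routing and mated pairs, as an added example that is not part of the original page. It assumes the 4-octet ITU-T routing label with 14-bit point codes; the routing table, the link names and the modulo link choice are constructed simplifications.

```python
import struct
from typing import NamedTuple, Optional

class RoutingLabel(NamedTuple):
    dpc: int  # Destination Point Code (14 bits in the ITU format)
    opc: int  # Originating Point Code (14 bits)
    sls: int  # Signalling Link Selector (4 bits)

def parse_routing_label(raw: bytes) -> RoutingLabel:
    """Decode the 4-octet ITU routing label, which is packed LSB first."""
    if len(raw) < 4:
        raise ValueError("routing label is 4 octets")
    (word,) = struct.unpack("<I", raw[:4])
    return RoutingLabel(word & 0x3FFF, (word >> 14) & 0x3FFF, word >> 28)

def build_routing_label(dpc: int, opc: int, sls: int) -> bytes:
    """Inverse of parse_routing_label; used to construct sample input."""
    return struct.pack("<I", (sls & 0xF) << 28 | (opc & 0x3FFF) << 14 | (dpc & 0x3FFF))

# Constructed routing table: DPC -> parallel outgoing links (hypothetical names).
ROUTES = {
    0x0101: ["a-link-hlr-0", "a-link-hlr-1"],    # directly attached HLR
    0x0202: ["b-link-stp2-0", "b-link-stp2-1"],  # reached via a next-hop STP
}
C_LINK = "c-link-mate"  # cross-link to the mated STP

def select_link(label: RoutingLabel, links_up: set) -> Optional[str]:
    """Return the outgoing link for a message, or None if it cannot be routed."""
    candidates = [link for link in ROUTES.get(label.dpc, []) if link in links_up]
    if candidates:
        # While the available links are unchanged, one SLS always maps to one link.
        return candidates[label.sls % len(candidates)]
    if label.dpc in ROUTES and C_LINK in links_up:
        return C_LINK  # normal path unavailable: hand the message to the mate
    return None  # unknown DPC, or no path at all

if __name__ == "__main__":
    raw = build_routing_label(dpc=0x0101, opc=0x0303, sls=5)  # constructed message
    label = parse_routing_label(raw)
    print(raw.hex(), label, select_link(label, {"a-link-hlr-0", "a-link-hlr-1", C_LINK}))
```

Note that nothing in this path looks past the routing label, which is why content-based filtering has to happen in a separate device.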
Link types
The SS7 architecture defines distinct link categories based on their function in the network hierarchy:
- A-links (Access): Connect a Signalling Point (MSC, HLR, SGSN) to an STP. Most links in the network are A-links.
- B-links (Bridge): Connect STPs in the same level of the hierarchy between different mated pairs.
- C-links (Cross): Connect the two STPs of a mated pair.
- D-links (Diagonal): Connect STPs at different hierarchical levels.
- E-links (Extended): Alternative access links from a Signalling Point to a secondary STP pair.
- F-links (Fully associated): Direct links between two Signalling Points (bypasses STP), used for high-traffic pairs.
Architecture role
In a national 2G/3G network, the STP infrastructure typically consists of at least two levels: local or regional STPs serving geographic clusters of MSCs and SGSNs, and national STPs connecting the regional layer and the international gateway.
At the international boundary, dedicated international STPs, sometimes called Gateway STPs (GSTPs), interface with foreign networks via bilateral signalling links. These GSTPs also perform the GTT function for cross-border MAP messages: when an HLR in the home country needs to respond to a MAP query from a visited network, the STP routes it via the appropriate international link based on the originating network's point code.
In 2G GSM: The STP infrastructure uses TDM-based MTP2 links (64 kbit/s E1 timeslots) between nodes. National STP pools handle millions of MAP messages per day for a large operator.
In 3G UMTS: The same STP infrastructure is reused. SIGTRAN extends the SS7 signalling stack to run over IP networks: the M3UA protocol carries MTP3 user messages over SCTP, allowing SS7 signalling to traverse IP networks while the STP continues to perform its MTP3 routing function. Many modern STPs are IP-based, running M3UA natively.
In 4G: The native 4G signalling protocol is Diameter, not SS7. However, the STP infrastructure persists wherever 2G/3G coverage is maintained. Combined STP/DRA products bridge SS7 and Diameter signalling for operators running mixed-generation networks.
International interconnect: The global SS7 roaming interconnect network (the GRX/IPX) connects national SS7 networks of hundreds of operators worldwide via bilateral peerings. At this interconnect layer, the international STP is the chokepoint through which all cross-border MAP traffic must flow. Operators in permissive regulatory jurisdictions have used international STP access to offer commercial SS7 access to third parties, enabling the SS7 attack ecosystem.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| A-link | SP ↔ STP | MTP2/MTP3 | Access link connecting signalling points to the STP |
| B-link | STP ↔ STP | MTP2/MTP3 | Bridge links between mated STP pairs at the same level |
| C-link | STP ↔ STP | MTP2/MTP3 | Cross-links between the two STPs in a mated pair |
| D-link | STP ↔ STP | MTP2/MTP3 | Diagonal links between STPs at different hierarchy levels |
| E-link | SP ↔ STP | MTP2/MTP3 | Extended access to secondary STP pair for resilience |
| F-link | SP ↔ SP | MTP2/MTP3 | Direct fully-associated link between high-traffic node pairs |
Security posture
The STP has a critical threat level, higher than any individual signalling node, because of its position in the traffic path. Every MAP message in the network transits an STP. A compromised or rogue STP can passively read every message (location updates, authentication vectors, call routing data) or actively modify, duplicate, or suppress messages.
The SS7 attack landscape depends on STP access. The published attack demonstrations from 2014 onwards were conducted using commercial SS7 access, which is effectively access to an international STP. An attacker who can inject an SS7 message into a network via an STP can target any subscriber of any operator connected to that STP, regardless of their location.
Unlike the nodes it serves, the STP itself has no application-level understanding of the messages it routes. It processes routing labels, not message content. This means a firewall co-located with or adjacent to the STP, one that inspects message content and applies GSMA FS.11 category-based filtering, is the primary technical control for the attack surface the STP creates.
Attack surface
Passive intercept of transit traffic
An STP has visibility into the full content of every message it routes. A compromised STP can log all traffic (MAP location updates, authentication triplets, SMS content passing through Forward-SM messages, call routing data) without affecting message delivery. Detection is difficult because the STP's traffic volumes and patterns are normal.
Impact: Mass passive surveillance of all subscriber activity on all attached networks. Difficulty: Low once STP access is established; requires physical or logical access to the STP.
Message manipulation
An active compromise of an STP allows modification of messages in transit. GTT tables can be altered to reroute MAP traffic to attacker-controlled nodes. Individual messages can be dropped, duplicated, or their content modified, for example by altering an SRI response to return a rogue MSRN and redirect an incoming call.
Impact: Call hijacking, subscriber manipulation, network disruption. Difficulty: Medium. Requires administrative access to the STP or inline injection capability.
GTT manipulation
Global Title Translation maps subscriber identifiers to destination point codes. An attacker who can modify GTT tables, either by compromising the STP management plane or by injecting forged SS7 network management messages, can redirect all MAP traffic for a subscriber range to an arbitrary node.
Impact: Wholesale rerouting of subscriber management traffic; enables MITM on all MAP procedures for affected subscribers. Difficulty: Medium to high. Requires STP management access or SS7 network management message injection.
Launchpad for third-network attacks
An STP with interconnect to foreign networks is a launch platform. An attacker with access to one operator's STP can send MAP messages that transit to any connected network, targeting subscribers of any operator on the interconnect. The originating network's GTT tables provide the routing to reach foreign HLRs and SMSCs.
Impact: Global attack surface; any subscriber of any connected network is reachable. Difficulty: Low. Requires only SS7 access to the interconnect STP, available commercially.
Mitigations
- GSMA FS.11 category filtering at the international STP: Deploy a signalling firewall inline with or co-located with the international gateway STP. The firewall inspects MAP message content and applies GSMA FS.11 category-based blocking, rejecting Category 1 messages (unconditionally dangerous from roaming partners) and validating Category 2/3 messages against subscriber context. The STP itself cannot do this; it requires an adjacent application-layer inspection device.
- Point code access lists: Restrict which point codes can establish A-links to the STP. Unauthorised point codes should not be able to inject traffic into the signalling network via the STP.
- GTT table integrity and audit: Treat GTT tables as critical infrastructure configuration. Implement change management controls, audit all modifications, and periodically validate GTT routing against IR.21 data to detect drift or tampering.
- Transit traffic monitoring: Monitor the distribution of MAP message types transiting the STP. A sudden increase in SRI, ATI, or Reg SS messages from a specific interconnect partner is a reliable indicator of an ongoing attack campaign.
- Restrict STP management plane access: The STP management interfaces (CLI, SNMP, vendor-specific OAM protocols) must be protected from unauthorised access. Compromise of the management plane is equivalent to full STP compromise.
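One way to carry out the GTT audit recommended above, using the longest-prefix translation described in the Global Title Translation section (an added example, not from the original page or any vendor tooling). The baseline stands in for an approved table derived from change-managed configuration and IR.21 data; every prefix and point code is constructed.

```python
from typing import Optional

def translate(table: dict, gt: str) -> Optional[int]:
    """Longest-prefix match of a Global Title (digit string) to a DPC."""
    for n in range(len(gt), 0, -1):
        dpc = table.get(gt[:n])
        if dpc is not None:
            return dpc
    return None

def audit_gtt(running: dict, baseline: dict) -> list:
    """List prefixes whose effective routing in the live table differs from baseline.

    Comparing effective routes (not just dictionary keys) also catches a more
    specific entry that shadows part of a legitimate range.
    """
    findings = []
    for prefix in sorted(set(running) | set(baseline)):
        want = translate(baseline, prefix)  # where the approved table sends this range
        have = translate(running, prefix)   # where the live table sends it
        if want == have:
            continue
        if prefix not in baseline:
            kind = "shadowing entry" if want is not None else "unapproved entry"
        elif prefix not in running:
            kind = "missing entry"
        else:
            kind = "changed DPC"
        findings.append((prefix, kind, want, have))
    return findings

# Constructed tables: GT digit prefix -> destination point code.
BASELINE = {"23415": 0x0101, "4479": 0x0102, "4917": 0x0300, "33": 0x0300}
RUNNING = {"23415": 0x0101, "4479": 0x0102, "4917": 0x0301,
           "447900123": 0x3ABC}  # narrower range inserted under "4479"

if __name__ == "__main__":
    for prefix, kind, want, have in audit_gtt(RUNNING, BASELINE):
        print(f"{prefix:<10} {kind:<16} baseline={want} running={have}")
```

Checking only the union of configured prefixes is sufficient here, because any GT whose route differs between the two tables has its longest matching prefix in that union.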
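A sketch of the transit traffic monitoring item above, flagging a per-partner jump in the watched MAP operations against that partner's own recent history (an added example, not from the original page). The record format, partner names, operation labels and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

WATCHED = {"SRI", "ATI", "RegSS"}  # operation labels as they appear in the sample feed

def count_by_window(records):
    """records: iterable of (window_index, partner, operation) tuples."""
    counts = defaultdict(Counter)  # (partner, operation) -> {window: count}
    for window, partner, op in records:
        if op in WATCHED:
            counts[(partner, op)][window] += 1
    return counts

def find_spikes(records, current, history=4, factor=5.0, floor=20):
    """Return (partner, op, count_now, baseline) for counts in window `current`
    that reach `floor` and exceed `factor` times the median of prior windows."""
    alerts = []
    for (partner, op), per_window in sorted(count_by_window(records).items()):
        past = [per_window.get(w, 0) for w in range(current - history, current)]
        base = median(past)
        now = per_window.get(current, 0)
        # max(base, 1) lets a partner with no history still trip the rule.
        if now >= floor and now > factor * max(base, 1):
            alerts.append((partner, op, now, base))
    return alerts

def sample_records():
    """Constructed feed: five windows of per-message records from three partners."""
    recs = []
    for w in range(5):
        recs += [(w, "partner-A", "SRI")] * 10   # steady, legitimate volume
        recs += [(w, "partner-A", "UL")] * 200   # unwatched operation, ignored
        recs += [(w, "partner-B", "ATI")] * (120 if w == 4 else 3)
    recs += [(4, "partner-C", "RegSS")] * 40     # first seen in the current window
    return recs

if __name__ == "__main__":
    for partner, op, now, base in find_spikes(sample_records(), current=4):
        print(f"{partner} {op}: {now} in current window, baseline median {base}")
```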
Spec references
- ITU-T Q.704: Signalling network functions and messages. Defines MTP3 routing, the point code addressing scheme, and the link type hierarchy that STPs implement.
- ITU-T Q.714: SCCP procedures. Defines Global Title and Global Title Translation, the address resolution mechanism the STP performs for MAP-addressed messages.
- GSMA FS.11: SS7 and SIGTRAN Network Security. Section 3 defines the threat model; Section 4 addresses the interconnect architecture that STPs enable. Annex B describes the STP's role in the roaming attack surface and recommends firewall placement.
Related topics
The STP provides the routing infrastructure on which all SS7 signalling depends. The MSC, HLR, and SGSN all connect to the SS7 network via A-links to mated STP pairs. SIGTRAN allows STPs to carry SS7 over IP networks using M3UA/SCTP.
For the attack taxonomy enabled by STP access, see SS7 attacks. In the 4G Diameter world, the DRA plays an analogous routing role, though with significantly different security properties. The GRX/IPX interconnect network that STP international links traverse is described in roaming architecture.