2013 27th International Conference on Advanced Information Networking and Applications Workshops
Effects of Signaling Attacks on LTE Networks
Ramzi Bassil Imad H. Elhajj
Department of Electrical and Computer Engineering
American University of Beirut
Beirut 1107 2020, Lebanon
{rtb01, ie05, chehab, ayman}@aub.edu.lb
Abstract Attacks on the signaling plane have been well
documented for different generations of cellular networks. The
effects of these attacks vary from a decrease in the quality of
service (QoS) all the way to a denial of service (DoS). Long Term
Evolution (LTE) is the next generation cellular network that is
primarily designed based on the IP protocol and is expected to
achieve wide scale adoption worldwide. LTE employs a different
network architecture than its predecessors that should allow for
more efficient processing of signaling and data packets. In this
paper, we investigate the effects of signaling attacks against LTE
networks. An attack consists of malicious users who take
advantage of the signaling overhead required to setup and release
dedicated bearers in order to overload the signaling plane by
repeatedly triggering dedicated bearers requests. The attack is
simulated in OPNET under diverse scenarios in order to assess
the effects of the increased signaling on the different LTE
network entities. The results show that the increased signaling
traffic causes higher processing loads at the Enhanced Node-B
(eNB) as well as the Evolved Packet Core. We also present a
comparison of the signaling requirements in LTE and UMTS.
Keywords: LTE, LTE security, signaling attacks, bearer.
I. INTRODUCTION
As the borderline between cellular networks and the Internet
is becoming more blurred, the seamless integration and
convergence of these two technologies is imminent. With the
advent of smart phones and their market proliferation, phones
are no longer limited to voice communication but are used as a
platform to perform virtually any computing task their users
require. Supporting these advanced features can become a
daunting task for telecom operators as they are required to
provide a new set of supplementary services that will surely
create an additional burden on their resources and
infrastructure. The additional burden is mainly due to the
drastic increase of data and signaling traffic to accommodate
the services offered by various applications. Signaling traffic
includes all the control and setup messages generated by the
mobile phone and the cellular network prior to the initiation of
a data session. The explosion of traffic has become a major
concern for telecom operators and hence, coming up with
solutions to resolve possible stresses and failures, is of
paramount importance.
Since the dominant next generation network will be LTE,
this paper studies the different signaling interactions that take
place between the user equipment (UE) and the network
infrastructure and identifies the UE dedicated bearer request
procedure as the most signaling-heavy interaction that can be
978-0-7695-4952-1/13 $26.00 2013 IEEE
DOI 10.1109/WAINA.2013.136
Ali Chehab Ayman Kayssi
amplified and exploited by malicious users. Thus, a signaling
attack would consist of malicious users issuing a large number
of dedicated bearer requests that are initiated simultaneously
causing the network entities to go through the signaling
procedure to setup dedicated bearers. After obtaining the
dedicated bearers, the malicious UEs would not use them or
use them very scarcely, and then, the inactive bearer timeout
expires and as a result, the bearer will be deactivated causing
the network entities to go through the signaling procedure to
tear down the dedicated bearers. After that, the malicious UEs
will repeat the same procedure over and over again to amplify
the attack. We study the effects of such an attack by
simulating multiple scenarios and analyzing their effects on
different network metrics.
The rest of the paper is organized as follows: In section 2
we present a literature review of signaling-based attacks
against cellular networks. In section 3, all parameters related
to signaling attacks will be thoroughly described. In section 4,
the simulation of the described attack is implemented in
OPNET under different scenarios and the results are analyzed.
Section 5 presents an analysis of LTE and a comparison with
UMTS network signaling requirements. Conclusions are
presented in section 6.
II. SURVEY OF SIGNALING ATTACKS
In this section a literature review of the signaling attacks
against the different cellular network generations is presented.
A. GSM/GPRS Signaling Attacks
In [1], Traynor et al. describe an attack on GSM networks.
The authors explore the possibility of having a cellular
botnet and its devastating effects on the network core. The
attack is mounted on the HLR which has a crucial role in
providing the services required for normal network operation.
The authors explore the different types of interactions that
users have with the HLR database, and deduce that call-
forwarding requests are the most costly requests on this
database as they require the highest number of signaling
messages to be exchanged. So, if an attacker is able to form a
botnet of 2% of the mobile phones served by a certain HLR,
he would be able to flood the HLR with call-forwarding
requests and thus achieve excessive service degradation in the
network which might lead to a network-wide DoS.
In [2], Traynor et al. identify vulnerabilities that expose the
weakness in access control, resource management and QoS
mechanisms of the mobile phones operating systems. For
499
example, the vulnerability in Bluetooth technology allows
attackers to issue Attention commands to nearby phones
causing the initiation of phone calls or sending text messages
without the knowledge of the phones owner. The network
impact of the above attack is that it may be used to block GSM
control channels.
In [3], Traynor shifts the attention to vulnerabilities that
occur in GPRS networks. Devices operating in GPRS
networks have three states: IDLE, STANDBY, and READY.
Upon establishing a connection, the device enters the READY
state and a 5-bit temporary flow identifier (TFI) is used as a
unique MAC address. Because the connection setup is an
expensive operation that requires extensive signaling
exchange, devices remain in the READY state expecting the
arrival of more packets. Thus, if an attacker initiates 32
messages to the same sector, the TFI space will be saturated
and hence preventing legitimate users from receiving traffic.
B. SMS-based Attacks
Traynor et al. address the feasibility of targeted text
messaging attacks in [4]. The authors indicate that an SMS
based DoS attack may disable voice communications in a
metropolitan area. Given the fact that sending an SMS is quite
demanding on the network resources, the increase in SMS
traffic might lead to conquering all the standalone dedicated
control channels (SDCCHs), which will inhibit legitimate
users from making voice calls and sending text messages. To
overcome this issue, the authors propose to have a
differentiated service whereby voice calls have a higher
priority than SMS.
In [5], Mulliner et al. explore techniques that allow SMS
injection. The authors state that from a security standpoint,
SMS is the worst possible attack vector since it is always on as
long as the phone is connected to the network. On an iPhone,
an attack was able to crash SpringBoard thus interrupting
any running application and then locked the phone. Another
SMS attack led to crashing the CommCenter process making
the phone lose all network connectivity. These two attacks
cause serious DoS whereby the user is no longer able to use
their iPhone. Similar analysis showed an identical attack on
Android phones is feasible whereby the device was
disconnected from network without the users knowledge.
C. 3G Signaling Attacks
In [6], the authors present a signaling-oriented DoS attack
that makes use of the large number of signaling messages
required to setup and terminate sessions in UMTS and
CDMA2000 networks. According to the authors, 15 signaling
messages are required for session setup and an additional 12
messages are required to release the resources, which makes
low-rate, low-volume DoS attacks feasible by repeatedly
initiating bogus setup requests at specifically timed periods.
In [7], the authors investigated the weaknesses and causes of
attacks in current 3G networks, thus allowing the design and
standardization of 4G networks to be more robust. In 3G
networks, attacks can be based on dedicated channel
assignment, whereby there are two channels over which data
packets can be forwarded: the Forward Access Channel
(FACH) which is a shared channel used when the packet
arrival rate is below a certain threshold, and the Dedicated
500
Channel (DCH) which is given exclusively to an MS when the
packet arrival rate becomes high enough and is released after a
certain timeout period. The attacker in this scenario would try
to maximize the transition frequency between FACH and
DCH, as this involves considerable signaling to take place, or
to prevent a DCH from being released, thus maliciously
overloading the DCHs.
The work in [8] presents signaling DoS attacks in the
UMTS network. According to the authors, UMTS is
susceptible to security threats and attacks due to the use of
some lightweight security techniques and the fact that it is
designed to maintain backward compatibility with GSM. The
DoS attacks occur when an attacker modifies some of the
unprotected initial control messages to manipulate specific
procedures or make them repeat leading to a decrease in QoS
all the way to a massive DoS.
III. LTE SIGNALING ATTACK
An LTE bearer is responsible for carrying information in the
network and there are three kinds of bearers: radio bearers, S1
bearers, and EPS bearers [9]. The radio bearers are responsible
for the UE-Enhanced NodeB (eNB) interface, the S1 bearers
for the interface between the eNB and Mobility Management
Entity (MME) interface, and the EPS bearers for the MME-
Serving Gateway (SGW) interface. Each radio bearer is
mapped to one S1 bearer which is in turn is mapped to one
EPS bearer. An important feature of using bearers is that it
becomes possible to differentiate between payloads according
to the type of traffic they carry through the traffic flow
template (TFT) field. According to the users contract with the
operator and the type of data being sent, a certain TFT will be
assigned, and this data will be mapped to a certain bearer.
Upon initial attachment to network, each UE will be
assigned a default bearer that remains active throughout the
UEs presence in the Radio Resource Control (RRC)
connected state. When the UE sends or receives traffic, a
dedicated bearer would be assigned according to the type of
traffic requested. A dedicated bearer can be either a
guaranteed bit rate (GBR) bearer if there are dedicated
network resources reserved for it, or a non-GBR bearer if it is
provided as best effort service.
In order to setup a dedicated bearer, signaling messages are
exchange among the different LTE network entities, namely
UE, eNB, MME, SGW, and Packet Data Network Gateway
(PDN GW). Twelve messages are required for the activation
procedure, six of which are processed by the eNB.
Furthermore, to deactivate this bearer similar signaling
exchange takes place, also requiring 12 messages. Such
signaling exchange imposes significant overhead and it can be
amplified due to the fact that the maximum number of data
bearers that a UE can establish is eight. Thus, a well-timed
attack by a group of malicious users may cause a substantial
strain on network resources. The attack would consist of a
large number of dedicated bearer requests that are initiated
simultaneously forcing setup and then teardown repeatedly.
The downlink physical channel, over which the signaling for
bearers takes place, is the Physical Downlink Shared Channel
(PDSCH) while in the uplink it is the Physical Uplink Shared
Channel (PUSCH). Thus, to monitor the effects of this attack,
we observe the CPU percentage utilization of eNBs and EPCs,
the percentage utilization of the Physical Downlink Control
Channel (PDCCH), PDSCH, PUSCH, and the traffic on the
different bearers.
IV. IMPLEMENTATION
The attack scenario described in Section III was
implemented in OPNET [11] to verify its feasibility and its
effect on the signaling plane. The simulations are done for one
LTE cell containing 75 UEs. Multiple applications were
defined for the UEs and different applications were mapped to
different bearers according to the standardized QCI table. One
bearer was assigned to the voice application; another bearer
for video traffic, one for FTP traffic, and one for HTTP traffic.
These bearers are properly assigned TFT values so that proper
traffic-to-bearer mapping would occur. Note that the scale of
the attack could be increased by defining more bearers per UE
as this would enable the malicious user to generate additional
signaling traffic. Figure 1: Traffic on the Different Bearers for a Malicious UE.
The eNB serves multiple UEs some of which may be
malicious. A malicious UE requests a bearer, uses it for a short Figure 2 shows the percentage utilization of the different eNB
time, allows it to expire, and then immediately requests physical channels and we can see that the physical channels
another bearer. Such behavior would be continuously repeated are almost completely used up, with the exception of PDSCH
for the four different bearers hence forcing the different LTE which utilization drops below 80% when the malicious UEs
network entities to go through attach and detach procedures are not utilizing the bearers. This shows that the 75 UEs are
for each bearer multiple times. In order to isolate the effect of completely using up the resources at the eNB. The eNB and
the signaling traffic on the network resources, several EPC CPU percentage utilizations are shown in Figure 3. The
experiments were devised where the following parameters maximum eNB CPU load required to serve the 75 UEs
were varied: number of malicious UEs, Processing Speed reaches 8% when the UEs are using their bearers, and drops to
Multiplier (PSM) at the eNB and EPC, eNB inactive bearer just 1% when the UEs deactivate their bearers. The average
timeout, and synchronization between UEs. CPU utilization between 100 and 500 sec is 2.85% and the
standard deviation is at 2.54%, which is a high value
A. Number of Malicious UEs indicating the high fluctuations in the CPU load. The same
The simulated LTE network contains 75 UEs that are analysis for the EPC where the maximum utilization reaches
seeking data connections. We perform two simulations: one in 10.5% and the minimum utilization goes down to 3%.
which all UEs are malicious and another in which all UEs are
non-malicious. The eNB inactive bearer timeout in this case
was kept at its default value of 20 sec. Furthermore, in this
scenario we vary the PSM for both the eNB and EPC in order
Utilization %

to analyze the attack effects for different CPU capabilities.

1) Processing Speed Multiplier = 1
For the case where all UEs are malicious, the traffic on the
dedicated bearers for a UE is shown in Figure 1 where we
have 5 bearers from the top: bronze, default, gold,
platinum, and the silver bearer at the bottom.
The platinum bearer carries HTTP traffic, the gold carries
video traffic, the silver carries FTP traffic, and the bronze
carries voice traffic. An additional file print application was
defined on the UEs without mapping it to any specific bearer,
and thus its traffic uses the default bearer. Moreover, the
applications on all the different bearers will function for 5 sec,
then go idle for the duration of the inactive bearer timeout
which is 20 sec, and then repeat the process again. This will
lead to the initiation of an activation request procedure
followed by a deactivation request for the 4 bearers of all the
UEs at exactly the same time since, the data traffic on the
different bearers is synchronized and hence leading to an
increase in the network signaling traffic.



Time (seconds)
Figure 2: Percentage Physical Channel Utilization at the eNB (Malicious UE)
A similar simulation was performed for the case where all the
UEs are non-malicious. The traffic on the different dedicated
bearers is shown in Figure 4 where we can see that once a UE
establishes a bearer, it will be used throughout the session, and
there are no periodic requests that cause additional signaling
exchanges within the network. The resultant physical channel
consumption is shown in Figure 5 where we see that the
utilization of both the uplink and the downlink shared
channels (PUSCH and PDSCH) is 100%, meaning that all the
physical resources at the eNB are used up.

501
 For the case where all the UEs are non-malicious, the CPU

Utilization %

encountered in the malicious case, further establishing the fact
that the signaling attack is leading to higher transient CPU
Time (seconds)
Figure 3: Percentage Utilization of the eNB and EPC CPU (PSM=1)
Figure 4: Traffic on the Different Bearers for a Non-Malicious UE
Next, the eNB and EPC CPU utilizations are shown in
Figure 6. It can be seen that the CPU utilization at the eNB is
constant at 7% after all the UEs access the network and this is
slightly lower than the peak value in the case of malicious
UEs. However, both values are relatively low indicating that
the eNB can handle further signaling packets; the bottleneck in
this case is the fact that the physical channels are completely
used up due to the data traffic. The same analysis presented
above applies to the EPC CPU utilization percentage, where
for the non-malicious case it remains constant at around 9.3%,
while for the malicious case it goes up to 10.5%. Thus, for the
case when the PSM = 1, the additional CPU load incurred due
to this attack is small and the major bottleneck is the
availability of the physical channels.
2) Processing Speed Multiplier = 0.5
This scenario corresponds to a slower CPU. The bearer
traffic sent and the percentage utilization of physical channels
by the UEs is the same as shown previously in Figure 1. The
maximum eNB CPU utilization reaches around 17% during
the times where the malicious UEs are using their bearers, and
drops to 0% when the UEs deactivate their bearers. The
average CPU utilization is 5.34% and the standard deviation is
around 5.33%, which is a high value indicating the high
fluctuations in the CPU load. For the EPC, the maximum
utilization reaches 24% and the minimum utilization goes
down to 0%.
502
utilizations for both the eNB and EPC are almost constant
after the UEs obtain network access, at 14.5% and 20%
respectively. These values are lower than the peak CPU load
loads at eNB and EPC.
Utilization %






Time (seconds)
Figure 5: Percentage Utilization of Physical Channels at the eNB

Utilization %

Time (seconds)
Figure 6: CPU Percentage Utilization of eNB and EPC
3) Processing Speed Multiplier = 0.1
For this scenario, the bearer traffic and the percentage
utilization of physical channels by the UEs are the same as
shown in Figure 1 and 2.
Concerning the percentage CPU utilization, the maximum
eNB CPU load reaches 93% during activation and drops to
just 1% during deactivation of bearers. The average utilization
is 28.67%, and the standard deviation is 27.47%. This means
that the average is relatively low due to the low loads
encountered when all the UEs detach, and the standard
deviation is very high reflecting the high fluctuations seen
between peak load and minimum load. For the EPC, the
maximum utilization reaches 100% and the minimum
utilization goes down to around 1%.
For the case of non-malicious UEs, the CPU utilization at
the eNB is almost constant after all the UEs access the
network at a value of 78% which is lower than the peak value
of 93% for the malicious case. The signaling attack is causing
a 15% transient increase in the maximum eNB CPU
processing, which is a significant value. Hence, users who are
trying to obtain network access during the attack would have
fewer resources to work with and thus they would suffer from
momentary service degradation. The same analysis presented
above applies to the EPC CPU utilization percentage, where
for the non-malicious case it remains constant at around 97%,
while for the all-malicious case it goes up to 100%.
4) Processing Speed Multiplier = 0.01
A PSM value of 0.01 is intended to see the effects of the
attack on CPU constrained devices (cheaper hardware). Figure
7 shows the bearer traffic received by the UE for its different
bearers in the malicious case.
Figure 7: Bearer Traffic Received (PSM=0.01)
As it can be seen, most of the bearers do not carry any
traffic showing that the eNB is unable to respond to the
incoming requests due to its limited processing power. This
can be further assured by looking at the utilization of the
physical channels in Figure 8.



Utilization %
C. Synchronisation between Malicious UEs
is no complete synchronization between the malicious UEs;
Time (seconds)
the bearer activation and deactivation requests occur at
Figure 8: Percentage Utilization of Physical Channels (PSM=0.01)
The utilization of all the physical channels drops
significantly in this case for all the channels, especially for the
downlink channels where the maximum utilization reaches
40%. Furthermore, the PDSCH is not congested meaning that
the applications are not being properly served. It can be
inferred that due to the severe limitation in the CPU resources
of the eNB and EPC, the LTE network is not able to respond
to the incoming requests.
503
Concerning CPU utilization of eNB, it reaches 100% during
the attack, while the EPC utilization remains at 100% at all
times indicating that both eNB and EPC CPUs are not able to
respond to the incoming requests from the UEs which explains
the fact that the downlink channels are not congested.
The same conclusions can be drawn after running the
simulations for the non-malicious case. The PUSCH is
completely saturated indicating that the UEs are sending a lot
of application traffic on the uplink to the eNB, while on the
other hand the PDSCHs utilization is less than 10% indicating
that due to the limited CPU capabilities, the application
requests are not being served and thus the downlink channels
are not congested. The results for the CPU utilization show
that both eNB and EPC CPU are 100%.
B. Inactive Bearer Timeout
In this scenario, the PSM is set to 0.1 because at this value
the effects of the attack can be seen the most. The results
presented in the previous section correspond to the case where
the inactive bearer timeout is set at 20 sec. In this section,
simulations are done for a timeout of 5 sec. The results (Figure
9) show that eNB and EPC percentage CPU utilizations are
fluctuating at a higher frequency. For the timeout case of 20
sec, the minimum CPU load is at 1% while for a timeout of 5
sec, the minimum CPU load increases to 15% indicating
increased processing. However, the maximum load in both
cases is the same at 93%. The average CPU utilization in this
scenario is at 47.8%, which is significantly higher than the
case of 20-sec timeout. This result is expected since the eNB
is being interrupted more often and thus it will perform more
processing. The same analysis applies for the EPC CPU,
which makes them both more vulnerable to such attack.


Utilization %
Time (seconds)
Figure 9: Utilization of eNB and EPCC PU for timeout 5 seconds(PSM=0.1)
In this section, we show the results for the case when there
slightly different times, with a PSM value of 0.1. The eNB
CPU utilization is shown in Figure 10 where it is seen that the
maximum CPU load does not exceed 80% while the minimum
load does not drop below 28%. The average CPU load for this
case is 52%, which is almost double the synchronized case,
but the standard deviation is much lower at 12.86%. The same
analysis also applies to the EPC CPU load. So it is more
advantageous for an attacker to have synchronization between
the different UEs as this would require higher peak processing
at the eNB, thus causing transient stresses on it and leading to
unreliable operation.
 V. ANALYSIS AND COMPARISON TO UMTS
The results obtained show that the signaling load imposes
additional burden on the LTE infrastructure in the form of an
increase in the peak processing loads at both the eNB and EPC
and it makes the CPU saturate in an intermittent fashion. Thus
users trying to obtain network access during the attack will get
a degraded service or may even be denied service altogether.
These results demonstrate that LTE networks are still
vulnerable to signaling attacks and may not be able to handle
high signaling loads although they were designed to provide
robustness against such attacks. In [7], the authors reviewed
the main reasons for the success of attacks against 3G
networks and proposed some approaches that should be
followed towards a more robust design for next generation
cellular networks, and those included removing the concept of
dedicated channels (the recommendation was actually adopted
in LTE). The fact that LTE employs a flatter architecture than
what was used in 3G systems implies that fewer messages
traverse the network entities. Despite this fact, signaling
attacks lead to transient increases in CPU loads for both the
eNB and EPC making them closer to saturation.
The major signaling attacks described for 3G networks are
those that take advantage of the signaling required to move
among the RRC states. The RRC state machine in 3G
networks is quite complex and numerous transitions among
these states are expected. In LTE, the RRC state machine is
highly simplified to avoid the signaling overhead and the state
transition complexity incurred in the RRC state machine of
3G, and it actually comprises only two states: idle and
connected. Comparing the RRC states between 3G networks
and LTE it can be clearly concluded that the state machine
was optimized in LTE to overcome the control and signaling
overheads incurred by the numerous state transitions in 3G.
But on the other hand, the fact that each UE has the ability to
initiate up to eight dedicated bearers leads to increasing the
signaling overhead due to the signaling exchanges required to
initiate and deactivate dedicated bearers. This fact is used in
the signaling attack described in this paper.


Utilization %
[10]
Time (seconds)
Figure 10: eNB CPU Utilization for timeout 5 sec and un-synched UEs
VI. CONCLUSIONS
In this paper, we described a signaling attack that aims at
increasing the volume of signaling traffic exchanged between
504
the LTE network entities through continuous bearer activation
and deactivation requests. The attack was implemented in
OPNET to verify its feasibility and its effects. The results
showed that increasing the signaling volume leads to higher
processing loads at both the eNB and EPC. Moreover, when
the eNB and EPC CPUs are completely saturated, incoming
application requests would no longer be served and as a result
traffic on the downlink channels will significantly decrease.
Lowering the inactive bearer timeout at the eNB increases the
signaling volume in the network and thus leads to a higher
processing load at both the eNB and the EPC. The results also
showed that a synchronized attack is more effective than an
unsynchronized one because the sudden burst in the signaling
traffic leads to sudden load peaks at the eNB and EPC CPUs.
Also, we presented a comparison between signaling
requirements in 3G and LTE networks.
ACKNOWLEDGMENTS
The authors would like to acknowledge TELUS Corporation
and the Lebanese NCSR for their support of this research
work.
REFERENCES
[1] Traynor P., Lin M., Ongtang M., Rao V., Jaeger T., McDaniel P., La
Porta T., On Cellular Botnets: Measuring the Impact of Malicious
Devices on a Cellular Network Core, Computer and Communications
Security (CCS), Illinois, November 2009.
[2] Traynor P., Amrutkar C., Rao V., Jaeger T., McDaniel P. and La Porta
T., From mobile phones to responsible devices, Security and
Communication Networks, Wiley Online Library, 2010.
[3] Traynor P., McDaniel, P., La Porta T., On Attack Causality in Internet-
Connected Cellular Networks, Proceedings of the 16th USENIX
Security Symposium, Boston, August 2007.
[4] Patrick Traynor, Enck, W., McDaniel, P., La Porta, T., "Mitigating
Attacks on Open Functionality in SMS-Capable Cellular Networks,"
Transactions on Networking, IEEE/ACM, vol.17, no.1, pp.40-53, Feb.
2009.
[5] C. Mulliner and C. Miller, Fuzzing the Phone in Your Phone,
presentation at Black Hat 2009; www.blackhat.com/presentations/ bh-
usa-09/MILLER/ BHUSA09 -Miller-FuzzingPhone-PAPER.
[6] Lee P.C.; Bu T.; Woo T., On the Detection of Signaling DoS
Attacks on 3G/WiMax Wireless Networks, Computer
Networks, April 2009.
[7] Ricciato F.; Coluccia A.; DAlconzo A., A review of DoS
attack models for 3G cellular networks from a system-design
perspective, Elsevier Computer Communications, November
2009.
[8] Georgios Kambourakis; Constantinos Kolias; Stefanos Gritzalis;
Jong Hyuk Park, Signaling-Oriented DoS Attacks in UMTS
Networks ISA 2009: 280-289.
[9] Arunabha Ghosh, Jun Zhang, Jeffrey G. Adrews, and Rias
Muhamed, Fundamentals of LTE Prentice Hall.
Najah Abu Ali; Abd-Elhamid M. Taha; Hossam S. Hassanein,
Lte, Lte-Advanced and Wimax: Towards Imt-Advanced
Networks, Wiley, 2012.
[11] OPNET Technologies Inc., http://www.opnet.com