Every time you make a phone call, send an SMS, or roam onto a foreign mobile network, an invisible signaling network carries the control messages that make it happen. This network is SS7, Signaling System No. 7, a set of protocols that has been the backbone of global telecommunications since the early 1980s. Despite the rise of IP-based alternatives, SS7 still carries the majority of the world's telephony signaling, and understanding it is essential for anyone working in telecom infrastructure.
What SS7 Does (and What It Does Not Do)
SS7 is a signaling protocol, not a voice transport protocol. It does not carry the actual audio of a phone call. Instead, it carries the control messages that set up, manage, and tear down calls. Think of it as the nervous system of the telephone network: the voice itself travels over separate circuits (TDM) or IP paths (VoIP), but the decisions about where to route calls, how to authenticate mobile subscribers, and how to deliver SMS messages are all made through SS7 signaling.
Before SS7, telephone signaling was "in-band," meaning the control tones traveled on the same circuit as the voice. This created security problems (phone phreaks could whistle tones to manipulate the network) and limited the types of services that could be offered. SS7 moved signaling to a completely separate network, enabling features like caller ID, call forwarding, toll-free numbers, local number portability, and eventually mobile telephony.
The SS7 Protocol Stack
SS7 is organized into layers, similar in concept to the OSI model but predating it. Each layer provides specific functionality:
MTP (Message Transfer Part) -- Layers 1-3
MTP provides reliable transport of signaling messages between network nodes. It has three sub-layers:
- MTP Level 1 (Physical): Defines the physical, electrical, and functional characteristics of the signaling link. Traditionally, this was a 64 kbps DS0 timeslot on a T1/E1 circuit. Each signaling link carries only signaling data, never voice.
- MTP Level 2 (Data Link): Provides reliable, sequenced delivery of signaling messages over a single link. It handles error detection (16-bit CRC), error correction (retransmission), and flow control. Messages are called Signal Units, which come in three types: MSU (Message Signal Unit, carrying actual signaling data), LSSU (Link Status Signal Unit, for link state management), and FISU (Fill-In Signal Unit, keepalives sent when no real traffic is pending).
- MTP Level 3 (Network): Provides message routing between signaling points. This is where point codes become important. Every node in the SS7 network has a unique point code (a numeric address), and MTP3 routes messages based on the Destination Point Code (DPC) in the message header. MTP3 also handles network management: if a link fails, it reroutes traffic to alternative paths.
SCCP (Signaling Connection Control Part)
SCCP sits above MTP3 and provides two critical capabilities that MTP3 lacks: Global Title (GT) addressing and connection-oriented signaling.
While MTP3 routes based on point codes, many applications need to address messages using phone numbers or other identifiers. SCCP translates these "Global Titles" (essentially E.164 phone numbers or IMSI-based addresses) into point codes through a process called Global Title Translation (GTT). This is analogous to DNS in the IP world: the application says "deliver this to IMSI 310260..." and SCCP figures out which point code handles that subscriber.
Global Title Translation Example:
Application says: "Send to GT +1-212-555-1234"
SCCP translates: GT +1-212-555 → Point Code 1-234-5 (NYC MSC)
MTP3 routes: Message → Point Code 1-234-5TCAP (Transaction Capabilities Application Part)
TCAP provides a transaction framework for request-response operations. It allows an application to send a query and receive a response, managing the association between requests and responses through transaction IDs. TCAP is used by higher-layer protocols like MAP and CAP that need dialogue-based communication rather than simple one-shot messages.
ISUP (ISDN User Part)
ISUP is the protocol responsible for setting up and tearing down voice calls on the PSTN. When you dial a phone number, ISUP messages flow between the switches involved in the call:
- IAM (Initial Address Message): Sent from the originating switch to the next switch in the path. Contains the called number, calling number, call type, and circuit identification code (CIC) identifying which voice circuit to use.
- ACM (Address Complete Message): Sent back when the destination switch has identified the called party and is ringing the phone. This triggers the ringback tone for the caller.
- ANM (Answer Message): Sent when the called party picks up. This is the billing trigger -- the call timer starts when ANM is received.
- REL (Release Message): Sent when either party hangs up, with a cause code indicating why the call ended.
- RLC (Release Complete): Confirms that the circuit has been released and is available for reuse.
Voice Call Setup (ISUP):
Caller's Switch ----IAM----> Transit Switch ----IAM----> Called Switch
<---ACM----- <---ACM----- (ringing)
<---ANM----- <---ANM----- (answered)
... voice call in progress ...
----REL----> ----REL----> (hangup)
<---RLC----- <---RLC----- (circuit free)MAP (Mobile Application Part)
MAP is the protocol that makes mobile telephony possible. It carries all the signaling between mobile network elements -- HLR, VLR, MSC, SMSC -- that enables subscriber mobility, authentication, and SMS delivery. Key MAP operations include:
MAP_UPDATE_LOCATION: Sent when a subscriber registers on a new MSC/VLR (including roaming). Tells the HLR where the subscriber currently is.MAP_SEND_AUTHENTICATION_INFO: VLR requests authentication vectors from the HLR to challenge the subscriber's SIM.MAP_INSERT_SUBSCRIBER_DATA: HLR pushes subscriber profile data to the VLR.MAP_SEND_ROUTING_INFO: Used to find the current location of a mobile subscriber for call delivery.MAP_MO_FORWARD_SM/MAP_MT_FORWARD_SM: SMS delivery -- Mobile Originated (phone to SMSC) and Mobile Terminated (SMSC to phone).MAP_PROVIDE_ROAMING_NUMBER: Request a temporary MSRN for routing a call to a roaming subscriber.
SMS delivery is one of the most common MAP operations. When you send an SMS, your phone transmits it to the MSC, which forwards it to the SMSC (Short Message Service Center) using MAP_MO_FORWARD_SM. The SMSC then queries the HLR to find the recipient's current MSC/VLR, and delivers the message using MAP_MT_FORWARD_SM. If the recipient is unreachable, the HLR sets a "message waiting" flag and notifies the SMSC when the subscriber becomes available. For a deeper dive into how roaming ties into this, see our guide on how mobile roaming works.
Signaling Points: SSP, STP, SCP
Every node in the SS7 network is classified as one of three types:
- SSP (Service Switching Point): The telephone switch itself (MSC, GMSC, or local exchange). SSPs originate and terminate signaling messages. When you make a call, your local SSP generates the ISUP IAM message.
- STP (Signal Transfer Point): A signaling router. STPs do not originate or terminate calls; they relay signaling messages between SSPs and SCPs. Large networks deploy STPs in mated pairs for redundancy. The STP performs Global Title Translation, routing messages based on their destination address.
- SCP (Service Control Point): A database or application server. SCPs handle queries for services like toll-free number translation (which carrier handles 1-800-FLOWERS?), local number portability (which carrier now owns this ported number?), and mobile subscriber lookup (HLR). The SCP processes the query and returns a response via TCAP.
Point Codes and Addressing
Every signaling point has a unique point code, which is its address in the SS7 network. Point code formats differ by region:
- ITU format (used internationally): 14 bits, structured as Zone-Area-SP (3-8-3 bits). Example:
2-100-5 - ANSI format (used in North America): 24 bits, structured as Network-Cluster-Member (8-8-8 bits). Example:
250-010-003
Point codes are analogous to IP addresses in the internet. MTP3 routing tables at each node specify which outgoing link to use for each destination point code, similar to IP routing tables. The key difference is that SS7 networks are much smaller than the internet (thousands of nodes, not billions) and are privately managed, so routing is relatively static.
SIGTRAN: SS7 over IP
As the telecommunications industry migrated to IP infrastructure, carrying SS7 signaling over traditional TDM links became increasingly impractical. SIGTRAN (Signaling Transport) is a set of IETF protocols that transport SS7 signaling messages over IP networks using SCTP (Stream Control Transmission Protocol) as the transport layer.
SIGTRAN defines several adaptation layers, each corresponding to a different level of the SS7 stack:
- M2UA (MTP2 User Adaptation): Carries MTP3 messages over IP, replacing MTP2 links.
- M3UA (MTP3 User Adaptation): The most widely used adaptation layer. Carries SCCP/ISUP messages over IP, replacing MTP3 routing. This is what most modern SS7 gateways implement.
- SUA (SCCP User Adaptation): Carries TCAP messages over IP, replacing SCCP.
Traditional SS7: SIGTRAN:
MAP / CAP MAP / CAP
TCAP TCAP
SCCP SCCP
MTP3 M3UA
MTP2 SCTP
MTP1 (E1/T1) IPSCTP was chosen over TCP for its multi-homing and multi-streaming capabilities. An SCTP association can span multiple IP addresses on each endpoint, providing automatic failover if one path fails. This matches the reliability expectations of telecom signaling, where five-nines availability (99.999%) is the standard.
MOBITELSMS provides a full SS7/SIGTRAN gateway implementation supporting M3UA, SCCP, TCAP, MAP, and ISUP, enabling IP-based applications to interwork with traditional SS7 networks for services like SMS termination, HLR lookup, and number portability queries.
SS7 Security Concerns
SS7 was designed in an era when the signaling network was a closed system accessible only to trusted telephone companies. There was no concept of authentication or encryption at the protocol level, because physical access to the signaling network was considered sufficient security. This assumption no longer holds.
The migration to SIGTRAN and the growth of the GRX/IPX interconnect network has expanded the number of entities with access to SS7 signaling. Security researchers have demonstrated several attack categories:
- Location tracking: An attacker with SS7 access can send
MAP_SEND_ROUTING_INFOorMAP_ANY_TIME_INTERROGATIONqueries to an HLR, receiving the current cell ID of any subscriber. This reveals the subscriber's physical location to within a few hundred meters in urban areas. - SMS interception: By sending a
MAP_UPDATE_LOCATIONthat registers a fake MSC/VLR for the target subscriber, an attacker can redirect incoming SMS messages to their own infrastructure. This has been used to intercept two-factor authentication codes. - Call interception: Similar to SMS interception, an attacker can redirect voice calls by manipulating the routing information for a subscriber.
- Denial of service: Sending
MAP_CANCEL_LOCATIONto an HLR causes the subscriber to be de-registered, effectively disconnecting them from the network. - Fraud: Manipulating charging records or redirecting calls to premium-rate numbers.
Mitigation Approaches
The industry has developed several defenses:
- SS7 firewalls: Deployed at network borders, these inspect incoming SS7 messages and block or filter suspicious operations. For example, a
MAP_SEND_ROUTING_INFOfrom an unexpected source can be blocked. - Category filtering: Operators classify SS7 messages into categories (Category 1: normal operation, Category 2: could be misused, Category 3: should never come from external networks) and apply filtering rules accordingly.
- GSMA FS.11 guidelines: The GSMA has published recommended practices for SS7 interconnect security, including message filtering rules, monitoring for anomalous signaling patterns, and requirements for GRX/IPX providers.
- Migration to Diameter/5G: Newer protocols like Diameter (used in 4G) and the 5G SBA (Service-Based Architecture) include built-in security mechanisms. However, interworking with SS7 networks remains necessary for the foreseeable future, so SS7 security cannot be ignored.
SS7 in the Modern Telecom Landscape
Despite being over 40 years old, SS7 is not going away. It remains essential for several reasons:
- 2G/3G networks: Still operational in most of the world (though being sunset in some markets), these networks depend entirely on SS7/MAP for mobility management and SMS.
- Interworking: Even in 4G/5G networks, SS7 interworking is required for roaming with operators that have not migrated, for SMS delivery to 2G/3G subscribers, and for interoperability with the PSTN.
- Number portability: LNP (Local Number Portability) queries in many countries still use SS7/TCAP to query the NPAC (Number Portability Administration Center).
- SMS aggregation: A significant portion of A2P (Application-to-Person) SMS traffic is delivered through SS7/MAP connections to SMSCs, even when the originating application uses HTTP APIs.
The trajectory is clear: new deployments use Diameter and HTTP/2-based protocols, but SS7 will coexist for at least another decade as legacy networks are gradually retired. For telecom engineers, understanding SS7 remains a fundamental skill, and for platform providers, supporting SS7 interconnection is a practical necessity.
MOBITELSMS supports the full SS7/SIGTRAN protocol stack through our SS7 gateway platform, providing MAP, ISUP, and CAMEL connectivity for operators transitioning between legacy and next-generation networks.