Method for controlling connection between terminal and network, and related apparatus
US-2021250811-A1 · Aug 12, 2021 · US
US11522879B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11522879-B2 |
| Application number | US-202016879222-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 20, 2020 |
| Priority date | May 20, 2020 |
| Publication date | Dec 6, 2022 |
| Grant date | Dec 6, 2022 |
Official abstract text for this publication.
A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from the network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies is indicative of an attack on a telecommunications network and performing a remediation action to the signaling messages resolving the attack when the one or more anomalies is indicative of an attack on the telecommunications network.
Opening claim text (preview).
The invention claimed is:
1. A device, comprising: a processor; and a memory coupled with the processor, the memory storing executable instructions that when executed by the processor, cause the processor to effectuate operations comprising: receiving, from network traffic, first signaling messages traversing a first interface associated with an Access and Mobility Management Function (AMF) of a core network and second signaling messages traversing a second interface associated with a Session Management Function (SMF) of the core network, wherein the first signaling messages are intercepted by the processor prior to reaching the AMF, and wherein the second signaling messages are intercepted by the processor prior to reaching the SMF; translating the first signaling messages and the second signaling messages into one or more events; detecting one or more anomalies by analyzing the one or more events; determining whether the one or more anomalies is indicative of an attack on a telecommunications network; and performing a remediation action to the first signaling messages and the second signaling messages to resolve the attack when the one or more anomalies is indicative of the attack on the telecommunications network.
2. The device of claim 1, wherein the processor is positioned in-line with the first interface and the second interface so as to intercept the first signaling messages and the second signaling messages, wherein the first signaling messages include user equipment (UE) registration and mobility information, wherein the second signaling messages include user information, wherein the determining whether the one or more anomalies is indicative of the attack on the telecommunications network is based on an analysis of the UE registration and mobility information in the first signaling messages and the user information in the second signaling messages, and wherein the processor further effectuates operations comprising sending the first signaling messages to the AMF and the second signaling messages to the SMF after the performing the remediation action to resolve the attack.
3. The device of claim 1, wherein the processor further effectuates operations comprising classifying the one or more anomalies according to an attack type and implementing an action policy to perform the remediation action based on the attack type.
4. The device of claim 1, wherein the one or more anomalies comprise attaches per day, attaches per device, or attaches per day per equipment type exceeding a predetermined threshold.
5. The device of claim 1, wherein the first and second signaling messages are received at an edge router from one or more Internet-of-things (IoT) devices.
6. The device of claim 1, wherein the remediation action comprises denying all registration requests of a set of user equipment (UE) of a plurality of UE to connect to the telecommunications network, denying a set of UE of the plurality of UE from connecting to the telecommunications network while allowing another set of UE of the plurality of UE to connect to the telecommunications network, reducing a rate of control messages from the plurality of UE, or blocking attach requests from the plurality of UE associated with a determined attack type.
7. The device of claim 1, wherein the network traffic comprises a request to attach to the telecommunications network, a request to re-register to the telecommunications network, a request for authentication information, or a request for resource allocation information.
8. The device of claim 1, wherein the first interface is a N1 interface or a S1 interface and the second interface is a N11 interface or a S11 interface.
9. A computer-implemented method comprising: receiving, by a processor, first signaling messages traversing a first interface associated with an Access and Mobility Management Function (AMF) of a core network and second signaling messages traversing a second interface associated with a Session Management Function (SMF) of the core network, wherein the first signaling messages are intercepted by the processor prior to reaching the AMF, and wherein the second signaling messages are intercepted by the processor prior to reaching the SMF; translating, by the processor, the first signaling messages and the second signaling messages into one or more events; detecting, by the processor, one or more anomalies by analyzing the one or more events; determining, by the processor, whether the one or more anomalies is indicative of an attack on a telecommunications network; and performing, by the processor, a remediation action to the first signaling messages and the second signaling messages to resolve the attack when the one or more anomalies is indicative of the attack on the telecommunications network.
10. The computer-implemented method of claim 9, wherein the first and second signaling messages are included in network traffic, wherein the processor is positioned in-line with the first interface and the second interface so as to intercept the first signaling messages and the second signaling messages, wherein the first signaling messages include user equipment (UE) registration and mobility information, wherein the second signaling messages include user information, wherein the determining whether the one or more anomalies is indicative of the attack on the telecommunications network is based on an analysis of the UE registration and mobility information in the first signaling messages and the user information in the second signaling messages, and wherein the computer-implemented method further comprises sending the first signaling messages to the AMF and the second signaling messages to the SMF after the performing the remediation action to resolve the attack.
11. The computer-implemented method of claim 9 further comprising classifying the one or more anomalies according to an attack type and implementing an action policy to perform the remediation action based on the attack type.
12. The computer-implemented method of claim 9, wherein the one or more anomalies comprise attaches per day, attaches per device, or attaches per day per equipment type exceeding a predetermined threshold.
13. The computer-implemented method of claim 9, wherein the first and second signaling messages are received at an edge router from one or more Internet-of-things (IoT) devices.
14. The computer-implemented method of claim 9, wherein the remediation action comprises denying all registration requests of a set of user equipment (UE) of a plurality of UE to connect to the telecommunications network, denying a set of UE of the plurality of UE from connecting to the telecommunications network while allowing another set of UE of the plurality of UE to connect to the telecommunications network, reducing a rate of control messages from the plurality of UE, or blocking attach requests from the plurality of UE associated with a determined attack type.
15. The computer-implemented method of claim 10, wherein the network traffic comprises a request to attach to the telecommunications network, a request to re-register to the telecommunications network, a request for authentication information, or a request for resource allocation information.
16. The computer-implemented method of claim 9, wherein the first interface is a N1 interface or a S1 interface and the second interface is a N11 interface or a S11 interface.
17. A non-transitory computer-readable storage medium storing executable instructions that when executed by a processor causes said processor to effectuate operations comprising: re
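An added example, not code from the patent or its assignee, of the pipeline the claims describe: attach requests are translated into events, checked against per-device and per-equipment-type thresholds, classified by attack type, and mapped to a remediation through an action policy. The message fields, threshold values, attack-type names and policy table are assumptions, and the sample messages are constructed.

```python
from collections import Counter

# Assumed values: the claims only say "a predetermined threshold".
MAX_ATTACHES_PER_DEVICE = 3           # per device, per one-day window
MAX_ATTACHES_PER_EQUIPMENT_TYPE = 6   # per equipment type, per one-day window
# Assumed action policy: attack type -> one of the remediations listed in the claims.
ACTION_POLICY = {
    "single_device_flood": "deny_registration",
    "equipment_type_storm": "rate_limit_control_messages",
}

def to_events(messages):
    """Translate attach requests seen on the first interface into (ue, equipment) events."""
    return [(m["ue"], m.get("equipment", "unknown")) for m in messages
            if m.get("interface") in ("N1", "S1") and m.get("type") == "attach_request"]

def detect(events):
    """Classify threshold violations by attack type; returns {attack_type: offenders}."""
    per_device = Counter(ue for ue, _ in events)
    per_type = Counter(eq for _, eq in events)
    found = {
        "single_device_flood": {u for u, n in per_device.items() if n > MAX_ATTACHES_PER_DEVICE},
        "equipment_type_storm": {e for e, n in per_type.items() if n > MAX_ATTACHES_PER_EQUIPMENT_TYPE},
    }
    return {attack: offenders for attack, offenders in found.items() if offenders}

def decide(messages):
    """Per-message decision taken in-line, before anything is forwarded to the AMF or SMF."""
    found = detect(to_events(messages))
    flood = found.get("single_device_flood", set())
    storm = found.get("equipment_type_storm", set())
    decisions = []
    for m in messages:
        if m["ue"] in flood:
            decisions.append(ACTION_POLICY["single_device_flood"])
        elif m.get("equipment") in storm:
            decisions.append(ACTION_POLICY["equipment_type_storm"])
        else:
            decisions.append("forward")
    return decisions

# Constructed sample: one day's worth of messages (not real traffic).
def attach(ue, eq):
    return {"interface": "N1", "type": "attach_request", "ue": ue, "equipment": eq}

SAMPLE = ([attach("ue-A", "meter")] * 5
          + [attach(f"ue-C{i}", "camera") for i in range(7)]
          + [attach("ue-B", "phone"),
             {"interface": "N11", "type": "session_request", "ue": "ue-B", "equipment": "phone"}])
```

The batch passed to `decide` stands in for a single one-day window; a deployed detector would keep sliding counters per window instead of recounting a list.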
Event detection, e.g. attack signature detection · CPC title
Denial of service attacks against network infrastructure · CPC title
Denial of Service · CPC title
Network architectures or network communication protocols for network security (cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00; network architectures or network communication protocols for wireless network security H04W12/00; security arrangements for protecting computers or computer systems against unauthorised activity G06F21/00) · CPC title
Counter-measures against attacks; Protection against rogue devices · CPC title