This work addresses the challenge of RRC signaling storm attacks in 5G O-RAN, which exhaust gNB resources and prevent legitimate user access. Existing solutions struggle to distinguish between genuine high-load scenarios and actual attacks and often lack support for mobility and practical deployment constraints. To overcome these limitations, the authors design and implement StormShield, a lightweight xApp deployed on the O-RAN near-real-time RIC. For the first time, they validate the feasibility of such attacks on a real over-the-air testbed comprising the OAI 5G protocol stack, NVIDIA Aerial, USRP X410 SDRs, and commercial radio units. StormShield leverages UE behavioral fingerprinting to rapidly identify malicious traffic, supports mobile scenarios and multiple functional split architectures, and blocks malicious UEs within an average of 106.5 milliseconds with 97.6% accuracy, effectively preventing gNB resource exhaustion.

5G networks provide low-latency, high throughput, and massive connectivity, yet the control plane remains exposed to several security threats. Among the most common and impactful threats are Denial-of-Service (DoS) attacks, with Radio Resource Control (RRC) signaling storms being particularly effective and difficult to mitigate. In this attack, a malicious User Equipment (UE) aims to exhaust Next Generation Node Base (gNB) resources, preventing legitimate UEs from establishing a connection. Existing defenses are typically limited to detection, only evaluated through numerical simulations, and cannot discern between high-load network conditions and attacks. Most of them also assume static setups and do not take mobility into account. In this paper, we first evaluate the feasibility of the signaling storm attack by using the OpenAirInterface(OAI) 5G protocol stack. Then, we propose StormShield, a signaling storm attack detection and mitigation technique implemented as an xApp on an O-RAN Near-Real-Time (near-RT) RAN Intelligent Controller (RIC). It fingerprints and blocks Malicious UEs (MUEs) before gNB resources are exhausted. We prototyped our solution on an Over-The-Air (OTA) testbed with OAI, NVIDIA Aerial, and two different gNB setups. The first one leverages an USRP X410 Software-defined Radio (SDR) with 8.1 functional split; the second a commercial Foxconn Radio Unit (RU) with 7.2 functional split. Our experimental evaluation demonstrates that StormShield effectively prevents gNB resource exhaustion, identifying and blocking MUEs with an average detection accuracy of 97.6% within 106.5 ms from the beginning of the attack.