Denial Of Service In Wireless Networks Computer Science Essay


02 Nov 2017


CM0645: Denial of Service in Wireless Networks

Abdullah Alhassan

General computing project

Computer and Network Technology

Literature Review

Introduction:

This chapter analyses the literature relevant to the project. It discusses the information that already exists about DOS attacks that affect services. To better understand the intentions of the chosen research topic, it is necessary to examine previous research in this subject area. The project is about denial of service in wireless networks, and the purpose of this review is to critically examine the theories behind this big problem. This will give the project a foundation on which to start. By the end of the review, a deeper understanding of the problem will have been gained, which will facilitate the development of an arrangement that improves security against it.

Denial of service (DOS) is a captivating topic that has often received the least amount of attention [Coleman/Westcott, 2006]. Access points are constantly threatened by mechanisms that prevent them from working correctly. This literature review aims to find books and articles associated with Denial of Service (DOS) and to evaluate this literature. This is done by pointing out previous work on the subject and relating it to the project in hand.

History of DOS:

DOS attacks don’t have a definitive history, as there was no single first DOS attack, although it is thought that such attacks have been known to the networking research community since the early 1980s. DOS attacks were rather uncommon incidents in the late eighties, as performing them required more technical knowledge than was then common. They were often executed by individuals using the physical resources of one computer or a handful of computers. (Brief history article) In fact, a 1985 paper provides one of the first descriptions of DOS in operating systems, as it comments on the fact that there is no provision in the Internet Protocol to discover the true origin of a packet. (1985 paper) The paper covered important weaknesses in the TCP/IP layer and how UNIX placed massive trust in the user, since the user can execute commands over a TCP/IP network without supplying a password. It also stated that "Unix TCP/IP software is very flexible and convenient, but places too much trust in a protocol which provides very little security". This showed that many weaknesses in raw IP sockets can be exploited to allow flooding [Swamp port 21 on C with connection requests] (1985 paper) and that the TCP stack was very receptive to it. It describes how an attacker can fake IP addresses, saying "The ideal way to produce TCP/IP packets with incorrect source host ids would be to talk directly to the network involved." (1985 paper) A decade later, it became clear that attackers would routinely exploit this weakness by faking their source address and sending large volumes of traffic to victim computers.

Although DOS attacks existed during the 1980s and early 1990s, at first they were not viewed as high-profile security incidents by the general public and companies. That all changed in the 21st century. This perception started to change as the Internet became a major medium to exploit. It was used to launch the most significant attack that damaged businesses, in February 2000. Many clients were unable to continue to function or execute transactions (such as making electronic trade purchases). In that year, the eBay, E-Trade, Amazon, CNN, and Yahoo web sites were all victims of denial-of-service (DOS) attacks, and some were disabled for almost an entire business day. This meant revenue losses and interruption of service for legitimate users. Perpetrators hijacked a number of client hosts and instructed those clients to send large numbers of network-layer data packets to the companies’ servers. Because there were relatively few servers, and they were overwhelmed by the large number of packets, the servers were unable to respond to legitimate packets that they received from valid users. This DOS flooding was the first of its kind at that time, and in the end it caused many companies to rethink their strategies for combating it. (CNN, history 2010)

History of Wireless LAN:

Wireless LAN technologies, in particular 802.11b and 802.11g, have been gaining importance in their use and deployment. Wireless LAN (Local Area Network) started in 1971, when networking technologies met radio communications at the University of Hawaii in a research project called ALOHAnet. It included seven computers deployed over four islands that communicated with the central computer on Oahu Island without the use of phone lines. (History of WLAN) It was only when the IEEE standards emerged that wireless LAN gained more favour with companies developing the technology. The release of the ISM bands in 1985 and the regulation of the 2.4 and 5 GHz bands made it an even competition for all manufacturers. The spectral efficiency of the early 802.11 standard (in 1997) was rather limited: its maximum data rate of 2 Mbps in a 20 MHz channel was restrictive and slow. (Article on wireless history) In July 1999, IEEE extended the original 802.11 standard, creating the 802.11b specification. 802.11b supports bandwidth up to 11 Mbps while using the 2.4 GHz band. This was a breakthrough, and 802.11b became very popular as it served home market appliances very well. The next development in the standards came in 2002, when 802.11g came out. It merged the best of the 802.11a and 802.11b standards and was very operational and effective. 802.11g supports bandwidth of up to 54 Mbps, and it uses the 2.4 GHz frequency for better range. Access points use the 802.11g standard, and this standard increased the speed of wireless considerably. The problem is that with more development, more vulnerabilities in the standards are exposed. (SANS vulnerabilities) These can be the lack of security or the jamming of signals used in the standards.

Vulnerabilities of the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard:

The IEEE 802.11 standard includes functionality uniquely designed to address problems specific to wireless networks. In particular, it covers the 802.11 MAC (Media Access Control) layer, which is essential for wireless networks to operate. These functions include a client’s ability to discover wireless networks, join and leave networks, and coordinate access to the wireless medium. The vulnerabilities discussed in this part follow from these additional functions and can generally be placed into two categories: (Bellardo, Savage)

Identity Vulnerabilities: These attacks arise from the implicit trust 802.11 networks place in a client’s source address. A field in a wireless frame holds both the transmitter’s and the receiver’s addresses, as reported by the sender of the frame. These addresses are found in the unencrypted portion of IEEE 802.11 communication frames. An attacker can spoof a MAC address that is on the network and start sending management frames as either the source or the destination. By doing this, the attacker can forcefully push a client out of a network. Some examples of these attacks are:

De-authentication attack, Dis-association attack and MITM (Man-in-the-Middle) attack. (Figure)

Media Access Vulnerabilities: 802.11 wireless networks go to significant effort to avoid communication collisions. The protocol’s use of CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) to avoid the collision of packets in the medium is something that an attacker can exploit. This method attempts to divide the channel roughly equally among all sending nodes within the domain. However, this mechanism inadvertently provides opportunities for an attacker to conduct DOS attacks on mobile stations and access points. The implementation of RTS/CTS (Request-to-send, Clear-to-send) helps to partially solve the frame collision problem that is often found in wireless networking. When a transmitter wants to send data on a medium, it must agree a given time with the access point so that the data is sent in that time. An RTS (request-to-send) packet is sent, then a reply comes in a CTS (clear-to-send) packet; if there is no CTS packet, there is a back-off period. When there is a CTS packet, that is the time to send. An attacker can exploit the need for all stations to have a lease time for sending, as he can keep the medium to himself throughout. This example of the attack is called the RTS/CTS attack.
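Both vulnerability classes above leave traces that a monitor-mode sensor can look for. The following detector is an added example, not code from the essay or the papers it reviews: it decodes the unencrypted 802.11 header, flags bursts of de-authentication/dis-association frames between one address pair, and flags RTS/CTS frames that reserve the medium for an unusually long time. The sample frames, MAC addresses and both thresholds are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

MGMT, CTRL = 0, 1                      # 802.11 frame types
DISASSOC, DEAUTH = 10, 12              # management subtypes
RTS, CTS = 11, 12                      # control subtypes
NAV_LIMIT_US = 20_000                  # assumed ceiling for a plausible reservation
FLOOD_COUNT, FLOOD_WINDOW_S = 5, 1.0   # assumed burst threshold

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes):
    """Decode the unencrypted 802.11 MAC header (no radiotap, no FCS)."""
    if len(frame) < 10:
        return None
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
           "duration": duration, "ra": mac(frame[4:10]),
           "ta": mac(frame[10:16]) if len(frame) >= 16 else None,  # CTS has no TA
           "reason": None}
    if hdr["type"] == MGMT and hdr["subtype"] in (DISASSOC, DEAUTH) and len(frame) >= 26:
        hdr["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return hdr

def analyse(capture):
    """capture: iterable of (timestamp_s, raw_frame). Returns a list of alerts."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ts, raw in capture:
        h = parse_header(raw)
        if h is None:
            continue
        if h["type"] == CTRL and h["subtype"] in (RTS, CTS):
            # Bit 15 clear means the field is a NAV reservation in microseconds.
            if NAV_LIMIT_US < h["duration"] < 0x8000:
                alerts.append(("nav-reservation", h["ta"], h["ra"], h["duration"]))
        elif h["type"] == MGMT and h["subtype"] in (DISASSOC, DEAUTH):
            pair = (h["ta"], h["ra"])
            window = recent[pair]
            window.append(ts)
            while ts - window[0] > FLOOD_WINDOW_S:   # keep a sliding window
                window.popleft()
            if len(window) >= FLOOD_COUNT and pair not in flagged:
                flagged.add(pair)
                alerts.append(("deauth-flood", h["ta"], h["ra"], len(window)))
    return alerts

# --- constructed sample frames (all addresses are made up) ---
AP, STA, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:99"

def frame(ftype, subtype, duration, ra, ta=None, reason=None):
    out = struct.pack("<HH", (subtype << 4) | (ftype << 2), duration)
    out += bytes.fromhex(ra.replace(":", ""))
    if ta is not None:
        out += bytes.fromhex(ta.replace(":", ""))
    if reason is not None:   # management frame: BSSID, sequence control, reason code
        out += bytes.fromhex(ta.replace(":", "")) + b"\x00\x00" + struct.pack("<H", reason)
    return out

SAMPLE = [(0.00, frame(CTRL, RTS, 300, AP, STA))]
SAMPLE += [(0.10 + 0.05 * i, frame(MGMT, DEAUTH, 0, STA, AP, reason=7)) for i in range(6)]
SAMPLE += [(2.00, frame(MGMT, DISASSOC, 0, STA, AP, reason=8)),
           (3.00, frame(CTRL, CTS, 32767, OTHER))]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

An alert only shows which addresses the frames carried; because that part of the header is unencrypted and unauthenticated, the transmitter address in a flagged burst may itself be spoofed.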

Bellardo and Savage proposed that the vulnerabilities in IEEE 802.11 were either "identity vulnerabilities" or "media-access control vulnerabilities." These two categories don’t quite encapsulate the attacks presented in (Bellardo, Savage), or the attacks presented in other published research (Liu, Yu and Brewster, 2010). Another type of attack not considered in (Bellardo, Savage) is attacks at the PHY layer, such as military broadband jamming of the RF spectrum. This specific attack jams the RF signal of a selected channel on the spectrum. Other attacks that weren’t taken into consideration in the paper were flooding and bandwidth attacks. This type of attack has a big effect on a receiver’s buffer, as it drowns the receiver with specific packets.

Main Body:

The types of DOS attacks that are mentioned in SANS Institute InfoSec Reading Room 802.11 Denial of Service Attacks and Mitigation [3.Compton, 2007] are:

1- Physical layer 1 attacks, 2- MAC layer 2 attacks, 3- Network layer 3 attacks, 4- Transport layer 4 attacks, 5- Application layer 7 attacks.

The specifications and the IEEE (Institute of Electrical and Electronics Engineers) organisation are discussed with a view to making wireless more secure. Encryption and the different implementations of security are also discussed. This is to understand encryption in more detail so that denial of service will be easier. There is a discussion of different attacks at different layers of the OSI model. However, there are no definitive results showing what kind of disturbance they cause to a network. IP spoofing is also covered, as it makes it extremely difficult to trace an attack back to the attacker. Like Backtrack, de-authentication and dis-association are mentioned as ways to disconnect clients from access points. This is useful for DOS, as access points become difficult to connect to when these attacks are carried out. Finally, defensive measures that protect access points against different attacks are discussed. This is good, as the project will relate to these as defensive aims.

Another article, which discusses flooding with authentication and association requests, is A Solution to WLAN Authentication and Association DoS Attacks [4.Liu/Yu 2007]. This article explains the difference between the two attacks, details them with graphs and specifies how the AP (Access Point) went down. This is excellent, as it can be compared with some of the results taken from the project. It also gives tables of throughput, packet loss, delay and jitter while the access point is under attack, and compares them with the values when the access point is not under attack. In less detail, it specifies how MAC spoofing is done and how a hacker can fake a source MAC address. The journal also states that there is some protection against authentication and association attacks. One is MAC address filtering, which lets you specify which MAC addresses are processed and which are not. The problem is that, after describing how to use MAC address filtering, the journal explains that MAC address filtering is not an effective means of access control because a hacker can easily sniff and fake the MAC addresses of legitimate wireless users [Liu/Yu 2007]. This undermines the idea that MAC address filtering is a solution to disassociation or deauthentication. On the other hand, there are a lot of graphs and results analysing the two attacks.

An article that tries to detect different attacks and find some solutions to the problem is Can Wireless LAN Denial of Service Attacks Be Prevented? [5. Motorola, 2010]. It gives different ideas about DOS and explains the different methods used to bring down a network. After that, it looks for ways to prevent DOS attacks and to detect them using a WIPS (Wireless Intrusion Prevention System). However, there is not enough information about this system in the article. It only covers what kinds of attacks the system detects and shows this using a spectrum viewer. It shows the system detecting the problem but not how it solves the problem of DOS attacks. The forensics of unintentional interference in a given area are shown, and a summary is given in pictures and diagrams. Even so, a lot of analysis still needs to be done to find the cause of problems in a given network.

Another paper that tries to explain DOS attacks is Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks [6.Bicakci, Tavli 2008]. It starts by discussing the IEEE standards and the frame types. This is crucial for understanding how data is sent and encrypted. The article explains the way a client connects to an AP, the timing and the order of handshake frames. This is explained with diagrams that show the different stages of the handshakes. The article mostly concentrates on physical jamming attacks on networks. There is some explanation of MAC layer attacks, but not enough to give a starting point on those attacks. Even though physical jamming is covered, no outcomes of these jamming attacks are given. The consequences of the jamming, and what happened to the access points, are not discussed. It also describes MAC layer countermeasures that can be used to counteract an attack. Although it states that location detection techniques can be used against DOS attacks, sometimes they cannot be used, as the attacker may be at a location that is impossible to get into and find. The article also discusses techniques for combating some DOS attacks. This is illustrated in graphs and demonstrated in tables.

An article that discusses disassociation and deauthentication in more detail is Empirical Studies and Queuing Modeling of Denial of Service Attacks against 802.11 WLANs [7.Liu/Yu/Brewster 2010]. It concentrates on the two attacks in detail while pushing UDP and TCP (User Datagram Protocol and Transmission Control Protocol) data through the connection. The article records the traffic flow under the AUTHRF/ASSRF attacks. Even though there are no graphs and diagrams to explain the results in the paper, there is a lot about rates, packet loss and the effects on transmission and reception. It discusses the WLAN model and how the IEEE standards are described. This helps to understand the process between the access points and the connected nodes. There is analysis of different formulas and the mathematical side of networking. This project will not focus on the formulas but on network performance analysis under these types of attacks. Even though there are no diagrams showing the attack effects, there is some analytical data that could be explored further.

MAC address spoofing

MAC address spoofing is a technique used to change the MAC address used by a network card. A MAC address is factory-assigned by the manufacturer and is hard coded. By changing the MAC address, an attacker can pretend to be another user or conceal his own MAC address on a wireless or wired network. In Windows this can be achieved by editing the value in the registry that contains the MAC address. After the value is changed, the wireless interface just needs to be restarted and it will start using the new MAC address on the network. (Article)

http://www.techinspirit.com/wp-content/uploads/2012/12/mac_spoofing4.png

In Linux it’s easier: with three or four commands, the MAC address of an interface can be changed to whatever address is wanted. This is done in the command line interface. (Linux MAC changer)

This sets the stage for the attacks that are used to deny a client the services he/she is using. In a spoofing attack, the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. During an attack, the attacker generally wants to be anonymous and to keep the equipment being used a mystery.
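A spoofed frame carries the victim's address but not the victim's frame counter, so one network-side check is to watch the 802.11 sequence numbers seen for each transmitter address. This goes beyond what the essay describes and is an added example, not code from the essay or its sources; the thresholds, addresses and observations are constructed assumptions.

```python
from collections import Counter

SEQ_MOD = 4096       # sequence numbers are 12 bits and wrap to 0
MAX_GAP = 32         # assumed allowance for frames the sensor did not hear
MIN_ANOMALIES = 3    # assumed number of jumps before an address is reported

def seq_number(seq_ctrl: int) -> int:
    """Upper 12 bits of the Sequence Control field; the low 4 bits are the fragment."""
    return (seq_ctrl >> 4) & 0xFFF

def suspected_spoofed(observations):
    """observations: (timestamp_s, transmitter_mac, seq_ctrl) in capture order,
    assumed to come from one counter per station (e.g. management frames only).
    Returns {mac: jump_count} for addresses whose numbering looks like two senders."""
    last, jumps = {}, Counter()
    for _ts, ta, seq_ctrl in observations:
        seq = seq_number(seq_ctrl)
        if ta in last:
            gap = (seq - last[ta]) % SEQ_MOD   # 0 = retransmission, 1 = next frame
            if gap > MAX_GAP:                  # large forward jump or a backward jump
                jumps[ta] += 1
        last[ta] = seq
    return {ta: n for ta, n in jumps.items() if n >= MIN_ANOMALIES}

# --- constructed observations (addresses and counters are made up) ---
AP_MAC, STA_MAC = "02:00:00:00:00:01", "02:00:00:00:00:10"
SAMPLE_SEQ = [
    (0.0, AP_MAC, 100 << 4), (0.1, STA_MAC, 4094 << 4),
    (0.2, AP_MAC, 101 << 4), (0.3, AP_MAC, 2900 << 4),   # second counter appears
    (0.4, STA_MAC, 4095 << 4), (0.5, AP_MAC, 102 << 4),
    (0.6, STA_MAC, 4095 << 4),                           # retransmission, gap 0
    (0.7, AP_MAC, 2901 << 4), (0.8, STA_MAC, 0 << 4),    # normal wrap 4095 -> 0
    (0.9, AP_MAC, 103 << 4), (1.0, STA_MAC, 1 << 4),
]

if __name__ == "__main__":
    print(suspected_spoofed(SAMPLE_SEQ))
```

The station that wraps from 4095 to 0 and retransmits once is not reported; only the address whose frames alternate between two unrelated counters is.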

Relation to proposed work:

This part will look at the technical detail and how this literature relates to the project at hand.

The Backtrack 5 software will be used to carry out some attacks such as de-authentication, dis-association and the siege attack. This is because the book (Ramachandran, 2011) contains detailed instructions on how to set up networks and hack them. Furthermore, it is very powerful software that includes: aireplay, which is used to inject different kinds of frames into a network; airbase, which is aimed at attacking clients as opposed to an access point; and honeypot, which creates a fake access point to make clients connect to it. These attacks will be recorded by Wireshark or Omnipeek Wildpackets. The Omnipeek software will mostly be used, because it can monitor a whole channel and can retrieve packets that Wireshark would usually not find.

Some other software will be taken into consideration, such as Kismac, Airpwn, Void11 and FakeAP. These will be tested and explored further to get the best tools possible for the project.

Results obtained from the experiments can be linked with the graphs in other papers and journals. For example, in [4.Liu/Yu 2007] there are a lot of graphs and diagrams explaining jitter, throughput and delay as results and outcomes of dis-association and de-authentication. These will be compared to get the best possible outcome for the project.

Conclusion:

This chapter has reviewed the literature associated with the studies conducted on DOS. The review explored the communication tools that were used in the articles and how their results were best used.

There are many different genres of DOS attacks described in books and journals. However, from the previous research, it appears that most of these attacks fall into different categories by type. Some fall into the normal categories, but some are a mix of different types. For example, the authentication flood attack is a mix between a flooding attack and a protocol attack. It takes advantage of the protocol used in 802.11 networks and floods an access point with these requests to freeze the access point. The negative effects of DOS on a network can be explored to see what the outcome is. If these attacks are replicated in real time in a way that allows them to be linked with results through an external location, the aim of the project could be fulfilled.

Most of these studies were very general and not specific enough in terms of description and practical work. Some articles showed results without detail about the experimental work. There were journals describing different attacks but not specifying what these attacks were. There was considerable information about DOS and the harms of DOS, but without specifying what types of attacks were used. Some of these studies did provide a huge amount of detail on how to carry out these attacks, and these books and articles will be used and explored in more detail to get the best possible results. The literature that was reviewed provided very valuable information that could be explored further in this project. Because of this, the project in hand will discuss in detail some of the attacks associated with DOS and show results.

References:

Keith Holt. (2005). Wireless LAN: Past, Present, and Future. (Part 2), p1-2.

Heather D. Lane. (2005). Security Vulnerabilities and Wireless LAN Technology. (Part 2), p4-8.

Robert T. Morris. (1985). A Weakness in the 4.2BSD UNIX TCP/IP Software, p1-3.

CNN. (2000). E*Trade, ZDNet latest targets in wave of cyber-attacks. Available at: http://edition.cnn.com/2000/TECH/computing/02/09/cyber.attacks.02/ . Last Accessed 21/02/2013.

Ann Harrison. (2000). The denial-of-service aftermath. Available at: http://edition.cnn.com/2000/TECH/computing/02/14/dos.aftermath.idg/ . Last accessed 21/02/2013.

F-secure. (2011). About Denial of Service (DOS). Available at: http://www.f-secure.com/en/web/labs_global/articles/about_denialofservice. Last accessed 21/02/2013.

Georgios Loukas and Gülay Öke. (2009). Protection against Denial of Service Attacks: A Survey. (1, 2), p2-3.

John Bellardo and Stefan Savage. (2003). 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, p15-26.

John Bellardo and Stefan Savage. (2012). 802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions PowerPoint presentation, p1-20.

Stuart Compton. (May 17th 2007). SANS Institute InfoSec Reading Room. 802.11 Denial of Service Attacks and Mitigation. 1 (10) Available at: http://www.sans.org/reading_room/whitepapers/wireless/80211-denial-service-attacks-mitigation_2108 Accessed on: 12th November 2012.

Chibiao Liu and James Yu. (2007). A Solution to WLAN Authentication and Association DoS Attacks. IAENG International Journal of Computer Science. Available at: http://www.iaeng.org/IJCS/issues_v34/issue_1/IJCS_34_1_4.pdf Accessed on: 14th November 2012.

Motorola. (2010). Can Wireless LAN Denial of Service Attacks Be Prevented? Available at: http://www.bearcom.com/resource-library/ems/wlandenial.pdf (Accessed: 21st October 2012).

Kemal Bicakci, Bulent Tavli. (21 November 2008). Computer Standards & Interfaces. Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks. Available at: http://www.bicakci.etu.edu.tr/pub/bicakci_csi_2009.pdf (Accessed on: 24th November 2012).

Chibiao Liu, James Yu and Gregory Brewster. (2010). Empirical Studies and Queuing Modeling of Denial of Service Attacks against 802.11 WLANs. Available at: http://facweb.cs.depaul.edu/brewster/pubs/WiFi-DOS.pdf (Accessed on: 25th November 2012).

Wireshark. (2012). Types of software. Available at: http://www.wireshark.org/ (Accessed on: 29th November 2012).

Edgar D Cardenas. (2003). MAC Spoofing--An Introduction. Version 1.4b, p1-5.

Ruchi. (2012). Change your Network card MAC (Media Access Control) address. Available at: www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html, Last accessed 22/02/2013.

Bibliography:

Vivek Ramachandran (September 2011). Backtrack 5 Wireless Penetration Testing Beginners guide. Birmingham: Packt Publishing. p100 - 177.

David D. Coleman, David A. Westcott (2006). CWNA Certified Wireless Network Administrator. Canada: Wiley Publishing. p396 – 400.


