Denial Of Service That Are Implemented Computer Science Essay


02 Nov 2017


Analysis

Overview:

The purpose of this project is to investigate the different types of DOS (Denial of Service) attacks that are mounted against wireless networks and harm them. Many of these attacks are very easy to acquire and implement. A further aim is to find different techniques of protection against these attacks.

These attacks can be very serious, as they can destroy precious information and material belonging to companies that use wireless in their network. Given the amount of sensitive and financial information that is transmitted over the Internet every hour, these attacks are inevitable, as people may have a motive to attack these businesses. In 2012, 65% of all companies reported that a DOS attack outbreak would cost them a large amount of revenue. According to statistics, these costs were up to $240,000 a day. () In another survey, based on 14 establishments that lost private customer information through wireless attacks, the institute found that total costs to recover from a data breach averaged $14 million. The costs of DOS attacks are not measured in revenue loss alone. Customer service and brand parity factor in, too. A customer who can’t get access to a company’s website is unable to buy, log in to an account or find useful information. Minute by minute, hour by hour, this costs businesses even more.

There are many attacks in use that are very easy to implement. Some of these are denial-of-service (DOS) attacks against 802.11’s MAC protocol. These will be looked into in more detail in this project, as wireless is getting more and more popular among clients and businesses. The combination of free radio frequencies (2.4, 5 GHz), efficient channels and cheap interface hardware has made 802.11 networks extremely popular. Such attacks, which prevent legitimate users from accessing the network, are a worrying problem in all networks, but they are particularly threatening in wireless circumstances.

With relative ease, an attacker can find a whole load of information just by picking up traffic: MAC addresses, the clients connected to an access point (with their MAC addresses), what type of information they are sending and what channel they are on. From this review, a list of requirements will be constructed, so that the practical work can fit within these needs. Other people’s research will be analyzed to see where these attacks have been implemented, how they were done and what results were achieved.

Establishing Problem and Analysis

The problem posed by DOS is huge, as it could harm businesses in every way. The threat to users from wireless technology has increased as the facility has become more and more popular. These services vary widely and include (but are not limited to) everything from mobile technology to the normal access point (IEEE 802.11g/n). There is a whole load of different types of wireless devices and gadgets that can connect to these access points.

There are many different ways of implementing these attacks, as there are many programs that apply them very simply, such as BackTrack 5, KisMAC, aireplay, airodump, Airpwn and Void11. These are only some of the programs that can be used to intercept a wireless network and carry out damaging attacks on it.

Scanning for networks can give a relatively large amount of information just by looking at the beacons of networks. Programs like airodump can capture traffic in the air and show the MAC addresses, channel and SSID (Service Set Identifier) of a network. There are two types of scanning for networks:

Passive scanning:

This scan waits for the normal periodic beacon frame that is advertised by an access point. Every client does this when trying to connect to an access point. Because passive scanners are limited to looking at existing traffic, they are less sensitive in terms of overall completeness and accuracy.

Active scanning:

Here the client tunes its IEEE 802.11 radio to the wanted channel and adds a monitor channel to look at the different information from wireless networks. The client broadcasts a probe request and then waits for the probe responses from the APs on that specific channel. It is very fast and the results are quick, because there is no need to wait for beacons to show up. There are two types of active scanning:

Directed probe: This is directed to a specific SSID on a network; only APs with that SSID reply to the request from a client.

Broadcasted probe: The client sends out an advertised probe to all the APs around. All APs that receive the broadcast probe will respond to the request.

Active scanning is more dangerous, as an active scan can show hidden SSIDs and more information than a normal passive scan.

Resources needed

The supplies needed to make this investigation a success are:

Windows/Linux powered laptops: one to be a client, one to be an attacker and one to monitor traffic on a channel.

Windows powered wired computer.

Cisco NICs (network interface cards).

Some Access points to test the DOS on (Cisco access point/ Small Office, Home Office [SOHO] access point).

Backtrack 5 software to use for the attacks. [Ramachandran, September 2011]

Wireshark, Omnipeek to collect data packets.

Spectrum Analyser to find the radio frequencies and what channels are on.

Northumbria University Labs to do the experiments.

Wi-Spy USB (Universal Serial Bus) to find the different channels.

Traffic generators to produce TCP/UDP (Transmission Control Protocol, User Datagram Protocol) traffic between wired and wireless computers connected to the access point [refer to Network Connections and Topology].

These resources are needed to meet the following requirements:

Results must be well presented and clear to understand.

These attacks must be carried out carefully.

Attacks must be completed ethically and not affect anyone around using services.

A comparison between an infrastructure access point and a SOHO access point with an evaluation of results obtained.

The behaviour of UDP and TCP will be compared when an attack is implemented on a network, to see what effects an attack can have on a system when sensitive data is being transmitted.

There must be an explanation of the data retrieved and a description of what happened and how these results were obtained.

Diagrams and tables are needed to present data clearly and with visible variety on how this data is presented.

Denial of service attacks will be tested on a personal access point (refer to resources) and not on either the university, or any of the public access points.

Types of attacks

The types of attacks are very diverse and exploit different aspects of weaknesses. DOS mechanisms can be classified into wired DOS and wireless DOS. Wireless attack mechanisms can be classified into the following: (DOS classification)

Protocol attacks: These attacks take advantage of the protocols used in 802.11 networks. The attack exploits the management and control frames to turn an access point on itself. The attacker sends a few management packets that disable a victim that is using the services provided by an access point.

Bandwidth attacks: This method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. This floods an access point until it cannot respond to a valid user connected to that access point.

Jamming attacks: This technique is mounted by transmitting noise on the radio frequency of a specific access point used in the wireless network. So much noise is transmitted on a specific channel that the access point fails and a client cannot communicate with the AP.

The types of attacks that are used wirelessly to attack an access point include (but are not limited to):

Deauthentication attack:

In the client authentication process, access points advertise themselves by sending out beacons broadcasting one or more SSIDs, data rates, and other information. After a client has selected an access point to use for communication, it must first authenticate and associate with the AP before further communication may continue. During the association process, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Furthermore, part of the authentication frame is a message that allows clients and access points to explicitly request deauthentication from one another after they have finished communication.()

[Figure: authenticating handshake]

So, the question is: where is the weakness? Identity vulnerabilities arise from the implicit trust 802.11 networks place in a client’s source address. Fields in the frame sent between the client and the access point hold both the sender’s and the receiver’s addresses, as reported by the sender of the frame. Simply by scanning and sniffing the traffic on networks, a client’s MAC address and its handshake with the access point can be obtained.

The deauthentication attack is an attack through which an attacker sends faked deauthentication packets to computers/devices connected to a particular Wi-Fi access point. The attacker issues these spoofed de-auth packets to the access point, pretending to be the client. The faked packet has the client as its source and the access point as its destination. This will disconnect the targeted victim’s computer from that specific access point. The attack is very versatile, as it can target one victim or disconnect all connected computers from the specified access point. How many packets are sent is specified by the attacker: it could be only one packet, or as many as the attacker wants. After several deauth packets are sent, the client has no connection whatsoever to that access point. Sometimes the client has to reconnect manually just to re-authenticate.

Taken further, this attack may simply be used to de-authenticate one or all of the individuals connected to that access point, but it is also commonly used for other purposes:

Capturing the WPA/WPA2 handshake by forcing a client to re-authenticate

Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

An attack like this is not affected by WPA/WPA2 encryption, because the same process is required to start communication between the client and the access point. The management frames (authentication, association, probes, CTS-RTS [clear-to-send, request-to-send] and beacons) are all unencrypted. These are used to establish and maintain communications between a client and server. Only when the authentication process is done is the data sent between the client and server encrypted. To be more specific, when the WPA/WPA2 handshake is captured by an attacker, it can be used for a more precise dictionary attack, so that the WPA/WPA2 password key is discovered and the attacker can use the access point to do whatever he wants after that.
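An added example, not part of the original essay: on the monitoring side, the spoofed deauthentication frames described above can be spotted by counting deauthentication frames per claimed source/destination pair within a short window. The field offsets follow the 802.11 MAC header; the function names, the threshold, the addresses and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None.

    Assumes the frame starts at the 802.11 MAC header (no radiotap prefix, no FCS).
    """
    if len(frame) < 26:                          # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if (version, ftype, subtype) != (0, 0, 12):  # management type, deauth subtype
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_floods(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, frame_bytes) in time order.

    Returns {(claimed_src, dst): peak frame count inside one window} for every
    pair that exceeded `threshold` deauth frames within `window` seconds.
    The source address is only what the frame claims; it cannot be trusted.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, _bssid, _reason = parsed
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:                # drop frames older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

# --- constructed sample capture; all addresses are made up ---
AP, CLIENT, OTHER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "66:77:88:99:aa:cc"

def sample_deauth(dst, src, bssid, reason):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xc0\x00\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

SAMPLE = [(0.0, sample_deauth(AP, OTHER, AP, 3))]          # one ordinary disconnect
SAMPLE += [(10.0 + i * 0.05, sample_deauth(AP, CLIENT, AP, 7)) for i in range(10)]
SAMPLE.append((10.6, b"\x80\x00" + bytes(34)))             # a beacon, ignored here

if __name__ == "__main__":
    for (src, dst), peak in detect_deauth_floods(SAMPLE).items():
        print(f"deauth flood: {peak} frames in window, claimed {src} -> {dst}")
```

A single deauthentication frame is normal behaviour; the burst is what distinguishes the attack, so the threshold should be tuned against a baseline capture of the network being monitored.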

Siege attack:

The lifeblood of today’s organization is information, and the siege attack attempts to prevent or delay access to information by flooding systems, or information processing systems. This attack abuses a system to such an extent that it fails and gives up. This attack takes advantage of a bandwidth cap on access points.

This attack is similar to DDOS (Distributed Denial of Service) on a wired connection, as it takes advantage of the fact that a server has a very small buffer size. A hacker can try to attack a server by flooding it with huge numbers of requests for a webpage until it cannot handle the requests. On a wired connection, this type of hacking technique usually works by sending random HTTP requests to a targeted server. ()

HTTP flood attacks are usually tough to handle, the reason being the lack of a way to distinguish legitimate packets from the ones sent by the hacker. It is not just the TCP stack that is affected by this; it is also the web server, and it could affect a client that is connected to the internet through this access point. It could make an access point not respond to the legitimate user, or make the response very slow.

A siege attack is similar to the HTTP flood attack. It sends HTTP requests over and over again until an access point or a server is dead. It is a type of HTTP flood that could take down an access point or server for a long time. It is also a type of stress-testing tool that shows how resistant an access point is to a flood: it tests an access point beyond its normal operational capacity, often to the breaking point, in order to observe the results on other clients. It loads the CPU (central processing unit) of an access point until it cannot handle any more requests. These attacks could time out an access point or make it very slow. This attack can be aimed at a targeted webpage or at the IP (internet protocol) address of an access point.

RTS-CTS attack:

RTS and CTS are management frames sent between an access point and a client, used by the 802.11 wireless networking protocol to reduce frame collisions. The 802.11 protocol uses CSMA/CA (carrier sense multiple access with collision avoidance) to avoid collisions in a network. CSMA/CA employs the RTS/CTS mechanism to combat the hidden/exposed terminal problems. The scheme uses a sequence of packets sent between a client and an access point (Figure): a Request-To-Send (RTS) packet, a Clear-To-Send (CTS) packet, a Data (DATA) packet, and an Acknowledgment (ACK) packet. Encoded within the RTS/CTS packets is a duration field, which is set so that the data transmission can be completed within the chosen time period. If an RTS packet is sent to an access point but there is no reply from the access point, the client goes into back-off mode.

So, if an attacker injects a faked packet that has the access point as its source and the client as its destination, the client thinks it is its turn to send and sends a data packet. Packets then collide, and nobody will be able to send because everyone will be backing off.

Another way of implementing this attack is by transmitting back-to-back CTS frames: an attacker can force other wireless devices sharing the RF (Radio Frequency) medium to hold back their transmissions until the attacker stops transmitting the CTS frames. This holds back the clients’ transmissions and keeps the RF medium to the attacker until he stops sending these frames. ()
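An added example, not part of the original essay: because every CTS frame announces in its duration field how long the medium is reserved, a monitor station can add up those reservations and report how much of a capture interval was claimed by CTS frames alone. The function names, the 50% limit, the addresses and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_cts(frame: bytes):
    """Return (receiver_address, duration_us) for a CTS frame, else None.

    A CTS frame is FC(2) + Duration(2) + RA(6); it carries no transmitter
    address, so the sender cannot be identified from the frame itself.
    """
    if len(frame) < 10:
        return None
    fc, duration = struct.unpack_from("<HH", frame, 0)
    if (fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 1, 12):  # type 1, subtype 12
        return None
    if duration & 0x8000:          # bit 15 set: the field is not a duration value
        return None
    return ":".join(f"{b:02x}" for b in frame[4:10]), duration

def reserved_fraction(capture, start_us, end_us):
    """Fraction of [start_us, end_us) reserved by CTS frames, per receiver address.

    capture: iterable of (timestamp_us, frame_bytes). Overlapping reservations
    are merged so that back-to-back frames are not counted twice.
    """
    spans = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_cts(frame)
        if parsed is None:
            continue
        ra, duration = parsed
        lo, hi = max(ts, start_us), min(ts + duration, end_us)
        if hi > lo:
            spans[ra].append((lo, hi))
    result = {}
    for ra, items in spans.items():
        items.sort()
        covered, (cur_lo, cur_hi) = 0, items[0]
        for lo, hi in items[1:]:
            if lo > cur_hi:                      # gap: close the current span
                covered += cur_hi - cur_lo
                cur_lo, cur_hi = lo, hi
            else:                                # overlap: extend the current span
                cur_hi = max(cur_hi, hi)
        result[ra] = (covered + cur_hi - cur_lo) / (end_us - start_us)
    return result

def flag_cts_floods(capture, start_us, end_us, limit=0.5):
    """Receiver addresses whose CTS reservations cover more than `limit` of the interval."""
    fractions = reserved_fraction(capture, start_us, end_us)
    return sorted(ra for ra, f in fractions.items() if f > limit)

# --- constructed sample capture; addresses and timings are made up ---
def sample_cts(ra, duration_us):
    return struct.pack("<HH", 0x00C4, duration_us) + bytes.fromhex(ra.replace(":", ""))

NORMAL_RA, FLOOD_RA = "66:77:88:99:aa:bb", "02:00:00:00:00:01"
SAMPLE = [(t, sample_cts(NORMAL_RA, 300)) for t in (1000, 50000, 120000)]
SAMPLE += [(t, sample_cts(FLOOD_RA, 32767)) for t in range(0, 200000, 30000)]

if __name__ == "__main__":
    for ra, frac in reserved_fraction(SAMPLE, 0, 200000).items():
        print(f"{ra}: {frac:.1%} of the interval reserved by CTS")
```

In the sample, three ordinary CTS frames reserve well under 1% of the 200 ms interval, while seven frames with the maximum duration value reserve all of it.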

Beacon Flood:

A beacon flood is essentially an availability attack that is implemented to make a specific part of the network unreachable, so that a client cannot connect to a legitimate access point. Network availability means that at any point the network is able to provide the information requested to the client. ()

[Figure: image from http://www.cse.wustl.edu/%7Ejain/cse571-07/ftp/wireless_hacking/fig3.gif]

Beacon frames are management frames that advertise networks to neighboring clients that want to connect. They contain all the information about a network. Beacon frames are broadcast periodically to publicise the presence of a wireless LAN. ()

The problem arises when an attacker overloads the network with beacon packets: a client thinks that the fake AP is the real AP. The client tries to connect, but the attacker keeps changing the information in the beacon frames. As a result the client gets no service from the genuine AP and the user cannot connect to the real access point.
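An added example, not part of the original essay: a monitor station can recognise the beacon flood described above by two symptoms, a burst of previously unseen BSSIDs inside one time window and a BSSID whose advertised SSID keeps changing. The function names, thresholds, addresses and the sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for a beacon frame, else None.

    ssid is None when no complete SSID element is present. Assumes the frame
    starts at the 802.11 MAC header (no radiotap prefix, no FCS).
    """
    if len(frame) < 36 or frame[0] != 0x80:      # version 0, management, subtype 8
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    pos = 36       # 24-byte header + timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                   # truncated element: stop parsing
            break
        if tag == 0:                             # SSID element
            return bssid, body.decode("utf-8", "replace")
        pos += 2 + length
    return bssid, None

def beacon_anomalies(capture, window=1.0, max_new_bssids=20, known_bssids=()):
    """capture: iterable of (timestamp_seconds, frame_bytes).

    Reports the start times of windows in which more than `max_new_bssids`
    unseen BSSIDs appear, and BSSIDs whose SSID changes between beacons.
    `known_bssids` is a baseline of access points that are expected on site.
    """
    seen = set(known_bssids)
    ssids = defaultdict(set)
    new_in_window = defaultdict(int)
    for ts, frame in capture:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        if bssid not in seen:
            seen.add(bssid)
            new_in_window[int(ts // window)] += 1
        ssids[bssid].add(ssid)
    return {
        "burst_windows": sorted(w * window for w, n in new_in_window.items()
                                if n > max_new_bssids),
        "unstable_bssids": sorted(b for b, s in ssids.items() if len(s) > 1),
    }

# --- constructed sample capture; addresses and SSIDs are made up ---
def sample_beacon(bssid, ssid):
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + addr + addr + b"\x00\x00"
    name = ssid.encode()
    return header + bytes(12) + bytes([0, len(name)]) + name   # fixed fields zeroed

REAL_AP = "00:11:22:33:44:55"
SAMPLE = [(i * 0.1024, sample_beacon(REAL_AP, "lab-ap")) for i in range(20)]
SAMPLE += [(5.0 + i * 0.01, sample_beacon(f"02:00:00:00:00:{i:02x}", "lab-ap"))
           for i in range(50)]
SAMPLE += [(7.0 + i * 0.1, sample_beacon("02:00:00:00:ff:ff", s))
           for i, s in enumerate(["lab-ap", "lab-ap2", "lab-ap3"])]

if __name__ == "__main__":
    print(beacon_anomalies(SAMPLE, known_bssids=[REAL_AP]))
```

Passing the site's known access points as `known_bssids` keeps the first window of a capture from being reported just because every legitimate BSSID is new to the monitor.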

Issues relating to law and liability

Launching a denial of service (DOS) attack is often not difficult, but detection and response is a painfully slow and often manual process. DOS attacks may prove rather beneficial for the service provider regardless of the doubtful morals behind them. The victims may seek compensation from a company regardless of whether the actual attackers were caught or not. Regardless, laws that would force service providers to take appropriate steps to secure their networks would probably soften the problem of security breaches. The relevant legislation of the UK will be examined and the cases that have been to court concerning this matter will be presented.

One of the biggest problems lies in the controversial natures of technology and law. As (Ezine articles) puts it "Today, as the technology is fast developing, we already have all the convenience in life doing so many things at a time." In addition, the development of technology and DOS attacks is by its nature highly global, as the biggest platform for information and innovation is the internet. The first ever DOS attack was done on CERT’s website, as "intruders used methods to compromise systems" (CERT). Intruders exploited the calendar manager service by overwhelming the buffer and overflowing it. This first attack was done on Thursday, July 22, 1999 (CERT). On the other hand, UK law took more than 6 years to ban DOS attacks in the UK. The law in the UK was passed on 9th November 2006, and implementing a DOS attack is punishable by up to ten years in prison. This proves that law enforcement regarding computing is very slow.

A perfect example of the big loophole regarding DOS came when a court cleared teenager David Lennon in November 2005 of charges of sending five million emails to his former employer. Because the judge decided that no offence had been committed, the need for changing the law seemed obvious. The teenager’s lawyers argued that the purpose of the company’s server was to receive emails. The judge decided that sending emails is an authorised act and that Lennon had no case to answer, so no trial took place. In the end Lennon was cleared of all the charges and no action was taken against him. (UK Banning DOS)

Network Connections and Topology explanation

The experimental setup consists of one AP connected to one of the clients, two clients (one wired and one wireless), a traffic generator between the wireless laptop and the wired client (for generating TCP/UDP network traffic), a wireless monitor station that captures the wireless frames transmitted in the network, and an attacker that will transmit the different attack packets on the channel of the AP. (Figure) depicts the basic structure of the test arrangement. The two clients and the monitor run Windows 7. The two clients will have the traffic generator between them and will transmit either TCP or UDP packets. Network performance is analysed by sending a traffic stream from the traffic generator station to the supplicants and taking throughput measurements using the same software. Wireshark and Omnipeek are installed on the monitor station to analyse the frames captured on the AP’s channel. The attacker will use an Alfa 802.11b/g wireless adapter card, model AWUS036H, a high-power Wi-Fi adapter that is compatible with almost all laptops and desktop computers. On the attacker station, attacking tools such as aircrack-ng and mdk3 are used to launch the DOS attacks.

[Figure: Network Project (basic structure of the test arrangement)]

Justification of approach

The approach explained above is intended to get the best results possible in the project. The traffic sent between the two clients emulates a real-life scenario, which could be between two nodes on a network. The attacks will be done to see what effect they have on a network that could be sending even more sensitive data. The tools used will demonstrate the effect that an attack has on a group of clients and the access point. A network that can support large amounts of data transmission seems sensible and necessary for this experiment to work.

There will be a traffic generator between the wired and wireless client, to understand the consequence an attack can have on a network and how the bandwidth is compromised on a wireless link. Both TCP and UDP traffic will be transferred between the two clients, to see the different behaviour of the two transfer protocols. The results will be shown in graphs and tables that will explain the outcomes in more detail. Furthermore, two access points (infrastructure and SOHO routers) will be included in the network, to compare these two types and see how an access point’s performance is affected. The most important part of this network is the monitoring station, which will capture all the packets on the channel used by the access point. Omnipeek will be used because filters can be applied to analyse the specific packets needed. The advantage of this model is that it prevents each development stage from being incomplete and so offers a more detailed initial design that is simpler to follow. It also provides agility, as the network can be modified to whatever specific desires are required. Finally, when these individual aspects come together, there is a good chance of some worthy results.

References:

DDOS survey: Q1 2012 when businesses go dark / Neustar Insights

http://cseweb.ucsd.edu/~savage/papers/UsenixSec03.pdf

Classifying DOS attacks: http://conferences.sigcomm.org/sigcomm/2003/papers/p99-hussain.pdf

Wireless DOS costs: http://www.networkworld.com/columnists/2006/061206-wireless-security.html

Article on DOS: http://sysnet.ucsd.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html

Scanning types: http://www.my80211.com/home/2010/1/11/80211-client-active-and-passive-scanning.html

Association process: http://www.ciscopress.com/articles/article.asp?p=1156068&seqNum=3

Deauth process: http://ashwinsaxena.com/blog/technology/deauth-attack-disconnect-computers/

Siege DOS: http://www.cheycobb.com/DoS.html

Siege HTTP attack: http://ezinearticles.com/?Tips-to-Prevent-Http-Flood-Attack-on-the-Dedicated-Server&id=3378914

RTS-CTS attack and solution: http://files.dubfire.net/jhu/presentations/deauthentication.pdf

CTS Flood: http://freakquency.hubbert.org/2010/12/rtscts-and-you.html

Implementation of CTS Flood: http://www.sans.org/reading_room/whitepapers/detection/detecting-responding-data-link-layer-attacks_33513 (p. 10)

Beacon flood: http://www.cse.wustl.edu/~jain/cse571-07/ftp/wireless_hacking/index.html

Article on Reliability, Availability and Security: http://www.informatica.si/PDF/31-2/08_Maple-Reliability,%20Availability%20and%20Security%20of...pdf

ICMP Flood results: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1656716

UK Banning DOS: http://www.out-law.com/page-7462

Cybercrime, DOS article UK Law: http://www.inf.kcl.ac.uk/pg/rekkas/Cyberlaw.pdf (p. 15)

Fast development of technology: http://EzineArticles.com/5628855

First attack on CERT: http://www.cert.org/incident_notes/IN-99-04.html

Timeline of DOS: http://staff.washington.edu/dittrich/talks/sec2000/timeline.html


