
Int. J. Ad Hoc and Ubiquitous Computing, Vol. 2, No. 3, 2007 157

Copyright © 2007 Inderscience Enterprises Ltd.

Detailed DoS attacks in wireless networks and countermeasures

Lawan A. Mohammed and Biju Issac* Information Security Research (iSECURES) Lab, Swinburne University of Technology (Sarawak), 93576 Kuching, Malaysia E-mail: [email protected] E-mail: [email protected] *Corresponding author

Abstract: IEEE 802.11 wireless networks have fuzzy boundaries, making it easy for an attacker to capture the transmitted packets. Also the attacker can send massive volume of illegitimate traffic and utilise system resources in a way that renders the system inoperable, thus denying access to authorised users. This paper is two fold in its description. Firstly, it describes some of the major vulnerabilities associated with wireless networks. Secondly, it demonstrates different methods of achieving Denial of Service (DoS) attacks in detail, as it applies to wireless networks and discusses and proposes different countermeasures to minimise the attacks.

Keywords: DoS attacks; countermeasures; wireless network vulnerabilities.

Reference to this paper should be made as follows: Mohammed, L.A. and Issac, B. (2007) ‘Detailed DoS attacks in wireless networks and countermeasures’, Int. J. Ad Hoc and Ubiquitous Computing, Vol. 2, No. 3, pp.157–166.

Biographical notes: Lawan A. Mohammed is with the School of IT and Multimedia in Swinburne University of Technology (Sarawak Campus), Malaysia. He received his PhD in Computer and Communication Systems Engineering from the University Putra Malaysia. He is also the Head of Smartcard Research Group in the iSecures Lab at Swinburne University Sarawak. His main research focuses on the design of authentication protocols for secure e-commerce, wireless/mobile networks, cryptography and smart card.

Biju Issac is also with the School of IT and Multimedia in Swinburne University of Technology (Sarawak Campus), Malaysia. He holds a Degree (BEng) in Electronics and Communication Engineering from Bharathiar University, India and a Master Degree in Computer Applications from Calicut University, India. He is also the Head of Network Security Research Group in the iSecures Lab at Swinburne University Sarawak. His research interests are in wireless and network security, wireless mobility and IPv6 networks. Currently he is doing part-time PhD in Networking and Mobile Communications in UNIMAS, Malaysia.

1 Introduction

Technological innovations in computing such as wireless or mobile networking have indeed opened up new dimensions of threat to system security. While many of the breaches found in wired networks will also be found in wireless networks, the nature of the wireless medium requires a degree of trust and cooperation between member nodes. If this cooperation is not guaranteed, a malicious user can exploit the weakness in order to deny service, collect confidential information, or disseminate unwanted or false information. Denial of Service (DoS) is an attack on service availability, denying authorised users access to the service provider. According to CERT/CC (2001), it is an explicit attempt to prevent the legitimate user of a service from using that service. This can be categorised as follows: attempts to ‘flood’ a network, thereby preventing legitimate network traffic; attempts to disrupt connections between two machines, thereby preventing access to a service; attempts to prevent a particular individual from accessing a service; and attempts to disrupt service to a specific system or person. Another term, Distributed Denial of Service (DDoS), describes the deployment of multiple attacking entities (or agents) to attain the same goal. In this attack, the attacker installs DoS software on a number of servers, and these servers in turn attack the target server. The recent CSI/FBI (2004) report shows that the most expensive computer crime over the past year was owing to DoS. DoS can also result from unintentional action such as errors or software bugs. For instance, Garfinkel and Spafford (1997) report that an older version of the Netscape Navigator HTML layout engine could be used to allocate gigabytes of memory. More recently, US/CERT (2005) reported that several denial-of-service vulnerabilities had been discovered in Cisco’s Internet Operating System (IOS). On the other hand, intentional DoS attacks are designed purposely to degrade the performance of the system or bring it to a halt (Wadlow, 2000).

This paper aims to present the detailed threats associated with DoS attacks in wireless computing environments. Various types of DoS attacks are explained and the impact of such attacks is discussed. Methods of minimising these attacks are also discussed. Besides that, other vulnerabilities associated with wireless networks are also described. The paper is organised as follows. Section 2 discusses some of the general threats associated with wireless networks and shows some evidence obtained from highway war driving, as well as the insecurity of WEP. In Section 3, the paper describes the vulnerability of wireless networks in relation to DoS attacks; practical implementations of some attacks are also shown, and other generic DoS and DDoS attacks are highlighted. Section 4 describes some countermeasures that minimise the attacks outlined in Section 3. The paper concludes in Section 5.

2 Vulnerability of wireless networks

It is a well-known fact that a wireless network has fuzzy boundaries, as the radio transmission coverage around it can reach places where intrusion or eavesdropping would be easy. With commercial sectors becoming increasingly reliant upon wireless systems, it is important to investigate some of the flaws associated with such systems. This section discusses some of the experiments conducted to show how vulnerable wireless networks are. The experiments conducted are explained below.

2.1 Highway war driving

We conducted war driving with laptop computers along some of the highways. We went to different areas where wireless networks were detected and started capturing packets using the pre-configured laptops we had. As in Table 1, NetStumbler 0.4.0 software (NSS, 2005) and Link Ferret 3.10 software (LFS, 2005) were used for network detection and packet capturing respectively. A CISCO Aironet 350 series PCMCIA wireless adapter was fitted and configured. WinPcap software needed to be installed for packet capturing to work. The Link Ferret software can be configured to capture packets from different channels with a huge buffer size, with an average packet size of around 64 bytes or more. NetStumbler was installed to scan for the presence of wireless networks and to show details such as the MAC address, SSID name/network name, Access Point name and its details, details of encryption if enabled or the absence of it, the channel number, the time stamp, signal strength etc. The result of the war driving was quite revealing. The packets captured were from different locations that included Petrol Stations, Banks, Financial Institutions, Shopping Complexes and Government organisations, as in Table 2.

Table 1 List of war driving tools used

Equipment/item                 Specification
Laptop                         Acer Laptop with Mobile Centrino processor, 256 MB RAM and 20 GB HDD
Network detection software     NetStumbler 0.4.0
Packet capturing software      Link Ferret 3.10 (also an analyser)
Wireless network adapters      Onboard wireless network adapter and CISCO Aironet 350 series PCMCIA
Packet analysers               Ethereal 0.10.7 and Packetyser 3.0.1

Table 2 Source of captured packets with unencrypted data

Packet file name    Type of company/organisation                 95% confidence interval for the proportion of unencrypted data packets
pkt1.cap            Petrol station and private installations     (7.44%, 8.02%)
pkt2.cap            Bank/financial institution                   (22.38%, 23.29%)
pkt3.cap            Petrol station                               (6.87%, 7.60%)
pkt4.cap            Multistoried shopping complex                (4.25%, 4.70%)
pkt5.cap            Bank/financial institution                   (38.04%, 40.50%)
pkt6.cap            Bank/financial institution                   (10.43%, 11.10%)
pkt7.cap            Government organisation/office               (4.52%, 4.99%)
pkt8.cap            Government organisation/office               (7.49%, 8.07%)

2.2 Observations on packets captured

Packet capturing was done in various spots where wireless networks were detected through NetStumbler alerts. It was quite surprising that a number of wireless networks were working even without encryption: they simply had not enabled the WEP option. As the headers of a wireless packet are not encrypted, they can reveal some interesting information. Sniffing and getting such details on a wired network is not that easy. The wireless frames/packets captured were a combination of Control Frames, Management Frames and Data Frames. Control and Management Frames far outnumbered Data Frames.

Table 3 shows the different protocols found. Critical information captured included source, destination and BSSID (or AP) MAC addresses; source, destination node and BSSID IP addresses; source and destination node open port numbers; checksum details; Initialisation Vector (IV) values etc. This information in itself is not very sensitive, but some of it can be used to launch DoS attacks against a wireless LAN, as explained later. Eight captured packet files were analysed; they are from seven different locations, captured at different times for around 30 minutes each, as shown in Table 2. Quite a lot of unencrypted packets were collected. The data frames considered for tabular analysis fall into the following categories or groups: Data (frame type 32), Data + CF-Acknowledgement (frame type 33), Data + CF-Poll (frame type 34) and Data + CF-Acknowledgement/Poll (frame type 35). These data packets are referred to as Unencrypted Data Packets (UDP) from here on. Data Frame type 32 dominates the population. We also noted Data Frames of type 32 that are encrypted with WEP, which are not considered for analysis. The sample considered for analysis consists of unencrypted data frames and unencrypted fragmented data frames, both containing visible data sections in HEX format as viewed through Ethereal. Our packet samples are only indicative and not exhaustive. Hence our results are also indicative in nature.

Table 3 Different protocols and number of frames/bytes in all the captured packet files

Protocol        Frames     Bytes
IEEE 802.11     228837     16586529
IEEE 802.1      636        28175
CDP             4          1248
IEEE 802.2      23603      2643396
IEEE SNAP       14410      1624886
ARP             2746       119778
IP              9971       9676389
ICMP            347        12641
IGMP            50         484
BOOTP           329        58979
EGP             1          32
GRE             1          20
IPX             564        58706
IPX RIP         14         140
UDP             3604       341855
TCP             5442       625528
NBNS            471        22938
NBDS            288        83081
NBSS            3763       128225
IPX NETBIOS     18         901
NETBEUI         85         11807
NCP             1          4
SMB             6          776
FTP             1          50
HTTP            693        163350
HTTPS           279        82615
DNS             113        7391
OSPF            26         1333
SSDP            290        68021
NNTP            28         3208
IPX SAP         78         2742
NMPI            11         2057

Overall, we located around 50 Access Points (AP) or peers in wireless networks without WEP encryption and 21 AP or peers with WEP encryption using NetStumbler software. A random password was used to intrude and connect to an encrypted peer wireless network. The laptop thus connected was assigned an IP address. Packet Analysers like Ethereal (ES, 2005), Packetyser (PS, 2005) and Link Ferret monitor (LFS, 2005) software were used for the detailed analysis of packets. Filters were used to list out only the needed packets. Each of those packets could be analysed with its detailed contents. Generally, the packet monitors or analysers provide tools for monitoring and allow packet sniffers in them for capture and eventually to do some protocol decoding and analysis of packets. From the packets captured in eight sessions, we found that the average number of UDP per second is 2 and the average unencrypted data packet size is around 241 bytes (Issac et al., 2005).
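As an added example (not the authors' code or tooling), the frame grouping of Section 2.2 and the interval reported in Table 2 can be reproduced as follows. The block classifies frames by the analyser's frame-type code (32 to 35) and the WEP/protected bit, counts the unencrypted data frames, and computes a normal-approximation (Wald) 95% confidence interval for their proportion. The frame records are constructed here, and the choice of the Wald interval is an assumption; the paper does not state which interval method was used.

```python
import math
from dataclasses import dataclass

# 802.11 data-frame codes used in Section 2.2's grouping, as reported by the analyser
DATA_FRAME_TYPES = {32: "Data", 33: "Data + CF-Ack", 34: "Data + CF-Poll", 35: "Data + CF-Ack/Poll"}


@dataclass(frozen=True)
class Frame:
    frame_type: int   # analyser frame-type code
    protected: bool   # WEP / Protected Frame bit in the frame control field


def count_unencrypted_data(frames):
    """Return (k, n): unencrypted data frames of the four types above, and total frames."""
    n = len(frames)
    k = sum(1 for f in frames if f.frame_type in DATA_FRAME_TYPES and not f.protected)
    return k, n


def proportion_ci(k, n, z=1.96):
    """Normal-approximation (Wald) confidence interval for the proportion k/n.
    z = 1.96 gives the 95% level used in Table 2 (assumed method)."""
    p = k / n
    half = z * math.sqrt(p * (1 - p) / n)
    return max(0.0, p - half), min(1.0, p + half)


def build_sample():
    # Constructed capture: 150 unencrypted data frames, 50 WEP-protected data frames,
    # and 1800 control/management frames (code 29 is simply "not a data frame" here).
    return [Frame(32, False)] * 150 + [Frame(32, True)] * 50 + [Frame(29, False)] * 1800


def analyse(frames):
    """Summarise a capture the way Table 2 does: counts plus the 95% interval."""
    k, n = count_unencrypted_data(frames)
    lo, hi = proportion_ci(k, n)
    return {"k": k, "n": n, "ci": (lo, hi)}


if __name__ == "__main__":
    r = analyse(build_sample())
    print(f"{r['k']}/{r['n']} unencrypted data frames, 95% CI ({r['ci'][0]:.2%}, {r['ci'][1]:.2%})")
```

Working backwards from the half-widths in Table 2 (around 0.3 percentage points at a 7 to 8% proportion), each capture file would contain on the order of tens of thousands of frames, which is consistent with the frame totals in Table 3.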

2.3 Breaking of WEP-128 key

Several authors have reported the existence of flaws in the link-layer encryption algorithm associated with Wired Equivalent Privacy (WEP), which make it susceptible to analytic attacks and to cryptanalysis of the initial values used in the RC4 block cipher (Walker, 2000; Fluhrer et al., 2001). Further, keys can be cracked using tools such as AirSnort, WEPCrack and Aircrack, many of which are freely available on the internet. Figure 1 shows the results we obtained by breaking the 128-bit static WEP key used in our 802.11b test bed using Aircrack (version 2.1) software. The WEP-128 key was cracked by capturing around 4 million packets containing 264674 unique IVs in 2 seconds, as shown. Once the key is broken, various sensitive details can be learned through decryption, including information that can be used to launch other DoS attacks.

Figure 1 WEP-128 key cracked in 2 seconds

2.4 Other vulnerabilities

A vulnerability has been reported in hardware implementations of the IEEE 802.11 wireless protocol (IEEE-SA Standards Board, 1999) that allows an effective attack against Wireless Local Area Network (WLAN) devices. An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localisation of the attacker difficult. The vulnerability is related to the Medium Access Control (MAC) function of the IEEE 802.11 protocol. WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimises the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer. An attack against this vulnerability exploits the CCA function at the physical layer and causes all WLAN nodes within range, both clients and AP, to defer transmission of data for the duration of the attack. When under attack, the device behaves as if the channel were always busy, preventing the transmission of any data over the wireless network.

It is reported in Geier (2003) that Wi-Fi Protected Access (WPA) is vulnerable to DoS attack. WPA uses mathematical algorithms to authenticate users to the network. If a user trying to get in sends two packets of unauthorised data within one second, WPA will assume it is under attack and shut down. A similar report on Wi-Fi’s vulnerability can be found in Thomas (2004). A vulnerability was identified in the Nortel Networks VPN Router, which may be exploited by remote attackers to cause a DoS. A similar vulnerability was identified in Microsoft Internet Explorer, which may be exploited by attackers to cause a DoS. The flaw resides in the ‘jscript.dll’ file, which does not properly handle malformed JavaScript ‘onLoad’ events and may be exploited via a specially crafted HTML page to crash the browser. It is also reported that TCP does not adequately validate segments before updating the timestamp value. If an attacker knows (or guesses) the source and destination addresses and ports of a connection between two peers, he can send spoofed TCP packets to either peer containing bogus timestamp options, as reported by the French Security Incident Response Team (FrSIRT, 2005). Examples of DoS attacks on commercial websites include Yahoo, eBay and Amazon (CCIPS, 2003).

3 DoS attacks

In general, DoS attackers rely on the ability to send spoofed packets to ‘amplifiers’ in order to generate the traffic that causes the DoS. Hence, the attacks are commonly launched from systems that have been subverted through security-related compromises. Regardless of how well secured the victim systems may be, their susceptibility to the attack depends on the state of security in the rest of the global internet (CERT/CC, 2001). In general, DoS exploits weaknesses in the operating system, network interface, software or IP. While some attackers are interested in re-routing messages, others might be interested in disrupting the whole network and degrading its performance, or jamming the radio by overloading the system with unwanted messages or packets. Generally, DoS attacks come in a variety of forms and the attackers have a variety of objectives. CERT/CC (2001) described three basic types of DoS attacks:

  • consumption of scarce, limited, or non-renewable resources
  • destruction or alteration of configuration information
  • physical destruction or alteration of network components.

Implementations of attacks that are DoS in nature, or attacks that could lead to subsequent DoS attacks, are described below together with other variants.

3.1 ARP poisoning

In ARP Poisoning, an attacker can exploit the ARP Cache and intercept network traffic between two computers in the network. For instance, to see all the traffic between host A and host B, the attacker begins by sending a malicious ARP ‘reply’ (for which there was no previous request) to host B, associating his computer’s MAC address with host A’s IP address. Now host B thinks the attacker’s computer is host A. Next, the attacker sends a malicious ARP reply to host A, associating his MAC address with host B’s IP address. Now host A thinks that the hacker’s computer is host B. Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker’s machine to forward any network traffic it receives from host A to host B. Instead of enabling IP forwarding the attacker has the choice of drowning host B with any DoS attack, so that the communication actually happens between host A and attacker, whom A thinks to be host B (Nachreiner, 2003).

In order to perform ARP poisoning, two desktop computers and one laptop were used as shown in Figure 2. The two desktop computers acted as the victims while the laptop acted as the attacker. The attacker laptop was equipped with the Ethereal packet capturing software (ES, 2005) and an ARP poisoning software known as Cain and Abel (CAAS, 2005). Host A sent continuous ICMP packets to the host B by pinging it. It was observed in the Ethereal software on the attacker’s machine that the ICMP packets were sent only between host A and the attacker, even though host A sent it to host B. In Cain and Abel, it was observed that attacker could monitor the ICMP packets sent between those two computers. It showed that the sender has been fooled to send ICMP packets to the attacker, which has a different set of MAC and IP address.

Figure 2 Implementation of ARP poisoning
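The experiment above relies on two observable properties of the poisoning traffic: the ARP replies are unsolicited (no host asked for them), and they contradict the IP-to-MAC binding seen earlier. As an added example (not the authors' code, and not the output of Cain and Abel or Ethereal), the detector below applies both checks to a stream of ARP records. The record format and the sample hosts are constructed for this example, and the two-second request lifetime is an assumed tuning value.

```python
import re
from collections import deque

# Constructed record format (not a real tool's output): "<time> request|reply <ip> <mac>".
# For a request, <ip> is the address being asked for (who-has) and <mac> is the requester.
# For a reply, the record asserts "<ip> is-at <mac>".
ARP_LINE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<op>request|reply) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$"
)

REQUEST_TTL = 2.0   # seconds a who-has request stays eligible to match a reply (assumed)


def detect_arp_poisoning(lines, request_ttl=REQUEST_TTL):
    """Return alerts for ARP replies that were unsolicited or that contradict the
    first-seen, solicited IP-to-MAC binding. Each alert is a dict with t, ip, mac, reasons."""
    pending = deque()   # (t, ip) of recent who-has requests, oldest first
    bindings = {}       # ip -> mac learned from solicited replies only
    alerts = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        t, op, ip, mac = float(m["t"]), m["op"], m["ip"], m["mac"]
        while pending and t - pending[0][0] > request_ttl:   # expire stale requests
            pending.popleft()
        if op == "request":
            pending.append((t, ip))
            continue
        reasons = []
        solicited = any(p_ip == ip for _, p_ip in pending)
        if solicited:
            for i, (_, p_ip) in enumerate(pending):   # consume the matching request
                if p_ip == ip:
                    del pending[i]
                    break
        else:
            reasons.append("unsolicited-reply")
        known = bindings.get(ip)
        if known is None:
            if solicited:
                bindings[ip] = mac   # trust only bindings that answered a real request
        elif known != mac:
            reasons.append(f"binding-changed:{known}->{mac}")
        if reasons:
            alerts.append({"t": t, "ip": ip, "mac": mac, "reasons": reasons})
    return alerts


# Constructed sample: host A 10.0.0.1 (aa:...), host B 10.0.0.2 (bb:...), attacker cc:...
SAMPLE_ARP = """
1.0 request 10.0.0.2 aa:aa:aa:aa:aa:aa
1.1 reply 10.0.0.2 bb:bb:bb:bb:bb:bb
2.0 request 10.0.0.1 bb:bb:bb:bb:bb:bb
2.1 reply 10.0.0.1 aa:aa:aa:aa:aa:aa
9.0 reply 10.0.0.1 cc:cc:cc:cc:cc:cc
9.1 reply 10.0.0.2 cc:cc:cc:cc:cc:cc
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE_ARP):
        print(a)
```

The last two records reproduce the experiment: the attacker rebinds both victims' addresses to its own MAC without any request, so each reply triggers both the unsolicited and the binding-changed reason. Learning bindings only from solicited replies is what keeps the baseline from being poisoned by the attacker's first packet.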


3.2 MAC spoofing

In MAC spoofing, the attacker changes the manufacturer-assigned MAC address of a wireless adapter to the MAC address he wants to spoof. Mac Makeup (MMS, 2005) was the software we used to perform MAC spoofing. Figure 3 shows how an attacker can enter the MAC address to spoof and press the Change button to change the original MAC address. Later, by pressing the Remove button, the original MAC address can be restored. An attacker can learn the MAC address of a valid user by capturing wireless packets using any packet capturing software like Packetyser, LinkFerret or Ethereal, observing the traffic passively or actively. It was observed that upon successful MAC spoofing, besides the spoofed MAC address, the IP address assigned to the attacker’s computer was identical to the IP address of the victim computer whose MAC address was being spoofed. In order to access the wireless network, the attacker had to perform a DoS attack to disconnect the target computer from its wireless connection.

Figure 3 Mac Makeup software (ver.1.71d). Note the bogus MAC address (000e6a7b350c) that would be used

We tested it as follows: The MAC address was spoofed on host A (attacker) using host B’s MAC address. The attacker did a ping flooding to Host B and made it drown in ICMP packets. Host A then tried connecting to the access point with the spoofed MAC address of B and got connected, as shown in Figure 4.

Figure 4 Association table in CISCO AP. Note the second row where the attacker got connected with the spoofed MAC address

3.3 Web spoofing

In Web spoofing, the attacker convinces the victim that he is visiting a legitimate website, when the web pages are actually created by the attacker, or even hosted on the attacker’s web server, in order to eavesdrop on the victim. Information such as passwords and credit card numbers can thus be stolen. The attacker can achieve this by compromising the intranet server of company XYZ and redirecting some links to his web server. The other option is to send forged e-mails (e-mail spoofing) with such links in them. In e-mail spoofing, we compromised an SMTP server (as SMTP servers can be configured without user authentication). The identity of the sender (attacker) is changed to that of a trusted employee. That mail could even have links in it that pointed to a ‘familiar and original-looking’ web page residing on a test web server (imitating the legitimate server). Scripts could then be written to get sensitive information from the victim.

3.4 ICMP flooding

The Internet Control Message Protocol (ICMP) is used to report the delivery of Internet Protocol (IP) echo packets within an IP network (ICMP, 2005). It can be used for network troubleshooting purposes, to show when a particular end station is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information etc. The typical DoS attack using ICMP is known as ICMP flooding. It involves flooding the buffer of the target computer with unwanted ICMP packets. In order to perform ICMP flooding, we tried to ping a Pentium 4 computer connected to a CISCO Aironet 350 access point using a 3Com wireless adapter. We tested the DoS attack with the ICMP Ping Flood software (PFS, 2005) shown in Figure 5. After less than an hour, we found that the computer failed to browse any websites although it was still connected to the wireless network. The excess and unwanted ICMP packets that flooded the target computer’s buffers caused this lack of response.

Figure 5 ICMP Ping Flood software

The resulting wireless network performance graphs are shown in Figure 6. We found that the ‘Network utilisation’ of the wireless network connection was about 30–40% higher than the normal utilisation.

Figure 6 Network utilisation (y-axis) vs. time (x-axis) graph that shows the victim PC status during and after the ping flood attack


3.5 Other forms of DoS attacks

Some other forms of effective DoS attacks and their types are discussed below.

Flooding

The most common means of DoS attack is flooding. Flooding is the generation of spurious messages to increase traffic on the network. We will consider SYN flooding, Ping of Death, Smurf attacks and e-mail flooding.

In SYN flooding, the attacker sends a volume of connections that cannot be completed, causing the connection queues to fill up. This causes DoS to other legitimate TCP users. A normal TCP session uses a three-way handshake. Firstly the source sends a SYN packet to initiate the connection. The destination then responds with a SYN ACK packet, and a connection queue keeps track of waiting connections. Lastly, the destination should hear an ACK packet for the SYN ACK before the connection is established. When an attacker sends SYN packets with random source addresses towards a victim host, the connection queue of the victim host gains entries corresponding to the SYN ACKs it has sent to ‘non-existent’ hosts. The last exchange of the TCP handshake never happens and the queue grows, denying other TCP services like e-mail, FTP, WWW etc. Another variant is the UDP flooding attack, consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This attack is also known as the ‘pepsi’ attack and it can cause network devices to use up a large amount of CPU time responding to these packets (Huegen, 2000a).

In Ping of Death, the ping packet size is bigger than the normal ping packet size (of 64 bytes): around 65,536 bytes. An IP datagram of 65,536 bytes usually cannot be sent. But when the packet is fragmented into small pieces, sent and then rebuilt at its destination, the sheer size of the packet causes the buffer to overflow. The result can be a reboot, hang, etc.

In the Smurf attack, which is one of the most effective in the category of network-level attacks against hosts, the attacker sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having the spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet. The ‘smurf’ attack’s close relative is called ‘fraggle’, which uses UDP echo packets in the same way as the ICMP echo packets; it was a simple re-write of smurf (Huegen, 2000b).

In e-mail flooding, the target system’s e-mail address is placed on large junk mail servers so that the target server is flooded with junk mail. Other devices that may be vulnerable to DoS attack include printers, tapes and other network devices. Details of a DoS taxonomy are described in Jelena and Peter (2004).
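The SYN flooding description above turns on one piece of server state: the queue of connections for which a SYN ACK has been sent but the final ACK has not arrived. As an added example (not the authors' code), the block below replays a constructed sequence of handshake events and measures that half-open backlog per server, which is what a defender watches to tell a SYN flood from a burst of legitimate clients. The event format, the server address and the listen backlog of 128 are assumptions; the spoofed client addresses come from the RFC 5737 documentation range.

```python
from collections import defaultdict


def replay_handshakes(events):
    """Replay TCP handshake events (t, flags, src, dst, sport, dport), in time order,
    and return {server: half_open_count}. A connection is half-open when the server
    has sent SYN ACK but no final ACK arrived. flags is 'S', 'SA' or 'A'."""
    state = {}   # (client, server, sport, dport) -> 'syn' | 'synack'
    for _t, flags, src, dst, sport, dport in events:
        if flags == "S":
            state[(src, dst, sport, dport)] = "syn"
        elif flags == "SA":
            key = (dst, src, dport, sport)       # the reply travels back to the client
            if state.get(key) == "syn":
                state[key] = "synack"            # entry now sits in the connection queue
        elif flags == "A":
            key = (src, dst, sport, dport)
            if state.get(key) == "synack":
                del state[key]                   # handshake complete, entry leaves the queue
    half_open = defaultdict(int)
    for (_client, server, _sport, _dport), st in state.items():
        if st == "synack":
            half_open[server] += 1
    return dict(half_open)


def backlog_exhausted(half_open, backlog=128):
    """Servers whose half-open count exceeds their listen backlog (128 is assumed)."""
    return {server for server, n in half_open.items() if n > backlog}


def build_sample():
    """Constructed trace: three legitimate handshakes, then 200 SYNs from spoofed
    sources whose SYN ACKs are never answered."""
    server = "10.0.0.1"
    events = []
    for i in range(3):
        client, sport = "10.0.0.5", 40000 + i
        events += [
            (float(i), "S", client, server, sport, 80),
            (i + 0.01, "SA", server, client, 80, sport),
            (i + 0.02, "A", client, server, sport, 80),
        ]
    for i in range(200):
        client, sport = f"192.0.2.{i % 254 + 1}", 50000 + i   # RFC 5737 documentation addresses
        events += [
            (10 + i * 0.001, "S", client, server, sport, 80),
            (10 + i * 0.001 + 0.0005, "SA", server, client, 80, sport),
        ]
    return events


if __name__ == "__main__":
    queue = replay_handshakes(build_sample())
    print(queue, "backlog exhausted on:", backlog_exhausted(queue))
```

The three completed handshakes leave no residue, while the 200 unanswered SYN ACKs stay in the queue and push the server past the assumed backlog; a real monitor would additionally age entries out after the server's SYN-ACK retransmission timeout.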

Spoofing

There are different types of spoofing: ARP poisoning, MAC spoofing, IP address spoofing, Web spoofing and DNS spoofing. We have already seen ARP poisoning, MAC spoofing and Web spoofing in Sections 3.1, 3.2 and 3.3 respectively. In IP address spoofing, the trust relationship between two hosts is exploited. The firewall of a victim may allow only packets with certain trusted source IP addresses. The attacker circumvents this by generating packets that have the source address of a trusted host. He may then drown the trusted host with a SYN flood so that it cannot respond. As the attacker cannot get the reply packets to his computer, he is faced with the challenge of guessing or narrowing down the correct sequence number from the Initial Sequence Number (ISN) to further his attack. In DNS spoofing, the attacker directs users to a compromised server where they are requested to enter sensitive information, similar to web spoofing. Here the attacker compromises the victim company’s web server and changes the hostname-to-IP address mapping. When users request the host name, they are directed to the attacker’s server. Even corporate e-mails can be redirected in this way to the attacker’s mail server, which copies them before forwarding them to their final destination.

CPU and memory attacks

These involve the use of memory-hungry code or infinitely looping code to crash the system. In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written. Buffer overflow vulnerabilities in many software packages can be exploited to achieve this attack.

Window multiplication

This is a technique, used by sites pushing images of goods for sale or pornographic images, in which closing the active window opens two or more new windows. These unwanted windows keep multiplying, take up resources and, if not controlled, can bring the system to a halt.

Airwaves jamming

A lot of equipment, such as microwave ovens, baby monitors and cordless phones, operates in the unregulated 2.4 GHz radio frequency band, which is the same as the 802.11b wireless LAN’s operational frequency band. Hence commonly available consumer products can give hackers the tools for a simple and extremely damaging DoS attack. By injecting large amounts of noise from some of these devices that operate at 2.4 GHz, they can jam the airwaves and shut down a wireless LAN (WLAN, 2003).

Disassociation attack

By configuring a wireless station to work as an Access Point, an attacker can launch more effective DoS attacks. He can flood the airwaves with continuous disassociate commands that compel all stations within range to disconnect from the wireless LAN. In another variation, the attacker’s malicious access point broadcasts periodic disassociate commands, creating a situation where stations are continually disassociated from the network, reconnected and disassociated again. Session hijacking is said to occur when an attacker causes the user to lose his connection and then assumes his identity and privileges for a period. The attacker temporarily disables the user’s system, say by a DoS attack or a buffer overflow exploit, and then takes on the identity of the user, gaining all the access that the user has. When he is done, he stops the DoS attack and lets the legitimate user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds or a few minutes. Such hijacking can be achieved using the forged disassociation DoS attack explained above.

EAP manipulation attack

The Extensible Authentication Protocol (EAP) can be manipulated by hackers to launch DoS attacks. There are several forms of attack in which an attacker manipulates the EAP exchange by targeting wireless stations and the AP with start commands, log-off commands, premature successful-connection messages, failure messages and so on, where the EAP protocol messages are modified (Hatch, 2003).

System log manipulation attack

The system logs are our first source of information about what has occurred on our computer. There are many different possible system logging daemons, syslogd and syslog-ng (in UNIX) being the most popular. Both have a configuration file (/etc/syslog.conf and /etc/syslog-ng.conf respectively) that dictates where logs should be sent. You may just log everything to /var/log/messages. An attacker can purposefully flood your syslog server with uninteresting log entries to cause the logs to rotate out of existence and hide any of his earlier logged activities (Hatch, 2003).
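One defensive measure against the log-rotation flood just described is to rate-limit each log source at the collector so that a single noisy host cannot push everybody else's entries out of the main log. The following Python is an added example written for this section, not code from the paper or from syslogd/syslog-ng: it parses classic BSD-format syslog lines, applies a per-host token bucket, and diverts the excess into a per-host spill list (a spill file in a real deployment) instead of letting it consume the main log. The host names, timestamps and messages in SAMPLE are constructed.

```python
import re
from collections import defaultdict

# Classic BSD syslog line: "<PRI>Mon dd hh:mm:ss host program[pid]: message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("hms").split(":"))
    # Seconds since midnight are enough for a same-day sample.
    return {"host": m.group("host"), "prog": m.group("prog"),
            "msg": m.group("msg"), "t": h * 3600 + mi * 60 + s}


class SourceLimiter:
    """Token bucket per source host.

    Each host may write `burst` lines at once and then `rate` lines per
    second into the main log; anything beyond that is diverted, so one
    noisy source cannot rotate the other hosts' entries out of existence."""

    def __init__(self, rate=2.0, burst=10):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def admit(self, host, now):
        elapsed = now - self.last.get(host, now)
        self.last[host] = now
        self.tokens[host] = min(self.burst, self.tokens[host] + elapsed * self.rate)
        if self.tokens[host] >= 1.0:
            self.tokens[host] -= 1.0
            return True
        return False


def triage(lines, rate=2.0, burst=10):
    """Split incoming lines into the main log, a per-host spill list and
    unparseable lines. Returns (main, spill, unparsed)."""
    limiter = SourceLimiter(rate, burst)
    main, spill, unparsed = [], defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif limiter.admit(rec["host"], rec["t"]):
            main.append(line)
        else:
            spill[rec["host"]].append(line)
    return main, dict(spill), unparsed


# Constructed sample: one normal host and one source spewing filler within a single second.
SAMPLE = (
    ["<38>Feb 20 10:00:00 fileserver sshd[412]: Accepted publickey for alice from 10.0.0.7",
     "<38>Feb 20 10:00:03 fileserver sshd[412]: session opened for user alice"]
    + ["<13>Feb 20 10:00:05 ap-lobby filler[%d]: junk entry %d" % (i, i) for i in range(40)]
    + ["<85>Feb 20 10:00:06 fileserver sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"]
)

if __name__ == "__main__":
    main, spill, unparsed = triage(SAMPLE)
    print(len(main), "lines kept;", {h: len(v) for h, v in spill.items()}, "spilled")
```

With the defaults (burst of 10, then 2 lines per second) the 40-line burst from ap-lobby contributes only 10 lines to the main log and the remaining 30 go to its spill list, while the fileserver entries before and after the burst are all kept. The spill list still preserves the flood for later inspection, which is itself a useful indicator that someone is trying to hide earlier activity.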

Distributed Denial of Service (DDoS) attack

There are several types of DDoS attacks, but their methods are very similar in that they rely on a large group of previously compromised systems to direct a coordinated distributed flood attack against a particular target.

In preparation for these attacks, the attacker will compromise many systems (sometimes hundreds) on which the agent software can be loaded. The agent software is referred to as a ‘Zombie’ program because it lies asleep until awakened. The attacker then uses a master console to communicate with and configure the Zombie agents. At a specified time, all of the agents initiate an otherwise standard DoS attack against the intended target. The attack is so devastating because of the tremendous traffic volume generated by the ‘army’ of agents, as shown in Figure 7. DDoS tools are easily available to attackers as shown in Table 4.

Figure 7 DDoS attack architecture

Source: DDoS (2004)

Table 4 DDoS tools and attack types

DDoS tool                      DoS attack type(s)
trin00                         UDP flood
Tribe Flood Network (TFN)      UDP bomb, SYN and ICMP flood and Smurf
TFN2K                          UDP bomb, SYN and ICMP flood and Smurf
Stacheldraht (‘Barbed Wire’)   ICMP, UDP and SYN floods
Shaft                          UDP flood, SYN and ICMP flood
Mstream                        Stream (ACK) flood

4 Countermeasures

DoS attacks have been known for some time. The following countermeasures can be taken as precautionary measures to thwart such attacks.

4.1 Against spoofing

ARP poisoning or ARP spoofing can happen easily because ARP packets are readily available in wireless networks: they are broadcast to all stations without any authentication mechanism. There can be a couple of solutions. Use network switches with MAC binding features that store the first MAC address that appears on a port and do not allow this mapping to be altered without authentication. Another alternative that we propose is to centralise ARP negotiation (say, through a DHCP server and relays with an extended facility to answer or forward ARP packets). Making ARP requests unicast can save a lot of congestion. Adding authentication, to establish the identity of the sender and to guard against packet tampering, makes it secure. ARP request packets can be sent to a central server that holds the IP-to-MAC address mapping, and the server can send the ARP response to the requesting host with a strong digital signature computed using a collision-free one-way hash function. This can protect against tampering or injection of new forged ARP packets. Lastly, the host can send an encrypted acknowledgement containing the timestamp of the server response. To prevent IP spoofing, disable source routing on all internal routers and use ingress filtering as explained below in Section 4.3. Web spoofing depends mainly upon social engineering tricks, so it is important to educate users to be generally aware of the address bar in the browser that displays the web address they are directed to; that can help when a suspicious website address comes up. DNS spoofing can be prevented by securing the DNS servers and by implementing anti-IP address spoofing measures (Campbell et al., 2003).
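The centralised ARP exchange proposed above (unicast request to a mapping server, authenticated and timestamped response, acknowledgement from the host) can be modelled in a few lines. The following Python is an added example for this section and not the paper's own implementation. It makes two simplifying assumptions that should be stated: the paper calls for a digital signature, whereas this model uses an HMAC-SHA256 tag under a key shared by the server and the stations (so a station holding the key could also forge tags, which a real signature with a server-only private key avoids); and the acknowledgement is authenticated with the same tag rather than encrypted. The addresses, key and timestamps are constructed.

```python
import hmac
import hashlib


def _canon(ip, mac, ts):
    """Canonical byte string that the tag covers: address, mapping and time."""
    return f"{ip}|{mac.lower()}|{ts}".encode()


def _tag(key, data):
    # Stand-in for the paper's digital signature (see lead-in): keyed SHA-256.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ArpServer:
    """Central resolver that holds the authoritative IP-to-MAC table and
    answers unicast ARP requests with a tagged, timestamped mapping."""

    def __init__(self, key, table):
        self.key = key
        self.table = {ip: mac.lower() for ip, mac in table.items()}

    def answer(self, ip, now):
        mac = self.table.get(ip)
        if mac is None:
            return None
        return {"ip": ip, "mac": mac, "ts": now,
                "tag": _tag(self.key, _canon(ip, mac, now))}

    def check_ack(self, ack):
        """Verify that the acknowledgement echoes the mapping and timestamp we sent."""
        expected = _tag(self.key, b"ack|" + _canon(ack["ip"], ack["mac"], ack["ts"]))
        return hmac.compare_digest(expected, ack["tag"])


class Host:
    """A station that only installs mappings carrying a valid, fresh tag."""

    def __init__(self, key, max_skew=5):
        self.key, self.max_skew, self.cache = key, max_skew, {}

    def accept(self, resp, now):
        """Verify the response; on success cache it and return the acknowledgement."""
        if resp is None:
            return None
        expected = _tag(self.key, _canon(resp["ip"], resp["mac"], resp["ts"]))
        if not hmac.compare_digest(expected, resp["tag"]):
            return None  # forged or tampered mapping
        if abs(now - resp["ts"]) > self.max_skew:
            return None  # replay of an old answer
        self.cache[resp["ip"]] = resp["mac"]
        return {"ip": resp["ip"], "mac": resp["mac"], "ts": resp["ts"],
                "tag": _tag(self.key, b"ack|" + _canon(resp["ip"], resp["mac"], resp["ts"]))}


def scenario():
    """Genuine answer, forged answer and replayed answer (all values constructed)."""
    key = b"constructed-shared-key"
    server = ArpServer(key, {"192.168.1.1": "00:11:22:33:44:55"})
    host = Host(key)
    genuine = server.answer("192.168.1.1", now=100)
    ack = host.accept(genuine, now=101)
    # A party without the key can only produce a tag under some other key.
    forged = {"ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01", "ts": 101,
              "tag": _tag(b"wrong-key", _canon("192.168.1.1", "de:ad:be:ef:00:01", 101))}
    return {
        "genuine_ok": ack is not None and server.check_ack(ack),
        "cached": host.cache.get("192.168.1.1"),
        "forged_rejected": host.accept(forged, now=101) is None,
        "replay_rejected": host.accept(genuine, now=200) is None,
    }


if __name__ == "__main__":
    print(scenario())
```

The timestamp check is what stops an old but correctly tagged response from being replayed later to reinstate a stale mapping, and the constant-time comparison avoids leaking tag bytes through timing. Replacing `_tag` with a real signature scheme changes nothing else in the exchange.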

4.2 Against flooding attack

TCP SYN flooding of devices behind a firewall from hosts with random IP addresses is easy to deal with, because an access list can block such IP addresses or blocks of them. But on a web or mail server with public internet access, there is no way to check whether the incoming IP addresses are hostile or non-hostile and there is no clear-cut solution, even though an Intrusion Detection System would be a choice. Some options available to hosts in such a case are: increase the SYN-ACK connection queue, decrease the time-out while waiting for the three-way handshake and employ vendor software patches, if available (CISCO Whitepaper, 2004).

A combination of Host-based Intrusion Detection System (HIDS) and Network-based Intrusion Detection System (NIDS) can greatly help, especially against flooding attacks. HIDS can be placed on critical servers and NIDS on one or more network segments. A signature detection scheme is good at detecting known attacks. Alerts arising from suspicious activity can be communicated to the administrator immediately. NIDS reactions can also include TCP resets, IP session logging and blocking. The HIDS approach looks into log files and file checksums and intercepts requests to the operating system for system resources before they proceed. Signatures and generic rules help in anomaly detection. Open server ports can also be monitored for excess or abnormal traffic. Firewalls are an excellent form of protection; however, they must leave some ports open to allow the operation of web, mail, FTP and other Internet-based services, and those open ports are the paths exploited by most vulnerabilities.

We propose a general architecture for an Intrusion Detection or Prevention System, especially against flooding attacks and their variants, shown in the flow chart of Figure 8. Fine-tuning can be done with the ability for self-learning and for correcting false decisions through a statistical or AI approach as the system lives longer in the network. Initially, a test installation can be done and a variety of mock DoS attacks can be performed. During the test period (say, n months), suspected attacks are only reported to the administrator. When satisfactory attack reaction results are obtained, the system can be installed and made active. The attack signature database is updated online at regular intervals to keep it up to date. Some customisation can be implemented so that an administrator can set additional network threshold values. Once the threshold values are crossed, some specific action is taken. To avoid false positives, the system needs to be trained and the optimal values should be set after that.
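The training-then-active behaviour described for the Figure 8 architecture can be illustrated with a small threshold detector. The following Python is an added example for this section, not the paper's implementation: it takes a SYN count per monitoring interval for one segment (constructed values), only alerts during a training period, derives its own threshold from the observed baseline as mean plus k standard deviations once training is complete, honours an administrator-set threshold as an independent trigger, and accepts false-positive feedback that widens the baseline. The statistic used for the learned threshold is an assumption; the paper leaves the statistical method open.

```python
import statistics


class FloodGuard:
    """Threshold detector that first trains (alert only), then acts.

    Observations are SYN counts per monitoring interval on one segment.
    Until `training` samples have been collected the guard only raises
    alerts, and only against the administrator-set threshold; afterwards
    it also uses its learned threshold (mean + k*stdev of the baseline)
    and, in active mode, blocks instead of alerting."""

    def __init__(self, training=8, k=3.0, admin_threshold=None, active=True):
        self.training, self.k = training, k
        self.admin_threshold, self.active = admin_threshold, active
        self.baseline = []

    def trained(self):
        return len(self.baseline) >= self.training

    def threshold(self):
        """Effective threshold: the lower of the learned and the administrator value."""
        if not self.trained():
            return self.admin_threshold
        learned = statistics.mean(self.baseline) + self.k * statistics.stdev(self.baseline)
        if self.admin_threshold is not None:
            learned = min(learned, self.admin_threshold)
        return learned

    def observe(self, syn_count):
        """Return the action for one interval: learn, alert, pass or block."""
        if not self.trained():
            # Training period: nothing is blocked, and suspected attacks are
            # kept out of the baseline so they do not inflate the threshold.
            over = self.admin_threshold is not None and syn_count > self.admin_threshold
            if not over:
                self.baseline.append(syn_count)
            return "alert" if over else "learn"
        if syn_count > self.threshold():
            return "block" if self.active else "alert"
        return "pass"

    def report_false_positive(self, syn_count):
        """Administrator feedback: the flagged interval was benign, so it
        joins the baseline and raises the learned threshold."""
        self.baseline.append(syn_count)


def scenario():
    """Walk the guard through training, a mock attack, activation and feedback."""
    guard = FloodGuard(training=8, admin_threshold=200)
    quiet = [20, 25, 22, 30, 18, 27, 24, 21]  # constructed baseline of a quiet segment
    actions = [guard.observe(c) for c in quiet[:4]]
    actions.append(guard.observe(500))  # mock DoS attack during the test period
    actions += [guard.observe(c) for c in quiet[4:]]
    result = {"learned": guard.threshold(),
              "burst_40": guard.observe(40), "normal_30": guard.observe(30)}
    guard.report_false_positive(40)  # administrator: that burst was a backup job
    result["burst_40_after_feedback"] = guard.observe(40)
    return actions, result


if __name__ == "__main__":
    print(scenario())
```

In the scenario the mock attack of 500 SYNs during training only produces an alert and is not added to the baseline; after eight quiet intervals the learned threshold is about 35 SYNs per interval, so a burst of 40 is blocked. Once the administrator reports that burst as benign, the baseline widens and the same count passes, which is the self-correction step the text asks for.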

Figure 8 General intrusion detection or prevention architecture flow chart

4.3 Against DDoS attack

DDoS attacks can be more deadly. As a precautionary measure, install the updated security patches from software vendors. Install antivirus software with up-to-date signatures on all mail servers to keep out e-mail worms that could be DDoS tools. Firewalls and routers can provide a great degree of protection through ingress (inbound) and egress (outbound) filtering, for example by stopping spoofed packets with fake source addresses from leaving the network. Use an egress filter in the network firewall and/or router to make sure that whatever leaves the network carries only source addresses that belong to the network, and use an ingress filter to confirm that packets arriving at the network have source addresses that are not on the inside network. If the attack is unsophisticated, there might be a specific signature to the traffic. A careful examination of captured packets, say through NIDS, sometimes reveals a trait on which one can base either router Access Control Lists (ACLs) or firewall rules. Additionally, a large amount of traffic may originate from a specific provider or core router. If that is the case, one might consider temporarily blocking all traffic from that source, which should allow a portion of legitimate activity through. One would also be blocking ‘real’ packets, or legitimate traffic, but this may be an unavoidable sacrifice. The following steps (Huegen, 2000b) could prevent a network from attacking others without any control:

• filter the packets coming into your networks destined for a broadcast address

• turn off directed broadcasts on all internal routers (preventing smurf attacks)

• block any packet from entering that has a source address in the RFC 1918 address space (10.0.0.0, 172.16.0.0 and 192.168.0.0) or the loopback address space 127.0.0.0

• block at the firewall any packet that uses a protocol or port that is not used for internet communication in the local area network

• block packets with a source address originating inside the network from entering the network.
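The ingress and egress rules of this section, including the five steps listed above, can be expressed as one packet classification function. The following Python is an added example for this section and not code from the paper or from any router vendor: it decides, for a packet described by direction, source, destination, protocol and destination port, whether the rules above accept or drop it. The site prefix (203.0.113.0/24), the published service list and every packet address are constructed; they use documentation address ranges rather than any real network.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the site's own prefix and the services it publishes.
INTERNAL = [ip_network("203.0.113.0/24")]
PRIVATE_AND_LOOPBACK = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                        ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]
LIMITED_BROADCAST = ip_address("255.255.255.255")
# (protocol, destination port) pairs that outsiders are allowed to reach.
PUBLISHED = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("icmp", None)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def is_broadcast(ip):
    # Directed broadcasts to our subnets and the limited broadcast address.
    return ip == LIMITED_BROADCAST or any(ip == net.broadcast_address for net in INTERNAL)


def filter_packet(direction, src, dst, proto, dport=None):
    """Return ("drop", reason) or ("accept", "") for one packet.

    direction is "in" for packets arriving from the Internet and "out" for
    packets leaving the site; src and dst are dotted-quad strings."""
    src, dst = ip_address(src), ip_address(dst)
    if direction == "in":
        if is_broadcast(dst):
            return ("drop", "destined for a broadcast address")
        if any(src in net for net in PRIVATE_AND_LOOPBACK):
            return ("drop", "RFC 1918 or loopback source address")
        if is_internal(src):
            return ("drop", "source address claims to be inside the network")
        if (proto, dport) not in PUBLISHED:
            return ("drop", "protocol/port not published to the Internet")
        return ("accept", "")
    if direction == "out":
        if not is_internal(src):
            return ("drop", "egress: source address does not belong to this network")
        return ("accept", "")
    raise ValueError("direction must be 'in' or 'out'")


# Constructed packets exercising each rule once.
PACKETS = [
    ("in", "198.51.100.9", "203.0.113.10", "tcp", 443),    # normal HTTPS request
    ("in", "10.1.2.3", "203.0.113.10", "tcp", 80),         # private source from outside
    ("in", "203.0.113.77", "203.0.113.10", "tcp", 80),     # claims to be one of ours
    ("in", "198.51.100.9", "203.0.113.255", "icmp", None), # directed broadcast ping
    ("in", "198.51.100.9", "203.0.113.10", "tcp", 445),    # service not published
    ("out", "203.0.113.10", "198.51.100.9", "tcp", 443),   # legitimate outbound
    ("out", "192.0.2.5", "198.51.100.9", "udp", 53),       # would spoof someone else
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", filter_packet(*pkt))
```

The egress rule is the one that stops a compromised machine on this network from taking part in a spoofed-source flood against someone else, and the directed-broadcast rule is what removes the network from use as a smurf amplifier; the other ingress rules protect the site itself.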

4.4 Against eavesdropping data

WEP 128-bit encryption with TKIP (enabling dynamic WEP key rotation) and 802.1x RADIUS authentication should be activated. A combination of good encryption and authentication makes it quite difficult for an attacker to get at the data. IEEE 802.1x is a security protocol used to implement access control at the point at which a user joins the network. It divides the network universe into supplicant, authenticator and authentication server. In wireless communication, the supplicant is the wireless device, the authenticator is the AP and the authentication server is the Remote Access Dial-In User Service (RADIUS) server. IEEE 802.1x is a port-based authentication, which uses EAP for the communication between the supplicant and the authenticator. EAP authentication acts as a second layer of protection after WEP because it involves the use of a RADIUS server as the back-end authentication server. EAP authentication is a user-based authentication in which only a recognised user is granted wireless access by the server. This provides enterprise-level security. Protected EAP with MSCHAPv2 authentication is a good option. Tests should be conducted regularly to determine how far the system’s signal leaks outside of the building, and transmitter power should then be adjusted until the leakage is eliminated or reduced to the point that it would be easy to locate a hacker. Directional access point antennas should be aimed towards the inside of the building.

4.5 Other general precautions

Highly sensitive information should also be removed from public networks and connection time should be limited. Packets and their flow should be closely checked and monitored. Another measure is to limit the allocation of system resources. Software manufacturers generally set the limit for resources at a high level to allow maximum performance.

Routers should apply thorough filtering, and a firewall can be used to filter forged requests before they reach the server, as described in Zwicky et al. (2000). The network should be monitored frequently and foreign stations should be denied access to it. It is also important to fix application bugs and keep protocol implementations updated to prevent intrusion. MAC address filtering should also be applied at the AP or RADIUS server. In addition, DoS detection tools such as AirDefense and AirMagnet should be deployed. Regular backup schedules and policies should be established. Other measures include downloading and installing security patches, firewall and intrusion detection systems (McAfee, 2005; Axelsson, 2000), and virus and worm defence systems (Williamson, 2002). Finally, it is important to scan the network and the computer systems frequently to ensure that they are not vulnerable.

4.6 Manual way to respond to an unexpected DoS attack

If all the precautions taken fail and one still faces a DoS attack, the following steps allow a possible graceful shutdown. Firstly, absorb the attack, which calls for planning additional capacity before an attack begins. Secondly, degrade non-critical services or even disable them if necessary. Thirdly, shut down services until the attack has subsided.

5 Conclusion

This paper shows that DoS attacks are much easier to launch on wireless networks than on wired networks. This is typically owing to the nature of wireless communication, as packets travel freely through the air. The paper also comprehensively explained different DoS attacks, some of which we implemented in our lab, and explained a full set of effective defence mechanisms. Further, the paper proposed a mechanism against ARP poisoning and a general IDS or IPS architecture that could help against such attacks.

Acknowledgement

This work is a slight extension and refinement of the Mobility 2005 Conference paper that we had presented, entitled – “Dos attacks and defense mechanism in wireless networks”.

References

Axelsson, S. (2000) Intrusion Detection Systems: A Survey and Taxonomy, Tech Report 99-15, Dept. of Comp Eng., Chalmers University, Sweden.

Cain and Abel Software (CAAS) (2005) Retrieved July 16, from www.oxidt.it.

Campbell, P., Calvert, B. and Boswell, S. (2003) Security + Guide to Network Security Fundamentals, Thomson Course Technology, pp.47–84.

CERT/CC (2001) Denial of Service Attacks, Available Online: http://www.cert.org/tech_tips/denial_of_service.html.

CISCO White paper (2004) Defining Strategies to Protect Against TCP SYN Denial of Service Attacks.

Computer Crime and Intellectual Property Section (CCIPS) (2003) Retrieved July 4, 2005, from http://www.cybercrime.gov/ccpolicy.html#DDSA.

CSI/FBI (2004) Computer Crime and Security Survey, Ninth Annual Report, Computer Security Institute, USA, Retrieved July 4, 2005 from http://www.reddshell.com/docs/csi_fbi_2004.pdf.

Distributed Denial of Service (DDoS) (2004) Retrieved July 4, 2005 from http://www.trinitysecurity.com/reference/bulletin/Trinity-DDOS-Protecting-Critical-Systems.pdf.

Ethereal Software (ES) (2005) Retrieved July 8, from http://www.ethereal.com/.

Fluhrer, S., Mantin, I. and Shamir, A. (2001) ‘Weaknesses in the key scheduling algorithm of RC4’, Proceedings of Selected Areas of Cryptography (SAC’01), LNCS, Springer-Verlag, Berlin, Vol. 2259, pp.1–24.

French Security Incident Response Team (FrSIRT) (2005) Nortel Networks VPN Router 600 Denial of Service Vulnerability, Retrieved July 23, from http://www.frsirt.com/english/advisories/2005/0642.

Garfinkel, S. and Spafford, G. (1997) Web Security and Commerce, O’Reilly, USA.

Geier, J. (2003) Denial of Service a Big WLAN Issue, Retrieved July 4, 2005 from http://www.wifiplanet.com/tutorials/article.php/2200071.

Hatch, B. (2003) Preventing Syslog Denial of Service Attacks, Retrieved July 9, 2005 from http://www.hackinglinuxexposed.com/articles/20030220.html.

Huegen, C.A. (2000a) The Latest in Denial of Service Attacks: ‘Smurfing’ Description and Information to Minimize Effects, Retrieved July 24, 2005 from http://www.pentics.net/denial-of-service/white-papers/smurf.cgi.

Huegen, C.A. (2000b) Network-Based Denial of Service Attacks (CISCO Systems), Retrieved July 24, 2005 from http://www.pentics.net/denial-of-service/presentations/msppt/19980513_dos.ppt.

IEEE-SA Standards Board (1999) Telecommunications and Information Exchange Between Systems – Local and Metropolitan Area Networks – Specific Requirements – Part 11: Wireless LAN Medium Access Control (MAC) And Physical Layer (PHY) Specifications, Retrieved July 4, 2005 from http://standards.ieee.org/getieee802/download/802.11-1999.pdf.

Internet Control Message Protocol (ICMP) (2005) Retrieved July 24, from http://www.erg.abdn.ac.uk/users/gorry/course/inet-ages/icmp.html.

Issac, B., Jacob, S.M. and Mohammed, L.A. (2005) ‘The art of war driving – a Malaysian case study’, Proceedings of the IEEE International Conference on Networks, Vol. 1, pp.124–129.

Jelena, M. and Peter, R. (2004) ‘A taxonomy of DDoS attack and DDoS defense mechanisms’, ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, pp.39–53.

Link Ferret Software (LFS) (2005) Retrieved July 8, from http://www.linkferret.ws/.

Mac Makeup Software (MMS) (2005) Retrieved July 14, from http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp.

McAfee (2005) Personal Firewall, Retrieved July 29, 2005 from http://www.mcafee.com/myapps/firewall/ov_firewall.asp.

Nachreiner, C. (2003) Anatomy of An ARP Poisoning Attack, Retrieved July 4, 2005 from http://www.watchguard.com/infocenter/editorial/135324.asp.

NetStumbler Software (NSS) (2005) Retrieved July 4, from http://www.netstumbler.org.

Packetyzer Software (PS) (2005) Retrieved July 9, from http://www.networkchemistry.com/products/packetyzer/.

Ping Flood Software (PFS) (2005) Retrieved July 4, 2005 from www.portalsec.com.

Thomas, W. (2004) Living in Wireless Denial – CIOs must Understand Wi-Fi’s Risks in Order to Mitigate Them, Retrieved July 4, 2005 from http://www.cio.com/archive/091504/et_article.html.

US/CERT (2005) Multiple Denial-of-Service Vulnerabilities in Cisco IOS, Retrieved July 4, from http://www.us-cert.gov/cas/techalerts/TA05-026A.html.

Wadlow, T.A. (2000) The Process of Network Security, Addison-Wesley, Massachusetts, USA.

Walker, J. (2000) Unsafe at Any Key Size: An Analysis of WEP Encapsulation, Retrieved July 12, 2005 from http://www.dis.org/wl/pdf/unsafe.pdf.

Williamson, M. (2002) ‘Throttling viruses: restricting propagation to defeat malicious mobile code’, 18th Annual Computer Security Applications Conference, Las Vegas, USA.

WLAN Attacks Explained (WLAN) (2003) Retrieved July 4, 2005 from http://neworder.box.sk/newsread.php?newsid=7628.

Zwicky, E.D., Cooper, S. and Chapman, D.B. (2000) Building Internet Firewalls, 2nd ed., O’Reilly, CA, USA.