Denial of Service


Introduction

Wireless solutions are in great demand as organizations seek to become more flexible and productive. Employees are increasingly accessing their organization’s network from home wireless networks or public wireless “hotspots”.

Organizations today are increasing their dependence on wireless networks in order to operate and maintain a cost effective and competitive advantage. Wireless networks offer organizations mobility, allowing their users to physically move about whilst maintaining a connection to the organization’s wireless network. There is also a cost saving when compared with the traditional installation of a wired network. However, organizations need to control and prevent their network and systems from being exposed to wireless attacks.

Many organizations overlook the potential impact of a Denial of Service (DoS) attack against their wireless networks. Wireless networks can be very vulnerable to DoS attacks and the results can be anything from degradation of the wireless network to a complete loss of availability of the wireless network within the organization.

It does not require much expertise or expensive equipment to launch a DoS attack against an organization. These attacks could be launched by competitors, for political reasons, as part of a combined attack, or simply out of an attacker’s frustration at not being able to break into an organization’s network.

DoS attacks can be launched from inside an organization or from the outside at great distance using readily available standard wireless equipment. It is also much harder to physically secure wireless networks in the same way that wired networks can be.

Background

Since the ratification of the IEEE 802.11i standard in 2004, organizations have been able to improve security on their wireless networks by making use of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP uses AES (Advanced Encryption Standard) as opposed to the RC4 stream cipher found in implementations of WEP (Wired Equivalent Privacy) and TKIP (Temporal Key Integrity Protocol). However, the protection offered by 802.11i applies only to data frames and does not provide any protection for the management frames. It is these unprotected management frames that can lead to DoS attacks against an organization’s wireless network.

Unencrypted management frames can disclose important pieces of information to an attacker, including details about the type of wireless equipment in use on the wireless network and configuration settings.

It is important to classify the types of wireless DoS attacks that an attacker can carry out against an organization’s wireless network. DoS attacks can target many different layers of the Open Systems Interconnection (OSI) model. These include the Application Layer 7, Transport Layer 4, Network Layer 3, Media Access Control (MAC) Layer 2 and lastly the Physical Layer 1. The wireless clients themselves can also be the target of a wireless attack.

Application Layer 7 attacks

An Application layer DoS attack can be carried out on a wired or wireless network. It is achieved by an attacker sending large amounts of legitimate requests to an application. For example, an HTTP flood attack can make hundreds of thousands of page requests to a web server, which can exhaust all of the server’s processing capability. With an HTTP flood attack, an attacker sends a SYN packet, and the target system responds with a SYN ACK. The attacker completes the three-way handshake with an ACK packet and then issues an HTTP GET request for a common page on the target system. This process, amplified on a wireless network, can cause a very high computational load on the target system and may result in anything from degradation of the wireless network to a complete loss of availability of the application. One of the best examples of an HTTP flood attack was the MyDoom worm, which targeted many thousands of sites. In the case of MyDoom, 64 requests were sent every second from every infected system. With thousands of infected systems, the attack can prove to be overwhelming.

Transport Layer 4 attacks

A Transport layer DoS attack can be carried out on a wired or wireless network. A transport layer DoS attack involves sending many connection requests to a target host. This attack is targeted against the operating system of the victim. It is very effective and extremely difficult to trace back to the attacker because of the IP spoofing techniques used.

An example transport layer attack is the TCP SYN flood. When a normal TCP connection starts, the client sends a SYN packet from a specific port to a server port that is in a listening state. The server then sends back a SYN ACK. The server waits for an ACK acknowledging the SYN ACK before the connection can be established. This is known as the TCP three-way handshake (see Figure 1).


Figure 1

However, the problem with the TCP three-way handshake process is that systems allocate resources to connections that have not been fully established – these are also known as half-open connections. Too many of these potential connection requests can exhaust all resources allocated to setting up a connection. When the SYN flood attack starts, attackers will send large amounts of SYN packets to the target system. These SYN packets can be from spoofed source addresses of unreachable systems. If the attacker is spoofing source addresses from systems that are unreachable, the target system will attempt to complete the session by sending back SYN ACK packets which will never be acknowledged or reset (ACK or RST packets).

The target system is now committed to setting up a connection, and this attempted connection will only be removed from the queue after the connection establishment timer expires. The three-way handshake is therefore never completed, and the system under attack will not be able to clear the queue before receiving new SYN requests. If the attacker generates SYN packets at a very rapid rate from spoofed source addresses of unreachable systems, it is possible to fill up the connection queue and deny TCP services to legitimate users on the wireless network, degrading the wireless network.
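To make the queue arithmetic above concrete, here is an added model (not code from the paper) of a listener’s half-open connection queue under a spoofed-source SYN flood; it also shows the general rule that the queue fills whenever the SYN rate exceeds backlog size divided by the establishment timer. The 128-entry backlog, the 60-second timer and all addresses are assumed example values.

```python
# Added illustration, not the paper's code: a listener's half-open (SYN_RECV)
# queue under a spoofed-source SYN flood. Backlog size, timer and addresses
# are constructed example values.
def simulate_backlog(events, backlog=128, timeout=60.0):
    """events: (time_s, src, kind) tuples, kind 'syn' or 'ack'.
    Returns completed handshakes, SYNs dropped because the queue was full,
    and the peak number of half-open entries."""
    half_open = {}                     # src -> time its SYN entered the queue
    stats = {"accepted": 0, "dropped": 0, "peak": 0}
    for t, src, kind in sorted(events):
        # Connection establishment timer: forget entries whose SYN ACK was
        # never acknowledged (or reset) within `timeout` seconds.
        for stale in [s for s, t0 in half_open.items() if t - t0 >= timeout]:
            del half_open[stale]
        if kind == "syn":
            if len(half_open) >= backlog:
                stats["dropped"] += 1      # queue full: the SYN is lost
            else:
                half_open[src] = t
                stats["peak"] = max(stats["peak"], len(half_open))
        elif kind == "ack" and src in half_open:
            del half_open[src]             # handshake completed, slot freed
            stats["accepted"] += 1
    return stats

def flood_events(rate, duration, start=0.0):
    """Spoofed SYNs from unreachable hosts at `rate`/s that are never acknowledged."""
    n = int(rate * duration)
    return [(start + i / rate, f"10.0.{i // 256}.{i % 256}", "syn") for i in range(n)]

def legit_events(src, t):
    """A real client: SYN, then the ACK completing the handshake 10 ms later."""
    return [(t, src, "syn"), (t + 0.01, src, "ack")]

if __name__ == "__main__":
    # 10 spoofed SYN/s against a 128-entry backlog with a 60 s timer: the
    # queue is full after 12.8 s, so a client arriving at t=29 s is refused.
    print(simulate_backlog(flood_events(10, 30) + legit_events("192.0.2.10", 0.5)
                           + legit_events("192.0.2.11", 29.0)))
    # 2 SYN/s is below backlog/timeout (128/60 ≈ 2.13/s): the timer keeps up.
    print(simulate_backlog(flood_events(2, 120) + legit_events("192.0.2.12", 100.0)))
```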

Network Layer 3 attacks

A Network layer DoS attack can be carried out on a wired or wireless network. If a wireless network allows any client to associate to it, the wireless network could be vulnerable to a network layer attack. A network layer DoS attack is achieved by sending a large amount of data to a wireless network. This type of attack targets the wireless network infrastructure of the victim. A good example of a network layer attack is the ICMP flood.

The ICMP flood attack works by an attacker sending ICMP ECHO REQUEST packets to the target wireless system faster than it can respond to them. If the attacker spoofs the source IP address, then the attacker can use all of its resources just to send packets, while the target wireless system has to use all of its resources to process them. If the attacker makes use of thousands of systems to perform this attack, the target wireless system may be brought down.

The attack will quickly consume all available bandwidth, resulting in legitimate users being unable to access wireless services.

Media Access Control (MAC) Layer 2 attacks

On an 802.11 network, an attacker can transmit packets using a spoofed source MAC address of an access point. The recipient of these spoofed frames has no way of telling if they are legitimate or illegitimate requests and will process them. The ability to transmit spoofed management frames allows MAC layer DoS attacks to take place.

Two such MAC layer attacks are the authentication/association flood attack and the deauthentication/disassociation flood attack.

Authentication/Association flood attack

During the authentication/association flood attack, an attacker uses spoofed source MAC addresses that attempt to authenticate and associate to a target access point. The attacker repeatedly makes authentication/association requests, eventually exhausting the memory and processing capacity of the access point leaving clients with little or no connection to the wireless network.

The void11 tool will execute an authentication/association flood attack against a target. When the attacker is equipped with a high-gain antenna, void11 could be used to target many access points in a specific area.

Deauthentication/Disassociation flood attack

In a deauthentication/disassociation flood attack, an attacker transmits spoofed frames with the source address of the access point. When the recipient receives the frames, they will disconnect from the network and attempt to reconnect. If the attack is sustained, the clients will be unable to maintain a connection to the wireless network.

The deauthentication/disassociation flood attack targets one or all users on a specific BSSID (MAC address of the access point).

The file2air tool written by Joshua Wright will execute a deauthentication flood attack against a target by the repeated transmission of a deauthenticate frame to a specified target. The victim is then unable to reconnect to the wireless network.

To use the file2air tool for a deauthentication flood DoS attack against a victim, the attacker needs to locate the network BSSID (MAC address of the access point) that they want to attack. This information can be gained by sniffing the network using protocol analyser tools such as tcpdump or Wireshark (formerly Ethereal).

Implementing the deauthenticate flood attack is straightforward. An attacker runs the file2air command specifying an interface name to transmit the packet on, the driver the interface is using, the supplied deauth.bin file, channel number, number of packets to transmit, timing between packets, victim’s destination address, spoofed source address and finally the BSSID. File2air will then inject the traffic until the packet count is exceeded.

The aircrack-ng suite also includes aireplay-ng, which can be used to send deauthentication packets to one or more clients that are currently associated with a particular access point. To find out which clients are currently associated with an access point, wireless auditing tools such as Kismet can be used. In the screenshot below, Kismet has been used to identify an access point that has wireless clients associated with it. The aireplay-ng tool can then be used to send deauthentication packets to the targeted wireless client.

Physical Layer 1 attacks

A physical layer attack ideally requires the attacker to be inside or very close to the target wireless network. Any network that relies on a shared medium is subject to DoS attacks from other devices sharing the same medium. When one device saturates the medium, other clients will find it difficult to communicate. An attacker using a laptop equipped with a high-output wireless client card and a high-gain antenna can launch a physical medium attack on an organization’s wireless network by generating enough RF noise to reduce the signal-to-noise ratio to an unusable level, saturating the 802.11 frequency bands. The jamming device could also be a custom-built transmitter.

For example, a Power Signal Generator (PSG), which is used to test antennas, cables and connectors for wireless devices, can be turned into a wireless jamming device when connected to a high-gain antenna.

It is not possible to stop someone from transmitting on the same frequencies used by wireless networks. Disruptions to organizations can also be caused by noise from everyday household items such as microwave ovens, cordless phones, or any other appliance that operates in the 2.4 GHz or 5 GHz radio frequency bands that 802.11 networks make use of.

There are also problems with Bluetooth networks, which make use of the same ISM band as 802.11b and 802.11g wireless networks. For example, the Direct Sequence Spread Spectrum (DSSS) modulation in 802.11b is susceptible to interference from the Frequency Hopping Spread Spectrum (FHSS) modulation used in Bluetooth networks.

As a last resort, if an organization’s access point can be physically located by an attacker, the access point or its antenna can itself become the target of a physical attack, leaving the clients with little or no connectivity.

Client attacks

Client attacks are attacks against the wireless stations themselves. For example, an attacker can set their Service Set Identifier (SSID) to be the same as that of an access point located at a wireless hotspot or on a corporate wireless network. Then, by directing a DoS attack against the access point, for example by creating RF interference around it, legitimate users will lose their connections to the wireless hotspot or the organization’s wireless network and re-connect to the attacker’s access point. This is known as the “evil twin” attack. A feature of Microsoft Windows XP SP1 clients is that they will automatically roam, authenticate and associate to an access point with a stronger signal. The outcome of an “evil twin” attack can vary. As the attacker’s access point is not connected to the organization’s network, the victims will lose their connections to the legitimate access point when they re-connect to the attacker’s access point. Additionally, an “evil twin” can present users with fake login pages, allowing the attacker to collect user credentials and intercept all the traffic to that device, potentially stealing sensitive data belonging to an organization.

It is also relatively easy for an attacker to have a software-based access point running on their laptop. This allows a wireless card to perform all the functions of a hardware-based access point. Coupled with an antenna, this can produce a stronger signal level than the victim’s access point even when the attack is mounted from a significant distance. For example, Airsnarf is a simple rogue wireless access point utility that is designed to demonstrate how a rogue access point can steal usernames and passwords by simulating popular public wireless hotspots.

While client attacks tend to target individual stations on a wireless network, it is possible to extend an attack to a larger number of victims by using broadcast destination addresses.

Defensive measures

The protection offered by 802.11i does not defend against the attacks that we have discussed so far in this paper. Deploying a Wireless LAN Intrusion Detection System (WLAN IDS) goes some way towards identifying DoS attacks, although it cannot actually stop an attack that is taking place. A WLAN IDS monitors the wireless environment with the help of sensors placed at strategic points. They can generate detailed reports about signal quality, signal-to-noise ratio and channel usage. The presence of an attacker can be identified and, ideally, administrators within the organization alerted. Having three or more appropriately placed sensors allows triangulation methods to be applied to approximately locate the source of a transmission.
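The kind of check a WLAN IDS sensor would run over captured management frames to spot the authentication/association and deauthentication/disassociation floods described under MAC layer attacks, as an added example that is not code from the paper or from any tool it names. It parses the raw 802.11 management header (frame control, DA, SA, BSSID) and raises an alert when the count of one flood class aimed at a BSSID crosses a rate threshold inside a sliding window; the MAC addresses, thresholds and the sample capture are all constructed.

```python
import struct
from collections import defaultdict, deque

# Added detection example (not the paper's code): parse raw 802.11 management
# headers and flag deauth/disassoc or auth/assoc floods per BSSID. Constructed data.
SUBTYPES = {0: "assoc-req", 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
FLOOD_CLASS = {"deauth": "deauth/disassoc", "disassoc": "deauth/disassoc",
               "auth": "auth/assoc", "assoc-req": "auth/assoc"}

def parse_mgmt_header(frame):
    """(subtype, dst, src, bssid) for a management frame, else None.
    Frame control byte 0 = subtype<<4 | type<<2 | version; type 0 is management."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    return SUBTYPES.get(frame[0] >> 4, "other"), mac(4), mac(10), mac(16)

def detect_floods(records, window=1.0, threshold=20):
    """records: (time_s, raw_frame). Emits an alert each time the count of one
    flood class aimed at a BSSID reaches `threshold` within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for t, frame in sorted(records, key=lambda r: r[0]):
        parsed = parse_mgmt_header(frame)
        if parsed is None or parsed[0] not in FLOOD_CLASS:
            continue                       # beacons, data frames etc. are ignored
        key = (parsed[3], FLOOD_CLASS[parsed[0]])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:           # slide the window forward
            q.popleft()
        if len(q) == threshold:            # rate threshold crossed
            alerts.append((t, key[0], key[1], len(q)))
    return alerts

def mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Minimal 24-byte management header plus body, used only as test input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + mac(dst) + mac(src) + mac(bssid) + b"\0\0" + body

AP, STA, BCAST = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"

def sample_capture():
    """Constructed capture: beacons, a data frame, one genuine deauth (reason 3,
    station leaving), then 30 broadcast deauths spoofing the AP within 0.3 s."""
    recs = [(i * 0.1, mgmt_frame(8, BCAST, AP, AP)) for i in range(5)]
    recs.append((0.25, bytes([0x08, 0]) + b"\0" * 22))
    recs.append((1.0, mgmt_frame(12, STA, AP, AP, struct.pack("<H", 3))))
    recs += [(5.0 + i * 0.01, mgmt_frame(12, BCAST, AP, AP, struct.pack("<H", 7)))
             for i in range(30)]
    return recs
```

Running `detect_floods(sample_capture())` returns a single alert for the AP's BSSID at the 20th burst frame; the lone genuine deauth at 1.0 s has left the window by then and is not counted.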

To defend against physical attacks, strategic placement of access points is crucial. Mounting access points at height will at least prevent attackers from easily reaching and destroying the access point. Aiming directional access point antennas towards the inside of the building will help to contain the Radio Frequency (RF) signal.

Organizations can help to protect a wireless network against DoS attacks by making their buildings as resistant as possible to incoming radio signals. Installation of metallic window tint instead of blinds or curtains can help prevent RF leakage and block incoming radio signals.

The use of metallic-based “Wi-Fi proof wallpaper” and “Wi-Fi paint” on interior or exterior walls will also reduce RF leakage and incoming radio signals. Wi-Fi proof wallpaper has been designed to control the transmission of RF signals. It can be incorporated into properly screened rooms and acts as an RF window which can be turned on and off. This allows control over the way systems using Wi-Fi, or indeed mobile phones, may be accessed. Wi-Fi paint is available that is water based and approved as a TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions) countermeasure by the National Security Agency (NSA).

It is always good security practice for an organization to carry out wireless audit testing on its wireless network. This will determine how far the RF signal actually extends outside the organization, and the RF signal power levels can then be adjusted until the leakage is eliminated or reduced to the point where it would be hard for an attacker to carry out attacks on the wireless network.