DoS Attacks and Defense Mechanisms in Wireless Networks

Lawan A. Mohammed and Biju Issac

Abstract- Wireless networks are one of the fastest growing technologies. Here the users only need to have a mobile device with a wireless network adapter that negotiates with an Access Point or Base Station. Once authenticated and associated, the user can freely move around within the coverage area of the Access Point without losing data or network connection. On the negative side, these networks tend to have fuzzy boundaries, making it easy for an intruder to capture these transmission signals and also to send massive volumes of illegitimate traffic and utilize system resources in a way that renders the system inoperable, thus denying access to authorized users. This paper is twofold in its description. Firstly, it describes some of the major vulnerabilities associated with wireless networks. Secondly, it demonstrates different methods of achieving denial of service (DoS) attacks as they apply to wireless networks, and discusses and proposes different defense mechanisms so as to minimize the attacks.

Index Terms- DoS attack, Defense mechanism, Wireless Networks Vulnerabilities.

I. INTRODUCTION

Technological innovation in computing such as wireless or mobile networking has indeed opened up new dimensions of threat to system security. While many of the breaches of wired networks will be found in wireless networks, the nature of the wireless medium requires a degree of trust and cooperation between member nodes. If this cooperation is not guaranteed, a malicious user can exploit the weakness in order to deny service, collect confidential information, or disseminate unwanted or false information.

Denial of service is an attack on service availability, or denying authorized users access to the service provider. According to CERT/CC [1], it is an explicit attempt to prevent the legitimate user of a service from using that service. This can be categorized as follows: attempts to "flood" a network, thereby preventing legitimate network traffic; attempts to disrupt connections between two machines, thereby preventing access to a service; attempts to prevent a particular individual from accessing a service; and attempts to disrupt service to a specific system or person.

Manuscript received 31 May, 2005.
Lawan A. Mohammed is a lecturer in Swinburne University of Technology (Sarawak Campus), Jalan Simpang Tiga, 93576 Kuching, Malaysia (phone: +60-82-416353; fax: +60-82-423594; e-mail: lmohammed@swinburne.edu.my).
Biju Issac is also a lecturer in Swinburne University of Technology (Sarawak Campus), Jalan Simpang Tiga, 93576 Kuching, Sarawak, Malaysia.

Another term known as Distributed Denial of Service (DDoS) deploys multiple attacking entities (or agents) to attain the same goal. In this attack, the attacker installs DoS software on a number of servers, and these servers in turn attack the target server. The recent CSI/FBI report [2] shows that the most expensive computer crime over the past year was denial of service. Denial of service can result from unintentional action such as error or software bugs. For instance, it is reported in [3] that an older version of the Netscape Navigator HTML layout engine can be used to allocate gigabytes of memory. More recently, it is reported in US-CERT [4] that several denial-of-service vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). On the other hand, intentional DoS attacks are designed purposely to degrade the performance of the system [5].

This paper aims to bring to light some of the threats associated with Denial of Service (DoS) attacks in the wireless computing environment. Various methods of DoS attacks are explained and the impacts of such attacks are discussed. Methods of minimizing these attacks are also discussed. Besides that, other vulnerabilities associated with wireless networks are also described.

The paper is organized as follows. Section II discusses some of the general threats associated with wireless networks, with evidence from highway wardriving as well as from the weak security of WEP. Section III describes various DoS attacks on wireless networks; practical implementations of some attacks are also shown. The paper also highlights other generic DoS and DDoS attacks. The paper then proceeds to describe in Section IV how some defense mechanisms can minimize the flaws outlined in Section III. Finally, the paper concludes in Section V.

II. VULNERABILITY OF WIRELESS NETWORKS

It is a known fact that a wireless network has fuzzy boundaries, as the radio transmission coverage can reach places where intrusion or eavesdropping would be easy. With commercial sectors becoming increasingly reliant upon wireless systems, it is important to investigate some of the flaws associated with such systems. This section discusses some of the experiments conducted to show how vulnerable wireless networks are. The experiments conducted are as follows:

A. Highway Wardriving

We conducted wardriving with laptop computers on some of the highways. We went to different areas where wireless networks were detected and started capturing packets using the pre-configured laptops we had. The packets captured

Authorized licensed use limited to: Middlesex University. Downloaded on November 26,2023 at 16:20:04 UTC from IEEE Xplore. Restrictions apply.
were from different locations that included petrol stations, banks, financial institutions, shopping complexes and government organizations.

The configuration of the laptop and the other software and hardware used are shown in Table I below:

TABLE I
LIST OF WARDRIVING TOOLS USED

Equipment/Item               Specification
Laptop                       Acer laptop with Mobile Centrino processor, 256 MB RAM and 20 GB HDD.
Network Detection Software   NetStumbler 0.4.0
Packet Capturing Software    Link Ferret 3.10 (also analyzer)
Wireless Network Adapters    Onboard wireless network adapter and CISCO Aironet 350 series PCMCIA
Packet Analyzers             Ethereal 0.10.7 and Packetyzer 3.0.1

NetStumbler 0.4.0 software [6] and Link Ferret 3.10 software [7] were used for network detection and packet capturing respectively. A CISCO Aironet 350 series PCMCIA wireless adapter was fitted and configured. WinPcap software also needed to be installed for packet capturing to work. The Link Ferret software can be configured to capture packets from different channels with a huge buffer size, with an average packet size of around 64 bytes or more. NetStumbler was used to scan the wireless networks and to show details like MAC address, SSID name/network name, Access Point name and its details, details of encryption if enabled or the absence of it, the channel number, the time stamp, signal strength etc. The result of the wardriving was quite revealing.

B. Observations on Packets Captured

Packet capturing was done in various spots where wireless networks were detected through NetStumbler alerts. It was quite surprising that quite a number of wireless networks were working even without encryption. They simply had not enabled the WEP option.

As the headers of the wireless packet are not encrypted, they can reveal some interesting information. Sniffing and getting such details on a wired network is not that easy. The wireless frames/packets captured were a combination of Control Frames, Management Frames and Data Frames. Control and Management Frames were much more numerous in comparison to data frames. Packets/frames with their protocols and total number in brackets were as follows: IEEE 802.11 (228837), IEEE 802.1 (636), CDP (4), IEEE 802.2 (23603), IEEE SNAP (14410), ARP (2746), IP (9971), ICMP (347), IGMP (50), BOOTP (329), EGP (1), GRE (1), IPX (564), IPX RIP (14), UDP (3604), TCP (5442), NBNS (471), NBDS (288), NBSS (3763), IPX NETBIOS (18), NETBEUI (85), NCP (1), SMB (6), FTP (1), HTTP (693), HTTPS (279), DNS (113), OSPF (26), SSDP (290), NNTP (28), IPX SAP (78) and NMPI (11).

Critical information captured was source, destination and BSSID (or AP) MAC addresses; source, destination node and BSSID IP addresses; source and destination node open port numbers; checksum details; initialization vector (IV) value etc. This information in itself is not very sensitive, but some of it can be used to launch DoS attacks against a wireless LAN, as explained later. Eight captured packet files were analyzed; they are from seven different locations, captured at different times for around 30 minutes each. Quite a lot of unencrypted packets were collected. Overall, using NetStumbler software we located around 50 Access Points or peers in wireless networks without WEP encryption and 21 Access Points or peers with WEP encryption. A random password was used to intrude and connect to an encrypted peer wireless network. The laptop thus connected was assigned an IP address.

Packet analyzers like Ethereal [8], Packetyzer [9] and the Link Ferret monitor [7] software were used for the detailed analysis of packets. Filters were used to list out only the needed packets. Each of those packets could be analyzed with its detailed contents. Generally, the packet monitors or analyzers provide tools for monitoring and include packet sniffers for capture, and eventually do some protocol decoding and analysis of packets. From the packets captured in eight sessions, we found that the average number of unencrypted data packets per second is 2 and the average unencrypted data packet size is around 241 bytes [10].

C. Breaking of WEP-128 key

Several authors have reported the existence of flaws in the link-layer encryption algorithm associated with Wired Equivalent Privacy (WEP), which make it susceptible to attacks like analytic attacks and the cryptanalysis of the initial values used in the RC4 block cipher [11] and [12]. Further, keys can be cracked using tools such as AirSnort, WEPCrack, Aircrack etc., many of which are freely available on the Internet. Fig. 1 below shows the results we obtained in our 802.11b test bed by breaking the 128-bit static WEP key used, with ease, using Aircrack (version 2.1) software. The WEP-128 key was cracked by capturing around 4 million packets containing 264674 unique IVs in 2 seconds, as shown below.

Once the key is broken, various sensitive details can be known through decryption. That can include information to launch other DoS attacks too.

[Figure 1: screenshot of aircrack 2.1 output, reporting 264674 unique IVs (fudge factor 2), the per-byte-position vote table, and the "KEY FOUND!" line.]
Fig. 1. WEP-128 key cracked in 2 seconds.

D. Other Vulnerabilities

A vulnerability has been reported in hardware implementations of the IEEE 802.11 wireless protocol by IEEE-SA [13] that allows an effective attack against the availability of wireless local area network (WLAN) devices. An attacker using a low-powered, portable device such as an electronic PDA and a commonly available wireless networking card may cause significant disruption to all WLAN traffic within range, in a manner that makes identification and localization of the attacker difficult. The vulnerability is related to the

medium access control (MAC) function of the IEEE 802.11 protocol. WLAN devices perform Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), which minimizes the likelihood of two devices transmitting simultaneously. Fundamental to the functioning of CSMA/CA is the Clear Channel Assessment (CCA) procedure, used in all standards-compliant hardware and performed by a Direct Sequence Spread Spectrum (DSSS) physical (PHY) layer. An attack against this vulnerability exploits the CCA function at the physical layer and causes all WLAN nodes within range, both clients and access points (AP), to defer transmission of data for the duration of the attack. When under attack, the device behaves as if the channel is always busy, preventing the transmission of any data over the wireless network. It is reported in [14] that Wi-Fi Protected Access (WPA) is vulnerable to DoS attack. WPA uses mathematical algorithms to authenticate users to the network. If a user is trying to get in and sends two packets of unauthorized data within one second, WPA will assume it is under attack and shut down. A similar report on Wi-Fi's vulnerability can be found in [15].

A vulnerability was identified in the Nortel Networks VPN Router, which may be exploited by remote attackers to cause a denial of service. A similar vulnerability was identified in Microsoft Internet Explorer, which may be exploited by attackers to cause a denial of service. The flaw resides in the "jscript.dll" file, which does not properly handle malformed Javascript "onLoad" events and may be exploited via a specially crafted HTML page to crash the browser. It is also reported that TCP does not adequately validate segments before updating the timestamp value. If an attacker knows (or guesses) the source and destination addresses and ports of a connection between two peers, he can send spoofed TCP packets to either peer containing bogus timestamp options, as reported by the French Security Incident Response Team, FrSIRT [16]. Examples of DoS attacks on commercial web sites include Yahoo, eBay, Amazon, E*Trade and the like, as in CCIPS [17].

III. DoS ATTACKS

In general, DoS attackers rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service. Hence, the attacks are commonly launched from systems that are subverted through security-related compromises. Regardless of how well secured the victim systems may be, their susceptibility to the attack depends on the state of security in the rest of the global Internet, CERT/CC [1]. In general, DoS attacks exploit weaknesses in the operating system, network interface, software or Internet protocols. Further, attackers' objectives and interests differ. While some attackers are interested in re-routing messages, others might be interested in disrupting the whole network and degrading its performance, or jamming the radio by overloading the system with unwanted messages or packets.

Generally, denial-of-service attacks come in a variety of forms and the attackers have a variety of objectives. CERT/CC [1] described three basic types of DoS attacks: (1) consumption of scarce, limited, or non-renewable resources, (2) destruction or alteration of configuration information and (3) physical destruction or alteration of network components.

Practical implementations of attacks that are DoS in nature, or attacks that could lead to subsequent DoS attacks, are described below with other variants.

A. ARP Poisoning

In ARP Poisoning, an attacker can exploit ARP cache poisoning to intercept network traffic between two devices in the network. For instance, let's say the attacker wants to see all the traffic between host A and host B. The attacker begins by sending a malicious ARP "reply" (for which there was no previous request) to host B, associating his computer's MAC address with host A's IP address. Now host B thinks the attacker's computer is host A. Next, the attacker sends a malicious ARP reply to host A, associating his MAC address with host B's IP address. Now host A thinks that the hacker's computer is host B. Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from host A to host B. Instead of enabling IP forwarding, the attacker has the choice of drowning host B with any DoS attack, so that the communication actually happens between host A and the attacker (whom A thinks to be host B) [18].

[Figure 2: diagram of Host A (victim) and Host B (victim) on a workgroup switch, with the attacker laptop running Cain & Abel; the actual path and the forged path are marked.]
Fig. 2. Implementation of ARP Poisoning.

In order to perform ARP poisoning, 2 desktop computers and 1 laptop were used, as shown in Fig. 2 above. The two desktop computers acted as the victims while the laptop acted as the attacker. The attacker laptop was equipped with the Ethereal packet capturing software [8] and an ARP poisoning software known as Cain and Abel [19]. Host A sent continuous ICMP packets to host B by pinging it. It was observed in the Ethereal software on the attacker's machine that the ICMP packets were sent only between host A and the attacker, even though host A sent them to host B. In Cain and Abel, it was observed that the attacker could monitor the ICMP packets sent between those two computers. It showed that the sender has been fooled into sending ICMP packets to the attacker, which has a different set of MAC and IP addresses.

B. MAC Spoofing

In MAC spoofing, the attacker changes the manufacturer-assigned MAC address of a wireless adapter to the MAC address he wants to spoof. Mac Makeup [20] was the software we used to perform MAC spoofing. Fig. 3 shows how an attacker can enter the MAC address to spoof and press the Change button to change the

original MAC address. Later, by pressing the Remove button, the original MAC address can be restored. An attacker can learn the MAC address of a valid user by capturing wireless packets using any packet capturing software like Packetyzer, LinkFerret or Ethereal, by passively or actively observing the traffic. It was observed that upon successful MAC spoofing, besides the spoofed MAC address, the IP address assigned to the attacker's computer was identical to the IP address of the victim computer whose MAC address was being spoofed. In order to access the wireless network, the attacker had to perform a DoS attack to disconnect the target computer from its wireless connection.

[Figure 3: screenshot of Mac Makeup ver. 1.71d showing the adapter selection list, the MAC address entry field with the Change/Remove buttons, and the log of the permission check and interface scan.]
Fig. 3. Mac Makeup software (ver. 1.71d). Note the bogus MAC address (000e6a7b350c) that would be used.

We tested it as follows: the MAC address was spoofed on host A (attacker) using host B's MAC address. The attacker did a ping flood to host B and made it drown in ICMP packets. Host A then tried connecting to the access point with the spoofed MAC address of B and got connected.

[Figure 4: screenshot of the Association Table page of the CISCO Aironet 350 Series AP (AP350-577bb0, 172.20.122.79), listing the associated clients.]
Fig. 4. Association Table in CISCO Aironet 350 Series (802.11b) AP. Note the second row of entry for Generic 802.11, where the attacker successfully got connected to the AP with the spoofed MAC address.

Another software, as previously explained, that can be used to obtain a user's MAC address is NetStumbler. The software can also be used to show the details of different wireless networks.

C. Web Spoofing

In Web spoofing, the attacker convinces the victim that he is visiting a legitimate web site, when the web pages are created by the attacker or even hosted by the attacker's web server to eavesdrop on the victim. Information such as passwords and credit card numbers can thus be stolen. The attacker can achieve this by compromising the intranet server of company XYZ and redirecting some links to his web server. The other option is to send forged emails (email spoofing) with such links in them.

In email spoofing, we compromised an SMTP server (as SMTP servers can be configured without user authentication). The identity of the sender (attacker) is changed to that of a trusted employee. That mail could even have links in it that pointed to a 'familiar and original-looking' web page residing on a test web server (imitating the legitimate server). Scripts could then be written to get sensitive information from the victim.

D. ICMP Flooding

Internet Control Protocol or ICMP is used to report the delivery of Internet Protocol (IP) echo packets within an IP network [21]. It can be used for network troubleshooting purposes to show when a particular end station is not responding, when an IP network is not reachable, when a node is overloaded or when an error occurs in the IP header information etc. The typical DoS attack using ICMP is known as ICMP flooding. It involves flooding the buffer of the target computer with unwanted ICMP packets. In order to perform ICMP flooding, we tried to ping a Pentium 4 computer connected to a CISCO Aironet 350 access point using a 3Com wireless adapter.

[Figure 5: screenshot of the ICMP Ping Flood software window, pinging target 172.20.121.34 with 64-byte packets.]
Fig. 5. ICMP Ping Flood Software. One can enter the target IP address to flood, enter the number of ping packets, timeout etc. and press the start toggle button. Once started, it can be stopped by pressing stop.

We tested the DoS attack with the ICMP Ping Flood software [22] as shown above in Fig. 5. After less than an hour, we found that the computer failed to browse any websites although it was still connected to the wireless network. The excess and unwanted ICMP packets that flood the target computer's buffers caused this lack of response.

The resulting wireless network performance graphs are as shown. We compared the "Network utilization" of the wireless network with its normal utilization, as shown in Fig. 6 below.

[Figure 6: network utilization graph (y-axis 0 to 50%) against time, with the regions "During the attack" and "After the attack" marked.]
Fig. 6. Network Utilization (y-axis) vs. Time (x-axis) graph that shows the victim PC status during and after the ping flood attack (note that the graph drops after the attack).

In general, DoS attackers rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service. Hence, the attacks are commonly launched from systems that are subverted through security-related compromises. Regardless of how well secured the victim systems may be, their susceptibility to

the attack depends on the state of security in the rest of the global Internet, CERT/CC [1]. In general, DoS attacks exploit weaknesses in the operating system, network interface, software or Internet protocols. Further, attackers' objectives and interests differ. While some attackers are interested in re-routing messages, others might be interested in disrupting the whole network and degrading its performance, or jamming the radio by overloading the system with unwanted messages or packets. Some DoS attacks and their types are discussed below:

1) Flooding - The most common means of DoS attack is via flooding. Flooding is the generation of spurious messages to increase traffic on the network. We will consider SYN flooding, Ping of Death, Smurf attacks and Email flooding. In SYN flooding, the attacker sends a volume of connections that cannot be completed, causing the connection queues to fill up. This causes denial of service to other legitimate TCP users. A normal TCP session uses a three-way handshake. Firstly, the source sends a SYN packet to initiate the connection. The destination then responds with a SYN ACK packet, and a connection queue keeps track of waiting connections. Lastly, the destination should hear an ACK packet for the SYN ACK before the connection is established. When an attacker sends SYN packets with random source addresses toward the victim host, the connection queue of the victim host ends up with added entries corresponding to the SYN ACKs it has sent to 'non-existent' hosts. The last exchange of the TCP handshake never happens and the queue gets bigger, denying other TCP services like email, FTP, WWW etc. Another variant is the UDP flooding attack, consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This attack is also known as the "pepsi" attack (again named after the exploit program), and can cause network devices to use up a large amount of CPU time responding to these packets [23], [24].

In Ping of Death, the ping packet size would be bigger than the normal ping packet size (of 64 bytes) and would be around 65,536 bytes. An IP datagram of 65,536 bytes usually cannot be sent. But when the packet is fragmented into small pieces, sent and then rebuilt at its destination, the sheer size of the packet causes the buffer to overflow. The result can be a reboot, hang, etc.

In the Smurf attack, which is one of the most effective in the category of network-level attacks against hosts, the attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having the spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet. The 'smurf' attack's close relative is called 'fraggle', which uses UDP echo packets in the same way as the ICMP echo packets; it was a simple re-write of smurf [23], [24].

In E-mail flooding, the target system's e-mail address is placed on large junk mail servers so that the target server will be flooded with junk mail. Other devices that may be vulnerable to DoS attack include printers, tapes, and other network devices. Details of DoS taxonomy are described in [25].

2) Spoofing - There are different types of spoofing: ARP poisoning, MAC spoofing, IP address spoofing, Web spoofing and DNS spoofing. We have already seen ARP poisoning, MAC spoofing and Web spoofing in Sections III.A, III.B and III.C respectively. In IP address spoofing, the trust relationship between two hosts is exploited. The firewall of a victim may allow only packets with certain trusted source IP addresses. The attacker circumvents this by generating packets that have the source address of a trusted host. He may then drown the trusted host with a SYN flood so that it cannot respond. As the attacker cannot get the reply packets to his computer, he is faced with the challenge of guessing or narrowing down the correct sequence number from the initial sequence number (ISN) to further his attack. In DNS spoofing, the attacker directs the users to a compromised server where they are requested to enter sensitive information, similar to web spoofing. Here the attacker compromises the victim company's web server and changes the hostname-to-IP address mapping. When the users request the host name, they are directed to the attacker's server. Even corporate emails can thus be redirected to the attacker's mail server, which copies them before forwarding them to their final destination.

3) CPU and Memory attacks - These involve the use of memory-hungry code or infinitely looping code to crash the system. In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written. Buffer overflow vulnerabilities in many software products can be exploited to get this attack done.

4) Window Multiplication - A technique used to send images of goods for sale or pornographic images, in which, when the active window is closed, two or more windows are opened. These unwanted windows keep on multiplying, take up resources and, if not controlled, can bring that system to a halt.

5) Airwaves Jamming - A lot of equipment like microwave ovens, baby monitors, cordless phones etc. operates on the unregulated 2.4 GHz radio frequency band, which is the same as the 802.11b wireless LAN's operational frequency band. Hence commonly available consumer products can give hackers the tools for a simple and extremely damaging DoS attack. By injecting large amounts of noise from some of these devices that operate at 2.4 GHz, they can jam the airwaves and shut down a wireless LAN [26].

6) Disassociation attack - By configuring a wireless station to work as an Access Point, attackers can launch more effective DoS attacks. The attacker can then flood the airwaves with continuous disassociate commands that compel all stations within range to disconnect from the wireless LAN. In another variation, the attacker's malicious access point broadcasts periodic disassociate commands that cause a situation where stations are continually disassociated from the network, reconnected and disassociated again.

Session hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period. An attacker temporarily disables the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has. When he is done, he stops the DoS attack and lets the

legitimate user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds or a few minutes. Such hijacking can be achieved by using the forged Disassociation DoS attack as explained above.
7) EAP manipulation attack - The Extensible Authentication Protocol (EAP) can be manipulated by hackers to launch DoS attacks. There are several forms of attack where an attacker manipulates the EAP protocol by targeting wireless stations and access points with start commands, log-off commands, premature successful connection messages, failure messages etc., where the EAP protocol is modified [26].
8) System log manipulation attack - The system logs are our first source of information about what has occurred on our computer. There are many different possible system logging daemons, syslogd and syslog-ng (in UNIX) being the most popular. Both have a configuration file (/etc/syslog.conf and /etc/syslog-ng.conf respectively) that dictates where logs should be sent. You may just log everything to /var/log/messages. An attacker can purposefully spew your syslog server with uninteresting log entries to cause the logs to rotate out of existence and hide any of his earlier logged activities [27].
9) Distributed Denial of Service (DDoS) attack - There are several types of DDoS attacks, but their methods are very similar in that they rely on a large group of previously compromised systems to direct a coordinated distributed flood attack against a particular target.

TABLE II
DDOS TOOLS AND ATTACK TYPES
DDoS Tool | DoS Attack Type(s)
trinOO | UDP flood
TFN (Tribe Flood Network) | UDP bomb, SYN and ICMP flood and Smurf
TFN2K | UDP bomb, SYN and ICMP flood and Smurf
Stacheldraht ("Barbed Wire") | ICMP, UDP, and SYN floods
Shaft | UDP flood, SYN and ICMP flood
Mstream | Stream (ACK) flood

In preparation for these attacks, the attacker will compromise many systems (sometimes hundreds) on which the agent software can be loaded. The agent software is referred to as a "Zombie" program since it lies asleep until awakened.
The attacker then uses a master console to communicate with and configure the Zombie agents. At a specified time, all of the agents initiate an otherwise standard DoS attack against the intended target. The attack is so devastating because of the tremendous traffic volume generated by the "army" of agents. There are some DDoS tools available to attackers. Table II shows the name of each tool and the specific attack types that can be launched by each [28].

III. DEFENSE MECHANISM
The DoS method of attack has been known for some time. Defending against it, however, has been an ongoing concern. Though there is no known way at present to fully protect systems against DoS attacks, measures to reduce or minimize them may include disabling any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute the attack.

A. Against Spoofing
ARP poisoning or spoofing can easily happen because ARP packets are readily available in wireless networks, as they are broadcast to all without any authentication mechanism. Use network switches that have MAC binding features that store the first MAC address that appears on a port and do not allow this mapping to be altered without authentication.
Another alternative proposal that we make is to make ARP negotiation centralized (say, through a DHCP server and relays with an extended facility to answer/forward the ARP packets). Making the ARP request unicast can save a lot of congestion. Adding authentication to establish the identity of the sender or to guard against packet tampering makes it secure. ARP request packets can be sent to a central server which has the IP-MAC address mapping, and the server can send the ARP response to the requesting host with a strong digital signature using a collision-free one-way hash function. This can protect against tampering or injection of new forged ARP packets. Lastly, the host can send an encrypted acknowledgement with the timestamp of the server response. To prevent IP spoofing, disable source routing on all internal routers and use ingress filtering as explained below in Section C. Web spoofing depends mainly upon social engineering tricks, and it is thus important to educate users to be generally aware of the address window in a browser that displays the web address that they are directed to. That can help if some suspicious web site address comes up. DNS spoofing can be prevented by securing the DNS servers and by implementing anti-IP address spoofing measures [29].
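The centralized, authenticated ARP resolution proposed in Section A, as an added example that is not the paper's code: a resolver holds the IP-to-MAC table, answers unicast requests, and authenticates each reply with HMAC-SHA256 (a keyed one-way hash standing in for the digital signature the paper describes). The host verifies the tag and the timestamp before touching its cache and returns an acknowledgement carrying the server timestamp (the paper says encrypted; this example only authenticates it). The shared key, addresses, message layout and function names are this example's own assumptions.

```python
"""Centralized, authenticated ARP resolution (the Section A proposal).

Added example, not the paper's code. The shared key, table, message layout and
function names are this example's own assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key shared by resolver and hosts. HMAC-SHA256 is a keyed
# one-way hash standing in for the digital signature the paper proposes;
# a real deployment would use an asymmetric signature so hosts cannot forge.
RESOLVER_KEY = b"example-resolver-key-not-for-production"
MAX_AGE = 5.0   # seconds a reply stays acceptable; bounds replay of old replies

# Constructed IP-to-MAC table held centrally instead of learned from broadcasts.
ARP_TABLE = {
    "192.0.2.1": "02:00:00:00:00:01",    # gateway
    "192.0.2.10": "02:00:00:00:00:0a",
}


def _canonical(msg: dict) -> bytes:
    """Serialize deterministically so both sides hash identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes = RESOLVER_KEY) -> str:
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


def verify(msg: dict, tag: str, key: bytes = RESOLVER_KEY) -> bool:
    # constant-time comparison so tag checking does not leak timing
    return hmac.compare_digest(sign(msg, key), tag)


def resolver_answer(ip: str, now: Optional[float] = None) -> dict:
    """Resolver side: answer a unicast ARP request with a signed, timestamped reply."""
    now = time.time() if now is None else now
    body = {"ip": ip, "mac": ARP_TABLE.get(ip), "ts": now}
    return {"body": body, "sig": sign(body)}


def host_accept(reply: dict, cache: dict, now: Optional[float] = None) -> Optional[dict]:
    """Host side: verify the reply; on success update the cache and return the ack.

    Returns None (and leaves the cache untouched) for a forged, tampered, stale
    or negative reply, which is what a poisoning attempt looks like here.
    """
    now = time.time() if now is None else now
    body = reply.get("body", {})
    if not verify(body, reply.get("sig", "")):
        return None                      # tag does not match: tampered or forged
    if abs(now - body["ts"]) > MAX_AGE:
        return None                      # old reply being replayed
    if body["mac"] is None:
        return None                      # resolver has no binding for this IP
    cache[body["ip"]] = body["mac"]
    ack = {"ip": body["ip"], "server_ts": body["ts"], "host_ts": now}
    return {"body": ack, "sig": sign(ack)}   # acknowledgement echoing the server timestamp


if __name__ == "__main__":
    cache = {}
    reply = resolver_answer("192.0.2.1")
    print("genuine reply accepted:", host_accept(reply, cache) is not None, cache)
    forged = {"body": dict(reply["body"], mac="02:00:00:00:00:ff"), "sig": reply["sig"]}
    print("forged reply accepted:", host_accept(forged, cache) is not None, cache)
```

Because the MAC field is covered by the tag, an attacker on the same wireless segment who rewrites a genuine reply (or injects one of their own) cannot produce a valid tag without the key, and the timestamp check stops an old genuine reply from being replayed after the binding has changed.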

Fig. 7. DDoS attack architecture [27]. (Figure; only the caption survives extraction. The diagram shows the attacker's master console driving the Zombie agents, which flood the victim's computer with packets.)

B. Against Flooding attack
TCP SYN flooding on devices behind a firewall from hosts with random IP addresses is easy to counter, since an access list can block such IP addresses or blocks of them. But on a web or mail server with public Internet access, there is no way to check whether the incoming IP addresses are hostile or non-hostile, and there is no clear-cut solution, even though an Intrusion Detection System would be a choice. Some options available to hosts in such a case are: increase the connection SYN ACK queue, decrease the time-out waiting


for the 3-way handshake, and employ vendor software patches, if available [30].
A combination of Host-based Intrusion Detection System (HIDS) and Network-based Intrusion Detection System (NIDS) can greatly help, especially against all flooding attacks. HIDS can be placed on critical servers and NIDS can be placed on one or more network segments. A signature detection scheme would be good at detecting any known attacks. Alerts arising from any suspicious activity can be intimated to the administrator immediately. NIDS reactions can also be TCP resets, IP session logging and blocking. The HIDS approach looks into log files and file checksums and intercepts requests to the operating system for system resources before they can proceed. Signatures and generic rules help in anomaly detection. Open server ports can also be monitored for excess or abnormal traffic. Firewalls are an excellent form of protection; however, they must leave some ports open to allow the operation of the web, mail, ftp, and other Internet based services, and these are the paths exploited by most of the vulnerabilities.

Fig. 8. General Intrusion Detection or Prevention Architecture Flow chart. (Figure; only the caption and box labels survive extraction. The flow is: process the packets; match them against a known-attack signature database with online updating; check the threshold values set for various network parameters, tuned under full network load with mock attacks; if a threshold is exceeded, take action such as preventing the attack (e.g. closing the port), alerting the administrator and logging the activity in detail; otherwise release the relevant resources.)

We propose a general architecture for an Intrusion Detection or Prevention System, especially against flooding attacks or similar types, as shown in the flow chart (Fig. 8). Fine tuning can be done with the ability for self-learning and correcting false decisions through a statistical/AI approach as it lives longer in the network. Initially, a test installation can be done and a variety of mock DoS attacks can be performed. During the test period (say, 3 months), the suspicious attacks are only alerted to the administrator. When satisfactory attack reaction results are obtained, it can be installed and made active.

C. Against DDoS attack
Install the updated security patches from software vendors. Install antivirus software with up-to-date signatures on all mail servers to keep out email worms that could be DDoS tools. Firewalls and routers can provide a great degree of protection through ingress (inbound) and egress (outbound) filtering, for example by stopping spoofed packets with fake source addresses from leaving the network. Use an egress filter in the network firewall and/or router and make sure whatever leaves the network only has source addresses that belong to the network, and use an ingress filter to confirm that packets coming into the network have source addresses that are not on the inside network. If the attack is unsophisticated, there might be a specific signature to the traffic. A careful examination of captured packets, say through NIDS, sometimes reveals a trait on which you can base either router ACLs (access control lists) or firewall rules. Additionally, a large amount of traffic may originate from a specific provider or core router. If that is the case, one might consider temporarily blocking all traffic from that source, which should allow a portion of legitimate activity through. One would also be blocking "real" packets, or legitimate traffic, but this may be an unavoidable sacrifice. The following steps [24] could prevent a network from attacking others without any control:
--Filter the packets coming into your networks destined for a broadcast address
--Turn off directed broadcasts on all internal routers (preventing smurf attacks)
--Block any packet from entering that has a source address in the RFC 918 address space (10.0.0.0, 172.16.24.0 and 192.68.0.0) or the loopback address 127.0.0.0
--Block at the firewall any packet that uses a protocol or port that is not used for Internet communication in the local area network.
--Block packets with a source address originating inside the network from entering the network.

D. Against Eavesdropping
WEP 128-bit encryption with TKIP (enabling dynamic WEP key rotation) and RADIUS authentication should be activated. PEAP with MSCHAPv2 authentication is a good option. Tests should be regularly conducted to determine how far the system's signal leaks outside of the building, and the transmitter power then adjusted accordingly until the leakage is eliminated or reduced to the point that it would be easy to locate a hacker. Directive access point antennas should be aimed towards the inside of the building.

E. Other General Precautions
Highly sensitive information should also be removed from public networks, and connection time should be limited. Packets and their flow should be closely checked and monitored. Another measure is to limit system resource allocation. Software manufacturers generally set the limit for resources at a high level to allow maximum performance.
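Sections B and C above, as one added example that is not code from the paper or from [24]: a border filter that applies the five listed rules (the list's "RFC 918" entry corresponds to the private ranges of RFC 1918, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, plus loopback) and then feeds the surviving inbound packets to the threshold stage of the Fig. 8 architecture, which counts half-open SYNs per source. During the test period the detector only records an alert; once made active it also adds the source to a block list, the ACL-style reaction the text describes. The site prefix, allowed ports, threshold value and sample traffic are constructed for this example.

```python
"""Border filter (Section C) feeding the threshold stage of Fig. 8 (Section B).

Added example, not code from the paper. The site prefix, allowed ports,
threshold and sample traffic are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

INSIDE = ipaddress.ip_network("198.51.100.0/24")   # constructed site prefix
# RFC 1918 private ranges plus loopback: never a valid source from the Internet
BOGON = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWED_PORTS = {25, 80, 443}   # constructed: ports this site uses for Internet communication
SYN_THRESHOLD = 20              # half-open SYNs per source; tuned during mock attacks


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str        # TCP flags, e.g. "S" (SYN), "A" (ACK)
    direction: str    # "in" (Internet -> site) or "out" (site -> Internet)


def filter_reason(p: Packet) -> Optional[str]:
    """Return None to accept, otherwise the Section C rule that drops the packet."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.direction == "in":
        if dst == INSIDE.broadcast_address:
            return "broadcast destination"          # smurf amplification
        if any(src in net for net in BOGON):
            return "bogon source"
        if src in INSIDE:
            return "inside source from outside"     # spoofed
        if p.dport not in ALLOWED_PORTS:
            return "unused port"
    elif src not in INSIDE:
        return "egress source not ours"             # do not let spoofed packets leave
    return None


class FloodDetector:
    """Threshold stage of Fig. 8: count half-open SYNs per inbound source."""

    def __init__(self, threshold: int = SYN_THRESHOLD, active: bool = False):
        self.threshold = threshold
        self.active = active            # False = test period, alert only
        self.half_open = defaultdict(int)
        self.alerted = set()
        self.alerts = []
        self.blocked = set()

    def observe(self, p: Packet) -> None:
        if p.direction != "in":
            return
        if "S" in p.flags and "A" not in p.flags:
            self.half_open[p.src] += 1                              # new half-open connection
        elif "A" in p.flags:
            self.half_open[p.src] = max(0, self.half_open[p.src] - 1)  # handshake completed
        if self.half_open[p.src] > self.threshold and p.src not in self.alerted:
            self.alerted.add(p.src)
            self.alerts.append(f"SYN flood suspected from {p.src}")  # alert administrator
            if self.active:
                self.blocked.add(p.src)                             # take action: ACL-style block


def process(packets, detector: FloodDetector):
    """Run packets through the filter, then the detector; return (drops by reason, accepted)."""
    dropped = defaultdict(int)
    accepted = 0
    for p in packets:
        if p.src in detector.blocked:
            dropped["blocked by detector"] += 1
            continue
        reason = filter_reason(p)
        if reason is not None:
            dropped[reason] += 1
            continue
        accepted += 1
        detector.observe(p)
    return dict(dropped), accepted


def sample_traffic():
    """Constructed traffic: a well-behaved client, five rule violations, one SYN flood."""
    pk = []
    for _ in range(5):                                   # client completing handshakes
        pk.append(Packet("203.0.113.5", "198.51.100.10", 80, "S", "in"))
        pk.append(Packet("203.0.113.5", "198.51.100.10", 80, "A", "in"))
    pk += [
        Packet("10.1.1.1", "198.51.100.10", 80, "S", "in"),        # RFC 1918 source
        Packet("198.51.100.7", "198.51.100.10", 80, "S", "in"),    # our prefix, from outside
        Packet("203.0.113.9", "198.51.100.255", 80, "S", "in"),    # broadcast destination
        Packet("203.0.113.9", "198.51.100.10", 6667, "S", "in"),   # port not in use
        Packet("192.168.0.4", "203.0.113.9", 80, "S", "out"),      # spoofed outbound
    ]
    pk += [Packet("203.0.113.77", "198.51.100.10", 443, "S", "in") for _ in range(30)]
    return pk


if __name__ == "__main__":
    for active in (False, True):
        det = FloodDetector(active=active)
        print("active" if active else "test mode", process(sample_traffic(), det), det.alerts, sorted(det.blocked))
```

Running it in test mode accepts all 30 flood SYNs and raises one alert; in active mode the same traffic is cut off after the threshold is crossed, so only the first 21 SYNs reach the server and the remaining 9 are dropped by the block list. The completed handshakes of the legitimate client never accumulate, which is the distinction between a busy client and a half-open flood.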


Routers should be thoroughly filtered, and a firewall can be used to filter forged requests before they reach the server, as described in [31]. Network monitoring and denying access to foreign stations that try to join the network should be done frequently. It is also important to check and remove application bugs and to update protocol installations to prevent intrusion. MAC addresses in the AP or RADIUS server should also be filtered. In addition, DoS detection tools, such as AirDefense and AirMagnet, should be deployed. Regular backup schedules and policies should be established. Others include downloading and installing security patches, firewall systems as in McAfee [32], intrusion detection systems as in Axelsson [33], and virus and worm defense systems as in Williamson [34]. Finally, it is important to scan the system frequently to ensure that it is not vulnerable to an unexpected attack.

F. Manual way to respond to DoS attack
If all the precautions taken fail and one faces DoS attacks, one can do the following for a possible graceful shutdown: firstly, absorb the attack, which calls for planning additional capacity before an attack begins; secondly, degrade non-critical services or even disable them (if necessary); and thirdly, shut down services until the attack has subsided.

IV. CONCLUSION
This paper shows that DoS attacks are much easier to launch on wireless networks than on wired networks. This is typically due to the nature of wireless communication, as packets frantically move around in the air. The paper also comprehensively explained different DoS attacks, some of which we implemented in our lab, and also explained a full set of effective defense mechanisms; further, the paper also proposed some mechanism against ARP poisoning and an IDS or IPS architecture that could help against such attacks.

REFERENCES
[1] CERT/CC, "Denial of Service Attacks", Available Online, 2001.
[2] CSI/FBI, "Computer Crime and Security Survey", Ninth Annual Report, 2004.
[3] Garfinkel, S. and Spafford, G., Web Security and Commerce, O'Reilly, USA, 1997.
[4] US/CERT, "Multiple Denial-of-Service Vulnerabilities in Cisco IOS", Available Online, 2005.
[5] T. A. Wadlow, The Process of Network Security, Addison-Wesley, Massachusetts, USA, 2000.
[6] NetStumbler software and website details.
[7] LinkFerret software and website details: linkferret.ws/
[8] Ethereal software details.
[9] Packetyzer software details.
[10] Biju Issac, Seibu Mary Jacob and Lawan A. Mohammed, "The Art of War Driving", unpublished.
[11] Walker J., "Unsafe at Any Key Size: An Analysis of WEP Encapsulation", Technical Report, IEEE 802.11 committee.
[12] S. Fluhrer, I. Mantin and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4", Proc. of Selected Areas of Cryptography (SAC), 2001.
[13] IEEE-SA Standards Board, "IEEE Std 802.11-1999, Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", Available Online, 1999.
[14] Jim Geier, "Denial of Service a Big WLAN Issue", Available Online, 2003.
[15] W. Thomas, "Living in Wireless Denial - CIOs must understand Wi-Fi's risks in order to mitigate them", Available Online.
[16] French Security Incident Response Team (FrSIRT), "Nortel Networks VPN Router 600 Denial of Service Vulnerability", Available Online, 2005.
[17] "Computer Crime and Intellectual Property Section (CCIPS)", Available Online, 2000.
[18] Corey Nachreiner, "Anatomy of an ARP Poisoning Attack", Available Online, 2003.
[19] Cain & Abel software and website details: www.oxid.it
[20] Makeup software and website details.
[21] Internet Control Message Protocol (ICMP).
[22] ICMP Ping Flood software, by QX-Mat.
[23] Craig A. Huegen, "The latest in denial of service attacks: 'smurfing' description and information to minimize effects", Available Online, 2000.
[24] Craig A. Huegen, "Network-Based Denial of Service attacks (Cisco Systems)".
[25] M. Jelena and Peter R., "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, pp. 39-53, 2004.
[26] "WLAN Attacks Explained", Available Online.
[27] Brian Hatch, "Preventing Syslog Denial of Service attacks", Available Online, 2003.
[28] "Distributed Denial of Service" (by Trinity Security), Available Online.
[29] Paul Campbell, Ben Calvert and Steven Boswell, Security+ Guide to Network Security Fundamentals, Thomson Course Technology, 2003, pp. 47-84.
[30] Cisco White Paper, "Defining strategies to protect against TCP SYN Denial of Service Attacks", 2004.
[31] E. D. Zwicky, S. Cooper and D. B. Chapman, Building Internet Firewalls, 2nd ed., O'Reilly, CA, USA, 2000.
[32] McAfee Personal Firewall, Available Online.
[33] S. Axelsson, "Intrusion Detection Systems: A Survey and Taxonomy", Tech. Report 99-15, Dept. of Computer Engineering, Chalmers University, 2000.
[34] M. Williamson, "Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code", 18th Annual Computer Security Applications Conference, 2002.

Lawan A. Mohammed is a lecturer in the School of IT and Multimedia at Swinburne University of Technology (Sarawak Campus), Malaysia. He received his PhD in Computer and Communication Systems Engineering from University Putra Malaysia (U.P.M) in 2004. He is also the Head of the Smartcard Research Group in the iSecures Lab at Swinburne University Sarawak. His main research focuses on the design of authentication protocols for secure e-commerce, wireless/mobile networks, cryptography and smart cards. His e-mail address is:

Biju Issac is also a lecturer in the School of IT and Multimedia at Swinburne University of Technology (Sarawak Campus), Malaysia. He holds a degree (BEng) in Electronics and Communication Engineering from Bharathiar University, India and a master's degree in Computer Applications from Calicut University, India (1995). He is also the Head of the Network Security Research Group in the iSecures Lab at Swinburne University Sarawak. His research interests are in wireless and network security, wireless mobility and IPv6 networks. Currently he is a part-time PhD student in Networking and Mobile Communications at UNIMAS, Malaysia. His e-mail address is:
