802.11 Security
This excerpt was reprinted with permission from O'Reilly & Associates. For more information or to order the book "802.11 Security," visit the O'Reilly online catalog.
By Bruce Potter and Bob Fleck
O'Reilly & Associates, December 2002
Chapter 2: Attacks and Risks
802.11 networks have unique vulnerabilities that make them an ideal avenue of attack. Wireless networks cannot be physically secured the same way a wired network can be. An attack against a wireless network can take place anywhere: from the next office, the parking lot of your building, across the street in the park, or a bluff many miles away.
Understanding the details of various attacks against your wireless infrastructure is critical to determining how to defend yourself. Some attacks are easy to implement but aren't particularly dangerous. Other attacks are much more difficult to mount but can be devastating. Like any other aspect of security, wireless security is a game of risk. By knowing the risks involved in your network and making informed decisions about security measures, you have a better chance at protecting yourself, your assets, and your users.
An Example Network
Throughout this book, we will work toward the creation of the example network illustrated in Figure 2-1. This network is split into three segments: the Internet, a wireless network containing access points and wireless clients, and a wired network containing workstations, servers, and other devices. A gateway mediates the traffic between these three segments. The focus of this book is the security of the gateway, access points, and wireless clients. We will also investigate the effects the security of these components has upon the rest of the network and the external security issues that originate from outside the wireless network.
All of these network components must work together, and implement complementary security, to establish a secure network. With that in mind, we will begin by examining the classes of threats to the wireless network.
Figure 2-1. Architecture of example network
Denial-of-Service (DoS) attacks, which aim to prevent access to network resources, can be devastating and difficult to protect against. Typical DoS attacks involve flooding the network with traffic, choking the transmission lines and preventing other legitimate users from accessing services on the network.
DoS attacks can target many different layers of the network. In order to understand the risk of a DoS attack to a wireless network, you must first understand the difference between various types of DoS attacks.
Application (OSI Layer 7)
An application-layer DoS is accomplished by sending a large number of otherwise legitimate requests to a network-aware application, such as sending a large number of page requests to a web server, swamping the server process. The goal of this type of attack is to prevent other users from accessing the service by forcing the server to fulfill an excessive number of transactions. The network itself may still be usable, but since the web server process cannot respond to the users, access to the service is denied. (This can occasionally happen, innocently, when a web site receives a sudden boost in popularity due to a link from a high-traffic site, such as http://slashdot.org.)
Transport (OSI Layer 4)
A transport-layer DoS involves sending many connection requests to a host. This type of attack is typically targeted against the operating system of the victim's computer. A typical attack in this category is a SYN flood. In a SYN flood (SYN packets are the first step of a TCP connection), an attacker sends an excessive number of TCP connection requests to a host hoping to overwhelm the operating system's ability to track active TCP sessions. Most operating systems have a limit to the number of connections per second they will accept and a limit on the maximum number of connections they will maintain. A successful SYN flood will overwhelm the operating system on one of these two limits, thereby denying access to the services running on that host. As is the case in the application-based DoS, the network is usually still functional, but the target host is unresponsive.
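To make the two operating-system limits just described concrete, here is an added example (not code from the book) that replays a constructed packet trace and reports how many connections are left half-open, that is, SYN received but never acknowledged, and what the peak request rate was. The trace, the `backlog_limit` and `syn_per_second_limit` values are all assumptions chosen for illustration; real kernels size these limits differently.

```python
"""Half-open TCP connection tracker replayed over a constructed packet trace.

Added example, not from the book. It models the two operating-system limits
the chapter describes (how many half-open connections a host will hold and
how many connection requests per second it accepts) and reports whether a
trace would exhaust either. Every packet below is constructed; the limit
values are assumed defaults chosen for illustration.
"""
from collections import Counter

# Constructed trace as seen at the server: (seconds, src_ip, src_port, flags).
# One legitimate client completes its handshake (SYN, then the final ACK).
# Then 300 SYNs arrive from scattered source addresses within 0.3 s and none
# is ever acknowledged, which is the shape of a SYN flood with spoofed sources.
TRACE = [
    (0.00, "192.168.0.99", 40001, "SYN"),
    (0.10, "192.168.0.99", 40001, "ACK"),
] + [
    (0.2 + i * 0.001, f"10.0.{i // 256}.{i % 256}", 1024 + i, "SYN")
    for i in range(300)
]


def track_half_open(trace, backlog_limit=128, syn_per_second_limit=200):
    """Replay a trace and summarise the half-open (SYN received, no ACK) state.

    backlog_limit:        assumed maximum half-open connections the OS keeps
    syn_per_second_limit: assumed maximum new connection requests per second
    """
    half_open = {}                 # (src_ip, src_port) -> time the SYN arrived
    syns_per_second = Counter()    # whole second -> number of SYNs in it
    completed = 0
    for ts, ip, port, flags in trace:
        key = (ip, port)
        if flags == "SYN":
            half_open[key] = ts
            syns_per_second[int(ts)] += 1
        elif flags == "ACK" and key in half_open:
            # Third step of the handshake: the entry leaves the backlog.
            del half_open[key]
            completed += 1
    peak_rate = max(syns_per_second.values(), default=0)
    return {
        "half_open": len(half_open),
        "completed": completed,
        "distinct_sources": len({ip for ip, _ in half_open}),
        "backlog_exceeded": len(half_open) > backlog_limit,
        "peak_syn_rate": peak_rate,
        "rate_exceeded": peak_rate > syn_per_second_limit,
    }


if __name__ == "__main__":
    for name, value in track_half_open(TRACE).items():
        print(f"{name}: {value}")
```

The useful signal for a defender is the ratio of half-open entries to completed handshakes, not the raw connection count: the legitimate client contributes one completed connection and zero backlog, while the flood contributes 300 backlog entries from 300 different sources and completes nothing.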
Network (OSI Layer 3)
A network-layer DoS is accomplished by sending a large amount of data to a network. This type of attack targets the network infrastructure of the victim. For example, an attacker may send 100 Mb/s of data to a network that can only transmit 10 Mb/s. The victim network obviously cannot retransmit all the data being sent to it, so the network equipment is forced to drop packets. This excessive traffic may also cause high loads on the CPUs within the network equipment itself, causing further network problems.
A typical network-based DoS attack is a ping flood. An attacker generates massive amounts of ICMP traffic destined for the victim network. (ICMP packets are used for management functions such as querying the availability and services of a host.) This usually saturates the victim's WAN links. By cutting off the victim's LAN from the rest of the Internet, the attacker has denied access to any services that reside on the victim's LAN.
Data-Link (OSI Layer 2)
A data-link DoS can target either a host or a network. Data-link attacks are launched to disable the ability of hosts to access the local network even though the hosts are still connected. An example of this would be flooding a non-switched Ethernet network with invalid frames. An attacker (or sometimes a malfunctioning NIC) can send repeated frame headers with no payload. These headers are rebroadcast to all hosts on the network and effectively tie up the medium. Data-link DoS attacks are not common on wired networks because most networking gear has the intelligence to prevent data-link attacks from propagating to hosts on the network.
Physical (OSI Layer 1)
A physical-layer DoS involves severing a host's connection to the network in some fashion. Physical attacks are not common in wired networks because they involve having direct access to the transmission medium involved in the victim's network. For instance, WAN circuits are typically buried underground and are difficult to access. LANs reside inside of buildings, making them difficult targets as well. An example of an unintentional physical DoS attack is the dreaded backhoe DoS. Backhoe attacks are common in areas of heavy construction where a large piece of equipment (like a backhoe) is digging near buried data cables. One wrong move by the backhoe operator can sever thousands of telecommunications lines, potentially taking down many services.
Wireless DoS Attacks
At the application and transport layers, there is nothing fundamentally different between DoS attacks on wireless and wired networks. However, there are critical differences in the interaction between the network, data-link, and physical layers that increase the risk of a DoS attack on a wireless network.
802.11b physical attacks
A physical DoS attack against a wired network requires very close proximity to the victim host. This is not the case with a wireless network. The medium is everywhere and attackers can launch a physical attack from much farther distances. Instead of being inside of a building to perform a physical DoS attack against a LAN, an attacker can be outside of the building. Unlike a wired network where there is usually evidence of a physical attack (destroyed cabling, removed cable, attackers on video surveillance cameras), there are no visible signs that something has changed.
The 802.11 PHY specifications define a limited range of frequencies for communication. The 802.11 devices that use a specific PHY are constrained to these frequency ranges. An attacker can create a device that will saturate the 802.11 frequency bands with noise. If the attacker can create enough RF noise to reduce the signal-to-noise ratio to an unusable level, then the devices within range of the noise will be effectively taken offline. The devices will not be able to pick out the valid network signal from all of the random noise being generated and therefore will be unable to communicate.
A device that produces a lot of noise at 2.4 GHz is relatively easy and inexpensive to construct. Moreover, there are several common commercial devices available today that can easily take down a wireless network. Unfortunately, many 2.4 GHz cordless phones that can be purchased in electronics stores have the capability to take an 802.11b network offline. While not a refined electronic weapon, these phones can interfere with or completely disable a WLAN. Cordless phones use several different modulation techniques and can overlap on the frequencies used by 802.11b. This overlapping is simply noise to an 802.11b radio. The cordless-phone-induced noise can drop the SNR enough to bring down any WLAN network nearby.
TIP: For Christmas one year, Bruce and his wife bought each other 2.4 GHz phones to replace their older 900 MHz models. After installing the phones, they noticed that they had many unexplained network outages. They also noticed an audible crackling noise on the phones. After reading the specs on the phone, they were able to set the phones to a different part of the ISM range than the frequencies they had chosen for their 802.11b network. This got rid of the interference and the outages. However, they learned the hard way that wireless technology is not necessarily plug-and-play.
There are also problems with a DoS from other networking protocols. In particular, Bluetooth uses the same ISM band as 802.11b and 802.11g. The DSSS modulation in 802.11b is susceptible to interference from the modulation used in Bluetooth networks. While there are potential solutions to prevent Bluetooth from stepping on 802.11b transmissions, large-scale Bluetooth deployments may still interfere to the point of inoperability with 802.11b networks. As time passes, the 2.4 GHz ISM band will become more crowded, making unintended DoS attacks against 802.11b networks commonplace. Sirius and XM satellite radio, who have spectrum bordering the ISM band, have complained that ISM-band devices may cause interference with their ground-based repeaters and satellites.
802.11b data-link DoS attacks
At the data-link layer, ubiquitous access to the medium again creates new opportunities for DoS attacks. Even with WEP turned on, an attacker has access to the link layer information and can perform some DoS attacks. Without WEP, the attacker has full access to manipulate associations between stations and access points to terminate access to the network.
If an AP is incorrectly utilizing diversity antennas, an attacker can potentially deny access to clients associated to the AP. The use of diversity antennas is intended to compensate for multi-path fade. However, diversity antennas are sometimes used to cover more area with an AP by using antennas that cover disparate physical regions.
TIP: Antenna diversity is a mechanism where a single radio uses multiple antennas to overcome multi-path fade. A radio signal usually has many different paths to get to an antenna due to reflections of the signal off walls, trees, desks, etc. A radio using diversity antennas will sample a client transmission from all attached antennas and determine which antenna has the highest quality signal. The radio will then use that antenna to send and receive traffic destined for that station.
If the diversity antennas do not cover the same region of space, an attacker can deny service to associated stations by exploiting this improper setup, as shown in Figure 2-2. Diversity antennas A and B are attached to an AP and are set up to cover the two sides of a wall independently. Alice is on the left side of the wall, so the AP will choose antenna A for sending and receiving her frames. Bob is on the opposite side of the wall from Alice and will therefore send and receive frames with antenna B. Bob can take Alice off the network by changing his MAC address to be the same as Alice's. Then Bob can guarantee that his signal is stronger on antenna B than Alice's signal on antenna A by using an amplifier or other enhancement mechanism. Once Bob's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for that MAC address on antenna B. As long as Bob continues to send traffic to the AP, Alice's frames will be ignored.
Figure 2-2. Attack against improperly provisioned diversity antennas
If a client is not using WEP authentication (or an attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs. Clients can generally be configured to associate with any access point or to associate to an access point in a particular ESSID. If a client is configured to associate to any available AP, it will select the AP with the strongest signal regardless of the ESSID. If the client is configured to associate to a particular ESSID, it will select the AP in the ESSID with the strongest signal strength.
Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP. For example, if a client is configured to associate to APs in the SSID shmoo, the client will look for all available APs in that SSID. It will then associate with the AP for which it has the strongest signal. A malicious AP with the SSID of shmoo can make sure it has the strongest signal by using a larger or directional antenna, signal amplifier, etc., as shown in Figure 2-3. The client will associate to the malicious AP, and the malicious AP can drop or monitor all traffic sent to it by the client.
Figure 2-3. Malicious AP overpowering valid AP
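The client-side selection rule described above, strongest signal wins within the configured ESSID, is exactly what a monitoring station can turn around into a detection check. The following is an added example (not code from the book): it takes a constructed list of beacon observations, compares each BSSID advertising one of our ESSIDs against an assumed inventory of the APs we actually operate, and flags any impostor, noting whether it out-powers every legitimate AP and so would win a client's selection. The `AUTHORIZED` inventory, the `SCAN` results and the MAC addresses (drawn from the documentation range) are all constructed.

```python
"""Rogue access point check over a constructed beacon scan.

Added example, not from the book. A client that picks the strongest AP
advertising its ESSID will prefer an impostor with a bigger antenna or an
amplifier, so the defender's check is the inverse: list every BSSID that
advertises one of our ESSIDs but is not on the inventory, and note whether
it out-powers every legitimate AP. The inventory and the beacons below are
constructed; the MAC addresses come from the documentation range.
"""

# Assumed inventory: ESSID -> set of BSSIDs (AP MAC addresses) we operate.
AUTHORIZED = {
    "shmoo": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
}

# Constructed scan results, as a monitoring station would collect from beacons.
SCAN = [
    {"bssid": "00:00:5e:00:53:01", "ssid": "shmoo", "signal_dbm": -61, "channel": 6},
    {"bssid": "00:00:5e:00:53:02", "ssid": "shmoo", "signal_dbm": -70, "channel": 11},
    {"bssid": "00:00:5e:00:53:ff", "ssid": "shmoo", "signal_dbm": -42, "channel": 6},
    {"bssid": "00:00:5e:00:53:aa", "ssid": "coffee", "signal_dbm": -80, "channel": 1},
]


def find_rogue_aps(scan, authorized):
    """Return alerts for BSSIDs impersonating an ESSID we own.

    Each alert records the rogue BSSID, the ESSID it advertises, its signal,
    the strongest legitimate signal seen for that ESSID, and whether the
    rogue would win a client's strongest-signal selection.
    """
    # Normalise MAC case once so comparisons are not defeated by formatting.
    authorized = {ssid: {m.lower() for m in macs} for ssid, macs in authorized.items()}

    # Strongest signal per ESSID among APs we know to be ours.
    best_legit = {}
    for b in scan:
        if b["bssid"].lower() in authorized.get(b["ssid"], set()):
            best_legit[b["ssid"]] = max(best_legit.get(b["ssid"], -200), b["signal_dbm"])

    alerts = []
    for b in scan:
        ssid, bssid = b["ssid"], b["bssid"].lower()
        if ssid not in authorized or bssid in authorized[ssid]:
            continue  # a foreign network, or one of our own APs
        legit = best_legit.get(ssid)
        alerts.append({
            "bssid": bssid,
            "ssid": ssid,
            "channel": b["channel"],
            "signal_dbm": b["signal_dbm"],
            "strongest_legit_dbm": legit,
            # With no legitimate AP in range at all, the rogue wins by default.
            "overpowers_legit": legit is None or b["signal_dbm"] > legit,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(SCAN, AUTHORIZED):
        print(alert)
```

The check deliberately ignores ESSIDs that are not ours: a neighbouring "coffee" network is not impersonating anything. What matters is an unknown BSSID on our ESSID, and the signal comparison tells you whether clients in that area are already likely to be associating to it.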
802.11b network DoS attacks
If a network allows any client to associate, it is vulnerable to a network-level DoS attack. Since an 802.11 network is a shared medium, a malicious user can flood the network with traffic, denying access to other devices associated to the affected access point. As an example, an attacker can associate to a victim 802.11b network and send an ICMP flood to the gateway. While the gateway may be able to withstand the amount of traffic, the shared bandwidth of the 802.11b infrastructure is easily saturated. Other clients associated to the same AP as the attacker will have a very difficult time sending packets.
Given the relatively slow speed of 802.11b networks, a network DoS may happen inadvertently due to large file transfers or bandwidth-intense applications. A few bandwidth-hungry applications on a WLAN can hamper access for all associated stations. With the deployment of higher-speed WLAN technologies, these unintentional attacks will become less frequent.
Man-in-the-middle (MITM) attacks have two major forms: eavesdropping and manipulation. Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as much as it is a leaking of information. An eavesdropper can record and analyze the data that he is listening to. A manipulation attack requires the attacker to not only have the ability to receive the victim's data but then be able to retransmit the data after changing it, as shown in Figure 2-4.
Figure 2-4. Eavesdropping versus manipulation
MITM attacks on a wired network generally require access to a network that the victim's traffic transits. This can mean physical access to a wire to "tap" into the wire for interception. It can also mean being on the same LAN as the victim and forcing traffic to go through the attacker's host. An attacker can force traffic through a malicious machine on a LAN by performing an ARP poisoning attack.
ARP (Address Resolution Protocol) is the mechanism that IP-enabled Ethernet devices use to determine which device on a network has a particular IP address. When a host wants to communicate with another host, it will send out an ARP request asking, "Who has IP address 192.168.0.1?" All hosts on the LAN receive the question, and the device that has 192.168.0.1 replies with its MAC address. The initial host then uses that MAC address to send datagrams to 192.168.0.1.
In order to reduce the number of ARP requests, many modern operating systems implement a lazy technique to learn MAC addresses. If a host receives a packet from another host on the same LAN (say, 192.168.0.1), it assumes that the MAC address on the packet is the MAC address for 192.168.0.1. It will then enter the MAC/IP address combination into its local MAC address table and use that MAC address for all future communication with 192.168.0.1.
An attacker can force packets to go through a malicious host by exploiting this lazy mechanism of learning MAC addresses. Assume an attacker wants to intercept traffic between a client (192.168.0.99) and a server (192.168.0.1). The attacker and both target hosts are on the same network. The attacker sends an ARP reply packet to the client machine with a source IP of the server but with a source MAC of the malicious machine. The client machine now thinks that the server has the MAC address of the malicious machine and will send all frames for 192.168.0.1 to that host. Conversely, the attacker sends a packet to the server with a source IP of the client and a source MAC of the malicious machine. As in the client's situation, packets will be forwarded to the malicious host.
At this point, the attacker can watch, drop, forward, and manipulate data moving between the client and the server. Even in a switched environment, this attack is successful because the switch has no way of recognizing something is wrong.
Bob Fleck and Jordan Dimov wrote a paper available at http://www.cigitallabs.com/resources/papers/download/arppoison.pdf that discusses how this kind of ARP poisoning can be used on a wireless network. A wireless attacker can use ARP poisoning to pull packets "off-wire" by poisoning the ARP caches of two wired hosts behind an AP. By using ARP poisoning, a wireless attacker can intercept traffic between any hosts on the same broadcast domain, regardless of whether they are wired or wireless.
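The lazy-learning behaviour and the poisoning sequence described above (an unsolicited reply claiming the server's IP with the attacker's MAC, then the mirror-image reply to the server) are also what a passive ARP monitor looks for. Here is an added example (not code from the book or from the paper cited) in the spirit of an arpwatch-style tool: it replays a constructed sequence of ARP requests and replies from the 192.168.0.0/24 example network, keeps its own IP-to-MAC table, and raises an alert when a reply arrives that nobody asked for, when an IP's MAC changes, or when one MAC starts claiming several IPs. The event list, the `request_window` value and the MAC addresses (documentation range) are constructed.

```python
"""Passive ARP monitor replayed over a constructed request/reply sequence.

Added example, not from the book. It watches for the three symptoms of the
cache-poisoning sequence the chapter describes: a reply that answers no
request, an IP whose MAC changes, and one MAC claiming several IPs.
All events and MAC addresses below are constructed.
"""
from collections import defaultdict

CLIENT_MAC = "00:00:5e:00:53:99"
SERVER_MAC = "00:00:5e:00:53:01"
EVIL_MAC = "00:00:5e:00:53:ee"      # constructed attacker MAC

# Constructed events: (seconds, op, sender_ip, sender_mac, target_ip).
# For a request the sender asks "who has target_ip?"; for a reply the
# sender announces "sender_ip is at sender_mac" to target_ip.
EVENTS = [
    (1.0, "request", "192.168.0.99", CLIENT_MAC, "192.168.0.1"),
    (1.0, "reply",   "192.168.0.1",  SERVER_MAC, "192.168.0.99"),
    # Poisoning: unsolicited replies rewriting both victims' caches.
    (5.0, "reply",   "192.168.0.1",  EVIL_MAC,   "192.168.0.99"),
    (5.0, "reply",   "192.168.0.99", EVIL_MAC,   "192.168.0.1"),
]


def watch_arp(events, request_window=2.0):
    """Replay ARP events; return (alerts, learned_table).

    request_window: assumed seconds within which a reply counts as answering
    an earlier request from the same asker for the same IP.
    """
    table = {}                        # ip -> mac as learned from sender fields
    pending = {}                      # (asker_ip, asked_ip) -> time of request
    mac_to_ips = defaultdict(set)     # mac -> every ip it has claimed
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in events:
        reasons = []
        if op == "request":
            pending[(sender_ip, target_ip)] = ts
        elif op == "reply":
            asked_at = pending.pop((target_ip, sender_ip), None)
            if asked_at is None or ts - asked_at > request_window:
                reasons.append("unsolicited_reply")
        # Both requests and replies carry a sender IP/MAC that hosts learn
        # from; that lazy learning is what the monitor has to scrutinise.
        previous = table.get(sender_ip)
        if previous is not None and previous != sender_mac:
            reasons.append(f"mac_changed:{previous}->{sender_mac}")
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            reasons.append("mac_claims_multiple_ips")
        table[sender_ip] = sender_mac  # record the change, as a host would
        if reasons:
            alerts.append({"time": ts, "ip": sender_ip, "mac": sender_mac,
                           "reasons": reasons})
    return alerts, table


if __name__ == "__main__":
    found, _ = watch_arp(EVENTS)
    for alert in found:
        print(alert)
```

Note that the monitor's own table ends up poisoned too, which is the point: a passive observer can only report the change. On the hosts themselves, the chapter's lesson is to not trust unsolicited replies, for instance with static ARP entries for the gateway, rather than to rely on detection alone.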
In a wireless network, eavesdropping is easy because wireless communications are not easily confined to a physical area. A nearby attacker can receive the radio waves on the wireless network without any substantial effort or equipment. All frames sent across the wireless medium can be examined in real time or stored for later examination.
Several layers of encryption can and should be implemented to obscure transmitted data in an effort to prevent attackers from gleaning useful information from the network traffic. Since the ability of an attacker to eavesdrop on wireless communications is a fait accompli, the data-link encryption mechanism WEP was developed. If the traffic is not protected at the data-link layer using WEP, then the higher-layer security mechanisms must be used to protect the data. If a security mechanism such as IPsec, SSH, or SSL is not used for transmission, then the application data is available to anyone with an antenna in the area without any further effort.
Unfortunately, several flaws in WEP have been uncovered, as discussed in "Wireless DoS Attacks." Even with WEP turned on, a determined attacker can potentially log gigabytes worth of WEP-protected traffic in an effort to post-process the data and break the protection. These weaknesses in WEP drastically increase the risk due to eavesdropping. If WEP is cracked, there is a great deal of sensitive data that is passed across networks with no further encryption, such as a user who accesses his mail using the POP or IMAP protocols. These protocols are widely deployed without any form of encryption for authentication or data transport, putting the users at risk when using a wireless network.
Manipulation takes eavesdropping a step further. An attacker who can successfully manipulate data on a network can effectively send data masquerading as a victim computer. Using ARP poisoning, an attacker can force traffic through a malicious machine. This malicious machine may, for example, change the content of emails, instant messages, or database transactions. The malicious machine can also choose not to forward packets along, effectively denying use of the network from the victim.
Illicit use of a wireless network involves an attacker using the network because of its connection to other networks. Attackers may use a network to connect to the Internet or to connect to the corporate network that lives behind the AP. Illicit use may not cause any operational problems, but it still may be unwanted and unlawful use of the wireless network. An attacker in this case may simply be someone who drove up near the AP, associated to the network and is checking his mail. Alternatively, the attacker may be sending spam to thousands of email addresses. The attacker may even be attempting to exploit a file server that lives on the same network as the AP or use the AP as a mask to hide the source of illegal actions, such as hacking other networks.
No matter what the attacker is doing, his use is unacceptable. However, the different types of illicit use pose varying degrees of problems for the organization running the WLAN. Again, in a wired network, illicit use is not a likely problem. In order to use a wired network, an attacker must have physical access to the network infrastructure. For reasons already outlined, this is unlikely and generally risky for an attacker to do. However, in most wireless networks, an attacker has much more freedom and is less likely to be caught attempting to use the network. (Illicit use by authorized users is a different matter. They already have proper access to the network but are using it for activities that are forbidden by a network-usage policy.)
Access points are not difficult to find. An attacker can simply drive around an area looking for unprotected APs using war-driving software such as NetStumbler. Once an attacker finds an open AP, he can use it for whatever illicit use he desires.
Databases of APs have been created, removing the war-driving step. Some databases such as Cisco's Hotspot Locator (http://www.cisco.com/pcgi-bin/cimo/Home) provide the location of closed APs that require payment to access outside resources. Other databases such as The Shmoo Group's Global Access Wireless Database (http://www.shmoo.com/gawd) or NetStumbler's database (http://www.netstumbler.com/query.php) consist of APs entered by individuals who have encountered them via various means including war driving. An attacker can query any of these public databases to determine nearby APs to use as a launching point.
Illicit resource use is a risk for several reasons. An attacker may launch attacks against external servers. These attacks will be seen as originating from the IP addresses of the owner of the access point. If these exploits are detected by remote administrators, they will be tracked down to the owner of the AP. The AP owner may be subject to punishment from his ISP or even a criminal investigation. Without a clear and complete audit trail, this form of illicit use may cause large problems for the AP owner.
In addition, the AP owner may be paying for transit to the Internet on a usage basis. If an attacker is using relatively large amounts of bandwidth, his usage may cost the AP owner money. Even when Internet access is not paid for on a usage basis, the attacker may be using enough bandwidth to infringe on the legitimate use by other clients using the same Internet connection. If an attacker is downloading mp3s via a 265 kb/s DSL connection, then other users of the DSL connection may experience extremely slow connectivity to external services.
Many security professionals fall into the trap of dealing only with the theory and not the practice of defending a network. While it would be great to be protected from all potential attacks that a wireless network may come under, that level of protection may not be practical.
When securing your network, you must consider the risk associated with each attack and address it accordingly. The topic of risk assessment and risk management is one that could fill a book on its own. However, it is important that you understand the basics of risk assessment so you spend your time and money wisely addressing the real issues rather than waste resources on topics that present no risk.
Figuring out your risk boils down to questions like: "What can happen?", "How likely is it to happen?", "What occurs when it happens?", and "How hard is it to defend against?". The "What can happen" question has already been answered in this chapter. Determining the likelihood of any particular attack is the next step.
The likelihood of an attack depends on factors such as:
- How easy it is to launch the attack?
An attack that is theoretical today may be widely distributed in "script kiddie" code tomorrow. The problems with WEP started out as a paper that described the theoretical problems with the protocol. Very few people had the ability to take the vulnerability and write code to exploit it. Within a few months, several different exploit programs had been developed and were publicly available on the Internet. Once that code became available, the likelihood of WEP-encrypted traffic being cracked became much higher.
- What is the risk to the attacker?
Home WLANs are great jumping-off points for hackers because home users tend not to be as diligent as larger corporations. An attacker may stay off large corporate WLANs for fear of being discovered by full-time security systems such as IDS systems and observant network engineers.
- How big of a target are you and your assets?
A home network usually does not contain resources or people that will single out the network in the attentions of hackers. A bank network, on the other hand, may be filled with user IDs, passwords, high-profile executives, and (above all) money. Keep in mind that the prevalence of wide network scanning by hackers may make you a target simply because you are running a vulnerable service, not because of what valuable assets the network may contain.
There are other issues that affect likelihood, but this is the basic idea. When determining the likelihood of an attack, you must use some common sense and knowledge of the current state of the security industry.
Then you need to determine what you stand to lose (or gain) if a particular attack is used against your network. What kind of user IDs and passwords will be available on the network for eavesdroppers to pick up? Are there time-sensitive applications that a DoS attack can affect? Is the wireless network critical to the minute-to-minute operations of your organization? Can you afford to be sued if a hacker launches an attack from your network?
Finally, using the previous steps to prioritize your activities, you need to evaluate how difficult the attacks are to defend against. If protecting information on your network is your top priority, you must determine to what lengths you will go to protect the integrity of your data. If being sued due to illicit use is your biggest concern, then you must determine the steps you can reasonably take to detect illegitimate use.
When determining and prioritizing your risks, you do not need to necessarily go through a formal process. You need to evaluate your business requirements, your network, and your potential adversary. Most importantly, you need to think about practical ramifications as well as theoretical security.
Knowing Is Half the Battle
Now that you are familiar with the kinds of attacks that an attacker may commit, you know what you're protecting against. Once you've defined your risk in reference to these attacks, you need to know what tools are at your disposal to protect you and your users. The next step in setting up a secure wireless infrastructure is laying down a strong foundation in your wireless clients.
This was first published in January 2003