Dos 4 PDF
Abstract — Wireless solutions like Wireless LAN (WLAN) 802.11 are gaining popularity in organizations, enterprises
and universities due to their productivity, their cost saving compared to wired networks and their ease of use, since they allow
network users to move physically while maintaining a connection to the wireless network. Wireless networks are very vulnerable
to Denial of Service (DoS) attacks. A DoS attack is an attempt to make a machine or network resource unavailable to its users. It
can occur at many layers of the OSI model and in various forms. Network users can protect their systems with the Wi-Fi
Protected Access (WPA) and Wired Equivalent Privacy (WEP) security protocols, but DoS attacks still cannot be
prevented using these protocols. These attacks result in degradation of network quality or complete loss of
availability of the network within the organization. This paper reviews various denial of service attacks and their
prevention/detection solutions.
I. INTRODUCTION
Wireless networks are preferred over wired networks due to their cost effectiveness and ease of use. But
technological innovation in wireless networking has opened up new dimensions of threat to system security.
Denial of service is an attack which denies authorized users access to the service provider. A recent report
shows that the most expensive computer crime over the past year was due to denial of service.
DoS attacks target different layers of the OSI model [2]:
Physical layer: by accidentally cutting a communication cable to take down network services.
Data link layer: by disabling the ability of hosts to access the local network.
Network layer: by sending a large amount of IP data to a network.
Transport layer: by sending many TCP connection requests to a host.
Application layer: by sending a large number of legitimate requests to an application.
The various kinds of DoS attacks are [3] ARP Poisoning, MAC Spoofing, Web Spoofing, ICMP Flooding, CPU
and Memory attacks, Window Multiplication, Airwaves Jamming, Disassociation attack, Distributed Denial of
Service (DDoS) attack, De-authentication message attack, etc. WLANs used the Wired Equivalent Privacy (WEP)
security protocol [1] to achieve Authentication, Integrity and Confidentiality services. Since WEP did not
provide the required level of security, IEEE proposed two further security protocols, Wi-Fi Protected Access
(WPA) and 802.11i, as the security standards for WLANs. WPA was an intermediate security protocol to
improve the level of security offered by WEP until the final security protocol arrived in the shape of 802.11i. The
management and control frames of 802.11-based WLANs are still unprotected. Consequently, WLANs, even
with the deployment of 802.11i, are susceptible to Denial of Service (DoS) attacks.
245
ISSN: 2319-5967
ISO 9001:2008 Certified
International Journal of Engineering Science and Innovative Technology (IJESIT)
Volume 3, Issue 3, May 2014
II. DoS ATTACKS
A DoS attack occurs when any system resource is not available to network users. A DoS attack floods the
remote system with so much traffic that it cannot handle normal, valid requests made from other network
systems [2]. DoS attacks are not easily detectable, as the remote computer cannot easily distinguish requests and
traffic sent from the attacking machines from those sent by valid means. DoS can also occur because of high
legitimate demand. DoS attacks can be roughly classified according to the OSI model [4, 5]:
Application layer attacks: Here the attacker attempts to exploit a weakness of an application protocol such as
DNS (cache poisoning) or HTTP (stack and buffer overflow) [5]. It is achieved by sending large amounts of
legitimate requests to an application. For example [4], an HTTP flood attack can make hundreds of thousands of
page requests to a web server, which can exhaust all of the server's processing capability.
Inter-network and transport layer attacks: A transport layer DoS attack involves sending many connection
requests to a host. It is very effective and extremely difficult to trace back to the attacker because of the IP spoofing
techniques used. A network layer DoS attack [4] is achieved by sending a large amount of data to a wireless
network.
Media access layer attacks: Protocol layer attacks take place at the media access layer. Wireless networks are
particularly vulnerable to MAC level attacks due to the use of a shared medium [4]. An attacker can transmit
packets using a spoofed source MAC address of an access point. The recipient of these spoofed frames has no
way of telling whether they are legitimate or illegitimate requests and will process them. Two main classes of
such attacks follow:
Physical layer attacks: The two main attacks are jamming and interference. Jamming a wireless network with noise
signals may reduce the throughput of the network. Interference from other radio transmitters is another
way to thrash the performance of a wireless network.
WLAN management frame attacks: 802.11 devices use management frames for the discovery, authentication
and association of WLAN clients to an access point. Many of these management frame types are not
authenticated and are thus vulnerable to DoS attacks [5]. For example, an attacker could send deauthentication
frames with forged source MAC addresses to the access point, thus rendering the client device inaccessible.
Teardrop Attack: The teardrop attack [14] exploits the network by sending IP fragment packets that are difficult to
reassemble. Each fragment carries an offset that is used to assemble the entire packet, so that the
receiving system can reassemble the fragments. In this attack, the attacker puts an offset value in the subsequent
fragments that confuses the receiving system, making the system unable to handle the situation and in turn
leading to a system crash.
Distributed Flooding DoS: This kind of attack is launched by first compromising a large number of innocent
nodes in the wireless network, termed zombies [7], which are programmed by a highly skilled programmer.
These zombies send data to selected attack targets such that the aggregate traffic congests the network. In most
cases, DDoS is impossible to prevent.
Power save exploits: In the client's sleep state the WLAN interface is disabled to conserve battery life, and the traffic
destined for the client is held at the AP in the meantime. An attacker can send a spoofed power save poll message while the client is
still sleeping, causing the AP to transmit and discard any buffered traffic [8]. Buffered frames at the AP are also
advertised in a Traffic Indication Map (TIM). An attacker can spoof a TIM to show the client that there is no
buffered traffic, causing the client to go back to the sleep state and resulting in the frames for the client
eventually being dropped.
WPA/802.11i attack: WPA and 802.11i, which are aimed at securing a WLAN, may themselves be used to launch an
attack [5]. As a protection measure, if a WLAN AP or station receives more than one message with an invalid MIC
checksum, the session is shut down for one minute and then a new session key has to be generated. This
behavior can be misused to launch a DoS attack, virtually disabling the wireless service, by repeatedly sending
messages with forged MIC checksums.
Authentication/Association flood attack: During an authentication/association flood attack, an attacker uses
spoofed source MAC addresses to attempt to authenticate and associate to a target access point. The attacker
repeatedly makes authentication/association requests, eventually exhausting the memory and processing
capacity of the access point and leaving clients with little or no connectivity to the wireless network.
Deauthentication/Disassociation flood attacks: These are also known as identity vulnerabilities [16]. A
client first authenticates itself to the AP, as shown in Figure 3; one part of the authentication
framework is a message that allows clients and access points to explicitly request deauthentication from one
another. This message is not encrypted, so the attacker can easily spoof it, pretending to be either the
access point or the client.
Disassociation frames are used when a client has multiple access points available. Since a client can be
authenticated to multiple access points, 802.11 provides an association message to allow the client and
access point to agree which access point shall have responsibility for forwarding packets on the client's behalf.
Like deauthentication frames, disassociation frames can be sent by the attacker in the manner described above and shown in Figure
3 [16].
Fig 3. Deauthentication
Authorization flooding on backbone devices: Probe request frames are used by IEEE 802.11 to discover a
wireless network [6]; if a wireless network exists, the AP responds with a probe response frame. Clients select
the AP that provides the strongest signal. The attacker can spoof a flood of probe request frames, presenting a large number of
nodes searching for a wireless network, which can overload the AP or wireless mesh router. If the load exceeds the threshold
value, the AP or wireless mesh router will stop responding and service may become unavailable.
Web Spoofing: In web spoofing, the attacker convinces the victim that he is visiting a legitimate web site,
when the web pages have in fact been created by the attacker to steal information such as passwords and credit card numbers
[3]. The attacker can achieve this by compromising the intranet server of a company and redirecting some
links to his own web server.
MAC Spoofing: The attacker changes the manufacturer-assigned MAC address of a wireless adapter to
the MAC address he wants to spoof. An attacker can learn the MAC address of a valid user by capturing
wireless packets. On successful MAC spoofing, the IP address assigned to the attacker's computer will be
identical to the IP address of the victim computer whose MAC address was spoofed [3]. In order to
access the wireless network, the attacker first has to perform a DoS attack to disconnect the target computer from its
wireless connection.
ICMP Flooding: ICMP is used to report the delivery of Internet Protocol (IP) echo packets and for troubleshooting
purposes: to show when a particular end station is not responding, when an IP network is not reachable, when a
node is overloaded, or when an error occurs in the IP header information. The typical DoS attack using ICMP is
known as ICMP flooding [3]. It involves flooding the buffer of the target computer with unwanted ICMP
packets, finally resulting in a lack of response or system failure.
Other DoS attacks are rogue and selfish backbone devices, ARP poisoning, the Something-of-death attack, the node
deprivation attack, etc.
The SYN Flooding Attack: One of the most common DoS attacks is the SYN flooding attack [17]. TCP
implementations are designed with a small limit on the maximum number of half-open connections per port that
are possible at any given time. In Figure 4, an attacker initiates a SYN flooding attack by sending many
connection requests with spoofed source addresses to the victim machine. As a result, the victim allocates resources.
When the limit of half-open connections is reached, all subsequent connection establishment attempts are
refused, whether they are legitimate or not. If the attacker wants the denial of service condition to last longer than
the timeout period, he needs to keep requesting new connections from the victim continuously. The amount of CPU and
network bandwidth required by an attacker for a sustained attack is negligible [17].
The idea of the Client Puzzle Protocol is that the client must correctly solve a mathematical puzzle before establishing a connection;
after solving the puzzle, the client returns the solution to the server, which quickly
confirms or rejects it. The puzzle requires a minimal amount of computation on the client side. A malicious user
will not be able to establish a large number of connections simultaneously, due to the time delay in solving the puzzles.
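As an added illustration (not part of the original paper and not a specific published implementation), the following Python script shows a hash-based client puzzle of the kind described above: the server issues a random nonce and a difficulty k, the client must find a value whose SHA-256 hash together with the nonce begins with k zero bits, and the server verifies the answer with a single hash. The class and parameter names, the single-use nonce table and the load-based difficulty adjustment are illustrative assumptions.

```python
# Added example: a hash-based client puzzle (assumed design, not the paper's own code).
import hashlib
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    """Server side: issuing and verifying cost one random draw and one hash each."""

    def __init__(self, difficulty=12, ttl=30.0, max_difficulty=20):
        self.base = difficulty                  # work factor under normal load
        self.difficulty = difficulty
        self.max_difficulty = max_difficulty
        self.ttl = ttl                          # seconds a puzzle stays valid
        self.outstanding = {}                   # nonce -> expiry (monotonic clock)

    def issue(self):
        """Hand a fresh puzzle to a client that wants to open a connection."""
        nonce = os.urandom(16)
        self.outstanding[nonce] = time.monotonic() + self.ttl
        return nonce, self.difficulty

    def verify(self, nonce, solution):
        """Accept only an outstanding, unexpired nonce, and only once (no replay)."""
        expiry = self.outstanding.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            return False
        digest = hashlib.sha256(nonce + solution).digest()
        return leading_zero_bits(digest) >= self.difficulty

    def adjust(self, half_open, limit):
        """Raise the work factor as the half-open connection table fills, so each
        additional connection attempt costs a flooder more while the table is under
        pressure.  Linear scaling is an assumption for the example."""
        load = min(1.0, half_open / limit)
        self.difficulty = self.base + int(load * (self.max_difficulty - self.base))
        return self.difficulty


def solve(nonce, difficulty):
    """Client side: brute-force search, about 2**difficulty hashes on average."""
    x = 0
    while True:
        candidate = x.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(nonce + candidate).digest()) >= difficulty:
            return candidate
        x += 1


def handshake(server):
    """One connection attempt: issue, solve, verify.  Returns the server's decision."""
    nonce, k = server.issue()
    return server.verify(nonce, solve(nonce, k))


if __name__ == "__main__":
    srv = PuzzleServer(difficulty=12)
    print("normal load, puzzle accepted:", handshake(srv))
    print("difficulty at 80% of half-open limit:", srv.adjust(80, 100))
```

With difficulty 12 the client performs a few thousand hashes per connection, which is negligible for a single user but bounds the rate at which one machine can open connections.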
Intrusion detection is the process of monitoring events occurring on the network and analyzing them for signs of
probable incidents, malicious threats, etc. An IDS is a software tool that automates the intrusion detection process.
Ingress filtering is a technique used to make sure that incoming packets do not have spoofed source IP addresses
in their headers.
The threshold value is defined as a predetermined percentage of the maximum number of requests that a server can
handle. Two approaches for application-layer DoS/DDoS attack detection are signature-based attack
detection and anomaly-based attack detection.
Detecting/Preventing DoS at the MAC layer: Some techniques used for MAC layer DoS detection are:
MAC address spoof detection: Spoofing can be detected using the sequence number field, whose value is
incremented by one for each non-fragmented frame [9]. An attacker cannot alter the value
of the sequence number unless he controls the firmware functionality of his wireless card. Through the analysis of
the sequence number pattern of captured wireless traffic, detection systems have been shown to be capable of
detecting MAC address spoofing and thereby identifying de-authentication/de-association attacks.
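As an added illustration (not part of the original paper or of reference [9]), the following Python script applies this sequence-number consistency check to a constructed set of captured frames: it keeps the last sequence number seen per claimed source MAC and flags frames whose number does not continue that counter, handling the 12-bit wrap-around. The MAC addresses, frame records and gap thresholds are assumptions.

```python
# Added example: sequence-number based detection of spoofed management frames.
from collections import namedtuple

# One captured frame: claimed source MAC, frame subtype, 12-bit sequence number.
# In practice these come from a monitor-mode capture; here they are constructed.
Frame = namedtuple("Frame", "src subtype seq")

SEQ_MODULO = 4096            # the 802.11 sequence number field is 12 bits wide
MAX_FORWARD_GAP = 3          # tolerate a few frames lost between observations (assumed)
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def seq_delta(prev, cur):
    """Signed distance from prev to cur on the 12-bit ring (wrap-around aware)."""
    d = (cur - prev) % SEQ_MODULO
    return d - SEQ_MODULO if d > SEQ_MODULO // 2 else d


def classify(delta):
    """None when the counter plausibly continued, otherwise the kind of anomaly."""
    if 1 <= delta <= MAX_FORWARD_GAP:
        return None
    if delta == 0:
        return "duplicate"   # retransmissions keep their number: drop Retry-flagged frames first
    if delta < 0:
        return "backward"
    return "jump"


def analyse(frames):
    """Return [(index, reason)] for frames whose sequence number does not fit the
    progression previously observed from the MAC address they claim as source."""
    last_seq = {}
    alerts = []
    for i, f in enumerate(frames):
        prev = last_seq.get(f.src)
        if prev is None:
            last_seq[f.src] = f.seq          # first sighting of this sender: baseline
            continue
        reason = classify(seq_delta(prev, f.seq))
        if reason is None:
            last_seq[f.src] = f.seq
        else:
            # The baseline is not advanced on a suspect frame, so a forged frame
            # cannot poison the state kept for the legitimate sender.
            alerts.append((i, reason))
    return alerts


def suspect_disconnects(frames):
    """Only the anomalous deauthentication/disassociation frames, i.e. the ones
    that would knock a client off the network if acted upon."""
    return [(i, r) for i, r in analyse(frames) if frames[i].subtype in DISCONNECT_SUBTYPES]


# Constructed capture: an AP (00:11:...) sending beacons, a client (66:77:...) sending
# data, and two forged frames whose numbers come from the attacker's own card counter.
SAMPLE = [
    Frame("00:11:22:33:44:55", "beacon", 100),
    Frame("00:11:22:33:44:55", "beacon", 101),
    Frame("66:77:88:99:aa:bb", "data", 4094),
    Frame("00:11:22:33:44:55", "beacon", 102),
    Frame("00:11:22:33:44:55", "deauth", 1500),    # forged: far ahead of the AP's counter
    Frame("66:77:88:99:aa:bb", "data", 4095),
    Frame("66:77:88:99:aa:bb", "data", 0),         # legitimate 12-bit wrap-around
    Frame("66:77:88:99:aa:bb", "disassoc", 4090),  # forged: behind the client's counter
    Frame("00:11:22:33:44:55", "beacon", 103),     # the real AP carries on in sequence
]

if __name__ == "__main__":
    for index, reason in suspect_disconnects(SAMPLE):
        f = SAMPLE[index]
        print(f"frame {index}: {f.subtype} claiming {f.src}, seq {f.seq} ({reason})")
```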
Cryptographically protecting management and control frames: IEEE started work on a proposal in the
802.11 Task Group 'w' to extend security to the management traffic. The new extension will be able to provide
protection against some of the MAC layer DoS attacks (e.g. deauthentication attacks), but will surely not be a
solution for all DoS attacks. The final specification of the protocol is yet to be publicized; however, it is known that
mitigating DoS attacks is not the actual goal of the working group [9]. A cryptographic solution can work
against different types of attacks, but public key cryptography in particular is expensive and can easily become a DoS
target itself. To avoid opening a new DoS hole, the efficiency of the new protocol is of utmost
importance. As with 802.11i, we expect 802.11w to be comprehensively reviewed in detail after it is
announced.
Maintaining a MAC address table: The access point maintains a table of the MAC addresses of the
legitimate users [10]. When a user sends a management frame, the MAC address of the sender is looked up in
the AP's table; if it matches, the frame is processed, otherwise the AP drops the management frame. But
this approach is not very effective, because an intruder can easily sniff and fake the address of a legitimate wireless
user. So this technique is not much used on its own, but it can be more effective when combined with another authentication
method and used to prevent DoS attacks. A further problem is the poor scalability at the AP: it is difficult
to add every MAC address to the table and to maintain that table for an enterprise. It can also be
impractical when users of the enterprise wireless network are dynamic and move from one AP to another.
Detecting/Preventing DoS at the physical layer: A jamming attack is a type of DoS attack at the physical layer [9]. Low
throughput, low packet delivery ratio (PDR) and high packet latency are indicators of a jamming attack. But
these indicators can also be present during network congestion. Thus a better way should be used to differentiate jamming
from other network conditions.
Two types of jamming detection approaches are:
Signal strength consistency.
Location consistency.
In the signal strength consistency approach, a station is suspected to be the victim of a jammer station if the measured
average signal strength of incoming signals is high while the PDR is low, since a high signal strength level is normally an indicator of a
high quality channel.
In the location consistency approach, if the PDR of a data flow between a sender and a receiver is extraordinarily low despite
the fact that these stations are physically close enough, then a jammer station is suspected to be present in the
surrounding area. If the existence of an active jammer is detected or suspected, the legitimate users in the
network should take actions to counter the intended actions of the jammer. Another solution is that, if there are
multiple spatially dispersed APs around, a mobile station can move away to a position where it can
associate with another AP, provided that the jammer station's power is not high enough to jam the new link.
DDoS prevention and detection techniques: The mechanisms can be categorized mainly into two categories
[12]:
1. Source based mechanisms.
2. Destination based mechanisms.
Source-based mechanisms are deployed near the source of the attack to prevent DDoS attacks from being generated. Various
source-based mechanisms are [12]: Ingress/Egress filtering mechanisms (used to detect and filter packets with
spoofed IP addresses at the source's edge routers based on the valid IP address range internal to the network);
D-WARD (detects DDoS flooding attack traffic by monitoring both inbound and outbound traffic of a source
network and comparing the network traffic information with predefined normal flow models); and Multi-Level Tree
for Online Packet Statistics (MULTOPS). Normally the rate of traffic in one direction is proportional to that in the
opposite direction, so a significant difference between the rates of traffic going to and coming from a host can
indicate that the network prefix is either the source or the destination of an attack. MULTOPS detects and filters
DDoS flooding attacks based on this observation.
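As an added illustration (a simplified check in the spirit of MULTOPS, not the paper's own code nor the MULTOPS authors' implementation), the following Python script aggregates packet counts per /8, /16 and /24 prefix and reports any prefix whose sent and received volumes are disproportional as a likely attack source or victim. The flow records, prefix levels, ratio and minimum packet count are constructed assumptions.

```python
# Added example: disproportional-traffic detection over per-prefix packet counts.
import ipaddress
from collections import defaultdict

LEVELS = (8, 16, 24)   # prefix lengths of the tree levels, coarse to fine (assumed)


def prefixes(addr):
    """The /8, /16 and /24 prefixes containing addr, as strings."""
    ip = ipaddress.ip_address(addr)
    return [str(ipaddress.ip_network(f"{ip}/{bits}", strict=False)) for bits in LEVELS]


def tally(records):
    """records: iterable of (src, dst, packets).  Returns {prefix: [sent, received]}."""
    table = defaultdict(lambda: [0, 0])
    for src, dst, n in records:
        for p in prefixes(src):
            table[p][0] += n        # packets leaving the prefix
        for p in prefixes(dst):
            table[p][1] += n        # packets arriving at the prefix
    return table


def disproportional(records, ratio=5.0, min_packets=100):
    """Prefixes whose sent and received counts differ by more than `ratio`.
    Quiet prefixes (fewer than min_packets in total) are ignored to limit noise.
    A 'source' finding only names the prefix the packets claim to come from; it is
    meaningful at the source network's edge, where ingress filtering has already
    confirmed that the addresses belong to that network."""
    findings = []
    for prefix, (sent, received) in tally(records).items():
        if sent + received < min_packets:
            continue
        if sent > ratio * max(received, 1):
            findings.append((prefix, "source"))
        elif received > ratio * max(sent, 1):
            findings.append((prefix, "victim"))
    return sorted(findings)


# Constructed observation window: ordinary two-way traffic between 192.0.2.10 and
# 198.51.100.5, plus a one-way flood from a hundred hosts in 203.0.113.0/24.
RECORDS = [("192.0.2.10", "198.51.100.5", 500), ("198.51.100.5", "192.0.2.10", 480)]
RECORDS += [(f"203.0.113.{h}", "198.51.100.5", 50) for h in range(1, 101)]

if __name__ == "__main__":
    for prefix, role in disproportional(RECORDS):
        print(f"{prefix:18} {role}")
```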
In destination-based mechanisms, detection and response are mostly done at the destination of the attack. Various
destination-based mechanisms are [12]: IP traceback mechanisms (the process of tracing forged IP
packets back to their true sources rather than to the spoofed IP addresses used in the attack);
Management Information Base (MIB) analysis (MIB data comprises parameters that indicate various packet and
routing statistics, and continuously analyzing the MIB can help victims identify when a DDoS attack is occurring);
packet marking and filtering mechanisms (which aim to mark legitimate packets at each router along their path to the
destination so that the victims' edge routers can filter the attack traffic); and packet dropping based on the level of
congestion (dropping suspicious packets when the network links are congested beyond a certain level).
We can also avoid these attacks by installing the updated security patches from software vendors [3]. Install
antivirus software with up-to-date signatures on all mail servers to keep out email worms that could be DDoS tools.
Firewalls and routers can provide a great degree of protection through ingress (inbound) and egress (outbound)
filtering. Use an egress filter in the network firewall and/or router to make sure that whatever leaves the
network only has source addresses that belong to the network, and use an ingress filter to confirm that packets
coming into the network do not have source addresses belonging to the inside network.
The various other available solutions to avoid or detect DoS attacks are explained as follows:
Packet Marking: This inscribes some path information into the headers of the packets themselves [15]. The
marking can be deterministic or probabilistic. In deterministic marking, every router marks all packets. The
drawback of deterministic packet marking is that the packet header grows as the number of hops increases
and overhead is imposed on routers to mark every packet. Probabilistic packet marking (PPM) encodes
the path information into a small fraction of the packets. The assumption is that during a flooding attack a huge
amount of traffic travels towards the victim. Therefore, there is a great chance that many of these packets will be
marked at routers throughout their journey from the source to the victim. It is likely that the marked packets will
give enough information to trace the network path from the victim back to the source of the attack.
Traffic filtering: Another method to prevent DoS attacks is to define a limit on the number of
management frames per second the AP will process. The AP counts the number of management frames per second received from
each particular MAC address, and if that count exceeds a predetermined limit, all further frames from that
MAC address are ignored for that second. A problem occurs only if an intruder
continuously sends management frames while changing the MAC address for every frame: the AP
will then process all the frames, understanding that a large number of clients want to associate simultaneously.
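As an added illustration (not the paper's own mechanism or code), the following Python script implements this per-address limit on management frames with a sliding one-second window, and adds an aggregate per-AP budget to cover the failure mode just described, where every frame carries a fresh MAC address and so never exceeds any single address's quota. The class name, limits and constructed frame timings are assumptions.

```python
# Added example: per-sender and aggregate rate limiting of management frames at an AP.
from collections import defaultdict, deque


class ManagementFrameFilter:
    """Decides, before any processing, whether an AP should act on a management frame."""

    def __init__(self, per_mac_limit=10, aggregate_limit=200, window=1.0):
        self.per_mac_limit = per_mac_limit      # frames per window from one source MAC
        self.aggregate_limit = aggregate_limit  # frames per window the AP processes at all
        self.window = window                    # seconds
        self.per_mac = defaultdict(deque)       # src MAC -> timestamps of recent attempts
        self.accepted = deque()                 # timestamps of frames actually processed

    def _expire(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def decide(self, now, src):
        """'accept', 'per-mac' (this sender is over quota) or 'aggregate' (the AP is)."""
        q = self.per_mac[src]
        self._expire(q, now)
        q.append(now)   # attempts are counted, so a flooder stays blocked for the window
        if len(q) > self.per_mac_limit:
            return "per-mac"
        # A sender that changes its MAC on every frame never trips the per-MAC quota;
        # the aggregate budget bounds the AP's total work no matter how many addresses
        # the frames claim to come from (this second limit is the added generalisation).
        self._expire(self.accepted, now)
        if len(self.accepted) >= self.aggregate_limit:
            return "aggregate"
        self.accepted.append(now)
        return "accept"

    def prune(self, now):
        """Forget senders with no attempts in the current window, so a flood of random
        MAC addresses cannot grow the table without bound.  Returns the table size."""
        idle = [s for s, q in self.per_mac.items() if not q or q[-1] <= now - self.window]
        for s in idle:
            del self.per_mac[s]
        return len(self.per_mac)


def simulate(frames, **limits):
    """Run (timestamp, src MAC) frames through a fresh filter; return the decisions."""
    f = ManagementFrameFilter(**limits)
    return [f.decide(t, src) for t, src in frames]


# Constructed traffic.  Scenario A: one station sends 8 association requests within
# 80 ms, then one more two seconds later.  Scenario B: 30 requests, each from a new MAC.
FLOOD_ONE_MAC = [(0.01 * i, "aa:aa:aa:aa:aa:aa") for i in range(8)] + [(2.0, "aa:aa:aa:aa:aa:aa")]
FLOOD_RANDOM_MAC = [(3.0 + 0.001 * i, f"02:00:00:00:00:{i:02x}") for i in range(30)]

if __name__ == "__main__":
    print("one MAC:   ", simulate(FLOOD_ONE_MAC, per_mac_limit=5, aggregate_limit=20))
    print("random MAC:", simulate(FLOOD_RANDOM_MAC, per_mac_limit=5, aggregate_limit=20))
```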
Letter envelope protocol: To prevent the disassociation attack, we can use the letter-envelope protocol [1] to
authenticate management frames in the association process. After the authentication process between wireless station
and access point, the association process takes place.
ICMP Traceback: In this approach every router samples the forwarded packets with a very low probability
[15] and sends an ICMP traceback message to the destination. An ICMP traceback message contains the
previous and next hop addresses of the router, a timestamp, a portion of the traced packet, and authentication
information. The drawback of this approach is that the attacker can send many false ICMP traceback messages
to confuse the victim.
Location tracking: Once a DoS attack is detected, it is paramount to determine the physical location of the
source or attacker [8], for example by generating an alarm in real time and pin-pointing the location of the
attacker.
Large Number of Association Requests (LASO): In this attack, the attacker continuously uses random MAC
addresses to associate with an access point (AP). In doing so, the attacker keeps the AP busy
handling the attacker's requests, which prevents any other clients from joining the AP. The Pre-Check and Pre-
Association processes [11] work together to avoid LASO attacks.
Against spoofing: ARP poisoning or ARP spoofing [3] can be avoided with a couple of solutions. Use network
switches that have MAC binding features, which store the first MAC address that appears on a port and do not
allow this mapping to be altered without authentication. Making ARP requests unicast can save a lot of congestion.
Adding authentication to establish the identity of the sender, or protection against packet tampering, makes it secure. ARP
request packets can be sent to a central server which holds the IP-to-MAC address mapping, and the server can send
the ARP response to the requesting host with a strong digital signature using a collision-free one-way hash function.
This can protect against tampering or the injection of newly forged ARP packets.
Web spoofing depends mainly on social engineering tricks, so it is important to educate users and to make them
generally aware of the address bar in the browser that displays the web address they are directed to. That
can help when a suspicious web site address comes up. DNS spoofing can be prevented by securing the DNS
servers and by implementing anti-IP-address-spoofing measures.
Against flooding attacks: Blocking TCP SYN flooding on devices behind a firewall from hosts with random IP addresses is
easy, since an access list can block such IP addresses or blocks of them. But on a web or mail server with public Internet
access, there is no way to check whether the incoming IP addresses are hostile or non-hostile. Some options
available in such a case are [3]: increase the SYN-ACK connection queue, decrease the time-out waiting for the 3-
way handshake, and employ vendor software patches. A combination of a Host-based Intrusion Detection System
(HIDS) and a Network-based Intrusion Detection System (NIDS) can greatly help, especially against flooding
attacks. A signature detection scheme would be good at detecting known attacks. Alerts arising from any
suspicious activity can be communicated to the administrator immediately. Firewalls are an excellent form of
protection; however, they must leave some ports open to allow the operation of web, mail, FTP and other
Internet-based services, and these are the paths exploited by most vulnerabilities.
IV. CONCLUSIONS
DoS attacks are much easier to launch on wireless networks than on wired networks, typically due to the nature
of wireless communication, in which packets move freely through the air. Even after the development of many secure
protocols, IEEE 802.11 wireless networks are still vulnerable to attacks. DoS attacks can cause serious problems for
legitimate users. DoS can be initiated at the physical layer, data link layer, network layer, application layer, etc.
in many ways. In future more attention must be paid to DoS issues, as the available solutions are not able to
stop DoS attacks fully, and guaranteed immunity against DoS attacks can never be possible due to the openness
of the channel. This paper has comprehensively explained different DoS attacks and their available solutions.
REFERENCES
[1] L. Arockiam, B. Vani, "A Survey of Denial of Service Attacks and its Countermeasures on Wireless Network",
International Journal on Computer Science and Engineering (IJCSE), Vol. 02, No. 05, 2010, pp. 1563-1571.
[2] Mofreh Salem, Amany Sarha, Mostafa Abu-Bakr, "A DOS Attack Intrusion Detection and Inhibition Technique for
Wireless Computer Networks", ICGST-CNIR, Volume (7), Issue (I), July 2007.
[3] Lawan A. Mohammed and Biju Issac, "Detailed DoS Attacks in Wireless Networks and Countermeasures", Int. J. Ad
Hoc and Ubiquitous Computing, Vol. 2, No. 1, 2006.
[4] Stuart Compton, "802.11 Denial of Service Attacks and Mitigation", SANS Institute.
[5] Peter Egli, Product Manager Wireless & Networking Technologies, "Susceptibility of wireless devices to denial of
service attacks".
[6] Shafiullah Khan, Kok-Keong Loo, Tahir Naeem, "Denial of Service Attacks and Challenges in Broadband Wireless
Networks", IJCSNS International Journal of Computer Science and Network Security, Vol. 8, No. 7, July 2008.
[7] G. A. Marin, "Network security basics", IEEE Security and Privacy, Vol. 3, pp. 68-72, November 2005.
[8] "Understanding WLAN DoS Vulnerabilities & Practical Countermeasures", Part number WP-WLAN-DENIAL, printed
in USA 01/10, Motorola.
[9] Kemal Bicakci, Bulent Tavli, "Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks",
Computer Standards & Interfaces 31 (2009) 931-941.
[10] Abhishek Gupta, Manish Garg, "DoS Attacks on IEEE 802.11 Wireless Networks and Its Proposed Solutions".
[11] L. Arockiam, B. Vani, "A Comparative Study of the Available Solutions to Minimize Denial of Service Attacks in
Wireless LAN", Int. J. Comp. Tech. Appl., Vol. 2 (3), pp. 619-625.
[12] Saman Taghavi Zargar, James Joshi, David Tipper, "A Survey of Defense Mechanisms against Distributed Denial of
Service (DDoS) Flooding Attacks", IEEE Communications Surveys & Tutorials, Vol. 15, No. 4, fourth quarter 2013.
[13] Veronika Durcekova, Ladislav Schwartz and Nahid Shahmehri, "Sophisticated Denial of Service Attacks aimed at
Application Layer", IEEE 2012.
[14] M. Arshey, C. Balakrishnan, "Prevention Strategies and Network Intrusion Prevention Techniques for DoS
Attacks", International Journal of Advanced Research in Computer and Communication Engineering, Vol. 2, Issue 2,
February 2013.
[15] Ahsan Habib, Mohamed M. Hefeeda, and Bharat K. Bhargava, "Detecting Service Violations and DoS Attacks".
[16] John Bellardo and Stefan Savage, "Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Department
of Computer Science and Engineering, University of California at San Diego.
[17] A. B. M. Alim Al Islam, Tishna Sabrina, "Detection of various Denial of Service and Distributed Denial of Service
Attacks using RNN Ensemble", Proceedings of the 2009 12th International Conference on Computer and Information
Technology (ICCIT 2009), 21-23 December 2009, Dhaka, Bangladesh.
AUTHORS' PROFILE
Nisha Sharma received her B.Tech. degree from Punjab Technical University and her M.Tech. degree from Guru Gobind
Singh Indraprastha University, Delhi. Currently she is working as a Project Associate at CDAC Noida. Her areas of interest
are image processing, algorithms, database management systems, OOPS and Java.
Paras Nath Barwal (Joint Director) received his M.Tech. (Comp. Sc.) from Birla Institute of Technology, Mesra in
1998. He has a total of 16 years' experience in large-scale application development and implementation and e-Governance
applications using J2EE, Oracle 10g, 9i/8i on UnixWare, and SQL Server 2K. He has successfully designed, developed and
implemented more than 40 e-Governance projects undertaken by C-DAC Noida for Government sectors.