Uncovering Denial of Service Attacks


Denial of service (DoS) attacks can flood a device with network traffic or exploit other weaknesses in order to prevent users from connecting to and using a service (see Figure 4-10). DoS attacks can involve a single attacking computer, or a cracker may use many compromised computers (called zombies) to simultaneously attack. This simultaneous attack is called a distributed denial of service attack or DDoS. By themselves, DoS attacks don’t steal information or compromise machines, but crackers use them as a component in many spoofing attacks.

Figure 4-10: A denial of service attack

There are many different DoS attacks that target wired and wireless networks, operating systems, and applications. DoS attacks aren’t limited to computers; people have launched DoS attacks against the telephone systems of companies or organizations with controversial policies.

In one scenario, hundreds of protesters continually dial the toll-free number of the target organization, staying on the line as long as possible when the target answers and immediately redialing if they get a busy signal or are disconnected. This prevents legitimate customers or members of the target organization from calling the number, effectively denying them that service. It also results in a huge phone bill for the target company.

Some DoS attacks aren’t even intentional; flaws in networking devices can cause them. In 2003, a flaw in some Netgear routers caused them to continually poll the Internet time servers at the University of Wisconsin, inadvertently causing a DoS attack on those servers. In this case, the flaw in these products coupled with the number of the products in use (hundreds of thousands) created an enormous problem for the university’s IT personnel.

On The Web 

For a firsthand account of this accidental DoS attack, and to see if your Netgear device is one of the flawed models, visit www.cs.wisc.edu/~plonka/netgear-sntp/.

I’m going to concentrate on DoS attacks against wireless networks, specifically some of the more likely or common attacks. When used as part of a spoof attack, a cracker may launch a DoS attack against an access point to prevent users from connecting to it while simultaneously spoofing the access point and inviting clients to connect to his machine (see Figure 4-11).

Figure 4-11: DoS attack against an access point as part of a spoof attack

Unfortunately, unless you are relatively network savvy and experienced in configuring firewalls, these DoS attacks are hard for home users to defend against. Fortunately, it’s unlikely that you will find your home WLAN the target of a DoS attack; public hotspots are the more likely victims.

Many of these issues will only be resolved by firmware changes and by fixes to the 802.11x protocols themselves. To better protect your system, stay aware of updates for your hardware and apply patches immediately when your vendor makes them available.

WPA denial of service

The new Wi-Fi Protected Access (WPA) encryption is a more effective replacement for the flawed WEP algorithm used in many Wi-Fi products. WPA authenticates users logging on to the network to prevent unauthorized persons from connecting. WPA also has a feature to prevent active attacks: if repeated failed authentication attempts lead it to sense that it’s under attack, the access point shuts down and resets, leaving users without wireless connectivity during that time.

A cracker can take advantage of this feature and turn it into a DoS attack. By sending repeated packets of unauthorized data to the access point, a cracker can trick WPA into thinking that it’s under attack, forcing it to restart. The attacker can do this repeatedly, creating a denial of service.

Disassociate frame attack

In this type of DoS attack, the cracker repeatedly sends spoofed disassociate frames that force the access point and clients to repeatedly disconnect, effectively shutting down the WLAN. This is the same technique discussed in the “Hijacking Sessions” section at the beginning of this chapter, only on a grander scale.

Strong signal jamming

In this simple and direct DoS attack, an attacker uses a wireless transmitter to broadcast interference on the same frequency channel used by the access point, effectively drowning it out and creating so much radio frequency (RF) noise that Wi-Fi devices in the area can’t operate (see Figure 4-12).

Figure 4-12: Strong signal jamming

Because many devices share the same frequency as Wi-Fi networks, this DoS attack may be mistaken for RF interference, and the WLAN administrator may not even know the network is under attack.

Because of the signal power required, however, the attacker often has to be in somewhat close proximity to the access point and can be located using a portable hand scanner. There really isn’t a defense against this attack other than switching radio channels and trying to locate the source of the interfering signal.

FakeAP flood

FakeAP is a software tool designed to defend a WLAN against wardrivers and crackers. FakeAP works by creating hundreds, or even thousands, of virtual access points, hiding your real access point among them. Crackers and wardrivers have no idea which access point is real, so your WLAN is effectively hiding in plain sight.

Unfortunately, FakeAP also works great against hotspots. A new twist on the DoS attack turns this defensive tool into one for attacking. The attacker, with a wireless notebook running FakeAP, locates himself near a hotspot and runs FakeAP to create thousands of fake access points. Visitors to the hotspot don’t know which access point is real and can’t connect to the WLAN (see Figure 4-13).

Figure 4-13: FakeAP flood attack
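
Both the disassociate frame attack and the FakeAP flood leave a recognizable pattern in 802.11 management traffic: a burst of disassociation frames for one network, or a sudden crowd of distinct access point identifiers (BSSIDs) in beacons. The following detection sketch is an added example, not code from the book; the function names, the thresholds, and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

BEACON, DISASSOC = 8, 10   # 802.11 management frame subtypes

def parse_mgmt(frame: bytes):
    """Return (subtype, bssid) for an 802.11 management frame, else None."""
    if len(frame) < 24:                              # management header is 24 bytes
        return None
    fc0 = frame[0]                                   # first frame-control byte
    if fc0 & 0x03 != 0 or (fc0 >> 2) & 0x03 != 0:    # need version 0, type 0 (management)
        return None
    return fc0 >> 4, frame[16:22].hex(":")           # address 3 carries the BSSID

def detect(capture, window=1.0, disassoc_limit=10, bssid_limit=50):
    """Scan (timestamp, frame) pairs and return the set of alerts raised.
    The limits are illustrative assumptions and must be tuned per site."""
    alerts = set()
    disassoc = defaultdict(deque)                    # bssid -> recent disassoc timestamps
    beacons = {}                                     # bssid -> last beacon timestamp
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, bssid = parsed
        if subtype == DISASSOC:
            q = disassoc[bssid]
            q.append(ts)
            while q and ts - q[0] > window:          # drop frames outside the window
                q.popleft()
            if len(q) > disassoc_limit:
                alerts.add(("disassoc-flood", bssid))
        elif subtype == BEACON:
            beacons[bssid] = ts
            beacons = {b: t for b, t in beacons.items() if ts - t <= window}
            if len(beacons) > bssid_limit:           # too many distinct APs at once
                alerts.add(("beacon-flood", None))
    return alerts

def make_frame(subtype, bssid: bytes, dst=b"\xff" * 6):
    """Build a constructed 24-byte management header for the sample below."""
    return struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, dst, bssid, bssid, 0)

# Constructed sample: normal traffic, a disassociation burst, then 200 BSSIDs.
AP = bytes.fromhex("020000000001")
SAMPLE = [(0.0, make_frame(BEACON, AP)), (0.1, make_frame(DISASSOC, AP))]
SAMPLE += [(1.0 + i * 0.01, make_frame(DISASSOC, AP)) for i in range(20)]
SAMPLE += [(2.0 + i * 0.001,
            make_frame(BEACON, b"\x02\x00\x00\x00" + i.to_bytes(2, "big")))
           for i in range(200)]
```

In practice the `(timestamp, frame)` pairs would come from a monitor-mode capture with the radiotap header already stripped; an occasional disassociation or a handful of neighboring access points stays below both limits.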




Caution! Wireless Networking: Preventing a Data Disaster
ISBN: 076457213X
EAN: 2147483647
Year: 2003
Pages: 145
