Denial-of-service (DoS) attacks are those that prevent the proper use of functions or services. Such attacks also apply to wireless networks. To understand this, we must first consider how wireless 802.11b networks operate, and over what frequencies. Effectively attacking (or securing) a wireless network requires a certain level of knowledge about how radio transmitters, frequencies, and wavelengths work and relate to each other.

In the United States, the FCC governs frequencies and their allocation. Devices such as police radios, garage door openers, cordless phones, GPS receivers, microwave ovens, and cell phones use various frequencies to operate. In fact, millions of such devices are capable of operating simultaneously on the various frequencies of the radio spectrum (Table 7.2).

Table 7.2. The Radio Spectrum as Defined by the FCC
NOTE

A frequency is the numerical representation of the number of times a sine wave oscillates per second. Let's say you are listening to 101.5 FM on the radio in your car. A transmitter generating a sine wave at 101,500,000 cycles per second is transmitting that signal. The unit of cycles per second is Hertz (Hz), which can be further expressed in terms of kilohertz (kHz), megahertz (MHz), and gigahertz (GHz). In our example of 101,500,000 cycles per second, we could refer to this as 101,500,000 Hertz, or 101,500 kilohertz, or, as it is commonly represented, 101.5 megahertz.

Radio waves are very easy to create; in fact, you can demonstrate this right now. The following list shows how to create and hear your own radio waves.

Items needed: 9-volt battery, quarter, AM radio
Each time the quarter comes in contact with the battery terminals, it will generate a small radio wave, causing a crackle in the radio. The circuit you create produces circular waves of electromagnetic interference, perpendicular to the direction of electrical flow.

Wireless 802.11b networks operate in the UHF band, specifically between 2.4GHz and 2.5GHz. These frequencies are broken up into 14 channels as shown in Table 7.3. In the United States, only channels 1-11 are used. Europe uses channels 1-13, France uses channels 10-13, and Japan uses channels 1-14.

Table 7.3. Frequency and Channel Assignments
When an 802.11b device is sending data, it is not just transmitting on a single frequency. A technology called Direct Sequence Spread Spectrum (DSSS) is used to spread the transmission over multiple frequencies. DSSS is designed to maximize the effectiveness of the radio transmission while minimizing the potential for interference. In DSSS, a "Channel" refers to a specific ruleset, rather than a particular frequency. These rulesets define how the radio will spread the signal across multiple frequencies, also identified as channels.

It is much like having a party at your house at which there are people in eleven different rooms. In each of the eleven rooms, the guests are having a different conversation, and the sound is traveling from room to room. While you are in room one, you can hear the conversations of rooms one, two, three, four, and five. Guests in room six can hear the conversations in rooms two, three, four, five, six, seven, eight, nine and ten, but they cannot hear anything from room one because of a wall or ruleset. Table 7.4 illustrates the channel layout and shows what can be heard by each channel ruleset. In the entire eleven rulesets, there are only three that do not overlap: CH1, CH6, and CH11.

Table 7.4. DSSS Channel Overlap Guide
Conversations governed by ruleset 6 (Channel 6) cannot be heard by a station operating according to rulesets 1 or 11. Thus, in large infrastructure environments, there are really only three rulesets available. For an attacker building some type of jamming device, this is important. Based on the chart in Table 7.4, you can see that by targeting frequencies 5, 6, and 7, the jammer can cause the maximum amount of interference.

Jamming or causing interference to an 802.11b network can be fairly simple. There are several commercially available devices that will bring a wireless network to its knees. For example, a Bluetooth-enabled device is one such item that can cause headaches for 802.11b networks. We have found that when a Bluetooth device is located within approximately ten meters of 802.11b devices, the Bluetooth device will cause a jamming type of denial-of-service attack. The same is true of several 2.4GHz cordless phones that are currently available. This is because the 2.4GHz band is becoming widely used and is considered shared, thus allowing all kinds of devices to use it.

The signals generated by these devices can appear to be an 802.11 transmission to other stations on the wireless network, thus causing them to hold their transmissions until the signal has gone, or until you have hung up the cordless phone. The other possibility is that the devices will just cause an increase in RF noise, which could cause the 802.11b devices to switch to a slower data rate. Devices re-send frames over and over again to increase the odds of the other station receiving them. Normally, data is transmitted at 11Mbps when sending one copy of each frame. If it were to drop to 50% efficiency, the device would still be transmitting at 11Mbps, but it would be sending a duplicate of each frame, making the effective speed 5.5Mbps. Thus you will have a significant decrease in network performance as a result of re-sending duplicate frames.
In addition, with a high level of RF noise, you can expect to see an increase in corrupt frames, which also requires a full retransmission of the packet.
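
The DSSS channel overlap described earlier (room one hears rooms one to five, room six hears rooms two to ten) can be derived from channel centre frequencies. The following is an added example, not from the original text, written for channel planning and interference troubleshooting; the centre-frequency formula, the 22 MHz width, and the AP inventory are assumptions stated in the comments.

```python
# Added example: 802.11b DSSS channel overlap in the 2.4GHz band.
# Assumptions (standard 802.11b values, not taken from the page's tables):
#   channel n (1-13) is centred at 2407 + 5*n MHz, channel 14 at 2484 MHz,
#   and each DSSS transmission occupies roughly 22 MHz.
CHANNEL_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)  # channels 1-11, as used in the United States

def center_mhz(channel):
    """Centre frequency in MHz for a 2.4GHz channel number."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4GHz 802.11b channel: {channel}")

def overlaps(a, b):
    """True when two channels' 22 MHz signals share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ

def heard_by(channel, channels=US_CHANNELS):
    """Channels whose traffic a station on `channel` can hear."""
    return [c for c in channels if overlaps(channel, c)]

def non_overlapping_plan(channels=US_CHANNELS):
    """Greedy channel plan: keep each channel that clears all chosen ones."""
    plan = []
    for c in channels:
        if not any(overlaps(c, chosen) for chosen in plan):
            plan.append(c)
    return plan

def affected_aps(interferer_channel, ap_channels):
    """Names of deployed APs whose channel overlaps an observed interferer."""
    return sorted(name for name, ch in ap_channels.items()
                  if overlaps(interferer_channel, ch))

# Constructed sample inventory (hypothetical AP names) for troubleshooting.
SAMPLE_APS = {"ap-lobby": 1, "ap-floor2": 6, "ap-warehouse": 11}

if __name__ == "__main__":
    for ch in US_CHANNELS:
        print(f"CH{ch:<2} ({center_mhz(ch)} MHz) hears {heard_by(ch)}")
    print("Non-overlapping plan:", non_overlapping_plan())
    print("APs degraded by a transmitter seen on CH3:",
          affected_aps(3, SAMPLE_APS))
```
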