9.10 Denial-of-Service Attacks and Tools


A denial in network availability involves some form of DoS attack, such as jamming. Jamming occurs when a malicious user deliberately sends a signal from a wireless device in order to overwhelm legitimate wireless signals. Jamming results in a breakdown in communications because legitimate wireless signals are unable to communicate on the network. Nonmalicious users can also cause a DoS. A user, for instance, may unintentionally monopolize a wireless signal by downloading large files, effectively denying other users access to the network. There are three main types of wireless DoS attacks: RF jamming, data flooding, and hijacking. The tools required to conduct any of these attacks are inexpensive and easy to acquire, but the damage to production, service, or end-user productivity can be immense if these types of attacks are not prevented.

9.10.1 RF Jamming

Jamming a Direct Sequence Spread Spectrum (DSSS) WLAN is fairly easy to do using inexpensive tools, and such jamming activities can be conducted from relatively long ranges. Most WLANs operate at power outputs of less than 100 mW, and DSSS WLANs generally use only 22 MHz of the RF spectrum to transmit data. An RF generator that produces a very low amount of power (less than 1 W) and drives either a directional or an omnidirectional antenna is capable of broadcasting a signal over very long distances. Because these devices typically run from a very small power source, they give anyone the ability to easily jam a WLAN.

Even though DSSS WLANs are resilient to noise interference, few can function properly when competing with a jamming signal up to 40 times more powerful (4 W). This amount of generated RF signal can jam nearly any WLAN and cause a complete disruption (or denial) of service to client devices using the target access point. Another consideration is that users connecting to the jammed access point are allowed to connect to a rogue access point set up by an intruder and configured to display the same SSID as the (hijacked) authorized access point; that is why this type of attack is called hijacking. No WLAN manufacturer makes a device called an "RF jamming device" because of the legal implications involved. A hacker knows he or she must find equipment commonly used for testing WLAN antennas, cables, connectors, and accessories. One such piece of equipment is YDI's Power Signal Generator-1 (PSG-1), which can be seen at http://www.ydi.com. It is important to know that microwave ovens, Bluetooth devices, and even certain WLAN devices can inadvertently cause a jamming situation to occur on a WLAN.

9.10.2 Data Flooding

Data flooding is the act of overwhelming an infrastructure device or computer with more data than it can process. There are three primary methods of performing a data flooding attack:

  1. Pull a very large file from the Internet.

  2. Pull or push a very large file from or to an internal server on the LAN.

  3. Use a packet generator software package.

Packet generator software is easy to use, even for a novice, and it can push enough traffic to saturate any WLAN. A packet generation attack is more likely to make it through effective network controls than the first two methods described above. This type of attack is very similar to RF jamming, except that it uses DSSS transmissions to accomplish the same result.

One might think it would require significant amounts of data to flood a WLAN, but that is not the case. A data flooding attack does not require very much data at all. An 802.11b-compliant access point will typically saturate at about 5.5 Mbps of throughput. Sometimes, saturation occurs with even less than 5.5 Mbps of throughput because APs are half-duplex devices. A WLAN client can produce the same amount of throughput; therefore, each client device also has the ability to saturate an AP. Such methods of saturation will effectively disable the AP, creating a DoS condition by denying a reasonable Quality of Service (QoS) to other users. Because WLAN devices use a protocol known as Carrier Sense Multiple Access/Collision Detection (CSMA/CD), all nodes attached to an AP are allocated a fractional slice of time (usually calculated in a methodology known as round-robin scheduling) in which to transmit. However, when a single node transmits a huge chunk of data, other nodes are essentially blocked from passing even very small bits of data: the time-slicing algorithm is, in effect, paused until the largest data frame allowed has been processed, and only then does it allocate a small slice of time to the other device connections.

For example, a time-slicing algorithm allocates a 100 millisecond block of time to each of 10 connected devices. Device 8 sends a huge chunk of data that is broken down into the largest allowable frame size and transmitted, using 900 milliseconds to do so. Once the frame is transmitted, Device 9 gets 100 milliseconds, Device 10 gets its turn, then back to Devices 1 through 7, using up a total of one second of computer clock time before getting back to Device 8 again. Device 8 sends the next chunk, using 900 milliseconds again, and the process continues until the entire amount of data sent by Device 8 has been transmitted. In this simplistic example, it is easy to figure out that Device 8 is using 90 percent of the available time and denying equal service in 10 percent increments to the remaining nine devices.
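The scenario above is what an airtime-fairness monitor on the AP or on a wireless IDS is meant to catch: one station holding the channel for long bursts while nine others get short turns. The following is an added example, not code from the book, that builds a constructed per-frame accounting log modelled on the text's ten-device round-robin (station ...:08 sends 900 ms bursts, everyone else 100 ms frames; the MAC addresses are made up), computes each station's share of total airtime, flags any station at or above a configurable share, and compares the offered load with the 5.5 Mbps saturation figure the text gives for an 802.11b AP.

```python
"""Airtime-share monitor for detecting a client that monopolizes an AP.

Added example; not from the book. The per-frame records are constructed to
resemble what a monitoring tool might export: (timestamp_ms, station MAC,
frame bytes, airtime_ms). All MAC addresses and sizes are made up.
"""
from collections import defaultdict

# Throughput at which the text says an 802.11b AP saturates (bits/second).
SATURATION_BPS = 5_500_000


def build_sample(cycles=3):
    """Return constructed per-frame records (t_ms, station, n_bytes, airtime_ms).

    Ten stations transmit in round-robin order. Station ...:08 sends a 900 ms
    burst while every other station sends a 100 ms frame, mirroring the
    time-slicing scenario in the text. Frame sizes are chosen so each frame
    fills its airtime at exactly SATURATION_BPS.
    """
    frames = []
    t_ms = 0
    for _ in range(cycles):
        for dev in range(1, 11):
            airtime_ms = 900 if dev == 8 else 100
            n_bytes = SATURATION_BPS * airtime_ms // 1000 // 8
            frames.append((t_ms, f"02:00:00:00:00:{dev:02x}", n_bytes, airtime_ms))
            t_ms += airtime_ms
    return frames


def airtime_share(frames):
    """Fraction of total channel airtime consumed by each station."""
    per_station = defaultdict(int)
    for _, station, _, airtime_ms in frames:
        per_station[station] += airtime_ms
    total = sum(per_station.values())
    return {station: ms / total for station, ms in per_station.items()}


def offered_load_bps(frames):
    """Average bits per second carried during the frames' combined airtime."""
    total_bits = sum(n_bytes * 8 for _, _, n_bytes, _ in frames)
    total_seconds = sum(airtime_ms for *_, airtime_ms in frames) / 1000
    return total_bits / total_seconds


def flag_hogs(frames, threshold=0.5):
    """Stations whose airtime share reaches the threshold.

    With ten associated stations, a single one holding half the channel is a
    strong indicator of a flooding client rather than normal bursty use.
    """
    return sorted(s for s, share in airtime_share(frames).items() if share >= threshold)


def saturated(frames, margin=0.95):
    """True when offered load is within `margin` of the AP's saturation point."""
    return offered_load_bps(frames) >= SATURATION_BPS * margin


if __name__ == "__main__":
    frames = build_sample()
    for station, share in sorted(airtime_share(frames).items()):
        print(f"{station}  {share:6.1%}")
    print("offered load: %.2f Mbps" % (offered_load_bps(frames) / 1e6))
    print("saturated:", saturated(frames))
    print("hogs:", flag_hogs(frames))
```

In a real deployment the records would come from the AP's per-station counters or a wireless sniffer rather than `build_sample()`; the threshold should be tuned to the number of associated stations, since a lone client legitimately owns 100 percent of an otherwise idle AP.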

9.10.3 Client Hijacking

Hijacking occurs when an unauthorized user takes control of an authorized user's WLAN connection. In wireless environments, hijacking is done at OSI Layer 2 when the intent is to create a DoS condition. When hijacking occurs at OSI Layer 3, the intruder is most likely attempting to initiate an attack surreptitiously. The unsuspecting victim who attempts to connect to a jammed access point is allowed to connect to a rogue access point set up by an intruder and configured to display the same SSID as the (now hijacked) authorized access point. In order to accomplish the hijack operation successfully, hackers must set up the rogue AP to replicate the authorized access point. A WLAN PC card can be configured to operate as a rogue AP. When configuring a rogue software AP, it is important for the hacker to choose a channel that does not conflict with one in use by the victim. When the jamming device is used to force users to roam for a better connection, the client devices will roam off the authorized hardware AP and onto the rogue software access point. After the Layer 2 connection has been hijacked, the next logical step in the attack process is to allow the hijacked user to establish a Layer 3 connection with the hijacker. This Layer 3 connection can be established by running a DHCP server on the laptop serving as the AP. Windows-based products automatically renew DHCP leases whenever a Layer 2 connection is broken, and this autorenew function works to the hijacker's benefit.
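The defensive counterpart to the rogue AP described above is an inventory check: every radio advertising one of your SSIDs must be a BSSID you own, on the channel you configured. The following is an added example, not code from the book, that runs that check over a constructed beacon scan. The authorized inventory, the BSSIDs and the "CORP-WLAN" and "GuestNet" SSIDs are all made up; the scan deliberately contains one unknown BSSID advertising the corporate SSID on a channel the legitimate APs do not use, which is the pattern the text describes.

```python
"""Evil-twin / rogue AP check against an authorized BSSID inventory.

Added example; not from the book. Beacon records and the inventory are
constructed; real input would come from a scan of the air (or a wireless IDS).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int


# Constructed inventory: protected SSID -> {authorized BSSID: configured channel}.
AUTHORIZED = {
    "CORP-WLAN": {
        "00:11:22:33:44:01": 1,
        "00:11:22:33:44:02": 6,
    },
}

# Constructed scan results. The third record is an authorized BSSID seen on a
# channel it was not configured for; the fourth is an unknown radio advertising
# the corporate SSID on a non-conflicting channel, as a rogue software AP would.
SCAN = [
    Beacon("CORP-WLAN", "00:11:22:33:44:01", 1),
    Beacon("CORP-WLAN", "00:11:22:33:44:02", 6),
    Beacon("CORP-WLAN", "00:11:22:33:44:01", 4),
    Beacon("CORP-WLAN", "02:AA:BB:CC:DD:EE", 11),
    Beacon("GuestNet", "00:99:88:77:66:55", 3),
]


def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory and scan compare reliably."""
    return mac.replace("-", ":").lower()


def find_rogue_aps(scan, authorized):
    """Return (finding, beacon) pairs for protected SSIDs.

    'unknown-bssid'    : the SSID is ours but the advertising BSSID is not.
    'channel-mismatch' : an authorized BSSID is seen on an unexpected channel
                         (misconfiguration, or a BSSID being spoofed).
    SSIDs outside the inventory are ignored; they are not evil twins of ours.
    """
    findings = []
    for beacon in scan:
        if beacon.ssid not in authorized:
            continue
        expected = {normalize_mac(m): ch for m, ch in authorized[beacon.ssid].items()}
        bssid = normalize_mac(beacon.bssid)
        if bssid not in expected:
            findings.append(("unknown-bssid", beacon))
        elif expected[bssid] != beacon.channel:
            findings.append(("channel-mismatch", beacon))
    return findings


def unknown_bssids(scan, authorized):
    """Just the rogue-candidate BSSIDs, normalized, for feeding an alert or block list."""
    return sorted(
        normalize_mac(b.bssid) for kind, b in find_rogue_aps(scan, authorized)
        if kind == "unknown-bssid"
    )


if __name__ == "__main__":
    for kind, beacon in find_rogue_aps(SCAN, AUTHORIZED):
        print(f"{kind:17} ssid={beacon.ssid} bssid={beacon.bssid} ch={beacon.channel}")
```

A scan like this is most useful when run continuously from a sensor near the protected APs, because the rogue in the text only needs to be on the air while the jammer forces clients to roam; a one-off survey can easily miss it.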


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153