Chapter 2 WLANS SECURITY OVERVIEW
PERFORMANCE ANALYSIS & ENHANCEMENTS IN INTRUSION DETECTION TECHNIQUES FOR WIRELESS LOCAL AREA NETWORKS
The research investigates the performance analysis and enhancement of intrusion detection techniques for wireless local area networks, and proposes novel wireless intrusion detection techniques to address the monitoring requirements of such networks.
The specific outcomes of this research are:
* An expository overview of a risk analysis for detecting intruders in WLAN
* The vulnerabilities and security threats in MANET
* How security services such as confidentiality, integrity and authentication can be supported in wireless networks using an IDS
* The potential dangers that may be crucial in future
CHAPTER 1 INTRODUCTION
Over the past five years, the world has become increasingly mobile. As a result, traditional ways of networking the world have proven inadequate to meet the challenges posed by our new collective lifestyle. If users must be connected to a network by physical cables, their movement is dramatically reduced. Wireless connectivity, however, poses no such restriction and allows a great deal more free movement on the part of the network user.
As a result, wireless technologies are encroaching on the traditional realm of "fixed" or "wired" networks. This change is obvious to anybody who drives on a regular basis. One of the "life and death" challenges to those of us who drive on a regular basis is the daily gauntlet of erratically driven cars containing mobile phone users in the driver's seat.
A wireless local area network is defined by the IEEE 802.11 family of specifications. IEEE 802.11 is a set of standards for wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee.
IEEE 802.11s is a draft IEEE 802.11 amendment for mesh networking, defining how wireless devices can interconnect to create a WLAN mesh network, which may be used for static topologies and ad hoc networks.
802.11's security problems are well known, and the threat of war driving is well publicized. However, so far no known studies have been conducted to assess the risk faced by organizations and the full extent of unauthorized use of wireless LANs. This study seeks to investigate intrusion detection in the wireless LAN. Wireless LAN standards offer a very unsatisfactory level of security and cannot truly be trusted; when products based on these standards are used, security must be taken care of in the upper layers. Some commonly used attacks are more severe in a wireless environment, and additional effort is needed to prevent them. The nature of radio communication makes it practically impossible to prevent some attacks, such as denial of service using radio interference. When wireless networks are used in strategic applications, such as manufacturing or hospitals, the possibility of this kind of attack should be taken into account with great care. The goal is to maintain the confidentiality, integrity and availability of data transmitted on the LAN.
All the work in this thesis is based on the IEEE 802.11 infrastructure WLAN. The research is especially focused on studying different security problems and flaws in wireless networks and on detecting some of these attacks using an intrusion detection system. It is known that wireless networks are prone to more attacks than wired networks because no physical access to the network is needed. The sole focus of this thesis is wireless intrusion detection for IEEE 802.11. The work in this thesis is not based on statistical or mathematical modeling.
The following are the major objectives of our study:
1. To study the various vulnerabilities and attacks on WLANs (such as invasion and resource stealing, traffic redirection, denial of service (DoS), rogue access points and WEP key vulnerability) and their detection using an intrusion detection system (IDS).
2. To study some of the existing security methods used for securing WLANs and explore the possibility of improving them.
3. To analyze the various techniques based on misuse detection or anomaly detection for securing wireless LANs.
4. To study the commercially available intrusion detection tools that are capable of monitoring wireless traffic.
5. To develop a new efficient technique for monitoring, detecting and responding to the various security breaches of the WLAN.
The outcomes of this research have made contributions to each of the aims described above. These outcomes specifically are:
* A comprehensive review of the outstanding vulnerabilities and attacks in WLAN
* A comprehensive review on the wireless intrusion detection techniques currently available for detecting attacks
* Development of an algorithm for automatic attack scenario detection using cross-detection technique correlation.
* Development of an algorithm to automatically assign priority to the detected attack scenario using cross-detection technique correlation.
This thesis is divided into eleven major chapters, which are structured around the aim of the research.
Chapter 2 WLANS SECURITY OVERVIEW
WLAN - Wireless Local Area Network
A Wireless Local Area Network (WLAN) links devices via a wireless distribution method and provides a connection through an access point to the wider network. This gives users the mobility to move around within the local coverage area while remaining connected to the network. Wireless LANs have become popular due to their ease of installation, and public business areas have begun to offer wireless access to their customers for free. Even a major city has begun a pilot project to cover all five of its boroughs with wireless internet access.
Wireless LANs are quickly gaining popularity due to their ease of installation and higher employee mobility. Together with PDAs and other mobility devices, they go on to improve the quality of life.
The reasons for using a WLAN are:
* Communication in meetings, fast responsiveness
* Graduates expect the same mobility in the workplace
* No longer limited by wired jacks and wired infrastructure
* Nontraditional networking: smoke sensors, surveillance cameras, temperature sensors, etc.
4. Cost savings
* Flexible connectivity in large spaces, for example warehouses and convention centers
5. Location and context-aware services
* Crossing boundaries - chokepoints
6. Secure guest access
Types of WLAN
Part of the success behind the popularity of WLANs is due to the availability of the 802.11 standard from the IEEE. The standard specifies the operation of WLANs in three modes:
Infrastructure Mode: Every WLAN workstation (WS) communicates to any machine through an access point (AP). The machine can be in the same WLAN or connected to the outside world through the AP.
Ad Hoc Network Mode: Every WS talks to another WS directly.
Mixed Network Mode: Every WS can work in the above two modes simultaneously. This is also called the Extended Basic Service Set (EBSS)
Security Features of Wireless LANs
A message traveling by air can be intercepted without physical access to the wiring of an organization. Any person, sitting in the vicinity of a WLAN with a transceiver with a capability to listen/talk, can pose a threat. Unfortunately, the same hardware that is used for WLAN communication can be employed for such attacks. Every network application and infrastructure component has a distinct set of security requirements that must be addressed before managers feel comfortable entrusting it with the enterprise's mission critical information.
For wireless LAN, security takes place on two levels: the frame level and the radio frequency (RF) level. Within this context, enterprise WLAN security requirements essentially fall into three broad categories, with the first two referring to frame-level security and the third dealing with RF-level security.
To make the WLANs reliable the following security goals were considered:
* Data Integrity
* Access Control
The following security measures are a part of the 802.11 IEEE protocol:
Data Confidentiality and Integrity
The protection of data as it moves across the shared medium is the most familiar aspect of WLAN security. Confidentiality is delivered through the use of encryption algorithms, which encode information in a manner that can only be decoded and read by the parties for which it is intended. Going hand-in-hand with encryption are the concepts of data integrity and non-repudiation, which help to prevent hackers from altering data. Non-repudiation is achieved through the use of a hashing algorithm which takes a snapshot of each frame's content before it is encrypted.
Even if a frame were to be decrypted, it would not be possible for a hacker to alter the data contained within and fraudulently re-send it, a process known as spoofing. Strong data confidentiality and integrity are especially critical for wireless traffic, as frames can be more easily intercepted, and potentially compromised, by virtually anyone in the vicinity of the network.
Authentication and Access Control
The mechanisms used to grant authorized users access to the wireless network and the resources residing on the broader enterprise network are just as important as encryption and integrity. Sophisticated implementations also allow for the definition of access control policies that grant different users or groups unique security settings and access to different network resources.
Robust authentication and access control measures are especially vital to WLANs because there is little available in the way of physical separation of unauthorized users from the network. A user can potentially have a laptop outside of the office premises, and without an authentication mechanism to keep them out, they could gain full access to the corporate network.
Intrusion Detection and Prevention
Wireless intrusion detection and prevention services (Wireless IDS/IPS) must be able to identify and remove threats, but still allow neighboring WLANs to co-exist while preventing clients from accessing each other's resources. Intrusion detection and prevention focuses on the radio frequency (RF) level. It involves radio scanning to detect rogue access points or ad hoc networks to regulate network access.
Advanced implementations are able to visually represent the network area along with potential threats, and have automatic classification capabilities so that threats can be easily identified. Enterprise WLAN security is not one-size-fits-all. While it is desirable to have the most sophisticated frame-level and RF-level security available, wider considerations mean that this may not always be possible. Each enterprise must weigh the level of security required against the overall costs.
The solution must be cost-effective, leverage and integrate with existing security technology where possible, require little administrative maintenance and interaction, and represent an overall implementation cost that is commensurate with the initial capital expenditure. End-users will resist any implementation that is not transparent.
They will expect full access to applications and network resources, and will not tolerate excessive complexity and/or performance degradation resulting from the security infrastructure. Even enterprises that have decided not to install WLANs must be concerned about WLAN security, because rogue APs and ad hoc networks between wireless-enabled laptop computers can open gaping security holes in an otherwise secure network by allowing access to the wired LAN from remote locations.
Authentication and Association:
The need for a client to be mobile brought about the separation of the authentication and association processes. Since a client frequently crosses AP boundaries, it can be authenticated to various APs at a given time, yet remains associated with only its chosen one. Before a client can associate with another AP, it must first be authenticated to it.
802.11 specifies two authentication mechanisms:
1. Open system authentication
2. Shared key authentication
1. Open system authentication:
A client needs an SSID for successful association. Any new client that comes into an EBSS area is provided with an SSID. This is equivalent to no security.
2. Shared key authentication:
The client cannot authenticate itself if it doesn't have the WEP shared secret key. The WEP protocol is used for encryption.
An SSID is used to differentiate two networks logically. To successfully associate with a WS, one must have the SSID of the other WS. This was not intended to be a security feature, and in fact the SSID is sent in the open in the beacon frame of the AP.
Rather than sending packets unencrypted, the WLAN administrator has the option to encrypt all communication over the air, i.e. every frame below the Ethernet header is encrypted using the WEP protocol.
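The authentication-before-association rule described above, as an added example that is not part of this thesis: a small tracker (Python, constructed frame sequence, hypothetical station and AP names) keeps the 802.11 state of each station per AP, allows a station to be authenticated to several APs while associated with only one, and flags out-of-state frames the way a wireless IDS sensor would.

```python
"""Per-station 802.11 state tracker: authentication precedes association (added example)."""
from enum import Enum
from typing import Dict, List, Set, Tuple


class State(Enum):
    UNAUTH = 1  # state 1: not authenticated, not associated
    AUTH = 2    # state 2: authenticated, not associated
    ASSOC = 3   # state 3: authenticated and associated


class StationTracker:
    """Tracks (station, AP) state and reports frames that violate the 802.11 state machine."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str], State] = {}
        self.associated: Dict[str, str] = {}  # station -> the single AP it is associated with
        self.alerts: List[str] = []

    def _get(self, sta: str, ap: str) -> State:
        return self.state.get((sta, ap), State.UNAUTH)

    def observe(self, kind: str, sta: str, ap: str) -> None:
        st = self._get(sta, ap)
        if kind == "auth":
            # A station may authenticate to several APs while associated with only one.
            if st == State.UNAUTH:
                self.state[(sta, ap)] = State.AUTH
        elif kind == "assoc-req":
            if st == State.UNAUTH:
                self.alerts.append(f"{sta} -> {ap}: association request without prior authentication")
                return
            prev = self.associated.get(sta)
            if prev is not None and prev != ap:
                # Roaming: the new association replaces the old one; authentication to the old AP remains.
                self.state[(sta, prev)] = State.AUTH
            self.state[(sta, ap)] = State.ASSOC
            self.associated[sta] = ap
        elif kind == "data":
            if st != State.ASSOC:
                self.alerts.append(f"{sta} -> {ap}: data frame from a station that is not associated")
        elif kind == "disassoc":
            if st == State.ASSOC:
                self.state[(sta, ap)] = State.AUTH
                self.associated.pop(sta, None)
        elif kind == "deauth":
            # Deauthentication drops the station back to state 1 and ends any association.
            self.state[(sta, ap)] = State.UNAUTH
            if self.associated.get(sta) == ap:
                del self.associated[sta]
        else:
            raise ValueError(f"unknown frame kind: {kind}")

    def authenticated_aps(self, sta: str) -> Set[str]:
        return {ap for (s, ap), st in self.state.items() if s == sta and st != State.UNAUTH}


# Constructed frame sequence (kind, station, AP), not a capture: a legitimate station
# authenticates to two APs, associates with the first and then roams to the second;
# a second station tries to skip authentication and then sends data while unassociated.
SAMPLE_FRAMES = [
    ("auth", "sta-1", "ap-1"),
    ("auth", "sta-1", "ap-2"),
    ("assoc-req", "sta-1", "ap-1"),
    ("data", "sta-1", "ap-1"),
    ("assoc-req", "sta-1", "ap-2"),  # roam: now associated with ap-2, still authenticated to ap-1
    ("assoc-req", "sta-2", "ap-1"),  # violation: no authentication first
    ("data", "sta-2", "ap-1"),       # violation: data without association
]


def run_sample() -> StationTracker:
    tracker = StationTracker()
    for kind, sta, ap in SAMPLE_FRAMES:
        tracker.observe(kind, sta, ap)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print("sta-1 authenticated to:", sorted(t.authenticated_aps("sta-1")))
    print("sta-1 associated with:", t.associated.get("sta-1"))
    for alert in t.alerts:
        print("ALERT:", alert)
```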
IDS - Intrusion Detection System
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
IDPSs have become a necessary addition to the security infrastructure of nearly every organization. In short, IDSs can be described as the tools and methods that monitor computer systems and network traffic to identify and report possible hostile attacks originating from outside the organization, as well as system misuse or attacks originating from within the organization.
A deployed IDS provides warnings indicating whether the system is under attack.
These warnings help users alter their installation's defensive posture to increase resistance to attack. An IDS also confirms the secure configuration and operation of other security mechanisms such as firewalls.
Intrusion detection functions include:
* Monitoring and analyzing both user and system activities
* Analyzing system configurations and vulnerabilities
* Assessing system and file integrity
* Ability to recognize patterns typical of attacks
* Analysis of abnormal activity patterns
* Tracking user policy violations
The threats to WLANs are numerous and potentially devastating, with security issues ranging from misconfigured wireless access points (WAPs) to hijacking. To aid in the defense against and detection of these potential threats, WLANs should employ a security solution that includes an intrusion detection system (IDS). Even organizations without a WLAN are at risk from wireless threats and should consider an IDS solution.
New attack forms are continually being discovered. Current IDSs have limited capabilities for detecting attacks that differ significantly from previously known attacks, which are exactly the attacks that systems are most vulnerable to. An anomaly-based IDS (A-IDS) may have some success in detecting such attacks, but IDS tools must be updated and maintained continually to ensure that their coverage remains intact.
A WLAN that is more secure than a wired LAN
WLAN systems incorporating WPA/WPA2 with AES encryption, in conjunction with 802.1x authentication, can provide a level of security for WLANs that exceeds the security of a wired LAN. Although there are still exploits possible that can disrupt the communications on the WLAN, the security of the network and the integrity of the data become very difficult to compromise. There are always potential holes in the system. Most are attributable to human error: an unreported lost laptop, a laptop infected with a virus, or a compromised username/password combination can all cause a security breach despite the integrity of the WLAN.
Wireless Networks do offer an additional physical layer of security when deployed in an all wireless office environment. By effectively eliminating employee or guest physical access to the network elements – jacks and cables – the hidden network becomes more physically secure. Employees can no longer plug in access points from home; guests can't erroneously misconnect LAN connections in a boardroom while trying to secure external access. The securing of the WLAN has become an enabler of the all-wireless future.
Chapter 3 WLAN Technologies and Standards
The Institute of Electrical and Electronics Engineers (IEEE) is responsible for developing the radio technology standards used by wireless LANs. These standards belong to the 802 family of wireless standards, including 802.11, the first one developed, and several variations of it. Although each standard was developed for wireless LANs, each serves a different purpose, due in part to hackers and others who challenge its security in order to strengthen their own enterprise security. As vulnerabilities, or holes, are found they become public knowledge and the IEEE proceeds to update the standard. The standards (versions) listed below are the most common ones; a list of them can be found in any wireless LAN literature or in IEEE published data.
802.11, usually referred to as Wi-Fi, was approved in 1997 and is the first wireless standard, pulling together the network link and MAC layers.
802.11a is an extension of 802.11 that uses the 5 GHz radio frequency band with data rates up to 54 Mbps. The transmission rate may be half as much as that dictated by 802.11b and 802.11g.
802.11b is also an extension of 802.11, but it uses the 2.4 GHz radio frequency band with data rates up to 11 Mbps. 802.11b is "the de facto wireless networking standard of the last few years" because "it offers excellent range and respectable throughput".
802.11g uses the 2.4 GHz radio frequency band with data rates up to 54 Mbps. It is also backwards compatible with 802.11b.
802.16 describes bandwidth between 10 GHz and 66 GHz and between 2 GHz and 11 GHz and supports high bit rates for up to 30 miles. It is expected to be popular in the future supporting
802.1X provides stronger wireless LAN security for user authentication. It is the standard for port-based network access control with EAP and allows a new key for each user and each session, but this standard has already shown vulnerabilities.
802.11n is currently under development to solve the 802.1X vulnerability issues. It is expected to have data rates over 100 Mbps.
Chapter 4 WLAN VULNERABILITIES
Chapter 5 WLAN ATTACKS
The very nature of networking means that users can exchange information across a distance and over a shared medium. The security implication of this is that a hacker does not need to actually walk up to a server or a user's computer in order to gain access to critical files or communications. With a wireless LAN, this threat is especially pronounced, because a hacker doesn't even need to be in the same physical location.
Threats to the wireless network initially stem from providing openings like those described below:
Misconfigured Access Points
Just as dangerous as an unauthorized "rogue" access point is an access point that has been legitimately connected to the wired network but improperly or insufficiently configured. For instance, if no security settings were configured, such an access point would provide open network access to anyone.
Ad Hoc Wireless Networks
Operating systems like Windows allow the creation of networks consisting of multiple wireless clients, without an access point in between. If one of these computers is configured to participate in an ad hoc network as well as to connect to the corporate WLAN via an access point, it could inadvertently create an opening for a hacker to exploit.
In cases where companies are physically near one another, it is very possible for two wireless networks to have the same network information. In such a case, a wireless client will associate with the first access point that it contacts, and if it belongs to the neighboring WLAN, a security threat can exist.
Malicious users can often take advantage of the openings presented above, but the following examples also represent circumstances in which they can create their own openings:
Rogue access points
An unauthorized access point that has been connected to the wired network, which can provide malicious or unauthorized users with open access to the LAN.
Honeypot APs
Some hackers will be able to determine the configuration settings of the wireless LAN, and will plant an access point with the same settings within range of the network. Through mis-association, clients can connect to these honeypots assuming that they are legitimate. Clever hackers can then exploit this by connecting decoy network resources to the AP so that users log in, after which the hacker can steal passwords or even confidential documents.
AP MAC Spoofing
Wireless client computers can be configured to behave like legitimate participants in the network. In this manner, a hacker can mimic an authorized user or even act as a honeypot AP.
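The rogue, honeypot and MAC-spoofing cases above are what a wireless IDS sensor classifies from beacon frames. The following is an added example (Python, not code from the thesis) that checks constructed beacon observations against a hypothetical inventory of authorized APs; the inventory, BSSIDs and SSIDs are all made up. It cannot tell whether an unknown AP is plugged into the wired network, which is why unknown APs are only reported for follow-up rather than labelled rogue outright.

```python
"""Classify observed 802.11 beacons against an authorized-AP inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Beacon:
    bssid: str     # MAC address the AP advertises
    ssid: str      # network name carried in the beacon
    channel: int
    privacy: bool  # Privacy capability bit: link encryption enabled


# Constructed inventory of the organization's own APs (assumption: such a list is maintained).
AUTHORIZED: Dict[str, Beacon] = {
    "00:11:22:33:44:01": Beacon("00:11:22:33:44:01", "CorpNet", 1, True),
    "00:11:22:33:44:06": Beacon("00:11:22:33:44:06", "CorpNet", 6, True),
    "00:11:22:33:44:0b": Beacon("00:11:22:33:44:0b", "CorpNet", 11, True),
}
CORP_SSIDS = {ap.ssid for ap in AUTHORIZED.values()}


def classify(beacons: List[Beacon]) -> Dict[str, str]:
    """Return one verdict per observed BSSID.

    authorized    - matches the inventory in every observation
    mac-spoof     - an authorized BSSID seen with a different SSID or channel than the inventory
                    (a station impersonating the AP, or the same BSSID on two channels at once)
    misconfigured - an authorized AP beaconing with the privacy bit cleared (no encryption)
    honeypot      - an unknown BSSID advertising one of the corporate SSIDs (mis-association bait)
    unknown-open  - an unknown BSSID with no encryption; check whether it is on the wired LAN
    unknown       - any other unknown BSSID (for example a neighboring company's WLAN)
    """
    seen: Dict[str, List[Beacon]] = {}
    for b in beacons:
        seen.setdefault(b.bssid, []).append(b)

    verdicts: Dict[str, str] = {}
    for bssid, obs in seen.items():
        ref = AUTHORIZED.get(bssid)
        if ref is not None:
            if any(o.ssid != ref.ssid or o.channel != ref.channel for o in obs):
                verdicts[bssid] = "mac-spoof"
            elif any(not o.privacy for o in obs):
                verdicts[bssid] = "misconfigured"
            else:
                verdicts[bssid] = "authorized"
        elif any(o.ssid in CORP_SSIDS for o in obs):
            verdicts[bssid] = "honeypot"
        elif any(not o.privacy for o in obs):
            verdicts[bssid] = "unknown-open"
        else:
            verdicts[bssid] = "unknown"
    return verdicts


# Constructed beacon observations from one sensor sweep (not a real capture).
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:01", "CorpNet", 1, True),     # legitimate AP
    Beacon("00:11:22:33:44:06", "CorpNet", 6, True),     # legitimate AP ...
    Beacon("00:11:22:33:44:06", "CorpNet", 11, True),    # ... and its BSSID seen again on channel 11
    Beacon("00:11:22:33:44:0b", "CorpNet", 11, False),   # legitimate AP left unencrypted
    Beacon("aa:bb:cc:dd:ee:01", "CorpNet", 1, False),    # unknown AP copying the corporate SSID
    Beacon("aa:bb:cc:dd:ee:02", "linksys", 6, False),    # unknown open AP
    Beacon("aa:bb:cc:dd:ee:03", "NeighborCo", 3, True),  # encrypted AP next door
]

if __name__ == "__main__":
    for bssid, verdict in sorted(classify(SAMPLE_BEACONS).items()):
        print(f"{bssid}  {verdict}")
```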
WLAN (802.11x) networks have unique vulnerabilities that make them an ideal avenue of attack. Wireless networks cannot be physically secured the same way a wired network can be. An attack against a wireless network can take place anywhere: from the next office, the parking lot of the building, across the street, or possibly several miles away. Understanding the details of various attacks against the wireless infrastructure is critical to determining an appropriate defense strategy.
Some attacks are easy to implement but are not particularly dangerous. Other attacks are, however, much more difficult to mount but can have devastating consequences. Like any other aspect of security, wireless security is a game of risk. By knowing the risks involved in the network and making informed decisions about security measures, the wireless network operator has a better chance to protect itself, its assets, and users.
The possible types of intrusion attacks are described below.
Ping of Death: This was first detected or used in 1996; certain operating systems crash (do not know how to react) when they receive packets larger than 65535 (2^16 - 1) bytes, the maximum size of an IP datagram. Ping is a command that tests whether a machine is reachable, i.e. alive, active and able to accept network requests. Large packets are sent using the ping command; these are fragmented, sent over the network and reassembled at the destination.
On reassembly, it is found that the size of the packet received is in excess of the limit, resulting in an internal buffer overflow. This causes different operating systems to react with a crash, system abort or hang. In short, this is called the ping of death. The ping command is not at fault; the size of the packets is the problem.
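The reassembly check that a detector can apply before the destination host does, as an added example that is not from the thesis (Python). It groups constructed IPv4 fragments by source, destination and identification, and flags any datagram whose reassembled total length would exceed 65535 bytes; a 20-byte IP header with no options is assumed, and the helper that builds sample fragments for an echo request of a given size is constructed for the demonstration.

```python
"""Flag fragment sets whose reassembled IPv4 datagram would exceed 65535 bytes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_IP_TOTAL_LENGTH = 65535  # 2**16 - 1: the IPv4 total-length field is 16 bits wide
IP_HEADER_LEN = 20           # assumption: no IP options
ICMP_HEADER_LEN = 8


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int            # IP identification field, shared by all fragments of one datagram
    offset: int           # fragment offset field, in units of 8 bytes
    payload_len: int      # bytes of data carried after the IP header
    more_fragments: bool  # MF flag: False only on the last fragment


def fragment_end(frag: Fragment) -> int:
    """Byte position just past this fragment's data within the reassembled IP payload."""
    return frag.offset * 8 + frag.payload_len


def oversized_datagrams(frags: List[Fragment]) -> Dict[Tuple[str, str, int], int]:
    """Group fragments by (src, dst, ident) and return the reassembled total length of every
    datagram that would not fit in 65535 bytes. Fragments may arrive in any order, and the
    verdict is available as soon as one fragment's end exceeds the limit, before reassembly."""
    ends: Dict[Tuple[str, str, int], int] = {}
    for f in frags:
        key = (f.src, f.dst, f.ident)
        ends[key] = max(ends.get(key, 0), fragment_end(f))
    return {k: end + IP_HEADER_LEN for k, end in ends.items()
            if end + IP_HEADER_LEN > MAX_IP_TOTAL_LENGTH}


def fragments_for_ping(data_len: int, src: str = "198.51.100.7", dst: str = "203.0.113.9",
                       ident: int = 0x1234, mtu: int = 1500) -> List[Fragment]:
    """Constructed fragments for an ICMP echo request carrying data_len bytes of data, split
    the way a sender with the given MTU would split it (1480 payload bytes per fragment)."""
    icmp_len = ICMP_HEADER_LEN + data_len
    step = mtu - IP_HEADER_LEN  # 1480, a multiple of 8 as fragment offsets require
    frags: List[Fragment] = []
    for start in range(0, icmp_len, step):
        length = min(step, icmp_len - start)
        frags.append(Fragment(src, dst, ident, start // 8, length, start + length < icmp_len))
    return frags


if __name__ == "__main__":
    # 65507 data bytes is the largest legal echo request (65535 - 20 - 8); 65510 overflows.
    for n in (56, 65507, 65510):
        flagged = oversized_datagrams(fragments_for_ping(n))
        print(f"{n}-byte ping data: {'OVERSIZED ' + str(flagged) if flagged else 'ok'}")
```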
SYN Flood: The TCP/IP protocols have the concept of a three-way handshake, which takes place when two devices talk to each other using TCP/IP. A message is sent (first step, one way: a TCP packet with the SYN, or synchronization, flag set), the message is acknowledged by the receiver (second step, two way: SYN-ACK), and the acknowledgement is confirmed by the original sender (third step, three way: ACK). The victim's device allocates memory on receipt of the first message in anticipation of the third message.
The sender (hacker) sends the first message with a false IP address. The acknowledgement (SYN-ACK) sent by the victim's device never arrives, as the IP address is false. The victim's device continues to resend the SYN-ACK until the third message, ACK, is received. This results in memory being allocated, or set aside, for the half-open TCP connections.
Beyond a certain stage the victim's device runs out of memory, causing it to crash. Had the connection been completed under normal circumstances, the memory would have been released. Here again the TCP/IP protocols are not geared to handle TCP half-open connections, even though some servers implement a limit on the number of half-open connections and release the memory after a certain time period.
The above attack is possible using sequence-number prediction techniques. Mitnick used this technique when he intruded into Shimomura's machine. In sequence number prediction, a sequence number identifies all three messages. For instance, the first message may have sequence number 23456, the second 23457, and the third 23458, assuming there are no other messages in that time period. In reality, however, many messages pour in by the time the acknowledgement of the first message is received, resulting in the generation of a sequence number that is not consecutive.
Successive attempts to send and receive messages enable the sender to predict the sequence number series or pattern. A hacker can generate an acknowledgement (without sending the first message) using the sequence number pattern and break into the system, because the system presumes that it is a valid sequence number and accepts the acknowledgement.
TCP/IP spoofing: This is an extension of the SYN Flood where the attacker has used a spoofed IP address, i.e., an internal IP address as source address, resulting in impairing the service or crashing the system.
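The half-open connection limit mentioned above is also the signal an IDS uses to detect a SYN flood. The following monitor is an added example (Python, constructed segment records, documentation-range addresses), not code from the thesis: it counts client SYNs per destination port that were never completed by the client's final ACK, expires them after a timeout as a server would, and marks the alert as a likely spoofed-source flood when almost every half-open entry comes from a different source address.

```python
"""Half-open connection monitor that raises a SYN-flood alert per destination port (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    ts: float   # arrival time in seconds
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


class HalfOpenMonitor:
    """Counts client SYNs that have not been completed by the client's final ACK.

    window      - seconds after which an unanswered SYN is treated as timed out, as a server
                  that caps half-open connections would do
    threshold   - simultaneous half-open connections per (dst, dport) that trigger an alert
    spoof_ratio - if this fraction of the half-open entries come from distinct sources, the
                  alert is marked as a likely spoofed-source flood
    """

    def __init__(self, window: float = 10.0, threshold: int = 100, spoof_ratio: float = 0.8) -> None:
        self.window = window
        self.threshold = threshold
        self.spoof_ratio = spoof_ratio
        self.pending: Dict[Tuple[str, str, int], float] = {}  # (src, dst, dport) -> SYN time
        self.alerted: Set[Tuple[str, int]] = set()
        self.alerts: List[str] = []

    def observe(self, seg: Segment) -> None:
        key = (seg.src, seg.dst, seg.dport)
        if seg.syn and not seg.ack:
            self.pending[key] = seg.ts   # step 1: client SYN, the server now holds state
        elif seg.ack and not seg.syn:
            self.pending.pop(key, None)  # step 3: client ACK completes the handshake
        # A SYN-ACK (step 2) comes from the server and does not change the client's entry.
        self._expire(seg.ts)
        self._check(seg.dst, seg.dport)

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.pending.items() if now - t > self.window]:
            del self.pending[key]

    def half_open(self, dst: str, dport: int) -> List[str]:
        """Source addresses with a pending, uncompleted SYN towards dst:dport."""
        return [src for (src, d, p) in self.pending if d == dst and p == dport]

    def _check(self, dst: str, dport: int) -> None:
        srcs = self.half_open(dst, dport)
        if len(srcs) < self.threshold or (dst, dport) in self.alerted:
            return
        self.alerted.add((dst, dport))  # one alert per port until the operator clears it
        distinct = len(set(srcs))
        kind = "likely spoofed sources" if distinct >= self.spoof_ratio * len(srcs) else "few sources"
        self.alerts.append(f"SYN flood on {dst}:{dport}: {len(srcs)} half-open from "
                           f"{distinct} sources ({kind})")


def make_sample() -> List[Segment]:
    """Constructed traffic, not a capture: one legitimate handshake, then 150 SYNs from 150
    forged source addresses within one second, none of which is ever completed."""
    segs = [
        Segment(0.0, "198.51.100.5", "203.0.113.10", 80, True, False),  # client SYN
        Segment(0.1, "203.0.113.10", "198.51.100.5", 80, True, True),   # server SYN-ACK
        Segment(0.2, "198.51.100.5", "203.0.113.10", 80, False, True),  # client ACK
    ]
    for i in range(150):
        segs.append(Segment(1.0 + i / 150, f"192.0.2.{i + 1}", "203.0.113.10", 80, True, False))
    return segs


def run_sample() -> HalfOpenMonitor:
    mon = HalfOpenMonitor()
    for seg in make_sample():
        mon.observe(seg)
    return mon


if __name__ == "__main__":
    m = run_sample()
    print(f"half-open towards 203.0.113.10:80 = {len(m.half_open('203.0.113.10', 80))}")
    for alert in m.alerts:
        print("ALERT:", alert)
```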
Man in the middle: This attack is aimed at intercepting messages. The interceptor has managed to take control of the very first message exchanged between two persons without their knowledge. The interceptor manages to get hold of the key pairs of one of the people and replaces them with a bogus key pair and continues to communicate with the bogus key with one end and the real key with the other end. Both ends feel that the messages are genuine and have not been intercepted.
Port scan: Port scanning is one of the most popular reconnaissance techniques hackers use to discover services they can break into. A potential victim computer runs many services that listen at well-known ports. By scanning which ports are available on the victim, the hacker finds potential weaknesses that can be exploited.
DNS Hijack: In the case of web site hijack, someone diverts traffic to a fake web page after gaining access to an upstream DNS server. The intruder accesses the DNS server and temporarily modifies its DNS records so those queries destined for the original web site divert to the fake web site. People think they have landed on the real site when, in fact, they simply are on a spoofed site at another IP address.
And the list keeps growing.
AN EXAMPLE NETWORK
The example network shown in Fig. 1 is assumed. The network is split into three segments: the Internet, a wireless network containing access points and wireless clients, and a wired network containing workstations, servers, and other devices. A gateway mediates the traffic between these three segments. All of these network components must work together, and implement complementary security, to establish a secure network.
Denial-of-Service (DoS) attacks, which aim to prevent access to network resources, can be devastating and difficult to protect against. Typical DoS attacks involve flooding the network with traffic choking the transmission lines and preventing other legitimate users from accessing services on the network. DoS attacks can target many different layers of the network. At the application and transport layers, there is nothing fundamentally different between DoS attacks on wireless and wired networks. However, there are critical differences in the interaction between the network, data-link, and physical layers that increase the risk of a DoS attack on a wireless network.
DoS attacks at each of the network layers are briefly described below.
Application (OSI Layer 7)
An application-layer DoS is accomplished by sending large amounts of otherwise legitimate requests to a network-aware application, such as sending a large amount of page requests to a web server, swamping the server process. The goal of this type of attack is to prevent other users from accessing the service by forcing the server to fulfill an excessive number of transactions. The network itself may still be usable, but since the web server process cannot respond to the users, access to service is denied.
Transport (OSI Layer 4)
A transport-layer DoS involves sending many connection requests to a host. This type of attack is typically targeted against the operating system of the victim's computer. A typical attack in this category is a SYN flood. In a SYN flood (SYN packets are the first step of a TCP connection), an attacker sends an excessive number of TCP connection requests to a host hoping to overwhelm the operating system's ability to track active TCP sessions.
Most operating systems have a limit to the number of connections per second they will accept and a limit on the maximum number of connections they will maintain. A successful SYN flood will overwhelm the operating system on one of these two limits, thereby denying access to the services running on that host. As is the case in the application-based DoS, the network is usually still functional, but the target host is unresponsive.
Network (OSI Layer 3)
If a network allows any client to associate, it is vulnerable to a network-level DoS attack. Since an 802.11 network is a shared medium, a malicious user can flood the network with traffic, denying access to other devices associated to the affected access point. As an example, an attacker can associate to a victim 802.11b network and send an ICMP flood to the gateway. While the gateway may be able to withstand the amount of traffic, the shared bandwidth of the 802.11b infrastructure is easily saturated. Other clients associated to the same AP as the attacker will have a very difficult time sending packets. Given the relatively slow speed of 802.11b networks, a network DoS may happen inadvertently due to large file transfers or bandwidth-intense applications. A few bandwidth hungry applications on a WLAN can hamper access for all associated stations. With the deployment of higher-speed WLAN technologies, these unintentional attacks will become less frequent.
Data-Link (OSI Layer 2)
Even with the Wired Equivalent Privacy (WEP) turned on, an attacker has access to the link layer information and can perform some DoS attacks. Without WEP, the attacker has full access to manipulate associations between stations and access points to terminate access to the network. If an AP is incorrectly utilizing diversity antennas, an attacker can potentially deny access to clients associated to the AP. The use of diversity antennas is normally intended to compensate for multipath fading.
However, diversity antennas are sometimes used also to cover a larger area with an AP by using antennas that cover disparate physical regions. If the diversity antennas do not cover the same region of space, an attacker can deny service to associated stations by exploiting the improper set-up, as shown in Fig. 6. There, diversity antennas A and B are attached to an AP, and are setup to cover both sides of the wall independently.
User C is on the left side of the wall, so the AP will choose antenna A for the sending and receiving frames. User D is on the opposite side of the wall, and will therefore send and receive frames with antenna B. User D can take user C off the network by changing his MAC address to be the same as user C's.
Then user D can guarantee that his signal is stronger on antenna B than user C's signal on antenna A by using an amplifier or other enhancement mechanism. Once user D's signal has been detected as the stronger signal on antenna B, the AP will send and receive frames for the MAC address on antenna B. As long as user D continues to send traffic to the AP, user C's frames will be ignored.
If a client is not using WEP authentication (or the attacker has knowledge of the WEP key), then the client is vulnerable to DoS attacks from spoofed APs. Clients can generally be configured to associate with any access point or to associate to an access point in a particular ESSID (Extended Service Set Identifier). If a client is configured to associate to any available AP, it will select the AP with the strongest signal regardless of the ESSID. If a client is configured to associate to a particular ESSID, it will select the AP in the ESSID with the strongest signal strength. Either way, a malicious AP can effectively black-hole traffic from a victim by spoofing the desired AP.
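Both data-link spoofing attacks described above, the client MAC impersonation across diversity antennas and the spoofed access point, leave traces in observations a monitoring station or the AP itself already has. The following Python script is an added example written for this chapter, not code from any cited system or product; the ESSID allow-list, the beacon records, the per-antenna client observations and all MAC addresses are constructed values. It flags a beacon advertising a tracked ESSID from an unknown BSSID, and a client MAC heard on both antennas within a short window, which a single station on one side of the wall cannot produce.

```python
from collections import defaultdict

# Constructed allow-list for this example: BSSIDs that legitimately advertise each ESSID.
KNOWN_BSSIDS = {
    "corp-wlan": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed beacon observations from a monitoring station:
# (essid, bssid, channel, rssi_dbm)
BEACONS = [
    ("corp-wlan", "00:11:22:33:44:01", 1, -61),
    ("corp-wlan", "00:11:22:33:44:02", 6, -70),
    ("corp-wlan", "de:ad:be:ef:00:01", 1, -38),   # unknown BSSID, unusually strong
    ("guest", "00:11:22:33:44:09", 11, -66),      # ESSID not on the allow-list, ignored
]

# Constructed per-antenna observations made by the AP itself:
# (t_seconds, antenna, client_mac, rssi_dbm)
CLIENT_OBS = [
    (0.0, "A", "aa:bb:cc:00:00:01", -55),
    (0.5, "A", "aa:bb:cc:00:00:01", -56),
    (0.6, "B", "aa:bb:cc:00:00:01", -30),   # same MAC heard on the far antenna, much stronger
    (1.0, "A", "aa:bb:cc:00:00:01", -57),
    (1.1, "B", "aa:bb:cc:00:00:01", -29),
    (2.0, "B", "aa:bb:cc:00:00:02", -62),
]


def find_spoofed_aps(beacons, known=KNOWN_BSSIDS):
    """Beacons advertising a tracked ESSID from a BSSID that is not on the allow-list.

    A client configured for the ESSID would pick the strongest of these,
    so each hit is a candidate black-hole AP.
    """
    alerts = []
    for essid, bssid, channel, rssi in beacons:
        if essid in known and bssid.lower() not in known[essid]:
            alerts.append({"essid": essid, "bssid": bssid, "channel": channel, "rssi": rssi})
    return alerts


def find_duplicated_clients(obs, window=1.0):
    """Client MACs heard on both diversity antennas within `window` seconds.

    One MAC on antenna A and antenna B in quick succession is the signature of
    the impersonation described in the text.
    Returns {mac: [(t, antenna, rssi, other_antenna, other_rssi), ...]}.
    """
    last_seen = defaultdict(dict)     # mac -> antenna -> (t, rssi)
    alerts = defaultdict(list)
    for t, antenna, mac, rssi in sorted(obs):
        for other, (t_other, rssi_other) in last_seen[mac].items():
            if other != antenna and t - t_other <= window:
                alerts[mac].append((t, antenna, rssi, other, rssi_other))
        last_seen[mac][antenna] = (t, rssi)
    return dict(alerts)


if __name__ == "__main__":
    for a in find_spoofed_aps(BEACONS):
        print("possible spoofed AP:", a)
    for mac, hits in find_duplicated_clients(CLIENT_OBS).items():
        strongest = max(h[2] for h in hits)
        print(f"{mac} heard on both antennas {len(hits)} times; strongest {strongest} dBm")
```

The antenna check needs per-antenna RSSI from the AP firmware, which not every product exposes; where it is unavailable, the same logic can be driven by two monitoring stations placed on either side of the wall.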
Physical (OSI Layer 1)
A physical DoS attack against a wired network requires very close proximity to the victim host. However, this is not the case with a wireless network. The medium is everywhere, and attackers can launch a physical attack from much farther distances. Instead of being inside a building to perform a physical DoS attack against a LAN, an attacker can be outside the building. Unlike a wired network, where there is usually evidence of a physical attack (destroyed cabling, removed cable, attackers on video surveillance cameras), there are no visible signs that something has changed. The 802.11 PHY specifications define a limited range of frequencies for communication.
The 802.11 devices that use a specific PHY are constrained to these frequency ranges. An attacker can create a device that will saturate the 802.11 frequency bands with noise. If the attacker can create enough RF noise to reduce the signal-to-noise ratio (SNR) to an unusable level, then the devices within range of the noise will be effectively taken offline.
The devices will not be able to pick out the valid network signal from all the random noise being generated and therefore will be unable to communicate. A device that produces a lot of noise at 2.4 GHz is relatively easy and inexpensive to construct.
However, there are common commercial devices available today that can easily take down a wireless network. Unfortunately, many 2.4 GHz cordless phones that can be purchased in electronics stores have the capability to take an 802.11b network offline. While not a refined electronic weapon, these phones can interfere with or completely disable a WLAN. Cordless phones use several different modulation techniques and can overlap on the frequencies used by 802.11b.
This overlapping is simply noise to an 802.11b radio. The cordless-phone-induced noise can drop the SNR enough to bring down any WLAN network nearby. There are also problems with DoS from other networking protocols. In particular, Bluetooth uses the same ISM (Industrial, Scientific and Medical) band as 802.11b and 802.11g. The DSSS modulation in 802.11b is susceptible to interference from the modulation used in Bluetooth networks. While there are potential solutions to prevent Bluetooth from stepping on 802.11b transmissions, large-scale Bluetooth deployments may still interfere to the point of inoperability with 802.11b networks.
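Whether the noise comes from a purpose-built jammer, a cordless phone or a Bluetooth deployment, the symptom on the 802.11 side is the same: the SNR collapses while the wanted signal is unchanged. The following Python script is an added example for this section, not code from any cited system; the one-per-second signal and noise-floor readings are constructed values of the kind a monitoring station reports, and the thresholds (10 dB usable SNR, a 10 dB rise over the baseline floor) are assumptions chosen for the example. It finds sustained low-SNR runs and separates a raised noise floor, the interference case described here, from an ordinary signal fade, which has a quiet floor and calls for a different response.

```python
from statistics import median

# Constructed one-per-second radio readings from a monitoring station:
# (t_seconds, signal_dbm, noise_floor_dbm). Around -95 dBm is a quiet 2.4 GHz floor.
SAMPLES = [
    (0, -60, -95), (1, -61, -94), (2, -60, -95),
    (3, -60, -80), (4, -60, -72),                 # noise floor starts rising
    (5, -60, -62), (6, -60, -58), (7, -61, -57),  # SNR collapses, wanted signal unchanged
    (8, -60, -94), (9, -60, -95),
    (10, -92, -95), (11, -93, -94),               # signal fades, noise floor quiet
    (12, -60, -95),
]


def snr_db(signal_dbm, noise_dbm):
    """Signal-to-noise ratio in dB; both inputs are in dBm, so the difference is a ratio."""
    return signal_dbm - noise_dbm


def detect_noise_events(samples, min_snr_db=10, min_run=2, noise_rise_db=10):
    """Runs of at least `min_run` samples whose SNR is below `min_snr_db`.

    Each event is (start_t, end_t, worst_snr, kind).  `kind` separates the two
    causes: a raised noise floor (jammer, cordless phone, Bluetooth) versus a
    fading signal over a quiet floor.
    """
    # Baseline noise floor: median of the readings taken while the link was healthy.
    healthy = [n for _, s, n in samples if snr_db(s, n) >= min_snr_db]
    baseline = median(healthy) if healthy else samples[0][2]

    def summarize(run):
        worst = min(snr_db(s, n) for _, s, n in run)
        peak_noise = max(n for _, _, n in run)
        kind = "rising-noise-floor" if peak_noise > baseline + noise_rise_db else "signal-fade"
        return (run[0][0], run[-1][0], worst, kind)

    events, run = [], []
    for sample in samples:
        _, s, n = sample
        if snr_db(s, n) < min_snr_db:
            run.append(sample)
            continue
        if len(run) >= min_run:
            events.append(summarize(run))
        run = []
    if len(run) >= min_run:          # run still open at the end of the capture
        events.append(summarize(run))
    return events


if __name__ == "__main__":
    for start, end, worst, kind in detect_noise_events(SAMPLES):
        print(f"t={start}..{end}s  worst SNR {worst} dB  {kind}")
```

The rising-noise-floor event is the one to correlate with a site survey or a spectrum sweep; the signal-fade event usually points at the station or its placement rather than at interference.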
Chapter 6 PROTECTING WLAN OR WLAN IDS
Chapter 7 COMPARATIVE STUDY OF TECHNIQUES (Existing) FOR INTRUSION DETECTION IN WLAN
As a countermeasure, the WLAN operator can periodically monitor the network using e.g. a protocol analyzer and a signal strength indicator every time the throughput appears to decrease. Another possible technique that can be considered to minimize the effect of jamming is to turn off the ability of clients and access points to use the RTS-CTS frame sequence. For example, assume that the attacker has modified driver software to continuously transmit RTS (Request-To-Send) frames. In response to these RTS frames, a sequence of CTS frames is tying up the airway. Alternatively, the attacker could set up the radio Network Interface Card (NIC) (or an 802.11 frame generator) to send a continuous stream of CTS (Clear-To-Send) frames, which mimics an access point informing a particular radio NIC to transmit and all others to wait. The radio NIC being given permission to transmit could be a fictitious user. In both cases, the legitimate radio NICs in end user devices will continually delay access to the medium. The RTS-CTS frame sequence is normally used to overcome the hidden node problem; however, when the RTS-CTS frame sequence is used it can significantly reduce overall network throughput. For this reason most WLAN adapter products by default disable the use of the RTS-CTS frame sequence.
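The protocol-analyzer monitoring recommended above can be reduced to a few counters over a frame capture. The following Python script is an added example for this chapter, not code from any cited product; the AP address, the association table and the frame records (timestamp, frame type, transmitter, receiver, size) are constructed values in the shape an analyzer exports, and the thresholds (70% of data bytes, 20 control frames per second) are assumptions for the example. It serves both the network-layer case from the start of this discussion, one station saturating the shared medium with an ICMP flood, and the RTS/CTS flooding just described, including the "fictitious user" pattern in which CTS frames reserve the medium for a station that is not associated.

```python
from collections import Counter

# Constructed topology for this example.
AP = "00:11:22:33:44:01"
ASSOCIATED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}

# Constructed frame records as a protocol analyzer would export them:
# (t_seconds, frame_type, transmitter, receiver, size_bytes).
# CTS frames carry no transmitter address, so that field is None.
FRAMES = [
    (0.10, "RTS", "aa:bb:cc:00:00:02", AP, 20),
    (0.11, "CTS", None, "aa:bb:cc:00:00:02", 14),
    (0.12, "DATA", "aa:bb:cc:00:00:02", AP, 500),
    (0.30, "DATA", "aa:bb:cc:00:00:03", AP, 1500),
]
# Second 1: a stream of CTS frames reserving the medium for a station that does not exist.
FRAMES += [(1.0 + i * 0.025, "CTS", None, "ff:ee:dd:00:00:99", 14) for i in range(40)]
# Second 2: station 01 pushing full-size frames back to back (the Layer 3 ICMP flood).
FRAMES += [(2.0 + i / 60, "DATA", "aa:bb:cc:00:00:01", AP, 1500) for i in range(60)]
FRAMES += [(2.5, "DATA", "aa:bb:cc:00:00:02", AP, 500)]


def bandwidth_share(frames):
    """Fraction of all DATA bytes each transmitter sent over the capture."""
    by_ta = Counter()
    for _, ftype, ta, _, size in frames:
        if ftype == "DATA":
            by_ta[ta] += size
    total = sum(by_ta.values())
    return {ta: b / total for ta, b in by_ta.items()} if total else {}


def find_bandwidth_hogs(frames, max_share=0.7):
    """Stations monopolising the shared medium.  Volume alone cannot say whether
    this is an attack or a large file transfer; it tells the operator where to look."""
    return sorted(ta for ta, share in bandwidth_share(frames).items() if share > max_share)


def control_frame_rates(frames, window=1.0):
    """RTS+CTS frames per `window` seconds, keyed by window index."""
    counts = Counter()
    for t, ftype, _, _, _ in frames:
        if ftype in ("RTS", "CTS"):
            counts[int(t // window)] += 1
    return dict(counts)


def find_control_floods(frames, window=1.0, max_per_window=20):
    """Windows in which RTS/CTS traffic exceeds what hidden-node exchanges would produce."""
    return sorted(w for w, n in control_frame_rates(frames, window).items() if n > max_per_window)


def find_cts_to_unknown(frames, associated=ASSOCIATED, ap=AP):
    """CTS frames addressed to neither the AP nor any associated station: the
    'fictitious user' pattern.  Returns (t, receiver) pairs."""
    allowed = set(associated) | {ap}
    return [(t, ra) for t, ftype, _, ra, _ in frames if ftype == "CTS" and ra not in allowed]


if __name__ == "__main__":
    print("bandwidth hogs:", find_bandwidth_hogs(FRAMES))
    print("RTS/CTS per second:", control_frame_rates(FRAMES))
    print("flood windows:", find_control_floods(FRAMES))
    print("CTS to unknown receivers:", len(find_cts_to_unknown(FRAMES)))
```

A CTS whose receiver is the AP itself (CTS-to-self protection) is legitimately common and is deliberately not flagged; a neighbouring BSS on the same channel will also produce CTS frames to addresses outside the local association table, so the receiver check is a lead for the operator to follow with the signal strength indicator, not a verdict on its own.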