Final taxo



Abstract

Even if networks have evolved from wired to wireless, network security objectives remain the same for both. Previous taxonomies classify attacks according to categories or dimensions that apply to both wired and wireless networks, but these categories cannot be applied specifically to wireless network attacks. Some aspects that are particularly important for wireless networks are not covered in the previous work, for example power consumption and the stage at which an attack occurs. This research focuses on the classification of wireless network attacks, providing a taxonomy that covers both general and specific aspects of wireless networks. This will help end users to combat emerging wireless attacks and improve wireless network security.

The proposed taxonomy consists of eight categories in order to classify attacks. The first category classifies attacks according to the stage at which they occur. The second category covers the effects of an attack on power consumption, which is more inherent in wireless networks. The third category classifies attacks according to the layers of the OSI model. The fourth category explains the security attribute utilized by each attack. The fifth category classifies attacks according to vulnerabilities. Effects of attacks are classified in the sixth category. The seventh category is about precautions for each attack. In the last category, attacks are classified according to network type. The taxonomy is very beneficial for end users with little knowledge about wireless networks and their security measures.

Acknowledgements

We would like to express our deep and sincere gratitude to our honourable Supervisors Sir Azhar Mushtaq and Sir Ahmad Fareed, our Advisors, for their support and advisory work during the course of this project. They inspired us greatly to work on this project. Their willingness to motivate us contributed tremendously to our project.
Also, we would like to credit the CS & I.T. department for providing us with resources, for which we are very grateful. Lastly, we would like to thank our families and friends for all their love and encouragement, and our parents who raised us with love and supported us in all our pursuits.

Contents

1 Introduction
2 Computer and network attacks
  2.1 What is a computer and network attack?
  2.2 Wired and wireless attacks
    2.2.1 Attack Method
    2.2.2 Viruses
      Types of Viruses
      Macro viruses
    2.2.3 Worm
      Mass Mailing Worm
      Network-Aware Worms
    2.2.4 Trojan
    2.2.5 Replay Attacks
    2.2.6 War Driving
    2.2.7 Rogue Access Point
    2.2.8 Denial of service attacks
      Host Based
      Network Based
      Distributed
    2.2.9 Power Consumption Attacks
      Sleep Deprivation Attacks
      Barrage Attack
    2.2.10 Man In The Middle Attack
    2.2.11 Forced Deauthentication/Disassociation Request
      Deauthentication Attack
      Disassociation Attack
    2.2.12 Wormhole Attacks
    2.2.13 Spoofing
    2.2.14 Physical Attacks
3 Related Work
  3.1 Requirements of taxonomy
  3.2 Previous taxonomies
    3.2.1 Landwehr's Taxonomy
    3.2.2 Howard's Taxonomy
    3.2.3 Lough's Taxonomy
    3.2.4 Hansman Taxonomy
  3.3 Critical Review
4 Taxonomy
  4.1 The Proposed Taxonomy
  4.2 Classification
    4.2.1 Stage
      Discovery
      Authentication
      Association
    4.2.2 Power Consumption
    4.2.3 Layers
      Physical Layer
      Data Link Layer
      Network Layer
      Transport Layer
      Application Layer
      Multi-Layer
    4.2.4 Attributes Utilized
      Integrity
      Confidentiality
      Access Control
      Availability
    4.2.5 Flaw Utilization
      Design Flaws
      Implementation Flaws
      Configuration Flaws
      Exposed Medium
    4.2.6 Effects
      Disclosure of information
      Theft of resources
      Denial of service
      Corruption of information
    4.2.7 Precautions
    4.2.8 Network Type
      Adhoc Network
      Infrastructure Network
5 Evaluation Of Proposed Taxonomy
  5.1 Wireless Attacks Categorization
  5.2 Table
6 Conclusion
7 References

Chapter 1
Introduction

The field of wireless networks has witnessed tremendous growth in recent years, and it has become one of the fastest growing segments of the telecommunication industry. Wireless communication systems have found widespread use and have become an essential tool for many people in everyday life. The popularity of wireless networks is so great that we will soon reach the point where the number of worldwide wireless subscribers is higher than the number of wireline subscribers. This popularity of wireless communication is due to its advantages compared to wired systems. The most important of these advantages is the freedom from cables, which enables communication with anyone, anywhere and at any time. However, wireless network security is still a major issue in the deployment of wireless networks.
In this paper, the focus is on the security of wireless networks. Apart from their extensive use, wireless networks are much more vulnerable to attacks than wired networks. An attack is an attempt on a computer or network that damages, discloses information, subverts, or denies or steals services. When it comes to wireless networks, there is no such thing as physical security, because radio waves are used that have the ability to penetrate physical barriers, carrying data with them.

A taxonomy is a method of classifying attacks. In this paper, wireless attacks have been classified according to categories. The classification is done in order to provide simplicity of language, so that an end user can understand the security requirements of his wireless network.

Chapter 2 covers attacks on both wired and wireless networks in order to give the user comprehensive knowledge of attacks. Chapter 3 describes the requirements of a taxonomy and previous work on taxonomies. Previous security taxonomies are critically reviewed so as to point out their advantages and disadvantages. In chapter 4, the need for the proposed taxonomy is discussed along with the features of the proposed taxonomy. In chapter 5, the evaluation of the proposed taxonomy is done in detail.

Chapter 2
Computer And Network Attacks

2.1 What is a computer and network attack?

It is necessary to know about computer and network attacks in order to combat them. A computer attack is an attack on a computer which results in degradation of the performance of the computer system, disruption of data or stealing of information. A network attack is mostly an attack on a computer in a network that may destroy some part of a network or the whole network.
For example, a worm is a network attack that propagates across the network. Some network attacks do not attack a single computer in a network but rather the whole network.

2.2 Wired And Wireless Attacks

Wired networks use a physical medium for the transmission of data, while in wireless networks there is no physical medium. Instead of wires and cables, electromagnetic radiation such as radio waves is used to transmit data from one end of the wireless network to the other. Because of the openness of the medium, wireless networks are more susceptible to attacks than wired networks.

2.2.1 Attack Methodology
There are several distinct stages that make up an attack on a computer or network. In general there are four main stages:

1. Attacker Motivation and Objectives
2. Information Gathering/Target Selection
3. Attack Selection
4. Attack Execution

Howard has a detailed taxonomy built on attack processes, similar to the above stages. An attacker may have many different reasons for launching an attack. Some attackers may simply want to test their skills, others may want to prove a point. Each attacker has his own motivation for launching an attack. Before launching the attack, the attacker must select a target and gather information. These two activities take place either concurrently or consecutively, depending on what the attacker wishes to achieve. Information gathering involves extracting useful information from the target network or host, while target selection is the choosing of a target. During these stages, the attacker will usually use tools such as packet sniffers and port scanners to gather information on potential targets. Once the attacker has a target and some information on the potential weaknesses of the target, they can select an attack that is appropriate. The final stage is the execution of the attack, in which the attacker proceeds to launch the attack against the target [19].

2.2.2 Viruses

A virus is a piece of software that can infect other programs by modifying them: viruses attach themselves to a program and propagate copies of themselves to other programs [31]. Once a virus is executing, it can perform any function, such as erasing files and programs. Usually viruses will attach themselves to a file and run when the file is opened. There are several main types of viruses, which are described below [22].

Types of Viruses

The following categories are the most significant types of viruses.

Parasitic Virus: It attaches itself to an executable file and copies itself to other executable files when the infected program is executed.
Memory-resident Virus: It resides in main memory (Random Access Memory) and infects every program that executes.

Boot Sector Virus: It installs itself into the master boot record on the hard disk. The virus can run itself every time the computer is booted up.

Stealth Virus: A stealth virus is designed to hide itself from detection by antivirus software; for example, it may use compression so that the infected program is the same length as the uninfected version of the same program.

Polymorphic Virus: A virus that has the ability to change itself as time goes by, or when it replicates, is called a polymorphic virus.

Metamorphic Virus: It changes itself with every infection. The difference between a
polymorphic and a metamorphic virus is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection, while a polymorphic virus only changes its signature.

Macro Viruses

Macro viruses infect Microsoft Word documents. For example, they may delete information from a document or insert phrases into it. Propagation is usually through infected files. If a user opens a document that is infected, the virus may install itself so that any subsequent documents are also infected. Some macro viruses propagate via email, such as the Melissa virus.

The Melissa virus is the best known macro virus. It targeted Microsoft Word 97 and 2000. The virus worked by emailing a victim with an email that appeared to come from a known contact. The email contained a Microsoft Word document as an attachment that, if opened, would infect Microsoft Word, and if the victim used the Microsoft Outlook 97 or 98 email client, the virus would be forwarded to the first 50 contacts in the victim's address book.

2.2.3 Worms

Worms are special types of viruses that can replicate themselves and use memory but cannot attach themselves to other programs. Unlike viruses, worms do not require human interaction and can spread automatically from one computer to another across the network [32]. Worms are not always malicious; they can occur as a result of a logic error in a well-intentioned program [33]. The two main types of worms are described below.

Mass-Mailing Worms

Mass-mailing worms can be classified as a worm, a virus or both. A mass-mailing worm is a worm that spreads through email. Once the email has reached its target it may have a payload in the form of a virus or trojan.

Network-Aware Worms

Network-aware worms are a major problem for the Internet. Network-aware worms need four stages for propagation. The first step is target selection: the compromised host (an attacked computer) targets a host.
The compromised host then attempts to gain access to the target host by exploitation. Once the worm has access to the target host, it can infect it. Infection may include loading trojans onto the target host, creating back doors or modifying files. Once infection is complete, the target host is now compromised and can be used by the worm to continue propagation.

2.2.4 Trojan

Trojan horses are one of the most serious threats. The name has been derived from the Greek story in which the Greeks won the Trojan war by hiding in a huge hollow wooden horse to get into the fortified city of Troy. A Trojan horse is a malicious, security-breaking program that seems to be beneficial to the user, in the form of a screen saver or a game. Many Trojan horses permit password crackers (people who crack passwords) to control a person's computer remotely in order to use the computer for denial of service attacks. Moreover, trojans can be designed for destroying
data, software and hardware, or for transferring a computer virus or worm.

Logic Bombs

Logic bombs are a special form of trojan that only release their payload once a certain condition is met. Logic bombs involve installing a hidden program that is designed to activate after a predefined date and time [34].

2.2.5 Replay Attacks

A replay attack is a kind of active attack (one that involves modification, redirection, blockage or destruction of data, devices or communication links) where the attacker records a communication session (a period devoted to a specific activity), or a part of it, and later replays the entire session or a portion of the recorded session to take advantage of it [35]. Replay attacks are used to gain access to the network with the authorizations of the target, but the actual session is not altered. This attack is not a real-time attack, i.e. the attacker will access the network after the original session. The attacker captures the authentication of a session and then replays the authenticated session at a later time [36].

2.2.6 War Driving

War driving is the process of driving around an area searching for wireless networks. It is mostly performed by hackers looking for unsecured networks [6]. The attacker searches for a wireless network by listening to beacon frames (the beacon frame advertises the existence and basic configuration of a network at periodic intervals; described in detail in a later section) or by sending probe requests to the access point (the probe request is sent by a client looking for a specific SSID, or any SSID, within its area; details in a later section). The attacker uses war driving software such as NetStumbler and airodump in order to obtain the following information:

The Basic Service Set Identifier (BSSID; the MAC address of the access point (A.P.)) [37]
The Service Set Identifier (SSID), or network name, which identifies the network to users.
The channel number: the channel used by the access point or by the independent basic service set (IBSS; an ad hoc network where stations or nodes communicate directly with each other without an access point).

2.2.7 Rogue Access Point
After obtaining probe responses by sending probe requests, or by sniffing (listening to) beacon frames (the beacon frame advertises the existence and basic configuration of a network at periodic intervals; described in detail in a later section), the attacker sets up his own access point with the same MAC address and Service Set Identifier (SSID; name of the network) as the legitimate access point (A.P.), but with stronger signals. That access point is called a rogue access point. When a station configured for the legitimate A.P. enters the coverage area of the rogue access point, the default configuration of the network will make the station automatically associate with the rogue access point. A rogue access point performs illegal acts; for example, it can direct fake traffic to the associated station or can drop the disassociation request made by the station [38]. A rogue access point can also pose a significant threat to wireless networks by creating a backdoor (software that allows access to a system without normal authentication [39]).

2.2.8 Denial of service attacks

Denial of Service (DoS) attacks, sometimes known as nuke attacks, are designed to deny legitimate users of a system from accessing or using the system in a satisfactory manner. DoS attacks usually disrupt the service of a network or a computer, so that it is either impossible to use, or its performance is seriously degraded. There are three main types of DoS attacks: host based, network based and distributed [22].

Host Based

Host based DoS attacks aim at attacking computers. Either a vulnerability in the operating system, in application software or in the configuration of the host is targeted. Crashers are a form of host based DoS that are simply designed to crash the host system, so that it must be restarted. Crashers usually target a vulnerability in the host's operating system. Many crashers work by exploiting the implementation of network protocols by various operating systems.
Some operating systems cannot handle certain packets, and if these are received, they cause the operating system to hang or crash.

Network Based

Network based DoS attacks target network resources in an attempt to disrupt legitimate use. Network based DoS attacks usually flood the network and the target with packets. To succeed in flooding, more packets than the target can handle must be sent, or if the attacker is attacking the network, enough packets must be flooded so that the bandwidth left for legitimate users is severely reduced. Three main methods of flooding have been identified:

TCP Floods: TCP packets are streamed to the target.
ICMP Echo Request/Reply: ICMP packets are streamed to the target.
UDP Floods: UDP (User Datagram Protocol) packets are streamed to the target.

Distributed

The last type of DoS attack is perhaps the most interesting. Distributed DoS (DDoS) attacks are a
recent development in computer and network attack methodologies. DDoS attacks are effective enough to disrupt a website's operation for several hours. DDoS attacks work by using a large number of attack hosts to direct a simultaneous attack on a target or targets.

2.2.9 Power Consumption attacks

Power consumption attacks occur in wireless sensor networks (WSNs; a network that consists of a number of low cost and resource limited sensor nodes that sense important data and transmit information [41]). When an attack occurs, it may consume the power of the wireless device or wireless network under attack. Sensor nodes are mostly equipped with a limited power supply. There are two types of power consumption attacks in WSNs.

Sleep Deprivation Attack

A sleep deprivation attack is a severe attack in WSNs because recharging or replacing the batteries of nodes may be impossible. In the sleep deprivation attack, the malicious node makes requests to sensor nodes to keep them awake [25]. This attack causes a large amount of power consumption, so that the limited power sensor nodes stop working, ultimately causing a denial of service through denial of sleep [41]. In a densely populated area, this attack may also lead to more energy consumption due to congestion and contention at the data link layer.
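The denial-of-sleep effect described in section 2.2.9 can be made concrete with an energy model of one sensor node. This is an added example, not code from the paper: every request keeps the node awake for a hold time, so a stream of requests from a malicious node collapses the battery lifetime, and a per-source rate limit (an assumed mitigation, not one the paper proposes) recovers most of it while still paying a small receive cost per dropped frame. All constants and the traffic mix are constructed, illustrative values.

```python
"""Energy model of a single sensor node under a sleep deprivation attack.

Added example, not from the original paper. Constants are constructed,
illustrative values, not measurements of any real hardware.
"""
from collections import defaultdict

BATTERY_J = 10_000.0     # usable battery energy of the node (constructed)
P_SLEEP_W = 50e-6        # power draw while asleep
P_AWAKE_W = 20e-3        # power draw while awake (radio and CPU active)
HOLD_S = 0.5             # time the node stays awake to serve one request
RX_ONLY_S = 0.005        # awake time just to receive and discard a frame
HORIZON_S = 600.0        # simulated interval used to estimate average draw


def awake_seconds(wakeups):
    """Total awake time for (start, duration) wake-ups, merging overlaps."""
    total = 0.0
    cur_start = cur_end = None
    for start, dur in sorted(wakeups):
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, start + dur
        else:
            cur_end = max(cur_end, start + dur)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def rate_limited(requests, max_per_window, window_s):
    """Yield (time, src, accepted): a source may have at most max_per_window
    accepted requests in any window_s; the rest are dropped. This is an assumed
    mitigation, used here only to show how much of the drain it removes."""
    history = defaultdict(list)
    for t, src in sorted(requests):
        recent = [x for x in history[src] if t - x < window_s]
        accepted = len(recent) < max_per_window
        if accepted:
            recent.append(t)
        history[src] = recent
        yield t, src, accepted


def lifetime_hours(requests, limiter=None):
    """Battery lifetime in hours implied by the request stream over HORIZON_S.
    A dropped frame still costs RX_ONLY_S awake: the radio must hear it first."""
    if limiter is None:
        wakeups = [(t, HOLD_S) for t, _ in requests]
    else:
        wakeups = [(t, HOLD_S if ok else RX_ONLY_S)
                   for t, _, ok in rate_limited(requests, *limiter)]
    awake = min(awake_seconds(wakeups), HORIZON_S)
    energy = awake * P_AWAKE_W + (HORIZON_S - awake) * P_SLEEP_W
    return BATTERY_J / (energy / HORIZON_S) / 3600.0


def scenario(attack_rate_hz=0.0):
    """Constructed traffic: the sink polls once a minute; a malicious node
    ('mallory'), if present, sends attack_rate_hz requests per second."""
    reqs = [(t, "sink") for t in range(0, int(HORIZON_S), 60)]
    if attack_rate_hz > 0:
        n = int(HORIZON_S * attack_rate_hz)
        reqs += [(i / attack_rate_hz, "mallory") for i in range(n)]
    return reqs


if __name__ == "__main__":
    print("normal duty cycle : %.0f h" % lifetime_hours(scenario()))
    print("sleep deprivation : %.0f h" % lifetime_hours(scenario(4.0)))
    print("with 2/min limit  : %.0f h" % lifetime_hours(scenario(4.0), (2, 60.0)))
```

Under the constructed numbers the attacked node lasts about 139 hours instead of roughly 12,800, and the rate limit brings it back into the thousands of hours rather than all the way, because each spoofed frame still has to be received before it can be dropped.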
Barrage Attack

The barrage attack bombards victim nodes with legitimate requests. It causes its victims to spend slightly more energy, it is more easily detected and it requires more effort on behalf of the attacker compared to the sleep deprivation attack. The purpose of these requests is to waste the victim's limited power supply by causing it to stay out of its sleep mode and perform energy intensive operations. The main difference between the sleep deprivation attack and the barrage attack is that in sleep deprivation attacks, victim nodes are kept awake but are not made to perform energy intensive operations, as is the case in the barrage attack [25].

2.2.10 Man In The Middle Attack

A man-in-the-middle attack occurs when an attacker is able to place itself in the middle of two hosts that are communicating. The attacker can observe all traffic before relaying it to the intended recipient, and can modify or block traffic, thus violating the integrity of a session. This is a real-time attack, meaning that the attack occurs during a target machine's session. To the target host, it appears that all communication is taking place normally since all expected replies are being received. In the case of encrypted traffic, the attacker will gain limited information, but sensitive information may still be obtained, since knowing what communication is being conducted between which individuals may provide valuable information [40].

There are multiple ways to implement this attack. One example is when the target has an authenticated session underway. In step one, the attacker breaks the session and does not allow the target to re-associate with the access point. In step two, the target machine attempts to re-associate
with the wireless network through the access point and is only able to associate with the attacker's machine, which is mimicking the access point. Also in step two, the attacker associates and authenticates with the access point on behalf of the target [36].

2.2.11 Forced deauthentication/disassociation request Attack

Disassociation and deauthentication attacks exploit the unauthenticated nature of management frames in wireless networks. When a station wants to connect to an access point, it first exchanges authentication frames and then association frames. Any station can spoof a disassociate or deauthenticate message, pretending to be another station. As a result, the access point disassociates the targeted station, which cannot send traffic until it is associated again [45]. By repeating the attack persistently, a client may be kept from transmitting or receiving data. To accomplish this attack, it is required that the attacker promiscuously monitor the channel and send deauthentication messages only when a new authentication has successfully taken place [24].

802.11w allows the receiving station to refuse disassociation and deauthentication when management frame protection (MFP) is on and the message integrity check fails [46]. (The message integrity check adds two new fields inside an encrypted frame: the sequence number and the integrity check. The sequence number checks the order of the packets, and unordered packets are discarded.) This attack occurs at Layer 2, i.e. the MAC layer.

2.2.12 Wormhole Attacks

During this attack, a malicious node captures packets from one location in the network and transfers them to another malicious node at a distant point, which replays them locally. The wormhole link can be established by an ethernet cable, an optical link or long range wireless transmission antennas. This link makes the packets arrive either sooner or with fewer hops compared to packets transmitted over normal multihop routes. As a result, the two end points of a wormhole link appear to be close to each other.
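Both the rogue access point of section 2.2.7 and the forced deauthentication of section 2.2.11 leave a signature in the management frames that a passive monitor can see, so one added example covers both (it is not code from the paper). It runs two checks over a constructed capture: beacons whose SSID or BSSID conflict with an allowlist of legitimate access points, and bursts of deauthentication or disassociation frames aimed at one station within a short window. The allowlist, MAC addresses and frame records are all constructed sample data.

```python
"""Defensive monitor over a constructed capture of 802.11 management frames.

Added example, not code from the original paper. Everything below
(allowlist, MAC addresses, frame records) is constructed sample data.
"""
from collections import defaultdict, deque

# Constructed allowlist of legitimate APs: BSSID -> (SSID, channel)
KNOWN_APS = {
    "00:11:22:33:44:55": ("CorpWiFi", 6),
    "00:11:22:33:44:66": ("CorpWiFi", 11),
}

BCAST = "ff:ff:ff:ff:ff:ff"
AP1, AP2 = "00:11:22:33:44:55", "00:11:22:33:44:66"
STA1, STA2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"

# Constructed capture: (time_s, type, bssid, src, dst, ssid, channel, rssi_dbm)
FRAMES = [
    (0.0, "beacon", AP1, AP1, BCAST, "CorpWiFi", 6, -55),
    (0.1, "beacon", AP2, AP2, BCAST, "CorpWiFi", 11, -60),
    (0.2, "beacon", "12:34:56:78:9a:bc", "12:34:56:78:9a:bc", BCAST, "Neighbour", 1, -80),
    # evil twin: the corporate SSID from a BSSID not on the allowlist, strongest signal
    (0.3, "beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", BCAST, "CorpWiFi", 6, -30),
    # BSSID clone: a legitimate BSSID announced on a channel it is not registered on
    (0.4, "beacon", AP1, AP1, BCAST, "CorpWiFi", 1, -35),
    # one legitimate disassociation (a station leaving AP2)
    (5.0, "disassoc", AP2, AP2, STA2, None, 11, -60),
]
# forced deauthentication: 12 spoofed deauth frames against STA1 within 0.55 s
FRAMES += [(1.0 + i * 0.05, "deauth", AP1, AP1, STA1, None, 6, -40) for i in range(12)]


def find_rogue_aps(frames, known_aps):
    """One finding per distinct suspicious (BSSID, SSID, channel) in beacons or
    probe responses. 'evil_twin': a legitimate SSID from a BSSID that is not on
    the allowlist. 'bssid_clone': a legitimate BSSID with a different SSID or
    channel than the one registered for it."""
    known_ssids = {ssid for ssid, _ in known_aps.values()}
    findings, seen = [], set()
    for t, ftype, bssid, _src, _dst, ssid, channel, rssi in frames:
        if ftype not in ("beacon", "probe_resp"):
            continue
        if bssid in known_aps:
            if (ssid, channel) == known_aps[bssid]:
                continue                      # exactly as registered
            kind = "bssid_clone"
        elif ssid in known_ssids:
            kind = "evil_twin"
        else:
            continue                          # unrelated neighbouring network
        key = (kind, bssid, ssid, channel)
        if key not in seen:
            seen.add(key)
            findings.append({"kind": kind, "bssid": bssid, "ssid": ssid,
                             "channel": channel, "rssi": rssi, "first_seen": t})
    return findings


def find_deauth_floods(frames, window_s=1.0, threshold=10):
    """Flag (BSSID, station) pairs that receive at least `threshold` deauth or
    disassoc frames within any `window_s` seconds. A lone frame is normal
    (stations leave, APs time out idle clients); a burst is the forced
    deauthentication pattern. Broadcast deauths are keyed on the broadcast
    address, since one such frame hits every associated station."""
    recent = defaultdict(deque)
    flagged = {}
    for t, ftype, bssid, _src, dst, *_ in sorted(frames, key=lambda f: f[0]):
        if ftype not in ("deauth", "disassoc"):
            continue
        q = recent[(bssid, dst)]
        q.append(t)
        while t - q[0] > window_s:            # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and (bssid, dst) not in flagged:
            flagged[(bssid, dst)] = {"bssid": bssid, "station": dst,
                                     "count": len(q), "first_seen": q[0]}
    return list(flagged.values())


if __name__ == "__main__":
    for f in find_rogue_aps(FRAMES, KNOWN_APS):
        print("rogue AP   :", f)
    for f in find_deauth_floods(FRAMES):
        print("deauth burst:", f)
```

On a live network the frame records would come from a monitor-mode capture; with 802.11w management frame protection enabled, the deauth check also becomes a cross-check that a protected station is no longer honouring unprotected frames.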
This can disrupt network routing protocols and clustering protocols, prevent critical messages from being received by the intended recipients, and disrupt location based wireless security systems [47]. A wormhole attack is possible even if the attacker has not compromised any hosts, and even if all communication provides authenticity and confidentiality.

Prevention: A wormhole attack can be prevented by a security policy that is designed such that a group A only trusts connections to group B. Because this is an asymmetric trust, a wormhole attack from B to A is not possible. This is an important step in preventing a wormhole attack that seeks to skip a sensor or group of sensors in a sequence by generating a wormhole around it [47].

2.2.13 Spoofing

Spoofing is a type of attack in which a hacker modifies the source address of a network packet (a packet is a piece of information sent on a network, containing data along with header information; the header contains the source and destination address of the packet [43]). In this type of attack, the attacker can convince any computer or network that he is a legitimate user [42]. There are three major types of spoofing.

MAC Spoofing

MAC spoofing occurs when the hacker modifies the source MAC address of the packet. The MAC address is the address at the data-link layer that identifies each network's physical network connection [44]. MAC addresses are also called burned-in addresses because the address is burned
into read only memory (ROM) and copied into random access memory (RAM). MAC address spoofing is only useful to an attacker if their target is on the same subnet as they are. MAC operates at the data-link layer, and so is only used locally. To spoof beyond the local subnet, an attacker must spoof at a higher layer, for example the network layer.

IP Spoofing

The attacker uses the IP address of another computer to acquire information or gain access to network resources. The attacker will alter the source IP address of the packet. IP spoofing occurs at the network layer. Further information is provided in [48].

Email Spoofing

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords) [50]. Examples of spoofed email that could affect the security of your site include:

Email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this.
Email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information.

2.2.14 Physical Attacks

A physical attack disrupts the reliability of computer equipment and the availability of data. A physical attack is implemented either through the use of conventional weapons, creating heat, blast and fragmentation, or through direct manipulation of wiring or equipment, usually after gaining unauthorized physical access.

In 1991, during Operation Desert Storm, the U.S. military reportedly disrupted Iraqi communications and computer centers by sending cruise missiles to scatter carbon filaments that short circuited power supply lines.
Also, the Al Qaeda attacks directed against the World Trade Center and the Pentagon on September 11, 2001, destroyed many important computer databases and disrupted civilian and military financial and communications systems that were linked globally. The temporary loss of communications links and important data added to the effects of the physical attack by closing financial markets for up to a week [49].

Chapter 3
Related Work

3.1 Requirements of taxonomy

To develop a taxonomy for computer and network attacks is not a straightforward or easy task. Attacks can
be classified in many ways, mostly depending on the environment one works in. Scientifically speaking, a taxonomy is an approximation of reality that is used to gain greater understanding of a field of study. As such, a taxonomy should have classification categories with the following characteristics:

1. Accepted
The taxonomy should be structured so that it can become generally approved.

2. Comprehensible
A comprehensible taxonomy will be able to be understood by those who are in the security field, as well as those who only have an interest in it.

3. Completeness/exhaustive
For a taxonomy to be complete/exhaustive, it should account for all possible attacks and provide categories for them. While it is hard to prove that a taxonomy is complete or exhaustive, it can be justified through the successful categorization of actual attacks.

4. Determinism
The procedure of classifying must be clearly determined.

5. Mutually exclusive
A mutually exclusive taxonomy will categorize each attack into, at most, one category.

6. Repeatable
Classifications should be repeatable.

7. Terminology complying with established security terminology
Existing terminology should be used in the taxonomy so as to avoid confusion.

8. Terms well defined
There should be no confusion as to what a term means.

9. Unambiguous
Each category of the taxonomy must be clearly defined so that there is no ambiguity as to where an attack should be classified.

10. Useful
A useful taxonomy will be able to be used in the security industry.
3.2 Previous taxonomies

3.2.1 Landwehr's Taxonomy

The taxonomy is based on computer program security flaws. A security flaw is a part of a program that can cause the system to violate its security requirements. Firstly, we should know what the security requirements of our system are, and then identify flaws. The taxonomy proposed here classifies flaws according to how, when and where they were introduced into the system.

Classification of Flaws

Landwehr has made the following categories in order to classify flaws:

1. By Genesis
This (the "how" of error introduction) is the most key part of the taxonomy for this dissertation. How does a security flaw find its way into a program? It may be introduced intentionally or inadvertently. Sub-categories are:
  1. Malicious Flaws
  2. Intentional, Non-Malicious Flaws
  3. Inadvertent Flaws

2. By Time of Introduction
Classifying identified security flaws, both intentional and inadvertent, according to the phase of the system life cycle in which they were introduced can help us understand where to look for more errors and where to focus efforts to prevent their introduction. Sub-categories are:
  1. During Development
  2. During Maintenance
  3. During Operation

3. By Location
A security flaw can be classified according to where in the system it is introduced or found. Most computer security flaws occur in software, but flaws affecting security may occur in hardware as
well.

3.2.2 Howard's Taxonomy

Howard provides an incident taxonomy that classifies attacks by events, where an event is an action directed at a specific target intended to result in a changed state. The event involves the action and the target. He highlights all the steps that encompass an attack and how an attack develops. The attack consists of five logical steps which an attacker performs to achieve an unauthorized result. Those steps are: tools, vulnerability, action, target, and unauthorized result.

The tool refers to the mechanism used to perform the attack.
The vulnerability is the type of exploit used to perform the attack.
The action refers to the method used by the attacker to perform the attack (i.e. probe, scan, authenticate, etc.).
The target is the entity the attack is attempting to compromise.
The unauthorized result is the changed state caused by the attack.

Although Howard presents a useful taxonomy that provides an informative baseline for cyber intrusions, he lacks the details needed for thorough insight into the attack.

3.2.3 Lough's Taxonomy

Lough proposed an attack-centric taxonomy called VERDICT (Validation Exposure Randomness Deallocation Improper Conditions Taxonomy). Lough focuses on four major causes of security errors: Improper Validation, Improper Exposure, Improper Randomness, and Improper Deallocation. He labels these four characteristics with the prefix "Improper", with attacks being thought of as improper conditions.

Validation refers to improperly validating or unconstrained data, which also includes physical security.
Exposure involves the improper exposure of information that could be used directly or indirectly for the exploitation of a vulnerability.
Randomness deals with the fundamentals of cryptography and the improper usage of randomness.
Deallocation is the improper destruction of information, or residuals of data, which also includes dumpster diving.

He uses one or more of the above characteristics to describe a vulnerability within a system.

3.2.4 Hansman Taxonomy

Hansman and Hunt aim to develop a "pragmatic taxonomy that is useful to those dealing with attacks on a regular basis." They also analyze a few of the existing taxonomies. They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks. Instead, they propose four taxonomies of attacks based on four different dimensions of classification.

Dimensions

This taxonomy works by using the concept of dimensions. Dimensions are a way of allowing for a
classification of an attack to take a more holistic view of the attack. The taxonomy proposes four dimensions for attack classification.

The First Dimension

Classification in the first dimension consists of two options: if the attack uses an attack vector, categorize it by the vector; otherwise, find the most appropriate category. The attack vector of an attack is the main means by which the attack reaches its target. For example, the Melissa "virus" uses email as its main form of propagation, and therefore is, in the first dimension, a mass-mailing worm.

The Second Dimension

The second dimension covers the target(s) of the attack. As an attack may have multiple targets, there may be multiple entries in this dimension. For example, the target can be hardware; within hardware it can be a computer; within a computer the main target can be the hard disks. Likewise, if Code Red attacked Server A, the target would not be Server A, but the IIS server that Server A was running.

The Third Dimension

The third dimension covers the vulnerabilities and exploits that the attack uses. An attack may exploit multiple vulnerabilities, so there may be more than one entry in the third dimension. Entries in the third dimension are usually a Common Vulnerabilities and Exposures (CVE) entry. Howard suggests three general types of vulnerabilities:

Vulnerability in implementation
Vulnerability in design
Vulnerability in configuration

If no CVE entry exists, then one of Howard's types of vulnerabilities should be selected, and a description of the vulnerability should be created.

The Fourth Dimension

The fourth dimension deals with attacks having payloads or effects beyond themselves. For example, a worm may have a Trojan payload, or it may simply destroy some files. The payload may be another attack itself, and so the first dimension can be used to classify the payload if this is the case. The fourth dimension consists of five categories:

1. First Dimension Attack Payload
2. Corruption of Information
  16. 16. 3. Disclosure of Information4. Theft of Service5. SubversionA number of further dimensions could be added to enhance the taxonomy like damage, cost inrecovery etc. 3.3 Critical ReviewLandwehrs state taxonomy is most useful when it classifies threats in scope that correspond topotential defenses. This taxonomy differs from previous taxonomies, as it helps to not onlyidentify attacks, but also provides measures to mitigate attack vulnerabilities.One approach ingaining Insight into attacker’s target is to consider the attack paths, or Combination ofexploits.They did not limit their taxonomy to operating systems but provided a more generaltaxonomy of flaws in computer programs.Howard criticizes Landwehrs taxonomy because use of terms like ―Trojan horse, trapdoor,logic/time bomb for which there are no accepted definitions‖ is made in this taxonomy. AlthoughLandwehr give in his paper fairly standard definitions, they are a little vague. The authors quotethat, ―A time-bomb might be placed within either a replicating or nonreplicating Trojan horse.‖However, ―Trojan Horse‖ and ―Logic/Time Bomb‖ are on the same level.The authors recognizedthe limitations of their taxonomy. They know it is, ― approach for evaluating problems insystems as they have been built.‖ They also realize that, the assignment of a flaw to a category mayrest on relatively fine distinctions.‖ Their 50 flaws documents are just a small set of data, andstatistically valid conclusions cannot be made from such a set. Although the taxonomy may notmeet the stringent standards of taxonomies, it does give the system user an idea of how, when, andwhere errors come from. 
This is precisely what they intended to show.Howard presents a useful taxonomy that provides an informative baseline for cyber Intrusions, helacks the details needed for thorough insight into the attack.In such a taxonomy the classes are notmutually exclusive, but it is useful for understanding the nature of attacks.Lough’s taxonomy directly includes the cause of the attack as a category; it is useful for a securityassessment process. However, Lough’s taxonomy has many limitations. First, Lough’s taxonomyis not application-specific. Lough combines information from a wide variety of attacks andvulnerabilities, including operating system flaws and network attacks. This makes his taxonomyvery general. Second, Lough uses both attack and vulnerability taxonomies to derive his newtaxonomy. He compares attack classes with vulnerability classes and even equates many of them.From a security assessment perspective this has two side effects. First, it mixes cause and effects.Vulnerability is the cause for an attack. Therefore, it is beneficial to the assessment process toorganize information such that these causes and effects are properly separated. Second, as we haveseen so far, the number of attack classes is limited, and the number of vulnerabilities can be veryhigh. Therefore, equating attacks and vulnerabilities has the effect of hiding many of thevulnerabilities under a single class of attacks. This leads to the third limitation in using Lough’swork for security assessment: Lough has a single- level taxonomy. This implies that many types ofvulnerabilities are abstracted under a single category. All attacks are put into four categories, and
  17. 17. there is no refinement of the upperlevel categories into lower-level details. Such taxonomy is notideally suited for security assessments.In Hansman and Hunt aim to develop a ―pragmatic taxonomy that is useful to those dealing withattacks on a regular basis.‖ They also analyze a few of the existing taxonomies.They conclude that it is difficult to develop effective tree-structure taxonomy of attacks. Insteadthey propose four taxonomies of attacks based on four different dimensions of classification. Thefour dimensions are:• Attack vector• Attack target• Vulnerabilities and exploits• Attacks with payloadsEach of the four taxonomies is hierarchical with subsequent layers providing greater details of theattack. The four taxonomies taken together provide useful information and meet the goals ofdeveloping a ―pragmatic taxonomy.‖ It might be true, as argued by Hansman and Hunt, thatdeveloping a single tree-structure taxonomy incorporating all these dimensions would becumbersome. However, if the taxonomy were application- specific instead of trying to incorporateall possible kinds of attacks, it might not be very difficult to develop single tree-structuretaxonomy of attacks. A tree structure in the taxonomy provides the basis for the systematic processof security assessment. 
The assessment must cover the breadth of attacks while simultaneouslyexploring the depth of the system’s functional blocks to unearth vulnerable features.Chapter 4Taxonomy 4.1 The Proposed TaxonomySecurity is a key service for both wired and wireless communications.The previous taxonomiesfocus mostly upon wired networks while there is a limited work corresponding to security ofwireless networks.The evolution in the variety and application of wireless networks has vastlyincreased the urgency of identifying security threats and countermeasures to combat these threats.Maintaining a secure wireless network is an ongoing process that requires greater effort than thatrequired for other networks and systems.Our taxonomy actively addresses risks inherent in wireless networks to protect these networks beforedeployment.We have proposed the necessary and sufficient categories to create a satisfactorytaxonomy of wireless network attacks.Basicaly these categories can be extracted from theconception of attack generation.Taxonomies such as Howard’s give a good overview of the attackprocess, but avoid examining the categories of attacks that face computers and networks each day.
  18. 18. The taxonomy may have two types of structure: Tree-Like Structure List-Based StructureThe taxonomy resulting from a tree-like structure will have more general categories at the top, andspecific categories at the leaves. However, while such a taxonomy is certainly desirable, inpractice it is not possible to do so in an acceptable manner.The first problem with such a taxonomyis how to deal with attacks that cause other attacks. To allow for attacks to contain other attacksthere are two possible solutions. One is to allow for cross-tree references, that is when one leafnode points to another leaf node somewhere else in the taxonomy. This approach leads to a messytree and would be hard to use in classifying. The second is to have recursive trees, so that each leafon the base tree may have another tree (or more) under it. This again leads to a messy structure andwould be of limited use.The second problem is that attacks, unlike animals, often do not have many common traits. Thismakes the creation of broad categories hard. While worms and viruses can be related, there is littlein common between them and a buffer-overflow. This means that the taxonomy tree would have tobranch out immediately into a number of categories that are unrelated. The benefits of the tree-likestructure are therefore lost. With these two problems, the tree-like taxonomy was discarded.Another way taxonomies are sometimes created, is through lists. A list based taxonomy contains aflatlist of categories. There are two approaches that could have been taken in the proposedtaxonomy. Firstly, a flat-list with general categories could be suggested, or secondly, a flat-listwith very specific categories could be proposed. We have utilize both these approaches for theproposed taxonomy.Our classification consist of general and specific categories so as to give adetail classification of each attack leading towards specific taxonomy. 
4.2 Classification

4.3.1 Stage

In wireless networks, there are three stages that need to be passed before transmission of data. These stages are:
• Discovery
• Authentication
• Association

In the proposed taxonomy, the attacks have first been categorized according to the stage at which they occur, as each attack occurs during one of these stages or after passing through all three of them. According to Lough [2], when a station wishes to join a Basic Service Set (BSS) (a collection of stations communicating with each other through an access point), it first has to "authenticate" to the BSS by a challenge-response protocol (challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated). After authentication, the station then "associates" with the BSS. When a station wants to leave a BSS, it "disassociates" from the BSS.

Discovery/Probing/Scanning:

In the wireless world, a station must identify a compatible network before joining it. Discovery is the stage where a station or access point (AP) discovers the presence of other stations or access points. Access points (and their equivalent stations in ad hoc networks) send management packets at periodic intervals, for example beacon frames and probe requests [27].

Beacon Frames:

The beacon frame is a management frame for synchronization, power management and delivering parameters. The beacon frame advertises the existence and basic configuration of a network. The access point of a basic service set sends beacon frames and clients listen to them. In an ad hoc network (where stations or nodes communicate directly with each other without an access point), clients themselves transmit beacon frames [29]. The MAC (Medium Access Control) layer is responsible for generating beacon frames [30]. Beacon frames are generated at regular intervals called the target beacon transmission time (TBTT). Beacon frames include the following:
• Time stamp: each beacon contains a timestamp, which is used by stations to keep their clocks synchronized with the access point.
• Channel information: the channel used by the AP or independent basic service set (IBSS: ad hoc network).
• Data rates: the supported data transfer rates.
• Service Set Identifier (SSID): the name of the wireless network. All devices in a wireless network must use the same SSID to communicate with each other.

Probe Requests/Probe Responses:

The probe request is sent by a client looking for a specific SSID (directed probe request) or any SSID within its area (null probe request). After the probe request is sent, all APs in the area with the same SSID will reply with a probe response. The probe response frame contains the same information that was contained in the beacon frame [29]. Probing (the use of probe requests) involves the attacker actively sending probe requests containing the desired identity in order to obtain a probe response from an AP whose identity matches the one in the probe request.
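As an added illustration (not code from this thesis), the following Python parser reads the fixed fields and information elements of a beacon or probe response body as described above, and flags a cloaked (empty or null-filled) SSID of the kind that passive scanning would still have to account for. The frame body is constructed by hand for the example, and the field layout assumed is the one IEEE 802.11 specifies.

```python
"""
Parse the body of an IEEE 802.11 beacon (or probe response) management frame.

Added example for this taxonomy page; not code from the original thesis.
Field layout follows IEEE 802.11: fixed fields (8-byte timestamp, 2-byte
beacon interval, 2-byte capability) followed by tagged information elements.
The sample frame body below is constructed by hand for illustration.
"""
import struct

# Information element IDs defined by IEEE 802.11
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER_SET = 3  # carries the current channel number


def parse_information_elements(body):
    """Walk the tagged elements: each is [id:1][len:1][data:len]."""
    elements = {}
    offset = 0
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + length]
        if len(data) < length:
            raise ValueError("truncated information element")
        elements.setdefault(element_id, []).append(data)
        offset += 2 + length
    return elements


def parse_beacon_body(body):
    """Return the fields a station reads from a beacon: timestamp, interval, channel, rates, SSID."""
    if len(body) < 12:
        raise ValueError("beacon body too short for the fixed fields")
    timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    elements = parse_information_elements(body[12:])
    ssid_raw = elements.get(IE_SSID, [b""])[0]
    rates = []
    for raw in elements.get(IE_SUPPORTED_RATES, []):
        # each rate byte is in units of 500 kbit/s; the top bit marks a basic rate
        rates.extend((b & 0x7F) * 0.5 for b in raw)
    ds = elements.get(IE_DS_PARAMETER_SET)
    channel = ds[0][0] if ds and len(ds[0]) == 1 else None
    return {
        "timestamp_us": timestamp,
        "beacon_interval_tu": interval_tu,     # time units of 1024 microseconds (TBTT spacing)
        "privacy": bool(capability & 0x0010),  # capability bit 4: WEP/privacy required
        "ssid": ssid_raw.decode("utf-8", errors="replace"),
        # cloaked AP: empty SSID element or one filled with null bytes
        "cloaked": len(ssid_raw) == 0 or ssid_raw == b"\x00" * len(ssid_raw),
        "channel": channel,
        "rates_mbps": rates,
    }


def build_beacon_body(timestamp, interval_tu, capability, ssid, rates, channel):
    """Construct a beacon body (used here only to create sample input)."""
    body = struct.pack("<QHH", timestamp, interval_tu, capability)
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, len(rates)]) + bytes(rates)
    body += bytes([IE_DS_PARAMETER_SET, 1, channel])
    return body


# Constructed sample: SSID "campus-wifi", channel 6, privacy bit set, rates 1/2/5.5/11 Mbit/s
SAMPLE_BEACON = build_beacon_body(
    timestamp=0x0000000123456789, interval_tu=100, capability=0x0411,
    ssid=b"campus-wifi", rates=[0x82, 0x84, 0x0B, 0x16], channel=6)

if __name__ == "__main__":
    print(parse_beacon_body(SAMPLE_BEACON))
```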
Active probing cannot detect access points that are cloaked (configured not to respond to probe requests with no SSID set) or that are out of the attacker's wireless transmission range. When an attacker engages in passive probing (the use of beacon frames), he listens on all channels for all wireless packets without sending even a single packet. Cloaked APs with no wireless activity would not be detected. Passive scanning is used when stations want to conserve power.

Authentication

Authentication is used by an AP or a station to verify the identity of another station. This security service is critical for preventing unauthorized access to network resources. In an infrastructure wireless network, authentication provides protection against unauthorized users, since the AP is the entry point into the Extended Service Set. Improper authentication can undermine all security measures in an enterprise. Mutual authentication also allows the wireless network to prove its identity to the STA, which allows the STA to validate positively that it is communicating with a legitimate wireless network, as opposed to an unauthorized or "rogue" WLAN. The station sends an authentication request to the access point. The access point authenticates the station. The IEEE 802.11 standard defines two types of WEP authentication:
• Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively, the device can use the "ANY" SSID option to associate with any available access point within range, regardless of its SSID.
• Shared Key Authentication requires that the station and the access point have the same key to authenticate. Shared key authentication is made possible by a challenge-response protocol.

Challenge-Response Protocol:

In a challenge-response protocol, one node selects a random number, encrypts it with a shared key and sends the ciphertext (encrypted text), which is called a challenge, to the other node. If the node that has received the challenge can decrypt it and return the original random number, the identity of the challenged node is proved, because it has the correct key [28].

Association

The station sends an association request to the access point. The access point associates with the station. According to Matthew Gast [4], "Association is a recordkeeping process that allows the distribution system to track the location of each mobile station, so that frames destined for the mobile station can be forwarded to the correct access point." After association completes, the station is registered on the access point. Association is restricted to infrastructure networks. The association process has three steps:
1. After the station has authenticated, it can issue an association request frame. Stations that have not yet authenticated receive a deauthentication frame from the access point in response.
2. The access point then processes the association request. 802.11 does not specify how to determine whether an association should be granted; this is specific to the access point implementation.
   A. When the association request is granted, the access point responds with status code 0 and an association ID used to logically identify the station to which buffered frames need to be transmitted.
   B. Unsuccessful association requests include only a status code, and the procedure ends.
3. After successful association, the access point begins processing frames for the mobile station.

4.3.2 Power Consumption

Most ad hoc nodes have a limited power supply and no capability to generate their own power. When an attack occurs, it may consume power of the wireless device or wireless network under attack. We have added this category in order to distinguish attacks that consume much power. Some attacks do not consume power; instead, these attacks consume other resources, as in eavesdropping, where information leakage occurs. Attacks like sleep deprivation attacks [25] aim to consume as much power of the wireless network as possible, causing denial of service. Such power consumption attacks mostly occur on battery-powered wireless devices or sensor nodes. Physical and network level power conservation is an important security design consideration for extending battery life [54].

Sleep deprivation attacks are a form of denial of service attack whereby an attacker renders a computing device inoperable by draining the battery more quickly than it would be drained under normal usage [26]. Moreover, there are specific attacks that aim only at the power of a wireless node. For example:
(1) Service request power attacks, where repeated requests are made to the victim for services, typically over a network; even if the service is not provided, the victim must expend energy deciding whether or not to honor the request;
(2) Benign power attacks, where the victim is made to execute a valid but energy-hungry task repeatedly; and
(3) Malignant power attacks, where the attacker modifies or creates an executable to make the system consume more energy than it would otherwise.

In order to save energy, wireless clients are allowed to enter a sleep mode in which they cannot transmit or receive messages. The client and the access point agree on a schedule of sleep and wakeup periods ahead of time. The access point buffers packets destined for a station that is in sleep mode. When the client wakes up, it polls the access point for the buffered messages. An attacker can desynchronize the client and the access point to make the client wake up at the wrong interval. The polling frame can be spoofed by an attacker, causing the AP to send the collected packets and flush its internal buffers. An attacker can repeat these polling messages so that when the legitimate station periodically awakens and polls, the AP will report that there are no pending packets.

4.3.3 Layers

The attacks can be further classified according to the layers of the Open Systems Interconnection (OSI) model. All kinds of networks, including wireless networks, are organized in a layering hierarchy. The OSI model is the widely used layering model. It comprises seven layers [52]. Each layer is made up of many protocols and serves some specific functions. Attacks may be launched at one layer of the OSI model, while some attacks can be launched at more than one layer. We will consider only those layers that are involved in wireless networks. Wireless networks mostly function at the lowest two layers of the OSI model, i.e. the physical layer and the data link layer; however, to some extent, layer 3, i.e. the network layer, plays some role in launching attacks [53].
Physical Layer

As the name suggests, the physical layer defines the physical media or hardware that carries signals between the end points of a network connection. In wired networks the physical layer might be a coaxial cable, twisted pair cable or fibre optic cable, while in wireless networks radio frequency waves are the component of the physical layer, which is responsible for specifying the frequency range and type of modulation. For example, jamming and eavesdropping occur at the physical layer.

Data Link Layer

The data link layer handles transmission of data across the link defined by the physical layer. It ensures that data is transferred correctly between adjacent nodes. This layer detects and possibly corrects those errors that occur at the physical layer. The link layer is responsible for sending frames (collections of bits). Frames contain a cyclic redundancy check (CRC) (a checksum for error detection). When the frame is received, the CRC is computed and compared to the value in the frame. If the values do not match, the receiver requests the message to be retransmitted. The frame has a source address and a destination address. It uses the MAC (medium access control) address, a 6-byte address uniquely assigned to hardware. This layer has the responsibility of flow control, i.e. it regulates the rate at which endpoints send data so that all nodes get a fair chance. Attacks at this layer are focused on trying to hijack a user's network connection, intercept traffic or spoof a device's identity [51]. Examples: traffic analysis, man-in-the-middle attack or session hijacking, and spoofing.

4.3.3.3 Network Layer

The fundamental unit of communication at this layer is the IP (Internet Protocol) packet. An IP packet contains an IP header, which specifies the source and destination IP address (defined as a numerical identifier or logical address assigned to a network device), along with some amount of data [51]. This layer is also responsible for the routing of data. Examples: wormhole, black hole, byzantine, flooding, spoofing, data alteration, replays of routing information, HELLO flood attacks.

4.3.3.4 Multi-Layer

Many attacks can target multiple layers, for example DoS, impersonation and man-in-the-middle attacks. The countermeasures for these attacks need to be implemented at different layers. We have used a similar categorization. The main reason for categorizing attacks according to layers is that it makes it easy to search for vulnerabilities at each layer.

4.3.4 Attributes Utilized

There are five main attributes of security for wireless networks that should be met in order to ensure security. Violation of any one of these attributes leads to an insecure network. According to Yan Xiao: "Security is a combination of processes, procedures and systems used to ensure integrity, confidentiality, authentication, availability, access control and non-repudiation." Every attack violates one or more security attributes; that is why we have categorized each attack according to the attribute it disrupts. Each security attribute is explained below:

Integrity

Data integrity addresses the threat of unauthorized manipulation of data. Data integrity is also linked to authentication, since any modification can be seen as a result of modification of the origin of the data [17]. For example, if packet fragmentation and aggregation cannot be performed securely, the end-to-end security mechanisms assuring data integrity could fail [18].

Confidentiality

The goal of confidentiality is to keep information sent unreadable to unauthorized users or nodes, or to keep data secret for a defined set of recipients during transmission while the transmission channel may be unprotected [17]. Attacks like eavesdropping destroy the confidential transmission of data.

Access Control

The goal of access control is to prevent unauthorized use of network services and system resources. Access control is the ability to restrict access to resources to privileged entities.

4.3.4.4 Availability

The goal of availability is to keep the network services or resources available to legitimate users. It ensures that network services are available when required by the various entities in the network.

4.3.5 Flaw Utilization

A vulnerability is a weakness or fault in system security procedures, design, implementation or communication medium that could be accidentally triggered or intentionally exploited and result in a security breakdown [11]. There are two main categories of wireless vulnerabilities:
1. Physical vulnerabilities
2. Logical vulnerabilities

Physical vulnerabilities are exploited by tampering and vandalism attacks. Our major focus is on logical vulnerabilities, which exist in network services, protocols and applications and can be exploited by logical attacks. Logical vulnerabilities are classified into four main categories [11]:

Design Flaws

Design flaws refer to using a protocol to violate the assumptions of normal behaviour in the network, while conforming to the protocol specification design [11]. For example, an attacker can exploit the vulnerability in the TCP protocol design to mount a TCP SYN flooding attack. The attacker violates the three-way handshake operation of the TCP connection, making a half-open connection that ties up the server's allocated resources.

Denial of service at the MAC layer is due to protocol vulnerabilities. There are a number of network management frame types that are required for connection and discovery in wireless networks. Because this management information and the MAC address of every device are broadcast, there is no security and no means of sender verification. Among the various management sub-frames, the deauthentication and disassociation sub-frames are targeted for misuse in wireless networks [13]. These two frames will disconnect clients [14]. The deauthentication sub-frame is sent by a client to an AP, or to another client, to inform it that it wants to terminate the current connection. The problem or flaw associated with this type of frame is that there is no verification of the sender; the receiver will trust that the source MAC address is valid. The attacker can spoof the MAC address and send deauthentication and disassociation packets, causing denial of service to the victim [13].

Implementation Flaws

Implementation flaws refer to errors in hardware construction or software coding due to unfamiliarity with the programming language or ignorance of security issues. For example, inadequate boundary checking may result in a buffer overflowing with attacker-controlled contents [11]. Moreover, some access points produce initialization vectors using only 18 of the 24-bit space, which increases the probability of collisions. Random IV selection also results in random reuse of IVs (collisions), which enables further attacks. Some manufacturers select IVs simply sequentially [16].

Configuration Flaws

Configuration errors are the result of improper settings for a particular environment or threat model, programs/utilities that are installed in an incorrect place, or incorrect installation of program/utility parameters [12], such as having system accounts with default passwords, having "world write" permission for new files, or having vulnerable services enabled [19].

Exposed Medium

Due to the openness of the exposed wireless medium, an attacker can easily access a wireless network that has poor authentication. In practice, most wireless networks are not configured securely, and usually only MAC address spoofing is required to gain full access.

4.3.6 Effects

This category is similar to the category of "Results" in [19]. According to Howard and Longstaff [19]: "the logical end of a successful attack is an unauthorized result. At this point, an attacker has used a tool to exploit a vulnerability in order to cause an event to take place." We divide unauthorized results into the following categories:

Disclosure of information
Exposure of information to anyone who is not authorized to access that information.

Theft of resources
Unauthorized use of computer or network resources.

4.3.6.3 Denial of service
Intentional degradation or blocking of computer or network resources.

4.3.6.4 Corruption of information
Unauthorized alteration of data on a computer or network.

4.3.7 Precautions

The best way to prevent an attack on your wireless network is to be secure from the start. This means designing a secure installation, maintaining firewalls and server logs, and continually patrolling your network for possible points of attack. A secure wireless network is one which takes as many precautions as possible [23]. We have added precautions for every attack.

4.3.8 Network Type

A wireless network operates in one of two modes:

Ad hoc mode
In ad hoc mode, each station has a peer-to-peer connection with the other stations and communicates directly with other stations within the network. No access point is involved in this type of network. All stations can send beacon and probe frames. The stations in ad hoc mode form an Independent Basic Service Set (IBSS).

Infrastructure mode
A station in infrastructure mode communicates only with an AP. A Basic Service Set (BSS) is a set of stations that are logically associated with each other and controlled by a single AP. Together they operate as a fully connected wireless network. The BSSID is a 48-bit number of the same format as a MAC address. This field uniquely identifies each BSS. The value of this field is the MAC address of the AP.

5 Evaluation Of Proposed Taxonomy
  25. 25. 5.1 Wireless Attacks Categorization 5.1.1 War Driving War driving is the act of traveling around public areas and randomly accessing 802.11 wirelessaccess points with less security. StageThe stage of the war driving is Discovery/probing because it sends probe request or sniff packetsby probing to have SSID(Service Set Identifier).When attacker gains SSID it may launch otherattacks by behaving as a rogue access point. Discovery is described before in detail in section4.3.1.1. Power consumptionIn this attack, attacker just discover the existence of wireless network .This attack does not effectpower consumption of the wireless network it discovers. LayersThis attack occur on both physical and data link layer. All communication ultimately takes place atphysical layer and frames are created and sent at data link layer. War drivers sniff these frames andmake attack possible.This attack is a prime example of a vulnerability with both layer one and twoelements involved[4] Attributes UtilizedAfter sending probe request attacker may receive probe response.After discovering wireless LAN,attacker may authenticate with the access point. When it becomes authentic as a station or anaccess point,it may launch other attacks i.e. rogue access point attack where an attacker violatesthe access control Security attributes[5]. Flaw UtilizationWar driving utilize the flaw of openness of medium which may include broadcasting of SSID(through beacon frames), keeping factory default SSID(Service Set Identifier),unencryptedcommunication,Not filtering MAC addresses that are allowed to connect to specific A.P.Moreover
  26. 26. attacker make use of the fact that management frames are completely unauthenticated EffectsBy this attack,attacker come to know Basic service set id,whether WEP() is enabled or notalongwith MAC address of wireless device[2]. Many attacks can be done based on war driving forexample rogue access point, denial of service attacks. PrecautionsFor controlling war driving,following precautionery steps are to be taken: Change the default Admin password on your Access Point. Check if the firmware for your Wireless Access Point and drivers for your Wireless Adapter(s) are up to date. Update if necessary. Keep checking for new releases in the future. Use a high level of encryption Use WLAN security tools for securing the wireless network. Use a proxy (In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers) with access control for outgoing requests. Regularly test the security of your wireless network, using the latest war driving tools (the same tools the attacker will use). Dont use these tools on other networks, and always check local laws and regulations before using any war driving tools[6]. Network-TypeThis attack can occur on all type of wireless network whether networks are in ad hoc orinfrastructure mode.5.1.2 Rogue Access Point StageThe stage on which it occur is ―Discovery/probing‖ state of unassociated un authenticated,because Rogue Access point masquerade as an authenticated access point by using MAC addressand SSID of authenticated access point which it gains by sending probe request to the openwireless network. Power consumptionIn this attack an unautherize access point sends probe requests to be an autherize access point.Inthe act of doing this,it can degrade power of the original access point.
  27. 27. LayersThis attack use the vulnerabilities of physical layer and data link layer .At physical layer, physicalmedium for transmition is air which is open for any one to access. This is the reason that wirelessnetworks are harder to secure, it is needed to make link layer protection powerful that isresponsible for data encryption and user authentication. This attack starts from sending proberequest to take SSID and MAC address of authenticated access point, to act as a legitimate accesspoint after authentication due to unsecured or weak security at data link layer. Attributes UtilizedIt violates the access control attribute as access control means to prevent unauthorized use ofservices and when this attack occur it may leads the unauthorized access of resources[7]. Flaw UtilizationThis uses the flaw of expose medium in which Attacker can easily access the medium due to poorauthentication method.MAC addresses of the A.Ps can be forged by sending probe request and canget BSSID and MAC.[2]WEP is vulnerable to attack.(Wired Equivalent Privacy (WEP) is part ofthe 802.11 specification in which we use keys for encrypting data between A.P and station). Aswith WEP encryption, sniffing is eliminated but when we use weak WEP encryption technique itwill be possible [9]. EffectsThe result of this attack is data leakage,when it masqurade as a lagitimate access point it cancommunicate with any other station in the network and can take any kind of required data for itspurpose.When rogue access point act as a client it can get free internet access.Rogue access pointattack can also cause the Denial of service attack ,Man in the Middle attack and Evil twin A.Pattack. PrecautionsTo prevent this attack we should validate new joining access point according to their MACaddresses this technique is called distributed management Access point. 
In this technique allAccess point of the network should have the list of all access points with their MAC addresses bythis process whenever a rogue access point try to join its MAC address fist checked and then allowjoining [8].Public secure packet forwarding (PSPF) is a feature that can be enabled on WLAN access points toblock wireless clients to communicate with other wireless client with the same wireless segment inthis way when a rogue access point try to communicate with other clients in the same network itwill be bloked [23].
Network-Type
It is possible on all types of wireless network. In infrastructure mode the attacker acts as an access point with the MAC address of the original access point but a stronger signal, and all stations in the network associate with it because of that stronger signal. In ad hoc mode, where communication is peer-to-peer, a rogue access point acts as a client that can communicate directly with other stations in the same network segment.

5.1.3 Probe Request Flood attack
Probe request frames are used by stations to actively scan an area in order to discover existing wireless networks. Any AP receiving a probe request frame must respond with a probe response frame containing information about the network, so that the station can associate. Probe requests are explained further in an earlier section. Probe request flooding occurs when an attacker sends a burst of probe request frames very quickly, each with a different source MAC address, to simulate the presence of a large number of scanning stations in the area. This places a heavy workload on the AP.

Stage
The probe request flood attack occurs at the discovery stage, because it uses probe frames, which are exchanged at the discovery stage.

Power consumption
This attack causes considerable power consumption, because the AP (in infrastructure mode) or a station (in ad hoc mode) is continuously busy answering probe request frames with probe response frames.

Layers
The probe request flood attack uses vulnerabilities of the MAC layer (explained further in 5.1.5.6), since frames are transmitted at this layer. The attacker transmits probe request frames with different MAC addresses one after another.

Attributes Utilized
The probe request flood attack leads to loss of availability. Its goal is to keep network services or resources unavailable to authorized users.
Flaw Utilization
The attacker exploits a design flaw. A design flaw attack uses a protocol to violate the assumptions of normal network behaviour while the protocol specification itself remains unchanged [11].
Likewise, in this attack the normal operation of probe frames is disturbed. By identifying message sequences that could lead to an attack on the AP, the attacker finds that the management frames of the 802.11 protocol are the most suitable for flooding, because any management frame sent to an AP triggers processing and therefore consumes computational resources. The scheme is simple: each request message sent by a station must be answered with a response message from the AP.

Effects
The aim of the probe request flood attack is to largely reduce or completely deny the normal services provided by a network or host. It causes denial of service because it uses up the network's resources and can force the AP to stop serving legitimate stations. The workload on the AP increases, wasting computing power and memory.

Precautions
The most fundamental protection against DoS is developing and maintaining strong security practices. Implementing and updating firewalls, maintaining up-to-date virus protection, installing current security patches, ensuring strong passwords and turning off network devices when they are not needed should be routine for every organization. Note that most of these generic measures do not stop a link-layer probe flood, which never reaches a firewall; the measures that apply directly are a wireless intrusion detection system that alerts on bursts of probe requests, such as AirDefense or AirMagnet, and access point firmware that rate-limits probe responses.

Network-Type
This attack occurs in both ad hoc and infrastructure modes. In ad hoc mode any station floods another station with bursts of probe request frames; in infrastructure mode the attacker sends consecutive probe requests to an AP.

5.1.4 Forced deauthentication/disassociation attack

Stage
This attack occurs when a station has already passed through the authentication and association stages, as depicted in the figure.

Power consumption
Power is consumed because after this attack re-authentication and re-association are required, which take energy.
Layer
This attack occurs at the data link layer of the OSI model, where frames are transmitted. In a deauthentication/disassociation attack the attacker transmits spoofed frames carrying the source address of the access point. The recipients of these frames are disconnected from the network and try to reconnect [55]. The other way to leave the network is for a wireless station itself to send a deauthentication or disassociation frame to the access point.
Figure: A deauthentication attack on an open wireless network

Attributes Utilized
The attacker destroys the integrity of the victim's station, since data integrity addresses the threat of unauthorized manipulation of data (details in an earlier section). The message that appears to originate from the victim's station is in fact forged by the attacker, who keeps the victim's MAC address; in other words the attacker makes an unauthorized manipulation of the victim's messages. The access point interprets the message as coming from the client, although it was sent by the attacker. Thus the attack leads to integrity failure.

Flaw Utilization
The attacker exploits a design flaw. Two frames are involved in this attack, deauthentication and disassociation frames. Both are sent unencrypted and are not authenticated by the access point. This vulnerability allows an attacker to launch the attack simply by spoofing these frames [56]; the attacker does not even need to break the authentication protocol or obtain the shared secret keys between the stations and the AP.

Effects
After a deauthentication or disassociation attack, communication between wireless devices and their access points is cut. To communicate again the devices must reconnect with the access point, which delays communication and consumes power. If this attack
continues for a long time it amounts to a persistent denial of service. If the attacker sends a disassociation frame, the victim clients must set up a new association with the AP. Although the deauthentication and disassociation frames are similar, spoofing the deauthentication frame is more effective, because the stations and the access point must then perform authentication again before connectivity is restored.

Precautions
A number of defences against this attack have been proposed [56], each with drawbacks that are covered in detail there. The important ones are:
• eliminating the deauthentication and disassociation frames, or honouring them only after a fixed interval of time;
• detecting spoofed frames based on the frame sequence number;
• a lightweight authentication protocol for management frames, for example using one bit for authentication;
• modifying the current authentication framework so that deauthentication and disassociation frames are themselves authenticated.
The last approach is what the later IEEE 802.11w amendment (protected management frames) standardized.

Network-Type
This attack mostly occurs in infrastructure networks, because association exists only in infrastructure networks (see the section on authentication and association). If a station (STA) wants to disassociate from an AP it sends a disassociation frame to that AP; if it wants to leave the network gracefully it sends a deauthentication frame. Similarly, when the AP wants to disconnect a client it sends a disassociation frame to that client, and when it wants to disconnect all STAs it broadcasts the disassociation frame to all clients.
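Both the probe request flood of 5.1.3 and the deauthentication/disassociation storm of 5.1.4 are visible on the air as an abnormal rate of management frames, which is what a wireless intrusion detection system counts. The following is an added example (not code from the thesis, nor from AirDefense or AirMagnet) of that rate-based detection over a constructed capture: the MgmtFrame record, the window length and the thresholds are assumed values, and a real detector would fill the records from a monitor-mode capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    """The fields of an 802.11 management frame that the detector needs (constructed records)."""
    t: float        # capture time in seconds
    subtype: str    # "probe_req", "deauth" or "disassoc"
    src: str        # transmitter address
    dst: str        # receiver address
    bssid: str


def detect_floods(frames, window=1.0, probe_limit=50, probe_unique_limit=20, deauth_limit=5):
    """Sliding-window counters over a frame sequence; returns [(time, kind, detail), ...].

    probe_flood : more than probe_limit probe requests from more than probe_unique_limit
                  distinct source addresses inside one window (a genuine scan is a handful)
    deauth_flood: more than deauth_limit deauthentication/disassociation frames from one
                  transmitter inside one window; a source equal to the BSSID, sent to the
                  broadcast address, is the signature of the attack in 5.1.4
    Each condition is reported at most once per window so a long storm gives one alert.
    """
    alerts = []
    probe_win = deque()               # (time, src) of probe requests inside the window
    deauth_win = defaultdict(deque)   # src -> times of deauth/disassoc frames inside the window
    last_alert = {}
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype == "probe_req":
            probe_win.append((f.t, f.src))
            while probe_win[0][0] < f.t - window:
                probe_win.popleft()
            distinct = len({src for _, src in probe_win})
            if len(probe_win) > probe_limit and distinct > probe_unique_limit:
                if f.t - last_alert.get("probe_flood", float("-inf")) >= window:
                    alerts.append((f.t, "probe_flood",
                                   f"{len(probe_win)} probe requests from {distinct} addresses in {window}s"))
                    last_alert["probe_flood"] = f.t
        elif f.subtype in ("deauth", "disassoc"):
            q = deauth_win[f.src]
            q.append(f.t)
            while q[0] < f.t - window:
                q.popleft()
            if len(q) > deauth_limit:
                key = ("deauth_flood", f.src)
                if f.t - last_alert.get(key, float("-inf")) >= window:
                    spoofed_ap = " claiming to be the AP" if f.src == f.bssid else ""
                    broadcast = " to broadcast" if f.dst == BROADCAST else ""
                    alerts.append((f.t, "deauth_flood",
                                   f"{len(q)} {f.subtype} frames from {f.src}{spoofed_ap}{broadcast} in {window}s"))
                    last_alert[key] = f.t
    return alerts


def constructed_mgmt_capture():
    """Constructed traffic: one honest scanner, then a probe flood, then a forged deauth storm."""
    ap = "aa:bb:cc:00:00:01"
    frames = [MgmtFrame(0.1 * i, "probe_req", "11:22:33:44:55:66", BROADCAST, BROADCAST) for i in range(3)]
    # 200 probe requests in half a second, each from a different made-up address
    frames += [MgmtFrame(5.0 + i * 0.0025, "probe_req", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
                         BROADCAST, BROADCAST) for i in range(200)]
    # 20 broadcast deauthentication frames forged with the AP's own address in 0.2 s
    frames += [MgmtFrame(10.0 + i * 0.01, "deauth", ap, BROADCAST, ap) for i in range(20)]
    return frames


if __name__ == "__main__":
    for t, kind, detail in detect_floods(constructed_mgmt_capture()):
        print(f"{t:8.3f} {kind}: {detail}")
```

The thresholds are the tuning knobs: a lobby full of phones scanning at once raises the legitimate probe rate, and an AP that kicks a misbehaving client sends a single deauthentication frame, not dozens per second, so the distinct-address test and the per-transmitter deauth count are what separate the attacks from normal management traffic.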
5.1.5 MAC Address Spoofing
A MAC address (also called the physical or link address) identifies a node on its local area network (LAN). It is placed in the frame by the data link layer [61]. The MAC address of a station is used as an authentication mechanism for granting various levels of network or system privilege to a user, and this method of client authentication by MAC address is also employed in 802.11 wireless networks. Attackers targeting wireless LANs have the ability
to change their MAC address to pass through network security measures [60]. The original MAC address is burnt into the network card and cannot be changed, but the operating system can present a different MAC address for the network interface card. After sniffing legitimate MAC addresses out of the air on a network that uses MAC address filtering, the attacker spoofs the MAC address of an authorized user.

Stage
MAC address spoofing can occur at any stage. An attacker who is not authenticated and associated can launch it to gain access to system resources used by an authenticated and authorized user; an attacker who is authenticated and associated can launch it to obtain sensitive information intended for the victim station.

Power consumption
When an attacker spoofs the MAC address of an authorized user, the traffic generated under that address also burdens the targeted node, so power is consumed in this attack.

Layers
MAC address spoofing, as the name indicates, uses the attributes of the MAC layer, namely MAC addressing. The attack also affects other layers; for example it disturbs the routing mechanism of the network layer (see the effects below).

Attributes Utilized
Spoofing defeats access control mechanisms, as it gives access to unauthorized users.

Flaw Utilization
The attacker uses a design flaw. Nearly all 802.11 cards in use permit their MAC address to be altered, often with full support and drivers from the manufacturer. With Linux open-source drivers a user can change the MAC address with the ifconfig tool or with a short C program [60].

Effects
This attack is used for any of the following purposes, depending on the attacker's intent [60].

Hiding the presence of the attacker's station
An attacker might change their MAC address in an attempt to pass through a network intrusion detection system (NIDS).
A common example is an attacker running a brute-force attack script with a random MAC address for each successive connection attempt.

Bypassing access control lists
Administrators typically have the option to configure access points or neighbouring routers to
permit only registered MAC addresses to communicate on the network. An attacker can circumvent this form of access control by passively monitoring the network and compiling a list of MAC addresses that are authorized to communicate. With that list in hand, the attacker is free to set their MAC address to any of the authorized addresses, bypassing the intended security mechanism.

Impersonation of an authenticated user
Certain hardware WLAN security gateways rely on matching user authentication credentials to the source MAC address of a client. After a user has successfully authenticated, the security gateway permits traffic based on a dynamic list of authorized MAC addresses. An attacker wishing to circumvent the device only needs to monitor network activity for an authorized client MAC address and then change their own MAC address to match the authenticated client before communicating on the network.

Launching denial of service attacks
MAC spoofing can also trigger a denial of service (DoS) by causing routing problems through duplicated MAC addresses in the network. Duplicating the MAC address of the gateway or the BSSID (Basic Service Set Identifier) of an access point in particular leads to routing problems.

Precautions
The attack can be countered by using encryption and wireless intrusion prevention systems. Another approach is to compare the unique signatures exhibited by the radio signals of each wireless device against the known signatures of pre-authorized devices [62]. Moreover, MAC-based authentication should never be used alone; it should be combined with EAP.
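Changing a MAC address is trivial, as the section says, but a second radio transmitting under a stolen address betrays itself in the 802.11 sequence control field: each radio keeps its own 12-bit frame counter, so interleaved frames from two radios under one address jump back and forth. This is the sequence-number detection listed among the precautions of 5.1.4, applied here to MAC spoofing as well. The following is an added example (not code from the thesis or from the cited work) over constructed frame tuples; the thresholds are assumed values, and the method is a heuristic: a careful attacker can track and mimic the victim's counter, and some drivers keep separate counters per QoS traffic class, so it should feed an alert, not a block.

```python
from collections import defaultdict

SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit wrapping counter


def seq_gap(previous, current):
    """Forward distance from previous to current on the wrapping 12-bit counter."""
    return (current - previous) % SEQ_MODULUS


def detect_duplicate_transmitters(frames, max_forward_gap=64, min_events=3):
    """frames: (time, transmitter_mac, seq_no, retry_flag) tuples in capture order.

    A single radio advances its counter by one per frame, repeats a number only on a
    retransmission (retry flag set) and loses at most a few numbers to frames we missed.
    A jump backwards shows up as a gap close to 4096 and means another radio is sending
    with the same address. Returns {mac: [(time, previous_seq, seq), ...]} for addresses
    with at least min_events such jumps (the minimum filters isolated capture glitches).
    """
    last_seq = {}
    events = defaultdict(list)
    for t, mac, seq, retry in frames:
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            if gap == 0 and retry:
                continue                      # legitimate retransmission, counter not advanced
            if gap == 0 or gap > max_forward_gap:
                events[mac].append((t, last_seq[mac], seq))
        last_seq[mac] = seq
    return {mac: ev for mac, ev in events.items() if len(ev) >= min_events}


def constructed_seq_capture():
    """Constructed capture: an honest station with normal counter behaviour, and a victim
    whose address is also being used by an attacker with an unrelated counter value."""
    benign = "aa:aa:aa:aa:aa:aa"
    victim = "11:22:33:44:55:66"   # the attacker transmits under this same address
    frames = []
    # honest station: one retransmission, a small loss (4091 -> 4094) and a wrap at 4095 -> 0
    seqs = [4090, 4091, 4091, 4094, 4095, 0, 1]
    retries = [0, 0, 1, 0, 0, 0, 0]
    for i, (s, r) in enumerate(zip(seqs, retries)):
        frames.append((i * 0.01, benign, s, r))
    # victim's counter near 1000 interleaved with the attacker's counter near 200
    for i in range(6):
        frames.append((1.0 + i * 0.02, victim, 1000 + i, 0))
        frames.append((1.01 + i * 0.02, victim, 200 + i, 0))
    return sorted(frames)


if __name__ == "__main__":
    for mac, ev in detect_duplicate_transmitters(constructed_seq_capture()).items():
        print(mac, "seen with", len(ev), "backward sequence jumps, first:", ev[0])
```

Every switch between the two radios produces one event, so a spoofer that interleaves with its victim is flagged almost immediately, while the honest station's retransmission, loss and counter wrap all pass.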
Network-Type
MAC address spoofing occurs in both infrastructure and ad hoc mode, since both networks use MAC addresses.

5.1.6 Man In The Middle attack
A man in the middle attack is a form of active eavesdropping (in active eavesdropping the attacker not only listens to the transmission but can also modify the data packets). The attacker makes independent connections with the target nodes and relays messages between them, making them believe they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
Stage
The stage at which this attack occurs depends on the intent of the attacker and the scenario involved; the attacker may be authenticated or unauthenticated.

Power consumption
The attacker does not deliberately drain the hosts' power in this attack, so the power of the network is not affected beyond the re-authentication forced by the deauthentication step described below.

Layers
It is a multi-layer attack [5]. If the packets are encrypted only at the network layer (layer 3), the attacker can obtain the header information (sender's and receiver's addresses) from the data link layer and information about the encryption technique from the network layer [14]. The attacker then breaks the session between sender and receiver and places himself between them.

Attributes Utilized
In a man in the middle attack confidentiality is violated, since the attacker can read data transmitted between any two wireless devices. The attacker can also modify the messages it has captured, violating the integrity of the session between authorized users, since integrity is violated by unauthorized manipulation of data [14].

Flaw Utilization
The attacker exploits vulnerabilities of management frames. First he finds a client associated with an access point in the wireless network and obtains the channel information and MAC address of that client; he then forces the client to
disassociate from the access point by sending disassociation and deauthentication frames to the client station. Next he takes the SSID and MAC address of the original access point, learned by sniffing beacon frames, and broadcasts that SSID with a stronger signal; all clients in the same network segment then associate with the attacker.

Effects
A man in the middle (MITM) attack is carried out to hijack a connection or to sniff traffic. It can steal information and read or modify data for the attacker's purposes. Related outcomes are replay attacks, fake access points and 802.11 protocol manipulation.

Precautions
In recent years the threat of man in the middle attacks on wireless networks has increased, because it is no longer necessary to connect to the wire: a malicious party can sit outside the building intercepting packets, altering them and sending them on. The common remedy is to enforce mutual authentication and link-layer encryption across the wireless network. The sources cited here name Wired Equivalent Privacy (WEP) for the encryption, but as noted under the rogue access point attack and in [9], WEP itself can be cracked, so a stronger encryption mechanism should be used.

Network-Type
In infrastructure mode this attack is performed by spoofing an access point: the attacker deauthenticates and disassociates a client and then forces it to re-authenticate with an AP under the attacker's control.

5.1.7 Sleep deprivation attack
The idea behind this attack is to request the services a node offers over and over again, so that it can never enter an idle or power-saving state. This deprives the target node of its sleep [64]. The attack can be carried out by requesting excessive route discovery or by forwarding unnecessary packets to the victim node. A malicious user may interact with a node in an otherwise legitimate way, for no purpose other than consuming its battery energy.

Stage
This attack mostly occurs when the intruder is authenticated and able to send legitimate requests to the target node; the requests are sent purely to exhaust the target's power.
Power consumption
All of the victim's power is ultimately exhausted in this attack, leading to denial of service. The attack aims to maximize power consumption. Battery life is the critical parameter for many portable devices and many techniques are used to maximize it; sensor nodes in particular try to spend most of their time in sleep mode to save energy. In this environment energy exhaustion attacks are a real threat, and are far more damaging than better-known denial of
service threats such as CPU exhaustion: once the battery runs out the attacker can stop and walk away, leaving the victim disabled.

Layers
When the attacker sends packets or frames, the attack occurs at the MAC layer; when the attacker sends route discovery requests to consume energy, it occurs at the network (routing) layer.

Attributes Utilized
Availability is disrupted in a sleep deprivation attack: the attacker makes the services offered by the sensor nodes unavailable. Availability is discussed further in an earlier section.

Flaw Utilization
Wireless sensor nodes have limited battery power. If an attacker keeps them busy with excessive packets or requests, the nodes cannot perform their real work and instead spend their energy responding to the malicious user. The unattended nature of wireless sensor networks makes them more susceptible to this attack than wireless ad hoc networks, which can be under user control [58].

Effects
The effect of this attack is to maximize the power consumption of the target node, shortening its battery life. It also leads to denial of service, as the sensor nodes stop working once their energy is consumed [11]. Once the target's battery is exhausted and the node is disabled, the attacker looks for another victim. In telemedicine, for example, if a sensor is out of order because of low power, patient data can no longer be read and the network will not receive vital information.

Precautions
Measures to prevent such attacks are hard to take, but their effects can be reduced by prioritizing the functions of the targeted node, so that constant requests for low-priority services do not block high-priority requests.
Furthermore, resources can be shared unequally between different types of service. Much emphasis has been put on making it as hard as possible to intrude into a network; as we have seen, many attacks are only possible, or only effective, if the malicious party is a participant in the network, so it is very important to implement secure mechanisms for authenticating entities that enter the network [64].

Network-Type
Sleep deprivation attacks mostly occur in wireless ad hoc sensor networks but may be encountered in conventional or wired networks as well. Because the attack is most harmful to nodes with limited resources such as battery power, it mainly targets ad hoc sensor networks [64].
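The two mitigations above, prioritizing services and sharing resources unequally between them, can be expressed as a per-duty-cycle energy budget split between priority classes. The following is an added example (not code from the thesis or from [64]) that models a node under a constructed sleep deprivation workload with and without such a budget; the battery size, cycle budget, request costs and share fractions are assumed values chosen to make the comparison visible, not measurements of any real sensor.

```python
from collections import defaultdict


class BudgetedNode:
    """Battery-powered node that serves requests from a per-cycle energy budget.

    shares maps a priority class to the fraction of the cycle budget it may spend; with
    shares=None every request is served until the battery is empty (the unprotected case).
    """

    def __init__(self, battery_mj, cycle_budget_mj, shares):
        self.battery = battery_mj
        self.cycle_budget = cycle_budget_mj
        self.shares = shares
        self.spent = defaultdict(float)   # energy spent per class in the current cycle
        self.served = defaultdict(int)
        self.dropped = defaultdict(int)

    def new_cycle(self):
        """Called when the node wakes for a duty cycle; between cycles it sleeps."""
        self.spent.clear()

    def handle(self, priority, cost_mj):
        """Serve one request of the given class if its share and the battery allow it."""
        allowance = float("inf") if self.shares is None else self.cycle_budget * self.shares[priority]
        if cost_mj > self.battery or self.spent[priority] + cost_mj > allowance:
            self.dropped[priority] += 1
            return False
        self.spent[priority] += cost_mj
        self.battery -= cost_mj
        self.served[priority] += 1
        return True


def run_attack(node, cycles=50, low_per_cycle=100, high_per_cycle=5, cost_mj=1.0):
    """Constructed workload: every cycle an attacker fires low_per_cycle cheap low-priority
    requests while legitimate peers make high_per_cycle high-priority requests."""
    for _ in range(cycles):
        node.new_cycle()
        for _ in range(low_per_cycle):
            node.handle("low", cost_mj)
        for _ in range(high_per_cycle):
            node.handle("high", cost_mj)
    return node


def compare():
    """Same battery and workload; only the budget policy differs."""
    unprotected = run_attack(BudgetedNode(1000.0, 20.0, None))
    budgeted = run_attack(BudgetedNode(1000.0, 20.0, {"high": 0.7, "low": 0.3}))
    return unprotected, budgeted


if __name__ == "__main__":
    for name, node in zip(("unprotected", "budgeted"), compare()):
        print(f"{name:12s} battery left {node.battery:7.1f} mJ, high served {node.served['high']}, "
              f"high dropped {node.dropped['high']}, low served {node.served['low']}")
```

The unprotected node answers every request and is dead before the tenth cycle, taking the high-priority service down with it; the budgeted node still drops the attacker's surplus, but the drops land on the low-priority class, the high-priority requests are all served, and the node keeps sleeping between cycles with almost half its battery intact at the end of the run.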
5.1.8 Wormhole Attack
In this attack an attacker captures packets at one location in the network and tunnels them to another location. The tunnel is created between two or more colluding malicious nodes that are linked through a hidden network connection, for example using long-range directional antennas [18]. The tunnelled packets are then replayed at the other point in the network.

Stage
In this attack the attacker may be unauthenticated and unassociated. The malicious nodes involved enter the network during its establishment or operation phase, or arise from compromising an existing node. The attacker uses only the discovery stage, to discover networks and select a target. The compromised nodes that transfer traffic from one location to the other may be authenticated, because they can only receive packets from other nodes if they are authenticated in the network; if mutual authentication is absent, the nodes need not be authenticated at all. Moreover, an attacker can spoof a MAC address in order to pretend to be an authenticated user.

Power consumption
Wormhole attacks also increase the time taken for data to reach its destination. Power consumption rises because of the extra node-to-node transmissions introduced when one wormhole node attracts packets near the base station and replays them at the other end, far from the base station [65].

Layers
The wormhole attack acts against ad hoc routing algorithms. Since routing is done at the network layer, the attacker disrupts the attributes of that layer. If the attacker also spoofs the MAC address of an authenticated user, both the MAC layer and the network layer are involved in the attack.

Attributes Utilized
The severity of the wormhole attack comes from the fact that it is difficult to detect and is effective even in a network where confidentiality, integrity, authentication and non-repudiation are preserved.

Flaw Utilization
The wormhole attack exploits the broadcast nature of radio waves. Ad hoc network routing protocols are particularly vulnerable to it. For example, launching the wormhole against a routing protocol lets the attacker tunnel each route request packet transmitted during the route discovery phase straight to the destination node, so that no route other than the one through the wormhole can be discovered. The attacker thus appears to know the shortest path to the destination, which gives it an exceptionally high probability of being chosen to forward packets. It can then discard all packets, leading to a denial of service attack [18]. Because of the nature of wireless transmission, the attacker can create a wormhole even for packets not addressed to itself, since it can overhear them and tunnel them to the colluding attacker at the opposite end of the wormhole.

Effects
The wormhole attack lets an adversary create paths with lower hop counts that appear more desirable than legitimate routes. Wormholes can be used to analyse the traffic through the network (eavesdropping) or to drop packets selectively or completely; when the attacker discards all packets the result is denial of service.
Precautions
A wormhole attack can be mounted with few resources and is difficult to detect. Techniques such as localization schemes and packet leashes can prevent wormhole attacks. Localization systems verify the relative locations of nodes in a wireless network; packet leashes restrict a packet's maximum allowed transmission distance.

Network-Type
The wormhole attack is particularly dangerous against many ad hoc network routing protocols. Neighbour discovery is an important part of every ad hoc network, which is why wormhole attacks succeed in these types of wireless network.
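The packet leashes mentioned above are defined in [11] (Hu, Perrig and Johnson) in two forms. A geographic leash has the sender include its position p_s and send time t_s, and the receiver at p_r, receiving at t_r, bounds the sender's distance by d_sr <= ||p_s - p_r|| + 2v(t_r - t_s + Δ) + 2δ, where v is the maximum node speed, Δ the clock synchronization error and δ the position error; if the bound exceeds the radio range the packet travelled more than one hop and is dropped. A temporal leash relies on radio propagation at the speed of light: a packet received more than (range / c) after it was sent, allowing for Δ, was tunnelled. The following is an added example (not code from the thesis or from [11]) of both checks on constructed coordinates and timestamps; the range, speed and error figures are assumed values.

```python
import math

SPEED_OF_LIGHT_MPS = 299_792_458.0


def geographic_leash_ok(p_s, t_s, p_r, t_r, v_max, clock_err, pos_err, radio_range):
    """Geographic leash from [11]: the receiver bounds the sender's distance by
        ||p_s - p_r|| + 2 * v_max * (t_r - t_s + clock_err) + 2 * pos_err
    and accepts the packet only if that bound fits within one radio hop."""
    bound = math.dist(p_s, p_r) + 2 * v_max * (t_r - t_s + clock_err) + 2 * pos_err
    return bound <= radio_range


def temporal_leash_ok(t_s, t_r, clock_err, radio_range):
    """Temporal leash from [11]: radio signals travel at c, so a packet whose transit
    time (plus the clock error) covers more than radio_range travelled more than one hop.
    At 300 m this is a microsecond budget, so clocks must be synchronized to well under that."""
    return (t_r - t_s + clock_err) * SPEED_OF_LIGHT_MPS <= radio_range


def accept_packet(pkt, receiver, v_max=2.0, clock_err=1e-3, pos_err=5.0, radio_range=250.0):
    """Geographic-leash check of a packet carrying the sender's position and send time.
    pkt and receiver are dicts with 'pos' (x, y in metres) and 't' (seconds); the defaults
    are assumed parameters for a slow-moving sensor network with millisecond clock sync."""
    return geographic_leash_ok(pkt["pos"], pkt["t"], receiver["pos"], receiver["t"],
                               v_max, clock_err, pos_err, radio_range)


def constructed_scenarios():
    """Two constructed cases: a genuine one-hop neighbour 200 m away, and the same packet
    replayed by a wormhole endpoint 1500 m from the original sender."""
    sent = {"pos": (0.0, 0.0), "t": 1.0}
    neighbour = {"pos": (120.0, 160.0), "t": 1.001}
    far_end = {"pos": (900.0, 1200.0), "t": 1.001}
    return {
        "neighbour_geo": accept_packet(sent, neighbour),
        "wormhole_geo": accept_packet(sent, far_end),
        # temporal leash with 100 ns clock error: 500 ns transit (about 150 m) vs 10 us (about 3 km)
        "neighbour_temporal": temporal_leash_ok(1.0, 1.0 + 5e-7, 1e-7, 250.0),
        "wormhole_temporal": temporal_leash_ok(1.0, 1.0 + 1e-5, 1e-7, 250.0),
    }


if __name__ == "__main__":
    for name, ok in constructed_scenarios().items():
        print(f"{name:20s} {'accept' if ok else 'drop'}")
```

The geographic leash tolerates millisecond clock errors because it only needs node speed times the error to be small against the radio range; the temporal leash needs sub-microsecond synchronization, which is why [11] proposes both. Neither check is of any use unless the position and timestamp fields are authenticated, since a wormhole endpoint that can rewrite them simply claims the receiver's own neighbourhood.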
5.1.9 Traffic Analysis
Traffic analysis means using the traffic data of a communication to extract information. There are many techniques; for example an attacker can manipulate the routing tables of a network so that traffic is forced through a specific device that analyses it.

Stage
Traffic analysis is possible at the discovery/probing stage, when an access point broadcasts its service set identifier (SSID) to identify itself to wireless nodes seeking access to the network. The attacker masquerades as such a node and associates with the access point; once inside the network it can analyse traffic and manipulate routing tables as well.

Power consumption
In this attack the attacker only analyses traffic, so the attack does not consume power.

Layers
This attack occurs at the data link layer and the network layer. From the data link layer header the attacker obtains source and destination addresses, and from the network layer header the IP addresses of hosts [63].

Attributes Utilized
Traffic analysis causes loss of confidentiality. After authentication the attacker analyses the network's traffic and manipulates routing tables.

Flaw Utilization
Because of the openness of the exposed wireless medium, the attacker can easily access a wireless network that has poor authentication.

Effects
From the data link layer header the attacker obtains source and destination addresses, and from the network layer header the IP addresses of hosts [63], so information is disclosed.
The attacker can also redirect traffic after associating with the access point.

Precautions
A wireless intrusion detection system (IDS), or monitoring the network with products such as AirDefense, helps detect the active variants of traffic analysis, such as rogue associations and routing manipulation; a purely passive sniffer cannot be detected on the air. Directional antennas, lowering the AP's broadcast range and turning off SSID broadcasting reduce what an attacker outside the premises can capture, and a strong encryption mechanism is the best countermeasure, since it leaves the analyst with addresses and volumes only.

Network-Type
Traffic analysis can occur in both infrastructure and ad hoc mode.

5.2 Table

Chapter 6
Conclusion
Since the invention of wireless networks, attackers have found various ways to attack them. This research has focused on wireless network attacks and on providing a taxonomy of them to help combat new attacks. Chapter 1 gave a brief introduction to the taxonomy along with a description of attacks. Chapter 2 discussed a wide range of wired and wireless attacks in order to lay a foundation for the proposed taxonomy; a taxonomy requires knowledge of the area being classified, so examining the attacks was essential. Chapter 3 examined and critically evaluated existing taxonomies, and defined the requirements for the new taxonomy with the help of past research. Chapter 4 explained the proposed taxonomy, which consists of eight categories for classifying attacks, both general and specific, each divided further into
sub-categories. The first category covers the stage at which an attack occurs and is divided into three sub-categories: discovery, authentication and association. The second category is the one most specific to wireless networks and is particularly important for attacks on battery-powered ad hoc wireless devices. The third category covers the layers that are specific to wireless networks, namely the physical, MAC and routing/network layers. The fourth classifies attacks by the attributes the attacker disrupts. The fifth classifies attacks by the flaws the attacker utilizes to make the attack possible. The sixth describes the effects of the attacks, the seventh the precautionary measures against them, and the last classifies attacks by the type of network attacked. Chapter 5 evaluated the proposed taxonomy by classifying wireless attacks according to these categories.
A taxonomy allows a better understanding of attacks, and better understanding allows better defence. The proposed taxonomy will benefit the security of networks and computers because it provides a more systematic way of understanding attacks.

Chapter 7
References
1. Jonathan Weiss, "Wireless Networks: Security Problems and Solutions".
2. Vinay M. Igure and Ronald D. Williams, University of Virginia, "Taxonomies of Attacks and Vulnerabilities in Computer Systems".
3. "Study of the Impact of Wormhole Attacks on DV-Hop Positioning in Wireless Sensor Networks".
4. Refik Molva and Pietro Michiardi, "Security in Ad hoc Networks".
5. Colonel Donald J. Welch, Ph.D. and Major Scott D. Lathrop, "A Survey of 802.11a Wireless Security Threats and Security Mechanisms", technical report to the Army G6 Investigators.
6. Roney Philip, "Securing Wireless Networks from ARP Cache Poisoning", May 2007.
7. Anthony D. Wood and John A. Stankovic, "Denial-of-Service Attacks in Wireless Sensor Networks".
8. Zhe Chen, Shize Guo, Kangfeng Zheng and Yixian Yang, "Modeling of Man-in-the-Middle Attack in the Wireless Networks".
9. S. Vinjosh Reddy, K. Rijutha, K. Sai Raman and Sk. Mohammad Ali, "Wireless Hacking: A WiFi Hack by Cracking WEP".
10. Erica Simcoe, Hirsh Goldberg and Mehmet Ucal (advisor: Dr. Sennur Ulukus), "An Examination of Security Algorithm Flaws in Wireless Networks".
11. Yih-Chun Hu, Adrian Perrig and David B. Johnson, "Wormhole Attacks in Wireless Networks", IEEE.
12. Rajani Muraleedharan and Lisa Ann Osadciw, "Jamming Attack Detection and Countermeasures in Wireless Sensor Network Using Ant System".
13. Usman Yaseen, Ali Zahir, Faraz Ahsan and Sajjad Mohsin, Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan, "Estimating the Effects of Jammers via Conservation of Flow in Wireless Ad Hoc Networks".
14. S. Bajvah and K. Khan, "Grouped Black Hole Attacks Security Model for Wireless Ad hoc".
15. Vijay Srinivasan, University of Virginia, "Protecting your Daily In-Home Activity Information from a Wireless Snooping Attack".