1. Overview
With the development of information technology, a variety of network security problems have emerged. Although WLANs are easy to expand, flexible to use and economical, their reliance on radio-frequency transmission makes them particularly vulnerable. Wireless networks based on IEEE 802.11 are widely used, which has also made them an attractive target. Because of serious flaws in the WEP encryption mechanism and authentication protocol of IEEE 802.11, a series of extension protocols has been created to strengthen access control and confidentiality in wireless networks. Wireless networks nevertheless remain vulnerable to attack because of their openness, and distributed denial-of-service (DDoS) attacks are the hardest to detect and control. Every layer of a WLAN can be attacked by DDoS.
2. DDoS attacks at the physical layer
The IEEE 802.11 protocol defines two medium access control methods for access to the wireless channel. One is a contention-based mode built on the distributed coordination function (DCF), which provides asynchronous communication; the other is a contention-free mode built on the point coordination function (PCF), which provides synchronous communication. Current 802.11 wireless devices almost all communicate using DCF.
In DCF, 802.11 uses the carrier sense multiple access with collision avoidance (CSMA/CA) mechanism to share the wireless medium. Its basic idea is to have the sender trigger the receiver to emit a short frame, so that stations near the receiver can detect the upcoming transmission and will not send data to the receiving station during that period. This mechanism is implemented through the clear channel assessment (CCA) procedure of the physical layer, which determines whether the channel is idle from the strength of the received signal energy. Every time the channel changes from idle to busy or from busy to idle, the physical layer convergence procedure (PLCP) of the physical layer issues the primitive PHY-CCA.indicate(STATE), where STATE is the status variable: its value is BUSY when the PLCP detects a busy channel and IDLE otherwise. An attack on this mechanism is simple but highly efficient, and requires no special equipment or technology. In addition, the attacking device does not need high transmit power, so it is difficult to find and locate the attacker. The Australian Computer Emergency Response Team (AusCERT) has announced a DDoS attack that is implemented using the CCA mechanism and a test mode (PLME-DSSSTESTMODE) provided by the 802.11 physical layer management entity (PLME). It targets the physical layer of wireless devices operating in direct sequence spread spectrum (DSSS) mode, including IEEE 802.11, 802.11b and low-speed (less than 20 Mbps) 802.11g devices that use DSSS.
3. DDoS attacks at the MAC layer
In 802.11 networks, communication control mechanisms such as RTS/CTS are adopted to solve problems such as hidden stations and frame collisions. In WPA, the message integrity code (MIC) mechanism is used to prevent forgery of messages. These mechanisms improve the performance of the network, but they also bring new security risks.
In the 802.11 protocol, CSMA/CA is used to achieve multiple access.
To prevent one node from occupying the channel for a long time and keeping other nodes from transmitting, each node must wait for one short interframe space (SIFS) after sending a MAC protocol data unit (MPDU). The core idea of the MAC-based denial-of-service attack is to shorten the SIFS of the attacking device by modifying the program of its communication module; the attacker then occupies the channel with high probability, delaying the communication of legitimate nodes.
CSMA/CA introduces the RTS/CTS control mechanism to solve the hidden node problem; it reserves the channel for a node for a certain time. A node that wants to send data must first send the destination node an RTS frame containing the node's ID and a duration field. The duration field announces how long the channel should be reserved for that node's subsequent data transfer, and each node uses a network allocation vector (NAV) to track the remaining reservation time, which has a maximum value of 2^15 - 1. A node can send data only when NAV = 0, and the NAV is updated from the duration value. Once the destination node receives an RTS frame from a node, it immediately responds with a CTS frame, which also contains the ID and the duration field. Other nodes within range update their NAV from the CTS frame, which resolves the conflicts caused by hidden nodes. This RTS/CTS policy can easily be abused for a denial-of-service attack. If an attacker keeps sending RTS frames with a large duration value, then under CSMA/CA the legitimate nodes that receive them respond with CTS frames and give up control of the channel soon after responding. Because legitimate nodes wait for a SIFS or even a DIFS before sending data frames again while the attacker keeps sending RTS frames, the legitimate nodes cannot obtain a time slot; combined with the effect of the CTS frames sent by these nodes, the channel ends up occupied almost entirely by the attacker. This attack can therefore severely reduce the communication efficiency of the nodes in the affected WLAN.
In addition, the integrity check value (ICV) in 802.11 is designed to ensure that data in transit has not been corrupted by noise and other physical factors, so it uses a relatively simple and efficient CRC algorithm. It has no security properties, however: an attacker can modify the ICV to match a tampered message.
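The RTS/NAV reservation abuse described above can be recognised in a capture and bounded at the receiver. The following is an added example, not part of the original article: it flags transmitters that reserve far more airtime than they use and compares how long a listener defers with and without a cap on accepted duration values. The record layout, the thresholds, the 3000 µs cap and the microsecond unit are assumptions, and the capture is constructed.

```python
from collections import defaultdict

NAV_MAX_US = 2**15 - 1  # maximum NAV value given in the text (unit assumed: microseconds)

# Constructed capture: (time_us, frame_type, transmitter, duration_us, airtime_us)
CAPTURE = [
    (0,      "RTS",  "sta-a", 1500,  50),
    (100,    "DATA", "sta-a", 0,     1200),
    (5000,   "RTS",  "sta-x", 32767, 50),
    (37000,  "RTS",  "sta-x", 32767, 50),
    (69000,  "RTS",  "sta-x", 32767, 50),
    (102000, "RTS",  "sta-b", 900,   50),
    (102100, "DATA", "sta-b", 0,     700),
]

def nav_abuse_report(frames, min_rts=3, max_ratio=5.0):
    """Flag transmitters whose RTS reservations dwarf the airtime they use."""
    reserved, used, rts = defaultdict(int), defaultdict(int), defaultdict(int)
    for _t, ftype, tx, duration, airtime in frames:
        if ftype == "RTS":
            reserved[tx] += min(duration, NAV_MAX_US)
            rts[tx] += 1
        elif ftype == "DATA":
            used[tx] += airtime
    return {
        tx: {"rts": n, "reserved_us": reserved[tx], "used_us": used[tx],
             "suspicious": n >= min_rts
                           and reserved[tx] / max(used[tx], 1) > max_ratio}
        for tx, n in rts.items()
    }

def deferred_us(frames, cap_us=NAV_MAX_US):
    """Time a listening station spends with NAV > 0 (union of reservations).
    cap_us models a receiver that refuses durations above a plausible bound."""
    total, nav_end = 0, 0
    for t, ftype, _tx, duration, _air in sorted(frames):
        if ftype != "RTS":
            continue
        end = t + min(duration, cap_us)
        if end > nav_end:              # the NAV only ever moves forward
            total += end - max(t, nav_end)
            nav_end = end
    return total

if __name__ == "__main__":
    for tx, row in nav_abuse_report(CAPTURE).items():
        print(tx, row)
    print("deferred, standard NAV:", deferred_us(CAPTURE), "us")
    print("deferred, 3000 us cap: ", deferred_us(CAPTURE, cap_us=3000), "us")
```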
The MIC in WPA is designed to protect against tampering by an attacker: a Michael key and the Michael algorithm are used to compute an 8-byte message integrity code (MIC) that is appended to each data packet. When a wireless client or AP receives two or more data packets with incorrect MIC values within a second, WPA assumes that the network is under attack and takes a series of protective measures, including interrupting communications for one minute and changing the key, which creates an opportunity for a denial-of-service attack. An attacker only needs to send the target node at least two messages per second with an incorrect MIC value to make the node trigger MIC error protection and interrupt communication for a minute. As soon as the network returns to normal, the attacker repeats the attack, which eventually paralyses the network.
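When investigating repeated outages, the countermeasure rule described above can be replayed over logged MIC failures to see how much downtime they account for. This is an added example, not part of the original article; the window and lockout values are the ones stated in the text, while the log format, the alert threshold and the timestamps are constructed assumptions.

```python
WINDOW_MS = 1_000     # "within a second", as stated in the text
LOCKOUT_MS = 60_000   # communication interrupted for one minute

# Constructed MIC-failure timestamps (ms), as they might be extracted from an AP log.
MIC_FAILURES_MS = [5_000, 10_000, 10_400, 30_000,
                   70_500, 70_900, 131_000, 131_300]

def replay_countermeasures(failures_ms, window=WINDOW_MS, lockout=LOCKOUT_MS):
    """Return the (start, end) lockout intervals these failures would trigger."""
    lockouts, last_fail, blocked_until = [], None, -1
    for t in sorted(failures_ms):
        if t < blocked_until:
            continue                  # link already down, frame is never processed
        if last_fail is not None and t - last_fail <= window:
            blocked_until = t + lockout
            lockouts.append((t, blocked_until))
            last_fail = None          # counting restarts after the lockout
        else:
            last_fail = t             # isolated failure, not enough to trigger
    return lockouts

def outage_summary(failures_ms, observed_ms, alert_fraction=0.5):
    """Summarise downtime caused by MIC countermeasures in an observation window."""
    lockouts = replay_countermeasures(failures_ms)
    down = sum(min(end, observed_ms) - start
               for start, end in lockouts if start < observed_ms)
    return {"bad_frames": len(failures_ms), "lockouts": len(lockouts),
            "down_ms": down, "down_fraction": down / observed_ms,
            "alert": down / observed_ms >= alert_fraction}

if __name__ == "__main__":
    print(replay_countermeasures(MIC_FAILURES_MS))
    print(outage_summary(MIC_FAILURES_MS, observed_ms=200_000))
```

On the constructed log, eight bad frames account for three lockouts and 90% downtime over 200 seconds, which is the pattern to alert on.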
4. DDoS attacks at the network layer
Attacks against the network layer are also a serious threat. Several common attack methods are listed below:
(1) An illegitimate node becomes a routing node. It drops a certain number of packets, which degrades connection quality; the impact is greater if TCP is used at the transport layer. Examples are the black hole attack (which silently discards all arriving packets) and the gray hole attack (which selectively discards some packets, for example forwarding routing protocol packets while dropping data packets). In response to these two attacks, Mani and others at Stanford University proposed a watchdog and a selection algorithm. With the watchdog, the sender of a packet monitors the next-hop node; if the next-hop node does not forward the packet, the node may be faulty. In response, the selection algorithm evaluates the level of trust in each path, allowing packets to avoid paths that might contain illegitimate nodes. The combination of watchdog and selection algorithm is a good way to keep illegitimate nodes from becoming routing nodes. In addition, to encourage idle normal nodes to forward more packets, Buttyan and Hubaux introduced ideas from economics into wireless local area networks, proposing the concept of a virtual currency as a reward for forwarding packets.
(2) Illegitimate nodes transmit false routing information or replay outdated routing information, which causes routing failures and degrades transmission performance. Wormhole attacks and loop attacks are typical of this type of attack. A wormhole attack establishes an abnormal link in the wireless local area network over a wired or long-distance wireless connection. The routing protocol is deceived by this link, which produces false routing information.
(3) IP spoofing hides the real location of the attackers, and node mobility allows the source of the attack to move rapidly, which makes tracking the source of the attack extremely difficult. To some extent, research on DDoS attack source tracking in WLANs can draw on the source tracking techniques of wired networks, but there are still many differences between the two. Source tracking techniques from wired networks, such as PPM (probabilistic packet marking) and iTrace (ICMP traceback), can be transplanted to the wireless LAN, and experiments have shown that attack source tracking is related to the tracking technique used, the network routing protocol and the size of the wireless LAN.
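The watchdog and path selection scheme from item (1) can be sketched as follows. This is an added example, not code from the original article or from the cited authors: the trust scoring (forwarding ratio, neutral 0.5 for unobserved nodes, weakest-node path score), the timeout, the threshold and the node names are all assumptions chosen for illustration.

```python
from collections import defaultdict

class Watchdog:
    """Sender-side monitor: remembers each packet handed to a next hop and
    expects to overhear that hop retransmitting it before a deadline."""
    def __init__(self, timeout=2, threshold=3):
        self.timeout, self.threshold = timeout, threshold
        self.pending = {}                  # pkt_id -> (next_hop, deadline)
        self.forwarded = defaultdict(int)
        self.dropped = defaultdict(int)

    def sent(self, pkt_id, next_hop, now):
        self.pending[pkt_id] = (next_hop, now + self.timeout)

    def overheard(self, pkt_id, forwarder):
        hop, _ = self.pending.get(pkt_id, (None, None))
        if hop == forwarder:               # next hop did its job
            self.forwarded[hop] += 1
            del self.pending[pkt_id]

    def tick(self, now):
        for pkt_id, (hop, deadline) in list(self.pending.items()):
            if now >= deadline:            # never overheard: count as a drop
                self.dropped[hop] += 1
                del self.pending[pkt_id]

    def trust(self, node):
        if self.dropped[node] >= self.threshold:
            return 0.0                     # rated as misbehaving
        seen = self.forwarded[node] + self.dropped[node]
        return 0.5 if seen == 0 else self.forwarded[node] / seen

def choose_path(paths, wd):
    """Score a path by its least trusted intermediate node; pick the best."""
    def score(path):
        return min((wd.trust(n) for n in path[1:-1]), default=1.0)
    return max(paths, key=score)

def simulate():
    """Constructed scenario: next hop 'm' silently drops, 'b' forwards."""
    wd, black_holes = Watchdog(), {"m"}
    for pkt_id in range(6):
        hop = "m" if pkt_id % 2 == 0 else "b"
        wd.sent(pkt_id, hop, now=pkt_id)
        if hop not in black_holes:
            wd.overheard(pkt_id, hop)
        wd.tick(now=pkt_id + wd.timeout)
    return wd, choose_path([["s", "m", "d"], ["s", "b", "c", "d"]], wd)

if __name__ == "__main__":
    wd, path = simulate()
    print("drops:", dict(wd.dropped), "chosen path:", path)
```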
5. DDoS attacks at the transport layer, application layer and other upper layers
In a wireless local area network, upper layers such as the transport layer and application layer have the same characteristics as in a wired network, so DDoS attacks against them are basically the same as in a wired network. TCP SYN flood and TCP RST flood attacks are typical attacks on the upper layers. The defenses against these DDoS attacks in wired networks also apply to wireless LANs. Research shows that DDoS attacks in wired networks concentrate mainly on the upper-layer protocols, such as the network layer and transport layer. In a WLAN, however, the physical layer, MAC layer, network layer and transport layer of the nodes are all targets of DDoS attacks. Defense against DDoS attacks is therefore particularly important in WLANs.
6. DDoS attacks enabled by the imperfect authentication mechanism
The IEEE 802.11 standard provides two types of authentication: open system authentication and shared key authentication. Open system authentication is essentially an empty authentication process. Shared key authentication uses a pre-shared key to authenticate the client with the WEP protocol: the AP sends a challenge string and requires the client to encrypt it and return it; if the client's response is validated, the client is authenticated. This authentication protocol has a number of publicly known flaws that attackers can use to attack the network.
Concluding remarks
This paper introduces the DDoS attack modes in wireless LANs and describes the principle and method of each attack in detail. DDoS attacks are harder to defend against in wireless networks than in wired networks, so studying the DDoS attacks that affect wireless networks is very meaningful.