Chapter 1

WIRELESS NETWORK SECURITY FUNDAMENTALS

1. INTRODUCTION

It's an epidemic waiting to happen to many security experts. While most IT managers today have their hands full securing wired networks, their companies have been spending billions of dollars on wireless. Businesses will have spent $60 billion on wireless communications services and wireless network security by the end of 2006; and, 80 percent of the U.S. work force will use some sort of wireless device, including cell phones, pagers and mobile computing devices. That's good news for employee productivity, but bad news for companies ill-prepared to head off wireless network security breaches and debilitating viruses [10].

There's been a lack of functionality and a lack of mature infrastructure globally. And, that's the only reason the wireless viruses of today have not been more damaging. But, that's about to change. Industry analysts predict dramatic increases in wireless handheld use and the proliferation of new mobile capabilities. They expect to see 5.9 billion handsets, personal digital assistants (PDAs) and Internet appliances equipped with wireless capabilities by the end of 2008—^with that, you get a fiill scale epidemic in the works. Simply put: It's coming [10].

For many IT managers, the wireless world, with its often-incompatible alphabet soup of standards, may be new territory. Many enterprises have felt that protecting their wireless processes against viruses is one piece of the complicated puzzle they can afford to omit. They'll soon need to face threats that could wreak havoc on a very large scale.

4 Chapter 1

Therefore, in order to fight the viruses and security breaches of the future, wireless network security vendors (even giants Uke IBM) are busy developing products. In addition, within applications and on devices, they are also heading off problems on a wireless network level.

2. OVERVIEW OF WIRELESS NETWORK SECURITY

In markets where wireless devices are more widely used, to date, most wireless attacks have happened outside the U.S. Nevertheless, one virus that did hit U.S. handhelds was known as the Liberty virus.

For example, some personal digital assistant users received what they thought was a program that would allow them to play a certain game for free. However, it launched a virus that erased all the data on the devices when they double-clicked on the link.

Nonetheless, the virus wasn't devastating for people who regularly back up their PDA information on their PCs. Nevertheless, more serious problems have occurred overseas in the form of viruses and/or malicious code that forced phones to dial particular numbers, intercepted transmissions and perpetuated the theft of data.

Disguised as a short message, one vims was distributed in Scandinavia. The virus rendered the buttons useless, when a user received the message. In order to get their phones fixed, users had to take them in to their service providers.

New types of malicious code have been written that force wireless devices to make phone calls, because many of them also have telephony capabilities. One incident in Japan caught the attention of wireless operators and software companies around the globe. Users of NTT DoCoMo's (http://www.nttdocomo.com/top.html) popular I-mode service [1] received an e-mail with what looked like an embedded Web site link. When customers clicked on the link, their phones automatically dialed Japan's emergency response number. Luckily, they could stop it before it got too bad; but, that could shut down a 911 system that could have life-and-death consequences.

For example, similar viruses could be unleashed that might flood a company's call center, or cause phones to dial a 900 number. If a virus that spread to all its mobile workers racked up significant charges, a corporation could be seriously affected.

The threat of data theft, perhaps, is more alarming to businesses. In order to prevent the interception of information as it's being transmitted, all wireless transmission standards have security built in, but they're known to

7. 5

be fallible. Encryption technology designed to head off the threat of sniffing, has been included by developers of standards such as Wireless Application Protocol (WAP) and the wireless LAN 802.1 lb standard [10].

Because the wireless network is essentially everywhere, sniffing is an inherent problem in wireless. Sniffers must have access to physical parts of the network in order to break in the wired world. The problem is, with wireless, they don't even have to be in the network. They can be in a van outside with a transmitter.

When researchers at the University of California at Berkeley figured out how to crack its built-in encryption, the widely used wireless LAN standard, 802.11, came under fire recently [10]. Because developers addressed wireless network security from the start and are working to beef it up before wireless LANs become more pervasive, there is still some hope.

Companies will also have to secure wireless transactions. There will be attacks on the devices themselves, but they quickly will be focused on transactions.

As devices develop more capabilities, these threats are expected to grow more serious and frequent. Typically, you should look to the past to predict the future. Also, new possible threats come into play every time there is a technology advancement.

Each time software companies release popular technologies in the PC environment, people use them to write malicious code. The same is expected with regard to wireless. For example, a Windows program can currently run on a Windows CE device, but CE doesn't yet support macros. So, the ability for viruses to spread is nil, because the device doesn't support macros.

Nevertheless, wireless devices are rapidly developing other capabilities. In the beginning the PDA was just something used to store contacts. But, today they are little computing devices. There's more of a chance of things being used improperly, as you create more functionality.

Most viruses have been regional so far. But, the threat of viruses spreading around the globe grows, as regions of the world begin to standardize wireless technologies. NTT DoCoMo, for example, plans to open its wireless network globally by 2006 [10]. This would then allow the worldwide spread of NTT DoCoMo threats.

In addition, there is a greater potential for viruses to spread between PCs and mobile devices (which could enable viruses to spread very quickly), because more of the capabilities are supported by devices. So that the same applications can run on PCs and handheld devices, Windows CE will support Java script in the future. Then viruses can spread easily via e-mail or programs that synchronize PCs and handheld devices. A version of Java is already supported by most wireless phones (including versions Nextel Communications sells primarily to businesses).

6 Chapter 1

2.1 Firewall Building

What's really becoming readily available, are more wireless network security measures and products. Still, uncertainty about how to address potential threats is preventing some enterprises from deploying wireless.

Still though, many companies have to contend with wired security issues. And, it is difficult for IT managers to stay on top of new developments, because both the wired and wireless worlds change quickly. It's a tremendous challenge for IT managers to understand the space and issues, and what the solutions are to address it.

Many enterprises aren't yet concerned about protecting against viruses, because wireless viruses haven't been widespread. Also, many enterprises haven't heard very much about wireless viruses, and so, it's not a real issue right now. Although the data from wireless devices passes through the corporate firewall [8], additional wireless network security isn't necessary, because the information wouldn't be valuable to anyone else.

For example, at Final Mile Communications (http://www.finalmilecom.com/), a professional services company, field service workers use Nextel phones to receive trouble tickets and report status back to the dispatch center [10]. They haven't seen any viruses yet, but when and if a virus does present itself, it will be a serious issue to be dealt with.

Warning: URLs may change without notice!

There seems to be more concern about the possibility of data being stolen by other companies. By determining what's acceptable and what isn't, the first decision an enterprise must address when implementing a secure wireless system is to define its security model.

It's ponderous; that's part of the problem. For example, in the wired world, encryption based on public key infrastructure [7] hasn't taken off because it is difficult to use. An enterprise that wants to give a field service worker access to important data is aiming to make that worker more efficient. However, you've negated the advantage of going after wireless network security, if it introduces more error and takes longer to use. You have to take a holistic approach.

Coming to market, are more products purporting to provide end-to-end wireless network security that starts with the device and includes transmission and the software that runs applications. Thus, giving companies more options that fit their specific needs. One of the simplest problems, though, has not been widely addressed: Should the device be lost or stolen, few mobile devices have mechanisms for protecting information stored on them. So that only the owner can access stored data [6], there are some early products that companies can add to user devices to encrypt data.

L 7

For example, F-Secure (http://www.f-secure.se/foretaget/) has encryption and antivirus software for Pocket PCs, and Palm and Symbian devices [10]. F-Secure also offers antivirus engines for WAP gateways at the operator level. A further example is Trend Micro (http://www.trendmicro.com/), which has antivirus software for devices and guards against all entry points, including beaming, synching, e-mail and Internet downloading.

Programs similar to those available on laptops could be developed to allow a user whose device is lost or stolen to remotely destroy information or make it useless to anyone else. So, to protect important information stored on devices, such capabilities can be crucial.

Although serious threats aren't expected for some time, activity has begun to create virus protection software that lives on devices. The consumer electronics (CE) environment will probably be the first to see viruses written on a constant basis. But, it probably won't happen on a regular basis until sometime in 2006 [10].

It isn't easy to create antivirus software for devices. On phones, the real estate is owned by the operating company and there's a turf battle over what software can do. Virus protection could be required for each piece of software. The patchwork on the phones makes it difficult for a virus scanner to cover all parts of the device.

Note: For example, F-Secure's PDA solution includes antivirus software for PCs that are constantly updated via the Intemet aad uploaded to PDAs when users synch with their PCs.

Because short-range communications techniques such as Bluetooth or infrared connections bypass wireless networks, software on devices become an important component of an antivirus campaign. Without sending the data through a server, users can beam information (and viruses) directly to one another.

Note: Phones sold by NTT DoCoMo since December incorporate software to defeat viruses like the one that commanded the handset to automatically dial the emergency phone number.

By buying handsets that have authentication technology built in, IT managers can also protect the devices of mobile workers. For example, in order to make phones capable of accepting digital signatures, RSA Security (http://www.rsasecurity.com/) is one company working with handset vendors [10]. Unless they have the IT manager's digital signature, IT managers that send out updates or regular messages to mobile workers, could program workers' devices not to accept messages.

Presently being built into handsets, consists of such authentication technology. And, phone makers are interested in adding such capabilities, because they represent the potential for additional revenue. For the complete

8 Chapter 1

authentication platform, a device manufacturer could charge an enterprise per user.

Another line of defense concerns the servers accessed by mobile workers—^that being in addition to virus protection on user devices. Currently, most platforms that support mobile e-mail carry antivirus and antispam software. For example, as threats pass through firewalls using the same technology that's been used to detect viruses in the PC environment, Trend Micro helps enterprises and wireless operators detect threats. Trend Micro will give its customers updated tools that can block viruses (usually within an hour), as new threats arise. According to Trend Micro, the stopping of viruses in the infrastructure is the best way to block their spread. The last line of defense is the device.

But, that type of protection gets more difficult in the fixture environment of always-on communications that will come with next-generation of packet wireless networks. Unlike a mail client, applications like instant messaging (IM) and location- or presence-based applications are chatty. So, the number of messages and the frequency go up by a factor of 10 [10]. Antivirus efforts become more complicated, as the sheer number of applications and messages are being sent.

2.1.1 Paranoia

Some space-age solutions are already available for the seriously paranoid. For example, for phones that can encrypt conversations, Siemens (http://www.siemens.com/index.jsp) has introduced an add-on capability [10]. Such technologies are used primarily by government workers, but certain industry segments might be interested in such rigorous precautions. Oil companies, for example, spend billions on exploration and want that information kept confidential. Some of their wireless network security is more stringent than that of governments.

Note: There have also been some products designed for Palm devices with fingerprint-identification technology.

In order to fit the wireless security needs of some corporations, even more far-out ideas could be morphed from their original intent. Some law enforcement agencies have been working on a technology that could render a handgun (such as one carried by a police officer) useless if someone else tries to use it. Such technology could be ported to a handheld device.

Still, no one actually believes that they'll stop the troublemakers, even after all of these impressive wireless network security solutions are created and deployed. This is not a sense of resignation. It's a battle of attrition. It requires constant understanding and vigilance [10].

1.

In continuing with the preceding concept of sci-fi parania, let's look at N a wireless network attack intercepts wireless Internet messages. how a

2.1.2 Interception

It's the stuff of sci-fi thrillers! By using gear that can be picked up at any electronics store (and is an easily downloadable piece of fi'eeware), a group of wireless network security researchers have discovered a simple attack that enables them to intercept Internet traffic moving over a wireless network.

The attack, accomplished by @Stake Inc. (http://www.atstake.com/), a wireless network security consulting company in Cambridge, Mass., affects a popular consumer version of Research In Motion Ltd.'s (http://www.rim.com/) BlackBerry devices as well as a variety of handhelds that send unencrypted transmissions over wireless networks such as Mobitex [11].

Like other wireless standards such as Global System for Mobile Communications and General Packet Radio Service, the Mobitex specification sends packets in unencrypted form by design. With customers using the wireless network for everything fi*om point-of-sale verification to e-mail, the network, which handles data transmissions only, has been in operation since 1986 and has a large base of installed devices [11].

In other words, the attack is fairly simple. The problem is, this isn't a bug. It's part of the spec that data is transmitted in the clear, just like it's part of the spec that Internet data is transmitted in the clear. Thus, the risk depends on when and what data they're sending, and who is using the wireless network.

The researchers were able to intercept traffic destined for BlackBerry Internet Edition devices by using a scanner with a digital output, an antenna and fi*eely downloadable software. And, the attackers can read the messages they intercept without fiorther work, because the packets aren't encrypted.

Note: The Internet Edition handhelds are sold mainly through co-branding relationships with ISPs such as AOL Time Warner Inc.'s America Online service, EarthLink Inc. and Yahoo Inc.

According to executives at Research In Motion Ltd (RIM), they don't see the attack as a problem because they have never touted the Internet Edition devices as being secure [11]. Internet traffic isn't supposed to be secure. It's kind of like a company making beer and cola; and, someone saying that there's alcohol in the company's drinks when the children are drinking cola.

Nevertheless, the attack serves as a reminder to users that e-mail and other Internet traffic is open to snooping and is inherently insecure. You can always figure that anything that's sent via e-mail can be read by at least hundreds of people which have either legitimate or compromised access to

10 Chapter 1

systems sitting between you and your recipient. All of this just adds another potential access point. The disappointment here is that they didn't make at least a modest attempt to obscure the content.

Note: The messages are only as secure as the wireless networks of the ISPs that relay them, none of which provide encrypted e-mail.

The attack also applies to other devices on the Mobitex wireless network, many of which are proprietary solutions developed for in-house corporate uses [11]. This attack does not work on the BlackBerry Enterprise Edition, which uses Triple Data Encryption Standard encryption in addition to other wireless network security features.

Customers are typically advised by Mobitex operators, that they should choose the wireless network security scheme that fits their particular needs. It was a conscious decision not to put wireless network-level security in because customers have said that they don't want the overhead associated with security if they're just doing things like instant messages. Customers can absolutely add on their ovm encryption to whatever application they're using the wireless network for [11].

Now, let's look at a classification of wireless network denial-of-service-and distributed denial-of-service attacks; and, a classification of the defense mechanisms that strive to counter these attacks. Using both known and potential attack mechanisms, the attack classification is illustrated next. Along with this classification, a discussion ensues about important features of each attack category that will in turn define the challenges involved in combating these threats. Using only the currently known approaches, the defense system classification is illustrated in this part of the chapter. Thus, in order to gain a better understanding of challenges in the distributed denial-of-service field, the goal of this part of the chapter is to unpose some order to the multitude of existing attack and defense mechanisms.

2.1.3 Denial Of Service

Today, denial of service (DOS) and distributed denial of service (DDoS) attacks are still on the rise and getting worse. After the year 2000 first wave of DDoS attacks against several of the largest commercial Internet sites including Yahoo!, eBay, E'Trade, Amazon.com and Buy.com, major e-commerce and wireless information sites worldwide still remain very very vulnerable [12].

In a recent survey of 649 wireless network security administrators fi*om industry, government and academia, conducted by the Computer Security Institute (CSI) of San Francisco and the FBI, 49 percent detected denial of service attacks. That number is up fi*om 36 percent in 1999 and 38 percent in 2001 [12].

7. 11

Denial of service attacks are becoming incessant. Recently, researchers at the University of CaHfomia, San Diego, reported 23,916 observed DoS attacks over a recent three-week period. In more than 3,000 distinct domain name servers, there were more than 6,000 distinct victims [12].

DOS and DDoS attacks are also growing in ferocity. Most attacks usually last only a few minutes. However, for example, EFNet.org, a provider of IRC chat services, experienced an attack lasting almost 20 days in 2001, at times subjecting EFNet to almost 700 Mbps of traffic. During the attack, several ISPs null-routed EFNet's wireless networks, essentially preventing customers fi*om reaching them [12].

In 2001, a worm-virus, dubbed Code Red, infected more than 400,000 systems worldwide in one day. This is an astounding propagation rate [12]. The amount of traffic that could be generated by such a veritable army of computers would certainly overwhelm any modem wireless network infi-astructure, if not threaten the stability of the Internet itself

Recently, a variant of Code Red has appeared, called Code Blue. Some observers consider this virus even more threatening than its predecessor. While computers affected by Code Red were largely able to continue functioning normally with no obvious degradation in system performance. Code Blue gradually increases its usage of system resources. If Code Blue is not stopped, it could bring computers running Windows NT or Windows 2000 or XP to a hah [12].

There are technologies available now that can detect a simple DoS- or DDoS attack, and protect a wireless network system fi-om the increasing damage these malicious acts can bring. In other words, DDoS attacks themselves pose an immense threat to the Internet and wireless networks. Consequently, many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these wireless network security systems. Researchers in turn, modify their approaches to handle new attacks. The DDoS field is evolving quickly. It is becoming increasingly hard to grasp a global view of the problem. This part of the chapter strives to introduce some structure to the DDoS field by developing a classification of DDoS attacks and DDoS defense systems. The goal of this part of the chapter is to stimulate discussions that might lead to a better understanding of the DDoS problem and highlight the important features of both attack and wireless network security mechanisms [12].

The proposed classifications are complete in the following sense: the attack classification covers known attacks and also those that have not currently appeared, but are potential threats that would affect current defense mechanisms; and, the defense systems classification covers not only published approaches, but also some commercial approaches that are sufficiently documented to be analyzed. Along with classification, important

12 Chapter 1

features of each attack are emphasized; as well as, the defense system category. Representative examples of existing mechanisms are also provided. Even though some parts of the chapter might point out vulnerabilities of certain classes of defense systems, this part of the chapter does not propose or advocate any specific DDoS defense mechanism. The purpose here is to draw attention to these problems so that they might be solved, not to criticize.

2.1.4 Overview Of A DDoS Attack

A DoS attack is characterized by all explicit attempts by attackers to prevent legitimate users of a service from using that service. A DDoS attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage or consumes some key resource, thus rendering it unavailable to legitimate clients.

In other words, a computer bombards another system with floods of packets in DoS attacks. The goal is to prevent legitimate users from accessing the target host or wireless network. In order to provide a cover for other cracking activities, crackers sometimes use DoS attacks.

DoS attacks are not a new phenomenon. One of the earliest DoS attacks was a late 1996 strike against Panix.com, an ISP in New York [2]. That attack used a method considered primitive by today's standards: A single computer sent Panix' systems thousands of copies of a simple message that computers use to start a two-way dialog. The Panix machines receiving the messages had to allocate computer capacity to handle the dialogs. As the requests continued to pour in, the Panix machines soon used up their resources, and were effectively crippled.

DoS techniques had grown more sophisticated by the fall of 1999: Crackers began infiltrating multiple computers on the Internet—using them to launch coordinated assaults against other computers.

In these DDoS attacks, a cracker installs a program on a machine that, later on, in conjunction with other wireless networking systems, will be called on to participate in an attack. Usually distributed geographically, these pawn-like computers that forward DDoS attacks are called zombies. After the zombie computers (as few as three but sometimes more than 200) have been infiltrated, a "wakeup" command causes them all to begin sending bogus messages to the ultimate target of the attack.

Because DDoS attacks deliver a much heavier volume of messages (basically they are many single DoS attacks occurring simultaneously), they have the potential to be much more disruptive than relatively simple DoS

1. 13

attacks originating from a single computer. Contributing to the prevalence of DDoS attacks, is the raw number of computer operating systems in use on the Internet.

Most of the systems connected over the public Internet were running Unix or other type of proprietary mini-computer OS in the early 1990s. Mostly based on the Linux and BSD kernels, since 1992, over 30 companies have released their own proprietary operating systems. This caused a proliferation of software modules (such as Telnetd, sshd, bind and httpd) that fimction in the same way but operate different software algorithms.

A daunting, if not impossible task, is assessing the wireless network security of hundreds of independent operating systems. Furthermore, the subsequent closure of many of those independent OS manufacturers has made the task of identifying and closing wireless network security holes all the more challenging. The result, is the availability of thousands upon thousands of computers connected to the Internet running insecure operating systems.

An attacker can build a veritable army of zombie systems to launch attacks at will, armed with little more than a port-scanner, a root-kit and a little hubris (extreme arrogance). Thus, with the preceding in mind, this part of the chapter will answer the following questions: 1. How do these attacks occur'? 2. Why do they occur? 3. What makes DDoS attacks possible'? [2]

2.1.4.1 Strategy of a DDoS Attack The attacker needs to recruit the multiple agent (slave) machines, in

order to perform a distributed denial-of-service attack. By looking for wireless network security holes that would enable subversion, this process is usually performed automatically through scanning of remote machines. In addition, by using the discovered vulnerability to gain access to the machine, they are also infected with the attack code by vulnerable machines that are exploited. The exploit/infection phase is also automated. And, the infected machines can be used for fiirther recruitment of new agents (see discussion of propagation techniques later in this chapter). Agent machines perform the attack against the victim. Through spoofing of the source address field in packets, attackers usually hide the identity of the agent machines during the attack. Thus, the agent machines can be reused for future attacks [2].

2.1.4.1.1 The Workings of a DDoS For resource-intensive computing tasks, including a massive DoS attack,

DDoS leverages one of the inherent benefits of distributed computing. To

14 Chapter 1

distribute the work across many systems in a wireless network, is one of the best approaches to completing resource-intensive tasks.

Enlisting numerous computers in a DDoS assault makes it both more devastating and harder to stop, in the same way, due to DDoS's distributed nature. It also makes tracing the original source of the attack virtually impossible.

By spoofing, or faking, the source address or destination address fields of an IP packet, DDoS attacks exploit the inherent "trust" that wireless networked computers have for each other. Wireless Internet routers (trusting every packet that appears to be correctly formed) will route the packet to its marked destination. Thus, the receiving system (again trusting the data in the packet) will reply to the forged source address.

It's easy to launch a DDoS attack. To create a force of zombie computers, there are a growing number of attack tools that are downloadable from Internet sites. The attacker needs only to select a Web site to attack, once a zombie force is established. From a central "command console" which can activate zombies located anywhere in the world, the attack itself can be initiated from a single computer,.

One common variable is shared by many types of DDoS attacks: large wireless Internet traffic flows. The IP protocol itself is very trusting. Attackers are fi*ee to forge and change IP data with impunity. By fooling the victim's firewall or target host into accepting this seemingly legitimate traffic, the cracker uses the IP address of a trusted source [12].

2.1.4.1.2 Today's Practices Being of little value in defending against DDoS attacks, wireless network

firewalls are indispensable for countering many kinds of malicious incursions. Firewalls are designed to manage an environment where everyone outside the enterprise is untrusted and everyone inside the enterprise is trusted.

However, the model of trusted and untrusted wireless networks is no longer viable in today's wireless Internet, with service providers delivering the means for user access to the Web. Colocation and Web-hosting providers allow many different companies (each with its own wireless network security requirements) to reside within a single Internet data center. Because an ISP cannot inherently trust every host on their wireless network, this has diminished the effectiveness of firewalls for use in colocation and Web-hosting data centers.

ISPs and colocation providers created an environment where their systems could easily become the source of DoS and DDoS attacks, with little overall wireless network security. By implementing bi-directional firewall filtering (managing outbound traffic as vigilantly as inbound traffic),

/. 15

wireless network administrators in these organizations can lower the likeHhood of these attacks. While bi-directional filtering is a good method to protect the wireless Net at large, unless it is implemented everywhere, there is still the threat of attacks from those wireless networks that are not well protected. Extensive filtering of this nature is rarely implemented, because filtering is cost heavy on a CPU (creating traffic bottlenecks) [12].

2.1.4.1.3 Fighting DDoS Attacks: The Technologies Advanced implementation of intrusion detection system (IDS)

technology is required as an effective defense against DDoS attacks. Intrusion detection systems fall into two broad categories: wireless network-based and host-based (see sidebar, "Pros And Cons Of Intrusion Detection Systems").

Normally, wireless network-based IDS systems are placed near the wireless system or systems being monitored. They examine the wireless network traffic and determine whether it falls within acceptable boundaries (looking deep into the payload portion of the packet for signs of malicious activity). In order to match suspicious traffic, signature files are compared to those of known attack patterns.

Signature-based systems must update their libraries of known attacks continuously, like software that protects against known viruses. They also cannot learn new traffic patterns. This allows a large number of attacks to go undetected and leaves the wireless network vulnerable [12].

Pros And Cons Of Intrusion Detection Systems

Intrusion detection systems (IDS) are more complicated than firewalls and can be pricey but they have definite benefits. Let's briefly look at the pros and cons of such systems.

Wireless network security is a key consideration for network design. IDS must strike a balance between wireless network security and network usability, for it to be useful in real world conditions.

IDS Defined And How It Differs From Traditional Firewall Technology

IDS is different from traditional firewalls because it involves the detecting of a security breach. In most cases, it translates into defending against a wireless network security breach. It's sort of part system administration. If you took at the way IDS evolved originally, the idea was that if you set up a particular probe or a

16 Chapter 1

particular application, you'd be able to detect unauthorized access. Most of those things prior to the creation of the wireless network security industry, were things that network engineers already implemented. So, a lot of the earlier tools such as Transmission Control Protocol (TCP) wrappers and the original ISS applications, and several others were originally developed and released as open-source tools. Ten or eleven years ago, IDS was very different than it today.

The Workings af IDS Technology

There are three approaches to how IDS technology works. The first is a blind a barricade, which is similar to a firewall You implement a wrapper or some sort of a scanner that looks for specific events. When it sees the event, it correlates it and decides whether or not it's an acceptable event or an unacceptable event. So, if you try and log into a system and it tells you that you don't have the right credentials, when that failure occurs, an application will then alarm some other console to say that there is an unauthorized access.

Second Approach To How IDS Technology Works

The second approach is signature based. Signature based works on a host or a network basis where a particular type of packet or data stream is looked for. When the scanner sees it, it generates an alarm. The issue with signature based applications is that they're really only as good as the signatures are. So, in terms of total effectiveness, they leave a large area to be desired.

Lust Approach To How IDS Technology Works

Profile or anomaly detection is the last approach to how IDS technology works, and the most recent. As an administrator, you create profiles of your system; you determine what their normal operational parameters are; and, you look at' events that are out of profile. So, for instance, if you have a Web server (and as a Web server), it only runs SSH. Then, one day all of a sudden, it starts running HTTP clients. That in itself should set up a major flag. Now, if you were running a Microsoft server for

7. 17

example, that youVe got a Code Red like virus or something like that, it would be an indication.

Deep Packet Inspection And How It Relates To I0S

In order to be able to determine the potential attack, you have to eliminate the problem with most signature-based events; and, that basically is that they are looking at just the packet header The idea of deep packet inspection now is that you can actually look inside the data-stream to determine whether or not an attack is really being perpetrated. This is a very relevant form of IDS that is just starting to be developed. Now, developers can write around firewalls and keep their applications in use, because they've become a lot smarter

For example, if you are running in a firewall environment, and the firewall administrator doesn't want you to run AOL Instant Messenger (AIM), he or she doesn't permit the service to happen. If you turn on Secure Socket Layer (SSL) now, all of a sudden you can run AIM and the firewall administrator can't do anything about it. Because they will be interpreted as normal traffic, the idea is that this sort of work around will be incorporated into the tools that hackers make, in order to be able to completely evade IDS.

Factors That Should Be Considered When Tuning An IDS To Your Wireless Network

Factors that should be considered when tuning an IDS to your wireless network, is all based on success and cost. Success means that IDSes need to be tuned, and that they need an enormous amount of tuning. That is probably the biggest problem with them. Secondly, they cost an excessive amount of money. So, typically what happens, is that someone will buy an IDS and implement it, and it will be the alarm for everything, because it needs to be tuned. Of course, when it goes through the tuning process, they then have to make assumptions about what to permit and what not to permit. Then, as part of your wireless network security policy, you have to make these decisions about what youYe going to permit.

18 Chapter 1

The Result

What typically happens is that a company will decide that they need to implement IDS. So, they will go out and buy a product; and, they will put the product in and it will sit dormant, because nobody wants to take the time to actually fix it Or, they'll have just spent a lot of money, and they'll implement it without dealing with all the underlying issues (which is not running a wireless secure environment to begin with).

IDS Architecture

IDS architecture is driven by cost, but the ideal architecture would be multi-faceted. It would start with a standard border filter where youVe just filtering out all the noise, stufl" that just happens randomly, and people looking for holes in your wireless network that shouldn't be there if youYe running any type of security at all. The second component would typically be some sort of wireless network probe for looking at network-based events. The third level might be some sort of host or signature-based system. An anomaly-based system is also a big value, depending on what you are looking at and what you are defending.

IDS Market

The IDS market has had a lot of fluctuation. For example, Enterasys has been severely impacted in the market overall, so they are making a desperate attempt to try and grow their product out. It has a very big following; so, the product will survive and continue to grow. ISS has been very aggressively developing a globalized system, integrating technologies from other companies that they've acquired to build out their original product base. Cisco is radically redesigning its IDS package. The Cisco Security Policy Manager is growing out and they are beginning to integrate IDS functionality in both their switches and routers. So here, there is a potential growth market.

Emerging Trends In IDS Technology?

Centralized collection, analysis and reporting, are what people are going to be looking for. Also, people will be looking at things

1. 19

like profiler trending. That is looking at how the wireless network is behaving in the context of a multi-faceted system, and using that profiling to detect events that you wouldn't see with a signature based system. Finally, you can detect anomalies ahead of time before they have a significant impact on your wireless network, with profiling [4].

Similar to critical system files, host-based IDSes (HIDSes) run directly on the system being monitored and monitor log files. For instance, an HIDS would send alerts to wireless network security administrators if an attacker managed to compromise a system and tried to modify the netstat command. Often, in a DDoS attack, the unauthorized user or cracker has installed code that may enable the computer to be used later as an agent or zombie.

Anomaly-based detection engines are used by HIDSes. Anomaly detection identifies any unacceptable deviation from expected behavior. Expected behavior must be defined in advance by an automatically developed profile or by a manually developed profile. An anomaly can be an increase in traffic from a known good source or simply a synchronized attack from zombies sending malicious traffic.

False alarm problems with anomaly-based systems are usually very high, as is with signature-detection systems. A frequently-updated IDS can alert wireless network managers of known attacks. That's the good news!

Finally, the goal of a DDoS attack is to inflict damage on the victim. This could be either for personal reasons (a significant number of DDoS attacks are against home computers, presumably for purposes of revenge); for material gain (damaging competitor's resources); or, for popularity (successful attacks on popular Web servers gain the respect of the hacker community) [2].

2.1.5 DDoS Attacks Classification

In order to devise a classification of DDoS attacks, let's look at the types of DDoS attacks; means used to prepare and perform the attack; the characteristics of the attack itself; and, the effect it has on the victim. Fig. 1-1 summarizes the classification [2].

2.1.5.1 Types Of DDoS Attacks There are several common types of dedicated denial of service attacks

(DDoS) attacks, including the following: • Smurf or Reflector Attack. • Amplified Reflector Attack. • TCP/UDP Floods. • Spoofed-Source SYN Attack [12].

20 Chapter 1

DDoS Attacks

Classification by degree of

Classification by exploi ted vulnerabi lny

Classification by attack rate dynamics

Classification by Impact

Autonomous

— ^ Brute-force

Classification by relation of packet contents wi th viclim services

oJNon fi l terable I

H Disruptive

Classification by rate change mechanism

Figure 1-1. Classification of DDoS attacks.

2.1.5.1.1 Smurf or Reflector Attack Here, an attacker spoofs Internet Control Message Protocol (ICMP) Echo

Request (PESTG) packets with the IP address of the target host in the source address field of the IP packet. The destination field is chosen with a list of known reflectors (any device on the Internet that will respond to PING) or randomized. Each reflector responds to the intended target (the host that legitimately own the spoofed address) with an ICMP Echo Reply packet, thus overflowing the target wireless network with useless traffic, as these packets are flooded onto the Internet.

2.1.5.1.2 AmpUfied Reflector Attack The amplified reflector attack is a variation on the Smurf or Reflector

attack. The destination field is the broadcast address of an amplifier network. When the packet hits the reflector address, every device on the reflector-network will reply to the target. Ten (10) Echo Request packets become 1,000 Echo Reply packets, if 100 devices on the wireless network answer to the target [12].

2.1.5.1.3 TCP/UDP Floods TCP/UDP floods are mainly used to disrupt wireless network

communications or otherwise hinder performance. TCP and UDP traffic can be directed at specific ports on a host. But, to simply overwhehn a target wireless network with traffic, TCP and UDP traffic are more often than not used.

7. 21

2.1.5.1.4 Spoofed-Source SYN Attack An attacker randomizes the source address field and sets the destination

address field of the IP packet as the target host. The target host will process each SYN packet, open a port and respond with a SYNACK to the address in the source field. So, in order to disable Web servers, this is the most common assault used.

2.1.5.2 Degree Of Automation Classification The attacker needs to locate prospective agent machines and infect them

with the attack code during the attack preparation. Based on the degree of automation of the attack, this part of the chapter differentiates between manual, semi-automatic and automatic DDoS attacks [2].

2.1.5.2.1 Manual Attacks Only the early DDoS attacks belonged to the manual category. The

attacker scanned remote machines for vulnerabilities, broke into them and installed the attack code, and then commanded the onset of the attack. During the lead to the development of semiautomatic DDoS attacks (the category where most contemporary attacks belong), all of these actions were soon automated.

2.1.5.2.2 Semi-Automatic Attacks The DDoS wireless network consists of handler (master) and agent

(slave, daemon) machines in semi-automatic attacks. The attacker deploys automated scripts for scanning and compromise of those machines and installation of the attack code. He or she then uses handler machines to specify the attack type and the victim's address and to command the onset of the attack to agents, who send packets to the victim. Based on the communication mechanism deployed between agent and handler machines, let's divide semi-automatic attacks into attacks with direct communication and attacks with indirect communication.

2.1.5.2.2.1 Direct Communication Attacks The agent and handler machines need to know each other's identity in

order to communicate during attacks with direct communication. This is achieved by hard-coding the IP address of the handler machines in the attack code that is later installed on the agent. Each agent then reports its readiness to the handlers, who store its IP address in a file for later communication. The obvious drawback of this approach is that discovery of one compromised machine can expose the whole DDoS wireless network. Also, agents and handlers are identifiable by wireless network scanners, since they listen to wireless network connections.

22 Chapter 1

2.1.5.2.2.2 Indirect Communication Attacks To increase the survivability of a DDoS v^ireless network, attacks with

indirect communication deploy a level of indirection. Recent attacks provide the example of using Internet Relay Chat (IRC) channels for agent/handler communication. Since the IRC channel offers sufficient anonymity to the attacker, the use of IRC services replaces the function of a handler [2]. Agent communications to the control point may not be easily differentiated from legitimate wireless network traffic, since DDoS agents establish outbound connections to a standard service port used by a legitimate wireless network service. The agents do not incorporate a listening port that is easily detectable with wireless network scanners. An attacker controls the agents using IRC communications channels. Thus, discovery of a single agent may lead no further than the identification of one or more IRC servers and channel names used by the DDoS wireless network. From there, identification of the DDoS wireless network depends on the ability to track agents currently connected to the IRC server. There is nothing to prevent attackers from subverting other legitimate services for similar purposes, even though the IRC service is the only current example of indirect communication.

2.1.5.2.3 Automatic Attacks By avoiding the need for commimication between attacker and agent

machines, automatic DDoS attacks additionally automate the attack phase. Preprogrammed in the attack code is the time of the onset of the attack, attack type, duration and victim's address. Since the attacker (he or she) is only involved in issuing a single command (the start of the attack script), it is obvious that such deployment mechanisms offer minimal exposure to the attacker. The hardcoded attack specification suggests a single-purpose use of the DDoS wireless network. However, by enabling easy future access and modification of the attack code, the propagation mechanisms usually leave the backdoor to the compromised machine open.

By deploying automatic scanning and propagation techniques, both semi­automatic and automatic attacks recruit the agent machines. Based on the scanning strategy, you should be able to differentiate between attacks that deploy random scanning, hitlist scanning, topological scanning, permutation scanning and local subnet scanning. Thus, by gaining a larger agent population, attackers usually combine the scanning and exploitation phases. Here, the description of scanning techniques relates to this model [2].

2.1.5.2.3.1 Random Scanning Attacks By using a different seed during random scanning, each compromised

host probes random addresses in the IP address space. Since many machines

L 23

probe the same addresses, this potentially creates a high traffic volume. Here, random scanning was performed by Code Red (CRv2 or higher) [2].

2.1.5.2.3.2 Hitlist Scanning Attacks From an externally supplied list, a machine performing hitlist scanning

probes all addresses. It sends one half of the initial hitlist to the recipient and keeps the other half, when it detects the vulnerable machine. This technique allows for no collisions during the scanning phase and great propagation speed (due to exponential spread). An attack deploying hitlist scanning could obtain the list fi-om netscan.org of domains that still support directed IP broadcast and can thus be used for a Smurf attack.

2.1.5.2.3.3 Topological Scanning Attacks In order to select new targets, topological scanning uses the information

on the compromised host. By exploiting the information fi-om address books for their spread, all E-mail worms use topological scanning.

2.1.5.2.3.4 Permutation Scanning Attacks All compromised machines share a common pseudo-random permutation

of the IP address space during permutation scanning. In this permutation, each IP address is mapped to an index. By using the index computed from its IP address as a starting point, a machine begins scanning. It chooses a new random start point whenever it sees an already infected machine. While maintaining the benefits of random probing, this has the effect of providing a senti-coordinated, comprehensive scan.

2.1.5.2.3.5 Local Subnet Scanning Attacks To preferentially scan for targets that reside on the same subnet as the

compromised host, local subnet scanning can be added to any of the previously described techniques. A single copy of the scanning program can compromise many vulnerable machines behind a firewall by using this technique. Code Red II and Nimda Worm used local subnet scanning [2]. A differentiation is made here between attacks that deploy central source propagation, back-chaining propagation and autonomous propagation that is based on the attack code propagation mechanism [2].

2.1.5.2.3.6 Central Source Propagation Attacks The attack code resides on a central server or set of servers during central

source propagation. The code is downloaded from the central source through a file transfer mechanism after compromise of the agent machine. The liOn [2] worm operated in this manner.

24 Chapter 1

2.1.5.2.3.7 Back-Chaining Propagation Attacks The attack code is downloaded from the machine that was used to exploit

the system during back-chaining propagation. During the next propagation step, the infected machine then becomes the source. Since back-chaining propagation avoids a single point of failure, it is more survivable than central-source propagation. Back-chaining propagation was used by the Ramen worm [2] and Morris Worm [2].

2.1.5.2.3.8 Autonomous Propagation Attacks By injecting attack instructions directly into the target host during the

exploitation phase, autonomous propagation avoids the file retrieval step. Autonomous propagation is used by Code Red [2], Warhol Worm [2] and numerous E-mail worms [2].

2.1.5.3 Exploited Vulnerability Classification In order to deny the service of the victim to its clients, DDoS attacks

exploit different strategies. There is a differentiation between protocol attacks and brute-force attacks that are based on the vulnerability that is targeted during an attack.

2.1.5.3.1 Attacks with Protocol In order to consume excess amounts of its resources, protocol attacks

exploit a specific feature or implementation bug of some protocol installed at the victim. Examples include the authentication server attack, the Transmission Control Protocol synchronous idle character. (TCP SYN) attack, and the Common Gateway Interface (CGI) request attack.

The exploited feature in the TCP SYN attack is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN request. The attacker initiates multiple connections that are never completed, thus filling up the connection queue indefinitely. The attacker consumes the CPU time of the victim by issuing multiple CGI requests in the CGI request attack. Also, the attacker exploits the fact that the signature verification process consumes significantly more resources than bogus signature generation in the authentication server attack. He or she sends numerous bogus authentication requests to the server, thus tying up its resources.

2.1.5.3.2 Attacks with Brute-Force By initiating a vast amount of seemingly legitimate transactions, brute-

force attacks are performed. This exhausts the victim's resources, since an upstream wireless network can usually deliver higher traffic volume than the victim wireless network can handle. Here, based on the relation of packet

L 25

contents with victim services into filterable and nonfilterable attacks, brute-force attacks are further divided [2].

2.1.5.3.2.1 Attacks Which are FUterable For non-critical services of the victim's operation, filterable attacks use

bogus packets or packets, and thus can be filtered by a firewall. Examples of such attacks are an Internet Control Message Protocol (ICMP) request flood attack on a Web server or a User Datagram Protocol (UDP) flood attack.

2.1.5.3.2.2 Attacks Which Are Non-Filterable Packets that request legitimate services from the victim are used by non-

filterable attacks. Thus, filtering all packets that match the attack signature would lead to an immediate denial of the specified service to both attackers and the legitimate clients. Examples are a domain name server (DNS) request flood targeting a name server or a HTTP request flood targeting a Web server.

The line between protocol and brute force attacks is thin. Protocol attacks also overwhelm a victim's resources with excess traffic. Badly designed protocol features at remote hosts are frequently used to perform "reflector" brute-force attacks, such as the DNS request attack [2] or the Smurf attack [2]. The difference is that a victim can mitigate the effect of protocol attacks by modifying the deployed protocols at its site. This takes place all the while it is helpless against brute-force attacks due to its own limited resources (a victim can do nothing about an attack that swamps its wireless network bandwidth) or due to their misuse of legitimate services (non-filterable attacks).

If you counter protocol attacks by modifying the deployed protocol, it pushes the corresponding attack mechanism into the brute-force category. For example, if the victim deploys TCP SYN cookies [2] to combat TCP SYN attacks, it will still be vulnerable to TCP SYN attacks that generate more requests than its wireless network can accommodate. However, to inflict damage at the victim, the brute-force attacks need to generate a much higher volume of attack packets than protocol attacks. So, by modifying the deployed protocols, the victim pushes the vulnerability limit higher. Evidently, classification of the specific attack needs to take into account both the victim's configuration and the attack mechanisms used.

Note: It is interesting that the variability of attack packet contents is determined by the exploited vulnerability.

Packets comprising protocol and non-filterable brute force attacks must specify some valid header fields and possibly some valid contents. For example, unless they hijack connections from legitimate clients, TCP SYN attack packets cannot vary the protocol or flag field, and HTTP flood packets

26 Chapter 1

must belong to an established TCP connection and therefore cannot spoof source addresses.

2.1.5.4 Attack Rate Dynamics Classification Now, let's differentiate here between continuous rate and variable rate

attacks [2]. Of course, your ability to differentiate between the two all depends on attack rate dynamics.

2.1.5.4.1 Attacks With A Continuous Rate A continuous rate mechanism is deployed by the majority of known

attacks. Agent machines generate the attack packets with full force after the onset is commanded. This sudden packet flood disrupts the victim's services quickly, and thus leads to attack detection.

2.1.5.4.2 Attacks Which Are Of A Variable Rate Variable rate attacks are more cautious in their engagement. They also

vary the attack rate to avoid detection and response. You can also differentiate between attacks with increasing rate and fluctuating rate soley based on the rate change mechanism [2].

2.1.5.4.2.1 Attacks Which Are Of An Increasing Rate A slow exhaustion of victim's resources are attacks that have a gradually

increasing rate lead. A state change of the victim could be so gradual that its services degrade slowly over a long time period. This could result in delaying detection of the attack.

2.1.5.4.2.2 Attacks With A Fluctuating Rate By occasionally relieving the effect to avoid detection, attacks that have a

fluctuating rate adjust the attack rate based on the victim's behavior. There is also the example oi pulsing attacks at the extreme end [2]. Agent hosts periodically abort the attack and resume it at a later time during pulsing attacks. The victim experiences periodic service disruptions if this behavior is simultaneous for all agents. The victim experiences continuous denial of service if, however, agents are divided into groups who coordinate so that one group is always active.

2.1.5.5 Impact Classification Now, let's differentiate between disruptive and degrading attacks [2]. Of

course, this again depends on the impact of a DDoS attack on the victim.

7. 27

2.1.5.5.1 Attacks Which Are Disruptive To completely deny the victim's service to its clients is the goal of

disruptive attacks. All currently known attacks belong to this category.

2.1.5.5.2 Attacks Which Are Degrading To consume some (presumably constant) portion of a victim's resources

is the goal of degrading attacks. These attacks could remain undetected for a significant time period, since they do not lead to total service disruption. Damage inflicted on the victim could be immense on the other hand. For example, an attack that effectively ties up 40% of the victim's resources would lead to denial of service to some percentage of customers during high load periods, and possibly slower average service. Some customers dissatisfied with the quality would consequently change their service provider and the victim would thus lose income. To upgrade its servers and wireless networks, alternately, the false load could result in a victim spending money.

2.1.6 Classification Of DDoS Defense Mechanisms

The advent of numerous DDoS defense mechanisms, were the result of the seriousness of the DDoS problem and the increased fi'equency of DDoS attacks. Some of these mechanisms address a specific kind of DDoS attack such as attacks on Web servers or authentication servers. Other approaches attempt to solve the entire generic DDoS problem. If deployed in an environment where these requirements are not met, most of the proposed approaches require certain features to achieve their peak performance, and will perform quite differently.

There is no silver bullet against DDoS attacks, as is fi^equently pointed out,. Therefore you need to understand not only each existing DDoS defense approach, but also how those approaches might be combined together to effectively and completely solve the problem. The proposed classification, shown in Fig. 1-2, should help you reach this goal [2].

2.1.6.1 Activity Level Classification Now, let's differentiate hQtwQcnpreventive and reactive mechanisms [2].

This is based on the activity level of DDoS defense mechanisms.

28 Chapter 1

DD»:i.S Dcft-ne^c: Mechanisms,

r iiiKstftc-Uioa bv

CJa.ssi fk" all on by pfeveniion goal

- ^ Attack prcv'tyntton |

CI a :5si tl.c au on b y

- W S)'.stcai Securit-v

1 F.L-otoco| Sf^cuiity

*|DoS pR'vcntifcm

C'LassiricLiuoft by

\Ji Clyftstt'JcyluYn by

dficc lion fvli aicj2)

[—iq Am>r(i;jly |

H>-b:i;id

Tltifd-paity

C'lassitiicatftni b y

dcgrcrt

C.•]3.s ^ tlcytu>•n by

fcsponsc strategy

• Agt'iU HkimfiaiUoxi

\TAm-m>i\

Ctas-ijfication by

Vtctirn nctvvctrk [

Irik-f rncrdi.'tT.c .uetvvc.-fk |

Source notwu/k

I CaopcraHV' Ki-;f;onfi<rumtion ^ i -, ; 1

Figure 1-2. Classification of DDoS defense mechanisms.

2.1.6.1.1 Preventive Mechanisms Goal To enable potential victims to endure the attack without denying services

to legitimate clients or to eliminate the possibility of DDoS attacks altogether, is the goal of preventive mechanisms. According to these goals, let's further divide preventive mechanisms into attack prevention, denial-qf-serv'ice prevention, intrusion prevention systems mQchanisms [2].

2.1.6.1.1.1 Modification Of Attack Prevention Mechanisms In order to eliminate the possibility of a DDoS attack, attack prevention

mechanisms modify the system configuration. Based on the target they secure, let's further divide them into wireless network security system and protocol security mQchanisms [2].

2.1.6.1.1.1.1 Wireless Network Security System Mechanisms Wireless network security system mechanisms increase the overall

security of the system, guarding against illegitimate accesses to the machine, removing application bugs and updating protocol installations to prevent intrusions and misuse of the system. DDoS attacks owe their power to large numbers of subverted machines that cooperatively generate the attack streams. If these machines were secured, the attackers would lose their army and the DDoS threat would then disappear. On the other hand, systems

L 29

vulnerable to intrusions can themselves become victims of DDoS attacks in which the attacker, having gained unlimited access to the machine, deletes or alters its contents. Potential victims of DDoS attacks can be easily overwhelmed if they deploy vulnerable protocols. Examples of wireless network security system mechanisms include monitored access to the machine; applications that download and install security patches; firewall systems; virus scanners; intrusion detection systems; access lists for critical resources; capability-based systems; and, client-legitimacy-based systems [2]. The history of computer wireless network security suggests that this approach can never be 100% effective. But, doing a good job here will certainly decrease the frequency and strength of DDoS attacks.

2.1.6.1.1.1.2 Protocol Wireless Network Security Mechanisms The problem of bad protocol design is addressed by protocol wireless

network security mechanisms. Many protocols contain operations that are cheap for the client but expensive for tile server. Such protocols can be misused to exhaust the resources of a server by initiating large numbers of simultaneous transactions. Classic misuse examples are the TCP SYN attack, the authentication server attack, and the fragmented packet attack, in which the attacker bombards the victim with malformed packet fragments forcing it to waste its resources on reassembling attempts. Examples of protocol wireless network security mechanisms include guidelines for a safe protocol design in which resources are committed to the client only after sufficient authentication is done, deployment of powerful proxy server that completes TCP connections or the client has paid a sufficient price, etc [2].

The victim is completely resilient to protocol attacks, by deploying comprehensive protocol and wireless network security system mechanisms. Also, these approaches are inherently compatible with and complementary to all other approaches.

2.1.6.1.1.2 Enabling Denial-Of-Service Prevention Mechanisms Without denying service to legitimate clients, denial-of-service

prevention mechanisms enable the victim to enable attack attempts. This is done either by enforcing policies for resource consumption or by ensuring that abundant resources exist so that legitimate clients will not be affected by the attack. Consequently, based on the prevention method, let's differentiate here between resource accounting and resource multiplication mechanisms [2].

2.1.6.1.1.2.1 Using Resource Accounting Mechanisms To Police Based on the privileges of the user and his or her behavior, resource

accounting mechanisms police the access of each user to resources. Such

30 Chapter 1

mechanisms guarantee fair service to legitimate well-behaving users. In order to avoid user identity theft [9], they are usually coupled with legitimacy-based access mechanisms that verify the user's identity [2].

2.1.6.1.1.2.2 Resource Multiplication Mechanisms Counter DDoS Threats

In order to counter DDoS threats, resource multiplication mechanisms provide an abundance of resources. The straightforward example is a system that deploys a pool of servers with a load balancer and installs high bandwidth links between itself and upstream routers. This approach essentially raises the bar on how many machines must participate in all attack to be effective. While not providing perfect protection, for those who can afford the costs, this approach has often proven sufficient. For example, Microsoft has used it to weather large DDoS attacks.

2.1.6.1.1.3 Intrusion Prevention Systems Mechanisms Intrusion Detection Systems form a small but critical piece of the

computer security jigsaw, alerting to intrusions and attacks aimed at computers or networks. They're not the computer security panacea. But, they are your eyes and ears, essential in knowing whether you are under attack. Intrusion Prevention Systems (IPS) mechanisms take this concept to the next level and sit inline blocking the packets you tell them to based on signatures as per the IDS. They can be highly effective as a defensive tool but need to be configured with great care and attention in stages.

IPS mechanisms sit inline on the network, statefiiUy analyzing packet content and block certain packets that match a signature and alert on others. It is sometimes easier to explain what isn't an IPS mechanism, for instance, products that just block by port such as routers and many firewalls. Furthermore, the IPS mechanism must block the packet and not just use TCP resets, spoof reject packets fi*om border devices or update border devices to shun addresses.

2.1.6.1.2 Reactive Mechanisms Alleviate The Impact Of An Attack Reactive mechanisms strive to alleviate the impact of an attack on the

victim. In addition, they need to detect the attack and respond to it in order to attain this goal [2].

To detect every attempted DDoS attack as early as possible and to have a low degree of false positives, is the goal of attack detection. Upon attack detection, steps can be taken to characterize the packets belonging to the attack stream and provide this characterization to the response mechanism. Based on the attack detection strategy into mechanisms that deploy pattern

L 31

detection, anomaly detection, hybrid detection, and third-party detection, is the classification of reactive mechanisms [2].

2.1.6.1.2.1 Pattern Attack Detection Mechanisms The signatures of known attacks in a database are stored by mechanisms

that deploy pattern detection. Each commimication is monitored and compared with database entries to discover occurrences of DDoS attacks. Occasionally, the database is updated with new attack signatures. The obvious drawback of this detection mechanism is that it can only detect known attacks, and it is usually helpless against new attacks or even slight variations of old attacks that cannot be matched to the stored signature. Nonetheless, no false positives are encountered and known attacks are easily and reliably detected.

2.1.6.1.2.2 Anomaly Attack Detection Mechanisms Deployment of anomaly detection mechanisms have a model of normal

system behavior, such as a model of normal traffic dynamics or expected system performance. The current state of the system is periodically compared with the models to detect anomalies. The advantage of anomaly detection over pattern detection is that unknown attacks can be discovered. However, anomaly-based detection has to address two issues: threshold setting and model update [2].

2.1.6.1.2.2.1 Setting The Threshold When the current system state differs from the model by a certain

threshold, anomalies are detected. While a high threshold reduces the sensitivity of the detection mechanism, the setting of a low threshold leads to many false positives.

2.1.6.1.2.2.2 Update The Model With time, systems and communication patterns evolve. And, models

need to be updated to reflect this change. Anomaly-based systems usually perform automatic model update using statistics gathered at a time when no attack was detected. The detection mechanism are made vulnerable by this approach to increasing rate attacks that can delay or even avoid attack detection and mistrain models.

2.1.6.1.2.3 Hybrid Attack Detection Mechanisms Using data about attacks discovered through an anomaly detection

mechanism to devise new attack signatures and update the database, have allowed many intrusion detection systems to use hybrid detection.

32 Chapter 1

Mechanisms that deploy hybrid detection combine the pattern-based and anomaly-based detection.

Property extracting a signature from a detected attack can be challenging, if these systems are fully automated. Also, the system itself can become a denial-of-service tool. Therefore, the system must be careful not to permit attackers to fool it into detecting normal behavior as all attack signature.

2.1.6.1.2.4 Third-Party Attack Detection Mechanisms By relying on an external message that signals the occurrence of the

attack and provides attack characterization, mechanisms that deploy third-party detection do not handle the detection process themselves. Easily found among traceback mechanisms, are examples of mechanisms that use third-party detection [2].

While imposing minimal collateral damage to legitimate clients of the victim, the goal of the attack response is to relieve the impact of the attack on the victim. The reactive mechanisms are classified here based on the response strategy into mechanisms that deploy agent identification, rate-limiting, filtering and reconfiguration approaches [2].

2.1.6.1.2.5 Mechanisms For Agent Identification The identity of the machines that are performing the attack, are reveled

by agent identification mechanisms that provide the victim with information. This information can then be combined with other response approaches to alleviate the impact of the attack. To eliminate spoofing, are agent identification examples that include numerous traceback techniques and approaches. So, for agent identification, this enables the use of the source address field [2].

2.1.6.1.2.6 Mechanisms For Rate-Limiting On a stream that has been characterized as malicious by the detection

mechanism, rate-limiting mechanisms impose a rate limit. Rate limiting is a lenient response technique that is usually deployed when the detection mechanism has a high level of false positives or cannot precisely characterize the attack stream. Even if all traffic streams are rate-limited, the disadvantage is that they allow some attack traffic through, so extremely high scale attacks might still be effective.

2.1.6.1.2.7 Mechanisms Filtering In order to filter out the attack stream completely, filtering mechanisms

use the characterization provided by a detection mechanism. Examples include dynamically deployed firewalls, and also a commercial system called TrafficMaster (http://www.mazunetworks.com/) [2]. Unless detection

7. 33

strategy is very reliable, filtering mechanisms run the risk of accidentally denying service to legitimate traffic. Thus, clever attackers might leverage them as denial-of-service tools. And, that is even a worse situation.

2.1.6.1.2.8 Mechanisms for Reconfiguration The topology of the victim or the intermediate wireless network are

changed by the reconfiguration mechanisms to isolate the attack machines or to either add more resources to the victim. Reconfigurable overlay wireless networks, resource replication services, attack isolation strategies, etc., are examples [2].

Detection and response can be performed by reactive DDoS defense mechanisms that are either in cooperation with other entities in the Internet or alone. So, based on the cooperation degree, let's differentiate between autonomous, cooperative and interdependent mQchamsms [2].

2.1.6.1.2.9 Mechanisms Which Are Autonomous Independent attack detection and response are performed by autonomous

mechanisms. They are usually deployed at a single point in the Internet and act locally. Firewalls and intrusion detection systems provide an easy example of autonomous mechanisms.

2.1.6.1.2.10 Mechanisms Which Are Cooperative Capable of autonomous detection and response, are what are known as

cooperative mechanisms. But, they can also achieve significantly better performance through cooperation with other entities. Mechanisms deploying pushback [2] provide examples of cooperative mechanisms. They detect the occurrence of a DDoS attack by observing congestion in a router's buffer, characterize the traffic that creates the congestion, and act locally to impose a rate limit on that traffic. Nevertheless, if the rate limit requests can be propagated to upstream routers who otherwise may be unaware of the attack, they achieve significantly better performance.

2.1.6.1.2.11 Mechanisms That Are Interdependent Interdependent mechanisms caimot operate autonomously. In other

words, ilnterdependent mechanisms rely on other entities either for attack detection or for efficient response. Traceback mechanisms [2] provide examples of interdependent mechanisms. Almost no benefit would be provided by a traceback mechanism deployed on a single router.

34 Chapter 1

2.1.6.2 Deployment Location Classification Now, let's look at deployment location. In other words, let's differentiate

between DDoS mechanisms deployed at the victim, intermediate, or source wireless network.

2.1.6.2.1 Victim- Wireless Network Mechanisms This network is protected from DDoS attacks by DDoS defense

mechanisms deployed at the victim wireless network; as well as, a response to detected attacks by alleviating the impact on the victim. Historically, most defense systems were located at the victim since it suffered the greatest impact of the attack and was therefore the most motivated to sacrifice some resources for increased wireless network security. Examples of these systems are provided by resource accounting and protocol wireless network security mechanisms [2].

2.1.6.2.2 Intermediate- Wireless Network Mechanisms Infrastructural service is provided to a large number of Internet hosts by

DDoS defense mechanisms deployed at the intermediate wireless network. Victims of DDoS attacks can contact the infrastructure and request the service, possibly providing adequate compensation. Examples of intermediate-wireless network mechanisms, are pushback and traceback techniques [2],

2.1.6.2.3 Source- Wireless Network Mechanisms To prevent customers that are using this network from generating DDoS

attacks, is the goal of DDoS defense mechanisms deployed at the source wireless network. Such mechanisms are necessary and desirable, but motivation for their deployment is low since it is unclear who would pay the expenses associated with this service [2].

2.1.7 Traffic Limiting And Profiling IDS Technology: The Next Step

Finally, a particularly important development in anomaly-based intrusion detection system (IDS) technology for countering DDoS attacks is the capability to taking action against traffic flows that exceed admin-configured thresholds. This entails the use of traffic restriction and profiling measures that leverage a key feature of TCP/IP to validate whether or not the core wireless network is receiving real traffic from non-spoofed sources * a requirement in order to take appropriate action.

The relevant TCP/IP feature is the way the protocol reframes to manage communication between two hosts. Legitimate TCP/IP hosts will react if the destination system slows down the rate of acknowledgments used in the

7. 35

communication protocol. Bad traffic (such as traffic originating from flooding hosts) cannot react and, therefore, is an anomaly.

With this implementation of IDS technology, network managers can configure custom policies that expose wireless network traffic anomalies. These policies may include data traffic thresholds, wireless network protocol, source and destination port, source and destination IP addresses, and timeout intervals. The IDS could then alert, throttle (traffic limit), redirect or block traffic based on the configured policy. All the while, legitimate traffic is allowed to pass with no added latency.

User-defined timeout intervals are used to progressively enforce the policy for a specified duration and then execute the next action. These policies may also be used to deny traffic from a set of source IP addresses for a user-specified amount of time after the attack subsides. Once the malicious traffic is no longer present, the IDS automatically removes the policies and filters that were applied during the attack and logs all actions taken during the attack.

A traffic-limiting and profiling IDS works optimally when implemented "inline" within the wireless network, not on the edge like many IDS products. Accordingly, its functioning does not involve logging into the network router. This is an important architectural consideration since an edge IDS product that sends a user name and password across a wire to a router, even if it is a secure login, presents a wireless network security risk.

An advanced implementation of traffic-limiting and profiling IDS technology can execute policies within one second of detecting an anomaly. As a result, wireless network managers have a powerful tool for countering: • Reflector attacks. • Flood attacks. • Spoofed-Source attacks [12].

2.1.7.1 Reflector Attacks Because all hosts answering an Echo Request will reply with their native

IP address, the IDS will immediately deny traffic from any responding host. The IDS can be configured to dynamically adapt itself and deny traffic from all reflecting hosts.

2.1.7.2 Flood Attacks Any IP host that refuses to lower its outbound traffic-rate to meet

administrator-set thresholds is most likely running an attack tool of some type. Traffic from this host will be denied until the attack subsides.

36 Chapter 1

2.1.7.3 Spoofed-Source Attacks The IDS can complement existing edge devices to provide egress, or

outbound, filtering of packets. This is essential to any ISP's Good-Neighbor policy, as it would prevent a wireless network fi-om being the source of such an attack.

The increasing sophistication of DoS and DDoS attacks serves as a serious wakeup call to the importance of proactive information protection in today's Internet economy. As more types of attacks continue to be developed, it is more critical than ever that organizations take the appropriate actions to prevent their systems and wireless networks fi-om being overwhelmed, while protecting the availability and integrity of their networks and Web sites. To this end, IDS technologies that utilize traffic restriction and profiling techniques can play a key role [12]. Finally, IDS technology will be discussed later in this chapter and in greater detail in Chapters 8, "Standards Design Issues;" 11, "Wireless Network Security Planning Techniques;" and 18, "Management Of Wireless Network Security."

Now, let's look at wireless security in business networks. First of all, let's begin by discussing the basic access control methods that form the basis of the 802.11 architecture. These methods are best suited to small networks with low-to-medium security requirements. Second, a more robust virtual private network (VPN)-based security solution is presented that provides better security and scales well to large networks. Finally, a possible future solution based on the upcoming 802. IX security standard is discussed, which enables port-level access control.

2.2 Business Wireless Network Security

IT organizations are working to implement security mechanisms that are equivalent to those existing today for wire-based networks, with the increasing deployment of 802.11 wireless networks in business environments. An important aspect of this is the need to provide secure access to the network for valid users. Existing wired network jacks are located inside buildings already secured from unauthorized access through the use of keys, badge access, and so forth. A user mixst gain physical access to the building in order to plug a client computer into a network jack. In contrast, a wireless access point (AP) may be accessed from off the premises if the signal is detectable (for instance, from a parking lot adjacent to the building). Thus, prior to user authentication into the network domain, wireless networks require secure access to the AP and the ability to isolate the AP from the internal private network.

1. 37

2.2.1 802.11 Security Basics

To secure access to an AP that are built into 802.11 networks, there are currently three basic methods: • Service set identifier (SSID). • Media Access Control (MAC) address filtering. • Wired Equivalent Privacy (WEP) [3][5].

One or all of preceding methods may be implemented, but all three together provide a more robust solution.

Note: Network administrators may also choose not to implement any of these methods.

2.2.2 SSID

By using an SSID associated with an AP or group of APs, network access control can be implemented. The SSID provides a mechanism to "segment" a wireless network into multiple networks serviced by one or more APs. Each AP is programmed with an SSID corresponding to a specific wireless network. To access this network, client computers must be configured with the correct SSID. A building might be segmented into multiple networks by floor or department. So, for users who require access to the network fi'om a variety of different locations, typically, a client computer can be configured with multiple SSIDs.

The SSID acts as a simple password and, thus, provides a measure of security, because a client computer must present the correct SSID to access the AP. However, this minimal security is compromised if the AP is configured to "broadcast" its SSID. When this broadcast feature is enabled, any client computer that is not configured with a specific SSID is allowed to receive the SSID and access the AP. In addition, because users typically configure their own client systems with the appropriate SSIDs, they are widely knovm and easily shared.

Note: It is strongly recommended that APs be configured with broadcast mode disabled.

2.2.3 Filtering Of The MAC Address

A client computer can be identified by the imique MAC address of its 802.11 network card, while an AP or group of APs can be identified by an SSID. To increase the security of an 802.11 network, each AP can be programmed with a list of MAC addresses associated with the client

38 Chapter 1

computers allowed to access the AP. Therefore, the client is not allowed to associate with the AP, if a client's MAC address is not included in this list.

Improved security is provided by MAC address filtering (along with SSIDs). But, it is best suited to small networks where the MAC address list can be efficiently managed. Each AP must be manually programmed with a list of MAC addresses, and the list must be kept up-to-date. So, the scalability of this approach is limited by this administrative overhead.

2.2.4 Security Of The WEP-Based Protocol

Transmissions over wired networks are harder to intercept than wireless transmissions. The 802.11 standard currently specifies the WEP security protocol to provide encrypted communication between the client and an AP. Ron's Code 4 Pseudo Random Number Generator (RC4 PRNG) is employed by the WEP symmetric key encryption algorithm [3]:

All clients and APs on a wireless network use the same key to encrypt and decrypt data under WEP. The key resides in the client computer and in each AP on the network. The 802.11 standard does not specify a key management protocol, so all WEP keys on a network must be managed manually. Support for WEP is standard on most current 802.11 cards and APs. Ad hoc (or peer-to-peer) 802.11 networks that do not use APs, do not have WEP security available to them.

A 40-bit encryption key is specified by WEP. And, there are also implementations of 104-bit keys. The encryption key is concatenated with a 24-bit "initialization vector," resulting in a 64-or 128-bit key. This key is input into a pseudorandom number generator [3]. The data to be transmitted is encrypted by the resulting sequence.

WEP encryption has been proven to be vulnerable to attack. Scripting tools exist that can be used to take advantage of weaknesses in the WEP key algorithm to successfiilly attack a network and discover the WEP key. The industry and IEEE are working on solutions to this problem. And, encryption technology for WEP will be replaced by the Advanced Encryption Standard (AES).

In the meantime, WEP-based security can still be a component of the security solution used in small, tightly managed networks with low-to-medium security requirements, despite the weaknesses. In these cases, 128-bit WEP should be implemented in conjunction with MAC address filtering and SSID (with the broadcast feature disabled). To minimize risk, customers should change WEP keys on a regular schedule.

The VPN solution discussed next, is preferable for networks with high security requirements. The VPN solution is also preferable for large networks, in which the administrative burden of maintaining WEP

7. 39

encryption keys on each client system and AP; as well as, MAC addresses on each AP, makes these solutions impractical. In addition, a lost or stolen client system requires that all keys be changed, because all clients and APs use the same WEP encryption key.

Depending on the organization's ability to administer the network; the choice of security methods (SSID; WEP; MAC address filtering); and, its tolerance for risk, the number of wireless client systems becomes unmanageable and varies. If MAC address filtering is used on a wireless network, the fixed upper limit is established by the maximum number of MAC addresses that can be programmed into each AP used in an installation. In some cases, this upper limit is 255.

However, the manageable number of clients when using MAC address filtering is likely to be considerably less than 255 clients for many organizations. Fig. 1-3 depicts WEP-based security with MAC address filtering [3].

addresses ^_^-"

V.

/A-

Figure 1-3. 802.11 Security Using SSID, MAC Address Filtering and WEP.

2.2.5 Wireless Security For VPN Solutions

A VPN solution for wireless access is currently the most suitable alternative to WEP and MAC address filtering for business networks. VPN solutions are already widely deployed to provide remote workers with secure

40 Chapter 1

access to the network via the Internet. In this remote user application, the VPN provides a secure, dedicated path (or "tunnel") over an "untrusted" network. The Internet Various tunneling protocols, including the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) are used in conjunction with standard, centralized authentication solutions, such as Remote Authentication Dial-In User Service (RADIUS) servers, in this particular case [3].

For secure wireless access, the same VPN technology can also be used. In this application, the "untrusted" network is the wireless network. The APs are configured for open access with no WEP encryption, but wireless access is isolated from the enterprise network by the VPN server and a VLAN between the APs and the VPN servers.

Note: The APs should still be configured with SSIDs for network segmentation.

Authentication and full encryption over the wireless network is provided through the VPN servers that also act as gateways to the private network. The VPN-based solution is scalable to a very large number of users, unlike the WEP key and MAC address filtering approaches.

Fig. 1-4 shows how VPN connections can provide flexible access to a private network [3]. Remote workers can use a dial-up, cable modem, or Digital Subscriber Line (DSL) connection to the Internet and then establish a VPN connection to the private network. Public wireless APs in locations such as airports can also be used to establish a VPN connection back to the private network. Finally, on-campus 802.11 wireless access can be im­plemented via a secure VPN connection. The user login interface is the same for each of these scenarios, so that the user has a consistent login interface. The VPN approach has a number of advantages: • Currently deployed on many enterprise networks. • Scalable to a large number of 802.11 cHents. • Low administration requirements for 802.11 APs and clients. The VPN

servers can be centrally administered. • Traffic to the internal network is isolated until VPN authentication is

performed. • WEP key and MAC address list management becomes optional because

of security measures created by the VPN channel itself. • Consistent user interface in different locations such as at home, at work,

and in an airport [3].

41

Secure VPN connection

Figure 1-4. 802.11 VPN Wireless Security.

The lack of support for multicasting is a drawback to current VPN solutions. See "Wireless Clients Multicasting" later in this part of the chapter.

Roaming between wireless networks is not completely transparent. However, it is another minor drawback. When roaming between VPN servers on a network or when the client system resumes from standby mode, users receive a logon dialog.

All VPN client computers should be equipped with personal firewall protection. This is highly recommended. See "Protecting Firewalls" later in this part of the chapter.

2.2.6 Port-Based Network Access With 802.1X

The IEEE standard, 802.IX, for generic, extensible port-based authentication has now been approved. The specification is general: it applies to both wireless and wired Ethernet networks. In the context of an 802.11 wireless network, 802.IX is used to securely establish an authenticated association between the client and the AP. Generally, the scenario would be as follows. The user of an 802.11 wireless client system (rather than the client system itself) requests access to an AP. The AP passes

42 Chapter 1

the request to a centralized authentication server that handles the authentication exchange and, if successful, provides an encryption key to the AP. The AP uses the key to securely transmit a unicast session or multicast/global encryption key to the client. At this point, the client has access to the network, and transmissions between the client and AP are encrypted.

Note: Currently, WEP is the only encryption method supported by the 802.11 standard, but AES is a replacement method.

At this point, the user may log on to the network domain. Fig. 1-5 summarizes this process [3].

to ^T^

Authentication Server

^Jl)'-Access T ^

point c : : : : ^ - - ^^,^^p^^^,

J WEP

• 1 1 I

(- )y

( 1 ) User requests authentication. AP prevents networl< access.

( 2 ) Encrypted credentials sent to authentication server (RADIUS).

f 3 ; Authentication server validates user and grants access rights

( 4 ) AP port is enabled and WEP keys are assigned to client (encrypted).

( 5 ) Wireless client accesses general network services securely.

Figure 1-5. Possible Future 802.1X/RADIUS Architecture.

802. IX does not require a specific protocol for authentication. Instead, it specifies that the Extensible Authentication Protocol (EAP) will be used. BAP is an encapsulation protocol that allows different authentication protocols to be selected and used. Effectively, EAP serves as a conduit for other authentication protocols such as RADIUS, Kerberos, and Secure IDs.

The 802. IX standard also includes a management specification for complete end-to-end management of the 802.IX protocol. The 802.IX approach has the following advantages: • Standards-based. • Flexible authentication: administrators may choose the type of

authentication method used.

L 43

• Scalable to large enterprise networks. • Centrally managed. • Encryption keys are dynamically generated and propagated. • Because authentication is central, rather than at each AP, roaming can be

made as transparent as possible. At most, the user may be asked for alternate credentials if an AP requires alternate identification [3].

Note: The 802. IX standard was finalized in June 2001 and future Microsoft® Windows® operating systems continue to include native 802. IX support.

2.2.7 VPNs And 802.1X

With the preceding in mind, 802. IX is designed to authenticate and distribute encryption keys (currently WEP) between the wireless client and an AP. It is not designed to be a generalized VPN solution suitable for secure remote access. Thus, from remote or home offices, VPNs are still required for remote access using public APs (in airports or hotels).

2.2.8 Wireless Clients Multicasting

From one source to many users over a network, multicasting is a technique used to deliver data efficiently in real time. In some large networks, a portion of the network bandwidth is used for multicasting applications such as streaming audio and video applications (press conferences, training classes, and so forth) to groups of users. These data streams, if unicast (that is, transmitted individually) to each end user, would be a much greater burden on the network. Multicasting uses network bandwidth more efficiently by transmitting these types of data as one common data stream over the backbone. Network switches then deliver individual data streams to each client connected to them, in most cases.

WTien designing an 802.11 wireless network, multicasting requirements must be carefixUy considered. While multicasting is supported in 802.11 networks, current bandwidth limitations at the AP, as well as W^P key management issues, restrict the ability to deliver these data streams efficiently and securely to wireless clients. Current 802.11 b (also referred to as Wi-Fi) APs have a maximum theoretical bandwidth of 11 Mbps [3], which must be shared by all clients accessing the AP. Depending on its volume, multicasting traffic can reduce the AP's available bandwidth significantly. In addition, if WEP encryption is used to secure the wireless network, a separate key must be configured on each client to support multicasting (in addition to the key required for unicast traffic). Furthermore, current VPN solutions only support multicast by unicasting the data stream

44 Chapter 1

individually to each wireless VPN client. Multicasting to wireless clients can be problematic in real-world, secure deployments, because of these limitations.

The 802.IX standard addresses some of these multicasting issues by enabling dynamic encryption key management. So that dynamic multicast key distribution becomes possible in large organizations, keys can be issued and managed in real time (provided authentication succeeds).

2.2.9 Protecting Firewalls

All 802.11 client systems should be equipped with personal firewall software protection (see sidebar, "Firewall Bypass Exploitation"), in addition to the security solutions presented in this chapter so far. Like PCs with always on [3] cable modem and DSL Internet access connections, 802.11 clients can be vulnerable to hacker attacks from other users connected to the AP. Thus, the goal of firewall software is to protect the roaming user's confidential local data against as many possible attacks as are currently known and understood. Although, the nature of these attacks may vary.

Firewall Bypass Exploitation

A new and some say troubling trend is emerging among wireless network carriers who are enabling users to lift data remotely from corporate networks without IT oversight, according to industry observers. Dissatisfied with the slow pace of corporate adoption of wireless networks, carriers are taking a new route, going directly to employees and bypassing the IT departments.

Cingular Wireless has followed Sprint PCS' lead to become the second major wireless network carrier to give users access not only to e-mail, calendars, and contacts residing on the network, but to just about any file on any directory; as long as, a user's desktop or a delegated co-worker's desktop is active. It is sneaking into the firewall, but sometimes you get to the IT department by showing them how many different individual users are already using a technology.

Behind Cingular's service and Sprint's Business Connection Personal Edition is Redwood City, California.-based Seven, which offers its System Seven architecture in two flavors: one

1. 45

for IT departments and another for individuals. The Seven solution also supports Lightweight Directory Access Protocol (LDAP) access. It makes the cell phone a wonderful extension to the PC.

Seven establishes an outbound connection and gains access by using Port 443, the same Web link used to surf the Web and send email. The System Seven server registers itself as an available resource, allowing queries back to the desktop. Company officials insist that System Seven conforms to the highest levels of transport wireless network security.

But, unsupervised port access can be harmful. Network intrusions and lost or stolen devices could lead to information loss or theft. At the very least, companies need to acknowledge the issue. They need to find out what people are doing and put a policy or device restrictions in place [13].

As previously discussed earlier in the chapter, the threat of denial of service attacks has caused a backlash in the ISP market. As a result, ISPs are demanding higher levels of wireless network security and information warfare countermeasures from their customers—levels that seem unreasonable to some IT departments.

2.2.10 Information Warfare

Finally, the prevalence of denial-of-service (DoS) attacks shows that cyberterrorism is alive and well—and that e-businesses and their service providers aren't doing enough to stop it. Unfortunately, most of corporate America and ISPs seem to only focus on is who to blame. After an attack on Microsoft, access was shut off to everything from Expedia to Hotmail. The company attributed the problem to one employee's misconfiguration of a router. Yet, experts noted it was a failure to distribute DNS servers that made the company vulnerable to begin with.

If a private company is going to minimize the number and effect of DoS attacks, what's required is a spirit of cooperation between companies and their ISPs, as well as among the ISPs themselves. ISPs are starting to tackle the subject of wireless networkwide security, but they're doing it by laying out requirements for their corporate customers, rather than working with them. In many cases, customers either follow the ISP's wireless security guidelines or find a new ISP— there's no room for negotiation. It's high time ISPs and their clients start sharing information about what works (and doesn't work) in terms of network architecture, data access, wireless network

46 Chapter 1

security systems and information warfare (see Chapters 22 to 28 for a detailed discussion of information warfare).

2.2.11 The Danger Of DoS

As previously discussed earlier in the chapter, everyone along the e-business food chain has something to lose when a DoS attack succeeds. The site that's been hit loses traffic, revenue, and customer loyalty. The ISP loses customer confidence and spends significant resources combating the attack. Ultimately, every site that relies on the ISP must spend time and resources reassessing its wireless network security levels.

ISPs must ask themselves whether they're doing everything possible fi-om a wireless network monitoring and warning perspective. They should be giving serious thought to the latest wireless network security tools that can stop DoS attacks at their routers. After all, once an attack gets through the ISP, it's a lot tougher for an individual site to fend it off.

ISPs must communicate the types of attacks they're experiencing. They also must be prepared to notify one another of attacks, and even coordinate their responses when they do get hit. With so much at risk, it's hard to imagine why these conversations haven't been taking place all along.

2.2.12 Reasonable Expectations?

Many ISPs have some kind of policy that dictates what companies can and can't do as customers, and the kinds of wireless network security systems that must be in place before they can purchase services. Service providers that have such a policy include Ameritech, AT&T, and CTC Communications, and national ISPs such as EarthLink, Exodus Communications, and PSINet.

These service providers want to see IT managers install information warfare (IW) countermeasures like encryption and authentication products (see sidebar, "Countermeasures"), firewalls that interact with intrusion detection software, dedicated servers, and VPN links to secure data. They also want IT shops to use tools such as antivirus software, specified intrusion detection systems and anti-spam content filtering. With the recent increase in cyberterror attacks, it would seem that the preceding information warfare countermeasures request from the ISPs is very reasonable.

Countermeasures

The various legal roadblocks and technical wizardry contrived by governments and law enforcement to block encryption's spread have, of course, curbed neither the need for the

L 47

technology nor the ingenuity of privacy-loving programmers- As a result, a number of countermeasures have been engineered to augment or replace encryption- Among them are anonymizers, which conceal the identity of the person sending or receiving information, and steganography, which hides the information itself.

The need for anonymity in a democratic society has long been recognized, to shield whistleblowers and political dissenters from retaliation, to protect the records of medical patients, and so on. Less dramatic situations also justify anonymity, such as placing a personal ad or seeking employment through the Internet without jeopardizing one's current job. To be sure, anonymity can be exploited by sociopaths seeking to avoid accountability for their actions. But, in general, it serves a useful social function.

Anonymous and pseudonymous remailers are computers accessible through the Internet that launder the true identity of an e-mail sender Most are operated at no cost to the user. A pseudonymous remailer replaces the sender's e-mail address with a false one and forwards the message to the intended recipient. The recipient can reply to the sender's pseudonymous address, which, in turn, fonA/ards the response to the sender's true address.

Anonymous remailers come in three flavors: cypherpunk, mixmaster, and Web-based, Cypherpunk remailers strip away the message header, which describes where the message came from and how it got there, before forwarding the message to the recipient Conceivably, someone with physical access to such a remailer's phone tines could correlate the incoming and outgoing traffic and make inferences,

Mixmaster remailers avoid that problem by using stronger encryption and tricks for frustrating traffic analysis, such as padding messages to disguise their true length, But even mixmasters can be compromised. For example, through a concerted effort, it would be possible to detect a correlation between Mr. A sending an encrypted message through a

48 Chapter 1

remailer, and Ms. B receiving a message at some variable time afterwards.

Web-based anonymizers range from sites offering conventional anonymizer services, to others where the connection between the user's computer and the anonymizer is itself encrypted with up to 128-bit encryption. The job is done using the standard Secure Socl et Layer (SSL) encryption, built into all Web browsers of recent vintage.

For extra privacy, a message may be routed through a series of remailers. Two popular remailer software packages, Private Idaho and Jack B. Nymble, enable the sender to do this automatically.

The Onion Router project (see the site at http://www.onion-router.net) of the Naval Research Laboratory in Washington, D.C., offers another way to string together remailers. What's more, it allows anonymized and multiply encrypted Web browsing in real time.

Onion routing is a two-stage process. The initiator instructs router W (in this case, a proxy server at the firewall of a secure site) to create an onion, which consists of public-key-encrypted layers of instructions. Router X peels off the first layer of the onion, which indicates the next step in the path and supplies a symmetric decrypting key for use when the actual message comes through later

The onion then goes to Routers Y and Z, depositing keys at each stop. Once the connection is established, the encrypted message is sent through and successively decrypted, arriving at the recipient as plaintext. To respond, the recipient sends the message to Router Z, which encrypts the text, onion-style, and sends it back through the already established path.

A good example of this emerging trend is CTC Communications in Waltham, Mass., one the largest Competitive Local Exchange Carriers (CLECs) in New England. CTC bans the use of spamming and pornography; and, doesn't let its customers use a router for more than one core application.

Note: Of course, there are free speech issues here; but, some CLECs and/or ISPs in their Terms Of Use contract with

L 49

customers, reserve the right in some states to filter out spamming and pornography. Customers reserve the right not to do business with these CLECs and/or ISPs—and, take their business elsewhere.

The company also demands its customers protect all servers with firewalls. Companies either comply or they don't become a CTC customer.

Precisely when ISPs started getting tougher is hard to determine. But it's clear that ISPs weren't making these types of wireless network security demands before the denial-of-service (DoS) attacks occurred. The attacks made service providers aware that it's not just corporate customers getting hacked. The ISPs' systems were commandeered and used to launch virus attacks and DoS attacks; as well as, for vandalism and theft. That's why some of the most common requirements of the ISPs have to do with customers' outgoing traffic, which can directly affect the ISPs. From the ISPs' point of view, their ovm customers or prospective customers are now secu wireless network security threats.

This new approach by ISPs is being felt by IT shops. When an IT manager at CLD Consulting Engineers Inc. in Manchester, N.H., wanted to lease a Tl line from CTC in May 2001, CTC wouldn't agree to deliver service until the civil engineering firm beefed up its wireless network security. CLD spent nearly $14,000 to build a hardware firewall, change the IP address scheme to be much more secure, and install separate routers—one dedicated to Internet access, the other for branch office access.

CLD's experience is not unique. Customers of Boston ISP Breakaway aren't allowed to have dial-up Internet access to company databases fi-om offsite locations, and they must use a VPN or dedicated Tl/partial Tl link. This makes it tough on smaller companies, many of whose employees access company data remotely via a dial-up Internet connection. Analysts also say many companies use basic wireless network security mechanisms such as IDs and passwords to secure this access. But, standard wireless network security methods don't cut it for companies that want to sign on with Breakaway.

Now, all architecture has to be approved by the wireless network security desk before services are offered, and a customer with single-tier access won't be approved, even though it may want to be. They have to lease a site-to-site VPN or a dedicated Tl link. The VPN (the cheaper of the two options) costs an additional $570 per month.

The ISP demands don't always result in higher costs for corporate customers. Sometimes providers want to look under the hood, which can be just as objectionable to some companies.

But, ISPs' fears may be justified. According to a survey in 2004 by the Computer Securities Institute and the San Francisco FBI Computer Intrusion

50 Chapter 1

Squad, 83 percent of CSFs 1,000 member companies detected unauthorized use of their systems over the previous year, up from 87 percent in 2003. The rate of hacking is growing faster than e-commerce itself. CSI has 1,080 security professionals onboard (more than one IT person per company in some cases), and 96 percent worry about disgruntled employees as the biggest security threat. In the past year, ISPs have set up entire departments devoted to fielding phone calls and handling subpoenas from individuals and companies, claiming that ISP customers are spamming, sending viruses, vandalizing Web sites and launching DoS attacks.

One example is the Policy Enforcement Group at Exodus Communications. The group has an official abuse policy that covers unintentional as well as intentional abuses. It specifically supplies evidence of wrongdoing so Exodus can shut down services if a customer is abusing the service, even if it's doing so unwittingly. For instance, if Exodus is monitoring a company's wireless network and sees traffic patterns that look like a DoS attack, it can shut down the company's network to clean machines and do whatever else is necessary.

Note: Cleaning machines means that all applications have to be reloaded.

Service providers, in effect, are establishing rules that make it clear that they no longer want to bear the burden of the risks corporate customers are willing to take. They say it's no longer up to clients to determine how risk-free they want to be when it comes to e-commerce. Ultimately, companies that want ISPs to deliver any service at all (even a simple pipe to the Internet) will pay more in hard costs, internal policy changes, infrastructure and business processes.

How much more depends on how secure the ISP thinks its customer's wireless network should be. But, the ISP in many cases is dictating the terms. And whether the customer buys the needed wireless network security technology from the ISP or elsewhere, it will have to be bought before network services begin. This could mean a huge cash outlay before service even starts.

Note: Service providers, in effect, are establishing rules that make it clear that they no longer want to bear the burden of the risks corporate customers are willing to take.

2.2.13 Fair Is fair

IT managers may be told to spend more on wireless network security prerequisites, but there's still room for negotiation. This is an emerging trend, not a government regulation. So it's entirely fair for IT managers to

L 51

bark back, particularly if the ISP doesn't deliver the level of wireless network security it requires from customers.

If customers are required to protect the wireless network, it begs the question: What level of wireless network security does the ISP itself offer corporate customers? And, if ISPs are demanding customers walk into the relationship with higher levels of wireless network security, corporate customers should demand the same of the ISPs.

The ISPs must ensure that its wireless network security mechanisms will work, or be responsible for damages, so ask about the ISP's wirelessnetwork monitoring tools and alert mechanisms. Once companies open up the conversation to include both sides, it becomes more of a negotiation, less of an ultimatum.

Before you give an ISP access to your entire wireless network for inspection, you need to determine if the ISP will actually manage every aspect of the network. The ISP does not need access to the portions of your wireless network it doesn't manage. It may prove to be more trouble for ISPs to deliver wireless network security if parts of a potential customer's network are unknown to them. But, that's the ISP's problem. In the end, it's the ISP's responsibility to monitor your outgoing traffic, so the ISP already has access to what it needs to know to protect itself The ISP should have monitoring tools robust enough to give it intelligent reporting, traffic analysis, and alerts to red flags.

The best way to protect the company is to handle these issues in the service level agreement (SLA). The ISPs have the leverage to force customers to implement wireless network security and information warfare countermeasures, but customers have a certain leverage. The ISP market is more competitive than ever.

According to Gartner Group, there are now tens of thousands of full-service ISPs, up from less than 1,000 since 1999. The competition means it's in the ISP's interest to offer corporate customers as much value-add as possible. But, there's one caveat: The idea is to get the ISP to concede some points—for example, help with making the company's wireless network compatible with the ISP's and/or onsite tech support.

The reality is that even if ISPs can dictate wireless network security policies, it will be eager to offer value-added services. If you do the negotiating in the context of drafting an SLA agreement, it shows the ISP you're a serious customer and gives them an opportunity to offer you fee-based services over the long term.

52 Chapter 1

2.2.14 Gateways And Gatekeepers

A good SLA won't get your out of paying more for ASP and ISP services. In fact, it can end up costing more. But, it will at least get you the most bang for the buck. The truth is that ISPs will dictate how much wireless network security customers will have, because they can. They are the conduits to the wireless networks.

IT managers should understand that pushing back at the ISPs will only do so much. This is a trend that's here to stay. The ISPs started the trend, but it won't end with them. Business partners and regulators will step in and give the wireless network security push even more teeth, including standards such as best practices and default security requirements.

Ultimately, the ISPs will protect themselves from outgoing traffic by shutting Web sites down that have been commandeered for DoS and other attacks. The ISPs that survive will start offering wireless network security services. It's only during this interim period that the onus will be on companies to pick up the slack. Whether the time period is six months or six years is hardly important. Companies that want to do business with top-tier providers had better get serious about wireless network security and information warfare countermeasures.

There's a lot more to come on information warfare (IW) in Part VI: "Information Warfare Countermeasures: The Wireless Network Security Solution" (Chapters 22 to 28). Stay tuned!

3. SUMMARY AND CONCLUSIONS

Robust wireless network security solutions are required, as 802.11 networks proliferate and mature. The basic 802.11 wireless network security solutions that are available out of the box (SSID, MAC address filtering, and WEP), are suitable for small, tightly managed wireless networks with low-to-medium security requirements. For wireless networks with high security requirements, the weaknesses in WEP encryption require a more robust solution. In addition, the manual task of maintaining MAC addresses and WEP keys becomes overwhelming as the number of wireless network clients increase. For larger wireless networks, or for networks with high security requirements, a VPN solution based on currently available technology provides a very scalable solution for 802.11 wireless networks. VPN for wireless is also a logical extension of the remote access VPN capability found in most large businesses today. Here now, is 802.IX, a standards-based solution for port-level authentication for any wired or wireless Ethernet client system [3].

7. 53

In addition, although distributed denial-of-service attacks have been recognized as a serious problem, there isn't any other attempt to introduce formal classification into the DDoS attack mechanisms. The reason might lay in the use of fairly simple attack tools that have dominated most DDoS incidents. Those tools performed full-force flooding attacks, using several types of packets. As defense mechanisms are deployed to counter these simple attacks, it is expected to be faced with more complex strategies.

This chapter presented a classification of denial-of-service attacks according to the type of the target (firewall, Web server, router), a resource that the attack consumes (wireless network bandwidth, TCP/IP stack) and the exploited vulnerability (bug or overload). This classification focuses more on the actual attack phase, but is not limited to the complete attack mechanism in order to highlight features that are specific to distributed attacks.

The Computer Emergency Response Team (CERT) Coordination Center is currently undertaking the initiative to devise a comprehensive classification of computer incidents as part of the design of common incident data format and exchange procedures. Unfortunately, their results are not yet available. Thus, as of this writing, there are no attempts to formally classify DDoS defense systems, although similar works exist in the field of intrusion detection systems.

Nevertheless, distributed denial of service attacks are a complex and serious problem, and consequently, numerous approaches have been proposed to counter them. The multitude of current attack and defense mechanisms obscures the global view of the DDoS problem. This chapter is a first attempt to cut through the obscurity and achieve a clear view of the problem and its solutions. The classifications described here are intended to help the wireless network community think about the threats they face and the IW measures they can use to counter those threats.

One positive benefit fi*om the development of DDoS classifications is to foster easier cooperation among researchers on DDoS defense mechanisms. Attackers cooperate to exchange attack code and information about vulnerable machines, and to organize their agents into coordinated wireless networks to achieve immense power and survivability. The Internet community must be equally cooperative among itself to counter this threat. Good classifications for DDoS attack and defense mechanisms will facilitate communications and offer the community a common language to discuss their solutions. They will also clarify how different mechanisms are likely to work in concert, and identify areas of remaining weakness that require additional mechanisms. Similarly, the research community needs to develop common metrics and benchmarks to evaluate the efficacy of DDoS defense

54 Chapter 1

mechanisms, and these classifications can be helpful in shaping these tasks, as well.

The preceding classifications are not necessarily complete and all-encompassing. You should not be deceived by the simplicity of the current attacks; for the attackers this simplicity arises more fi*om convenience than necessity. As defense mechanisms are deployed to counter simple attacks, you are likely to see more complex attack scenarios. Many more attack possibilities exist and must be addressed before you can completely handle the DDoS threat, and some of them are likely to be outside the current boundaries of the classifications presented here. Thus, these classifications are likely to require expansion and refinement as new threats and defense mechanisms are discovered [2].

The DDoS attack classification and DDoS defense classification outlined in this chapter are useful to the extent that they clarify your thinking and guide you to more effective solutions to the problem of distributed denial-of-service. The ultimate value of the wireless network security technology described in this chapter will thus be in the degree of discussion for the rest of this book.

4. REFERENCES

[I] John R. Vacca, i-mode Crash Course. McGraw-Hill Professional Book Group, 2001. [2] Jelena Mirkovic, Janice Martin and Peter Reiher, "Ataxonomy of DDoS Attacks and

DDoS Defense Mechanisms," Technical Report #020018, Computer Science Department, University of California, Los Angeles, 2002.

[3] "802.11 Wireless Security in Business," Dell Computer Corporation, One Dell Way, Round Rock, Texas 78682, United States, (©Copyright 2002, Dell Computer Corporation. All rights reserved), September, 2001.

[4] Kurt Ringleben, "Intrusion Detection Systems Grow Up," SearchNetworking.com, TechTarget, 117 Kendrick Street, Needham, MA 02494, (©Copyright 2002, TechTarget. All rights reserved).

[5] John R. Vacca, Net Privacy: A Guide to Developing and Implementins an Ironclad ebusiness Privacy Plan. McGraw-Hill, 2001.

[6] John R. Vacca, The Essential Guide To Storase Area Networks. Prentice Hall, 2002. [7] John R. Vacca, Public Key Infrastructure: Building Trusted Applications and Web

Servicess. Auerbach Publications, 2004. [8] John R. Vacca, Firewalls : Jumpstart for Network and Systems Administrators, Digital

Press, 2004. [9] John R. Vacca, Identity Theft. Prentice Hall, 2002. [10] Nancy Gohring, "Motion Sickness," eWeek, Copyright © 2002-2005 Ziff Davis

Publishing Holdings Inc. All Rights Reserved. Ziff Davis Media Inc., Corporate Headquarters, 28 East 28th Street, New York, NY 10016, October29, 2001.

[II] Dennis Fisher and Carmen Nobel, "New Attack Intercepts Wireless Net Messages," eWeek, Copyright © 2002-2005 Ziff Davis Publishing Holdings Inc. All Rights Reserved.

7. 55

Ziff Davis Media Inc., Corporate Headquarters, 28 East 28th Street, New York, NY 10016, March 11,2002.

[12] Kieth Waldorf, "Flood Protection-Guard Your Networks From Denial of Service Attacks," Captus Networks Corp., Copyright © 2005 Captus Networks Corp. All Rights Reserved. Captus Networks Corp., 1680 Tide Court Suite B, Woodland, California 95776, 2005.

[13] Ephraim Schwartz and Brian Fonseca, "Wireless Carriers Exploit Firewall Bypass," InfoWorld Media Group., Copyright © 2005 InfoWorld Media Group. All Rights Reserved. LifoWorld Media Group 501 Second Street San Francisco, CA 94107 U.S.A, January 25, 2002.