Identifying Denial of Service attacks and appropriate mitigation strategies for Small to Medium Sized Enterprises

Contents

List of figures

List of tables

Glossary

Acknowledgements

1. Introduction
1.1 Background to the problem/issue
1.2 Justification for the research
1.3 Aim and objectives
1.4 Scope of the research
1.5 Outline of the dissertation

2 Research definition
2.1 The practical problem/issue
2.2 Existing relevant knowledge
2.2.1 Well known DoS attacks
2.2.2 Communications standards and protocols
2.2.3 DoS mitigation and access control considerations
2.2.4 Summarising the existing body of knowledge
2.3 Research questions

3 Proposed methodology
3.1 Methods and techniques selected
3.2 Justification
3.3 Research procedures
3.3.1 The personal interviews
3.3.2 The online survey
3.3.3 The practical experiments
3.4 Ethical considerations

4 Analysis and interpretation
4.1 Summary of data collected
4.2 Data analysis
4.2.1 The interview phase
4.2.2 The Online survey
4.2.3 DoS experiments using the test network
4.3 Interpretation in relation to the research questions
4.4 Interpretation in relation to the research aim

5 Conclusions
5.1 Conclusions about the research questions
5.1.1 Research question 1
5.1.2 Research question 2
5.1.3 Research question 3
5.1.4 Research question 4
5.2 Conclusions about the research aim
5.3 Further work
5.4 Implications of the research
5.5 Reflection on the experience of the research process

References

Appendices

Abstract

This research report investigated the potential risks from DoS (Denial of Service) attacks faced by SMEs (Small to Medium-sized Enterprises) that have an online presence. From the examination of case studies, reports, global surveys, and discussions with IT professionals this report evaluates which DoS attacks are the most prolific, and which DoS threats organisations need to secure against. From the results of the investigation it can be seen that the potential risk of becoming the target of a DoS attack continues to pose a significant threat to an organisation regardless of the size. It was evident from the results of the initial research that further investigation was required to evaluate which DoS threat were of most concern to SMEs (Small to Medium sized Enterprises). Through practical experimentation in a controlled network laboratory environment, a number of DoS attacks that are of current concern to SMEs were investigated, the main purpose of this investigation was to evaluate appropriate mitigation strategies to secure against the identified DoS attacks. This report concludes by highlighting that SMEs may be susceptible to well-known DoS attacks when deploying network hardware in default configuration, and by identifying the appropriate DoS mitigation options available to network and security administrators associated with SMEs. The conclusion also shows how these DoS mitigation options can be practically applied to the type of network hardware typically deployed in a SME environment.

List of figures

FIGURE 1-1 AVERAGE NUMBER OF DOS ATTACKS. (DOBBINS & MORALES 2010)

FIGURE 1-2 SECURITY CONCERNS. (DOBBINS & MORALES 2010)

FIGURE 2-1: TCP/IP MODEL. (DYE, ET AL 2010)

FIGURE 2-2: SCAN RESULTS, EXTRACTED FROM TABLE 1. CHENOWETH ET AL (2010)

FIGURE 3-1: TEST NETWORK TOPOLOGY

FIGURE 3-2: ENGAGE PACKET BUILDER

FIGURE 4-1: SURVEY QUESTION 1

FIGURE 4-2: SURVEY QUESTION 2

FIGURE 4-3: SURVEY QUESTION 3

FIGURE 4-4: SURVEY QUESTION 4

FIGURE 4-5: SURVEY QUESTION 5

FIGURE 4-6: SURVEY QUESTION 6

FIGURE 4-7: SURVEY QUESTION 7

FIGURE 4-8: SURVEY QUESTION 8

FIGURE 4-9: SURVEY QUESTION 9

FIGURE 4-10: WIRESHARK PACKET CAPTURE

FIGURE 4-11: CAPTURING TCP SYN PACKETS

FIGURE 4-12: CREATING ICMP BROADCAST PACKETS

FIGURE 4-13: OUTPUT FROM THE CAM TABLE OF THE SWITCH

List of tables

TABLE 2-1: SUMMARISING THE EXISTING BODY OF KNOWLEDGE

TABLE 3-1: RESEARCH QUESTIONS, METHODS AND TECHNIQUES

TABLE 3-2: MINIMUM DEVICE REQUIREMENTS

TABLE 3-3: ACCESS CONTROL LIST 100

TABLE 3-4: TCP ESTABLISHED

TABLE 3-5: NO IP DIRECTED-BROADCAST COMMAND

TABLE 3-6: SWITCHPORT SECURITY

TABLE 4-1: NETWORK HARDWARE

TABLE 4-2: RESEARCH QUESTIONS

TABLE 4-3: INTERVIEW QUESTIONS AND RESULTS

TABLE 4-4: SUMMARY OF THE RESULTS OF THE DIFFERENT DOS ATTACKS WITHOUT & WITH MITIGATION CONFIGURED

TABLE 5-1: DOS THREAT AND MITIGATION OPTIONS

Glossary

illustration not visible in this excerpt

Acknowledgements

For the time and encouragement and dogged approach to guiding me through the research process a very big thank you goes to my mentor and project supervisor Dr Ian Newman. The practical experiments would not have been possible without the kind permission of members of the faculty of Business, Enterprise and IT for the use of the computer networking suite at Cornwall College. The interviews carried out in the preparation of this dissertation were invaluable, so a big thank you goes to those anonymous individuals involved in this endeavour, they know who they are. Most importantly, to my 5 year old son Leon for allowing me to spend way too much of our precious time on this research paper.

1. Introduction

1.1 Background to the problem/issue

Back in 1988 a university undergraduate wrote and compiled 99 lines of code in C which was designed to exploit the vulnerabilities in the UNIX ‘sendmail’ program and the ‘finger’ daemon. Once launched, the programme was designed to locate target machines and send a copy of itself to each of these targets. Unfortunately a bug in the code meant that the programme started to self-replicate on the target machines and resending or ‘worming’ its way to the target machines. Robert Morris had released his code, now known as the Morris worm, on a seemingly unprepared Internet. Many UNIX network machines across the globe soon became overwhelmed by the Morris worm and as such, became inoperable. Financial organisations, academic institutions, government departments and military installations all fell victim to the worm. The only remedy was to take the machines off line and run a disinfection process. The overall effects of this disaster have been estimated to have cost in excess of $15m, and according to Marsan (2008) affected up to 60,000 machines world-wide.

Network security is now very high on the agenda of any organization with an ICT infrastructure. However, for every hour spent securing networks and systems from attacks there are most probably as many hours spent by hackers attempting to find ways to circumvent the security procedures and processes put in place to protect the organisations’ assets. Chan Tin (2010) indicates that ‘some’ newspapers had reported that a number of gambling website owners have been paying blackmailers not to attack and bring down their servers. The logic being that it is far less costly to pay the requested amount than to lose the revenue from the gaming servers.

Network security attacks come in a number of guises, such as the passive attack where getting into and out of a system undetected is desired, or an active attack where the attack outcome may be to cause some form of damage or defacement or modification of data. Active attacks are, according to Stallings (2007) intended to cause disruption, or even a complete loss of access to services or resources. Stallings (2007) identifies four of the categories of active attacks as:

-Masquerade attacks, where the attacker assumes the identity of a valid network or system user and exploits the valid user’s privileges.
-Replay attacks, where the data streams are passively intercepted, manipulated and retransmitted to malicious ends.
-Modification of messages, where a portion of a legitimate message is modified, such as escalating a user’s privilege levels.
-Denial of services (DoS) attacks, which prevents or disrupts the normal operation of systems or services.

Dobbins & Morales (2010) identified DoS attacks as accounting for a high percentage of reported security incidents. A successful DoS attack may involve overloading a web server with false client requests, which could render the server unavailable to legitimate requests for access. Thomas (2009) reported that (DoS) attacks aimed at US Federal websites were ‘on a massive scale’, these attacks could have been the results of well organised hackers taking control of an estimated ‘50000’ computers to create what is referred to as a Botnet, the combined traffic generated by these computers is then used to launch a synchronised attack on the targets. Where multiple nodes, as in the case of a Botnet, are taken control of and used to launch a combined attack on a target, this is referred to as a Distributed Denial of Service attack (DDoS). A recent report by Hamelin (2011) indicated that the number of DDoS attacks had risen sharply in 2010, and that they are now ‘at an all-time high’, the report also suggests that one of the main reasons for the sharp rise in DDoS attacks is that the overall cost of an attack is fairly low, while the publicity given to DDoS attacks means that they maintain a high profile. Although the mechanism of launching DoS and DDoS attacks will differ, the intended outcome of both of these attacks is the disruption of normal business operations. For the remainder of this report DoS and DDoS will be collectively referred to as DoS.

DoS attacks are mostly thought of in the context of wired networks, such as Internet based attacks where the target is often a web server or an ecommerce website, and Local Area Network (LANs) where the attackers use vulnerabilities found inside the organisations’ network. However, that is not to say that DoS attacks are unique to the wired network infrastructure, since Arockiam & Vani (2010) identified that DoS attacks are ‘one of the major attacks’ launched on wireless networks. They also go on to suggest that the growth in the ‘laptop user community’ has led to the increase in attacks launched at the wireless network infrastructure. The rise in popularity in mobile communications has seen an increase in the use and deployment of 802.11 Wireless Local Area Networks (WLANs). The popularity of WLANs can be attributed to the relatively low cost and ease of deployment. An important consideration when discussing security in the context of wireless networks is that most WLANs are merely extensions to the wired infrastructure, adding flexibility and mobility. Arockiam & Vani (2010) indicated that the vulnerabilities WLANs face are mainly in the form of DoS attacks. From this it would be safe to assume that the network and security administrators should have a sound understanding of threats posed from DoS attacks on both the wired and wireless network infrastructure.

The previous paragraph identified a number of shortcomings associated with the use of

WLANs, which are in most cases extensions to the wired networks. Networked communications, including wired and wireless networks are built on an evolving collection of standards and protocols and each evolution brings new challenges in relation to security. One very important evolution in terms of networked communications is the IP (internet Protocol). One of the major concerns associated with IPv4 was that at some point in the future the 32 bit address space would become exhausted. According to Loshin (2007) the practical upper limit of IPv4 addressed nodes is approximately 250 million, and the general view within the networking community was that the exhaustion of the IPv4 address space was imminent. With this in mind, a proposed replacement for IPv4 was developed. This was given the title IPv6, as IPv5 had been used on a previous project to embed Quality of Service (QoS) into IPv4. The IPv6 protocol contains a number of improvements over IPv4, the most significant improvement being the enhanced address space. IPv6 is a 128 bit address which means that it increases the potential address space of the 32 bit IPv4 addressing scheme by 96 bits. The amount of addressable nodes that can be supported by this scheme is approximately 3.4 x 10³⁸. It is suggested by Teare & Paquet (2007) that the IPv6 addressing space is large enough to assign 5 x 10²⁸ addresses for every person on the planet. Additionally, another significant improvement according to Loshin (2004) is the fact that security capabilities are embedded into IPv6, whereas security with IPv4 is achieved in a bolt-on fashion. The development and deployment of new technologies, such as IPv6 is an inevitable process in the growth of networked communications, and one of the main challenges for the network and security administrator is keeping up to date with new and emerging technologies, and also with any associated security vulnerabilities.

1.2 Justification for the research

For the network and security administrator, understanding and deploying new technologies, such as IPv6 will invariably mean learning the new skills and techniques required to secure network devices. In almost all instances, the organisation’s network routers or firewalls are the first line of defence in securing against DoS attacks. Hilley (2005) indicates that the network hardware and software vendor Cisco Systems are addressing the issue of security threats such as viruses, worms and DoS attacks by working to update potentially vulnerable software. Hilley (2005) discusses the views of Cisco Systems CEO John Chambers in relation to new and emerging security threats. The implication here is that security threats such as DoS attacks targeting LAN based and Internet routers and switches is an issue that needs to be addressed. The IOS (Internetwork Operating System) that runs Cisco’s routers and switches is quite ‘susceptible to DoS attacks’ by the way they handle IP options according to Cisco (2010), however the publication does suggest how this vulnerability should be addressed.

Preparing attacks that could exploit vulnerabilities could be as straightforward as altering a field value in the IPv4 packet headers to create oversized IP packets, or inserting a rogue Dynamic Host Configuration Protocol (DHCP) decline message into a DHCPv6 client server communications process.

An example of an IPv6 security concern is the recently discovered vulnerability in the DHCPv6 server code, highlighted by Bruneau (2011) which meant that if a server received a DHCP request packet from a host that had previously been declined, and tagged as ‘abandoned’ the server would fail to respond to nodes requesting the service on the network. The vulnerability in the DHCPv6 server code would render a server liable to crash if an attacker were to send a DHCP request message with a source address the same as a previously declined address. Although the server was never under excess traffic load, such as a TCP (Transport Control Protocol) SYN attack, the net result here is a DoS attack. Alerts to this newly discovered DHCPv6 server vulnerability was published online by the SANS institute on the 1st January 2011. By the 28th January 2011 the ISC (Internet Systems Consortium) had prepared and released an update to secure this DHCPv6 DoS vulnerability.

This example does indicate that DoS attacks are posing real threats to network security, and there is a real need for network security administrators to have an understanding of new and emerging vulnerabilities, and the associated mitigation options. Many network security organisations, such as Arbor Networks and Cisco Systems produce reports and white papers that are useful for the network security professional in keeping up to date with the latest attack trends and vulnerabilities. A survey was carried out for Arbor Networks by Dobbins & Morales (2010) with the intention of gathering data on security exploits from a number of online organisations. The report that followed the survey stated that, “all of the respondents indicated that they experienced 1 to 10 DDoS attacks per month during the survey period, while 47% experienced 10 to 500 or more DDoS attacks per month”, see figure 1.1.

illustration not visible in this excerpt

Figure 1-1 Average number of DoS attacks. (Dobbins & Morales 2010)

According to Christenson et al. (2010) DoS and DDoS attacks have the potential to cause the loss of access to systems and resources or services, loss of reputation in the business community and, in the case of organisations in the ecommerce domain, the loss of revenue. Understanding DoS attack vulnerabilities and developing mitigation strategies is of paramount importance in developing and refining the security policies and procedures of every organisation (Christenson el al. 2010). The security requirements may well be unique to each organisation, but almost all will be defined by the use of security policies and procedures. Unfortunately for the network administrators and security professionals, network vulnerabilities are akin to grains of sand on dunes, always present but ever changing. Fowler et al. (2010) commented that of all security incidents reported by organisations, DoS attacks are ‘among the most financially expensive’. Alvarez (2004) stated that ‘Network security threats have been growing exponentially and are a concern to enterprises and governments worldwide’. Figure 1.2 indicates security concerns faced by organisations, from this survey it can be seen that DoS attacks are of primary concern.

illustration not visible in this excerpt

Figure 1-2 Security Concerns. (Dobbins & Morales 2010)

Managing the security of a networked system implies that data integrity, data availability and data confidentially are maintained to a level that is appropriate to the organisation. According to Pooj et al . (2010) working to achieve high levels of protection in modern networks has become ‘an ever increasing concern’, and is an on-going process. DoS attacks on large organisations and even ISPs have been well documented in this paper, however Harris (2011) reported that of the 255 SMEs (Small to Medium Sized Enterprises) surveyed, 63% of respondents had experienced a DoS attack, and that ‘11% had suffered more than six’.

It does appear that DoS attacks are posing serious threats to organisations with an online presence. Gupta (2010) states that ‘DoS attacks are currently amongst the largest and most problematic trends in network security’, and suggests that a better understanding of DoS is required in both SMEs and large enterprises alike. Christenson et al (2010) also discussed the potential impact of DoS attacks on organisations, and identified the importance of understanding DoS attacks, while Stallings (2007) suggests that in order to be more efficient with DoS attack mitigation techniques what is required is a greater understanding of how DoS attacks function.

1.3 Aim and objectives

The aim of this research paper was to investigate a number of known DoS attack mechanisms and propose appropriate mitigation strategies for each. It was intended that the results from the investigation and proposals made in this report will be of use to networking and system security administrators associated with SMEs that have an online presence.

The objectives of the work described in this report were as follows:

1. Identify current DoS security concerns typically faced by organisations.
2. Identify DoS threats faced by network and security administrators of SMEs.
3. Design an appropriate laboratory based testing environment to investigate mitigation strategies for identified DoS security concerns.
4. Carry out experimental work out in order to test available DoS mitigation options.
5. Identify DoS mitigation strategies that may be of use to network and security administrators of SMEs.
6. Evaluate the results from practical experimentation
7. Identify where further work might be needed.

1.4 Scope of the research

This paper has investigated, and practically tested a number of potential DoS threats faced by SMEs. For each of the DoS threats investigated, appropriate mitigation strategies for each threat were implemented and evaluated. The network hardware and software used in the network laboratory experiments is representative of the network devices and accompanying

software used by many SMEs. The testing phase evaluated the effectiveness of these devices in both the default configuration, and, with DoS mitigation configured. The results from these experiments are discussed in the conclusions section.

1.5 Outline of the dissertation

Chapter 1 of this research identifies the nature of DoS threats, and discusses the associated technologies. From this background discussion a justification is made as to the rational for preparing this research paper. From these discussions the aim and objectives of this paper are identified.

Chapter 2 identifies a number of well-known DoS threats, and goes on to investigate some work that has been carried out in the area. This chapter concludes by setting out a number of research questions.

Chapter 3 discusses the methods, techniques and research procedures used in the collection of data required to answer the research questions. This chapter also discusses the ethical considerations made when designing the data collection procedures.

Chapter 4 includes a summary of the date gathered, this data is analysed and interpreted in relation to the research questions.

Chapter 5 draws conclusions about the research questions and of the research aim, and identifies where further work is required. The chapter concludes with a brief discussion on the implications of the research, along with the author reflection on the research process.

2 Research definition

2.1 The practical problem/issue

Network and computer related security are very much ‘hot topics’ which is clearly evident in the array of reports, books, journals, papers, online publications and web forums dedicated to the subject. Cha & Won (2011) discuss the importance of protecting a businesses’ ‘brand image value’ and securing against malicious attacks that can have a negative effect on the businesses’ corporate identity. Organisations that promote their businesses online, or have an online identity are potentially open to attacks from individuals or hacker groups intent on disruption or loss of face to an organisation. Mackenzie (2011) reported that in July 2011 the ‘Hactivist’ group calling themselves LulzSec were responsible for an attack launched on the website of the Sun newspaper, owned by Media International. The incident involved a redirection DoS attack, by which legitimate users attempting to access the Sun’s website were redirected to a spoofed webpage, which in turn ran a bogus news story. The intention here was to cause embarrassment to News International, and have a negative effect on the brand image of The Sun newspaper. Mackenzie (2011) also reports that LulzSec had claimed responsibility for similar attacks on organisations such as Fox, Sony and the broadcasting company PBS.

For the network administrator responsible for security, having a sound understanding of security threats both past and present is an absolute necessity. However, there are many factors that impede the understanding of DoS attacks and mitigation strategies, which in turn could lead to extended attack recovery times. Dobbins & Morales (2010) suggest that ‘Nontechnical factors, driven by a lack of understanding and commitment, continue to represent the most significant obstacles to reducing mitigation times’. They also go on to state that the shortage of a shared knowledge base and the lack of technical knowledge, and ‘poorly defined operational responsibilities and policies’ have a large part to play in delayed attack recovery times.

Understanding what constitutes a particular threat, such as the manipulation of IPv4 header fields allows the security administrator to better plan, and put into practice the mitigation strategies to defend against known attacks. Planning and maintaining a stringent NAC (Network Admission Control) policy can be a complex undertaking due to the broad coverage of the technologies involved, as discussed by Cha & Won (2011). It is clear that security relating to attacks on networks and systems is an issue that is given a high priority by network hardware and software vendors, as well as by the network and systems administrators, and as Hamelin (2011) identified, DoS attacks are showing the steadiest increase of all known attack occurrences, which implies that DoS vulnerabilities and associated mitigation strategies need to be identified, discussed and publicised.

2.2 Existing relevant knowledge

The previous section identified the need for network and security administrators to have an understanding of DoS threats, which in turn requires an understanding of the associated technologies and protocols, the following section discusses a number of these important technologies and protocols. DoS attacks come in many forms and, as discussed here can be launched against both wired and wireless network infrastructures. What follows is a list of some well-known DoS attacks along with a brief description of each. Stallings (2007) identified and discussed the following well known DoS threats that organisations need to protect themselves from.

2.2.1 Well known DoS attacks

LAND Attack: A Local Area Network Denial attack occurs when the attacker sends a data packet with a spoofed (altered) source and destination IP address. The source address in the packet contains the target’s own IP address, this forces the target to repeatedly reply to packets containing its own address which, in turn renders the target machine incapable of processing further data packets.

Smurf Attack: An attacker sends out multiple IP packets to a large number of nodes, the IP packet contains a spoofed source IP address. All of the nodes that receive the IP packet will respond to the spoofed IP address, which is the legitimate IP address of the target node. This type of DDoS attack allows a single attacker to get a large number of nodes to send reply packets to the target node. This excessive amount of simultaneous traffic can cause the target node to crash.

TCP SYN Attack: This attack exploits the three way handshake that TCP (Transmission Control Protocol) uses to form a client to server connection. The attacker sends a TCP SYN packet to the server, which forms the first stage of the three way handshake. The server then responds with a TCP ACK packet, this forms the second part of the handshake process. The third stage of the connection setup is completed when the client responds to the server with its own TCP ACK packet; however, the attacker never sends the ACK packet which causes the server to reserve resources waiting for the connection to complete. Chau (2004) suggests that Smurf and TCP SYN attacks ‘account for the vast majority of the flooding DoS attacks reported to the network hardware vendor Cisco systems’.

2.2.2 Communications standards and protocols

Networked communications are built on protocols and open standards, and it is the adoption of open standards that has facilitated the growth of modern networks and the internet. TCP/IP (Transmission Control Protocol & Internet Protocol) are, without doubt the two most important protocols used in networked communications. Developed in the 1970s by a team of computer scientists at DARPA (Department of Defence Research Project Agency), led by Vinton Cerf and Robert Khan, TCP/IP was to become the foundations of networked communications. For this early work on TCP/IP both Cerf and Khan are considered ‘the fathers of the Internet’ (Goldsmith & Wu 2006). By the early 1980s many academic institutions and research centres were beginning to network between each other. The openness of these two protocols meant that organisations could quickly adapt their existing networks, and begin communicating with other organisations through their inter-networks.

TCP/IP are both standards based protocols that run independently of the underlying network media. The TCP/IP model shown in figure 2.1 is used as a guide to understanding where the various network protocols, such as TCP and IP reside, although each layer functions independently of each other, each layer calls upon the lower layer to move data between end points on a network. So far it has been seen that there are a number of potential threats from DoS attacks which involve some form of manipulation of either the IP packet header or the TCP fields, such as in a spoofed source address field. It has been discussed previously that WLANs are also susceptible to DoS attacks, however attacks aimed at WLANs are mostly targeting vulnerabilities associated with the network access layer of the TCP/IP model. Watkins & Wallace (2009) discuss how the openness of TCP and IP allows hackers to manipulate these protocols to create DoS attacks.

illustration not visible in this excerpt

Figure 2-1: TCP/IP Model. (Dye, et al 2010)

The shortcomings of the TCP/IP protocols have been identified in many publications over recent years, Nazario (2008) investigated the evolution of DoS and DDoS attacks and discussed a number of mitigation strategies. The paper discusses many well-known DoS attacks such as TCP SYN flooding and ICMP (Internet Control Message Protocol) spoofing and highlights the mitigation strategies that have been developed to counter these attacks. The article also looks at the evolution of worldwide DoS attacks and suggests a number of motivations for launching such attacks. Although potential mitigation strategies are indicated and discussed conceptually, what is not discussed is the practical application of DoS mitigation strategies.

Loshin (2004) identified the current limitations of the IPv4 standard, and gives a detailed account of the deployment and design requirements of IPv4 and IPv6. Loshin’s paper identifies the benefits of IPv6 and discusses how the protocol can be deployed in a number of network environments, in particular, mobile networking. Loshin identifies the growth in popularity of IPv6, and the ‘shortcoming’ of IPv4, and makes the observation that ‘slowly but surely’ IPv6 will become the key network layer protocol used by ISPs (Internet service providers), and Internet telecommunication organisations. As discussed previously IPv6 was developed to solve the problem of IP address depletion and at the same time build in security to the IP protocol. Adoption of IPv6 so far according to Odom (2010) is mainly in the domain of the Internet Service Provider’s networks.

Greenhalgh et al (2005) make a number of observations on the DoS problem in an IP routed domain under the control of ISPs. The report discusses the options available to mitigate DoS attacks between the service provider’s border routers. The report also explores the options of using single or dual ISPs and the benefits, and cost trade-off for each option. Greenhalgh explains that the idea of an organisation using dual connections to ISPs is to build in redundancy, and reduce down time incurred during a DoS attack, an important consideration with high availability networks and systems. Stallings (2007) also discusses both IPv4 and IPv6 in relation to network security, and goes on to state that migration from IPv4 to IPv6 is expected, ‘but the process could take years, if not decades’.

As well as identifying a number of security vulnerabilities associated with IP, Stallings (2007) carried out an in-depth analysis and discussion of many network security threats, such as hacking and malicious software (Malware). The later sections in the publication investigate a number of mitigation strategies ranging from firewall solutions and intrusion detection devices through to the requirements for securing routers. Stallings (2007) also suggests that through a combination of best practice and a sound understanding of potential threats, network routers can be ‘hardened’ to make them more secure, and less susceptible to passing through undesirable traffic. For the network or security administrator it is important to not only have a sound understanding of potential threats relating to DoS attacks, but also know how to practically deploy working solutions, Stallings (2007).

So far this report has focused primarily on DoS vulnerabilities associated with the wired network infrastructure; however it has been identified in section 1.1 that WLANs are also vulnerable to DoS attacks. Arockiam & Vani (2010) investigated the potential threats to 802.11 wireless networks and discussed a number of appropriate countermeasures. The paper focused on a number of DoS attacks launched on the wireless APs, and identifies the countermeasures used to mitigate the attack. The paper discussed the potential threats faced by network administrators when opening up a network for wireless access. Chenoweth et al (2010) also discussed a number of security concerns within wireless networks that focused on how the end user accesses the network. Through data collection carried out on a live campus wireless network, the paper discussed how malicious code, referred to as ‘Malware’, has been introduced to a wireless network by unsuspecting end users. The data was gathered by scanning host machines that joined a campus wireless network over a 41 day period. It can be seen in figure 2.2 that 9% of scanned devices had no firewall activated. The scan also indicated the number of open and exploitable ports on the user devices. The paper identifies a number of instances of Malware running on end user machines, generally laptops, and discusses the potential threats posed to the network. Chenoweth et al (2010) concluded that from the data gathered there were a possible 300 attack vectors which could have a serious impact on the network and end users accessing the wireless network. In terms of network and system security, the attack vector relates to the path or mechanism used for carrying out a malicious activity. What is apparent here is that WLANs are a useful extension to the wired network, offering flexibility and mobility to the end user by way of personal devices, such as smart phones, PDAs or laptop computers. However, there are inherent risks involved when allowing mobile devices to access the wireless network, especially when the devices do not come under the administrative control of the network or security administrators.

illustration not visible in this excerpt

Figure 2-2: Scan Results, extracted from table 1. Chenoweth et al (2010)

Debela (2010) identifies a number of WLAN DoS vulnerabilities that have been discovered in recent years. The mechanisms for these attacks reside at the network access layer of the TCP/IP model, seen in Figure 2.1. These attacks involve the unprotected management and control frames used to communicate between the AP and the user device. The purpose of the DoS attacks that are aimed at wireless APs is to disable or slow down the normal operation of the AP, and thus remove the capacity for the end user to access the wireless network. Debela (2010) through research and practical analysis makes a number of suggestions on mitigation strategies for DoS attacks in wireless and mixed media networks. Chan-Tin (2010) also discusses the results of test data gathered from experimental DoS attacks. Chan-Tin observes and reports on the traffic load generated during a DoS attack; however the report does not clearly address mitigation strategies nor is there any differentiation between Ipv6 and Ipv4 network environments.

2.2.3 DoS mitigation and access control considerations

As well as understanding the security requirements needed to mitigate DoS attacks aimed at both wired and wireless networks, security and network administrators should be aware of the consequences of deploying stringent NAC systems and firewall policies. Fowler et al (2010) investigates a number of DoS attacks and mitigation strategies. The main observations made in this report are primarily in the areas of quality of service, both as an impact of DoS attacks, and as a possible consequence of layered security implementations intended to reduce the risk of successful DOS attacks. Fowler et al. (2010) suggest that many DoS countermeasures

inadvertently introduce high levels of latency to the transmission path, which in turn would have a profound impact on the overall quality of service (QoS) of the network, particularly in the case of time sensitive traffic required for video and voice applications.

The need for understanding and deploying NAC systems and firewall policies to protect networks and services is discussed by Cha & Won (2011). Their paper identifies current security threats that many organisations face, and indicates that the numbers of DoS attacks are on the increase. The main objective of the report by Cha & Won (2011) is to identify the numerous NAC technologies available to network administrators which can be used to protect networks and systems.

[...]