Attack on the Physical Layer
The physical layer defines the means of transmitting raw bits rather than logical data packets
over a physical link connecting network nodes. The bit stream may be grouped into code words
or symbols and converted to a physical signal that is transmitted over a hardware transmission
medium. The physical layer provides an electrical, mechanical, and procedural interface to the
transmission medium.
The physical layer consists of the basic networking hardware transmission technologies of a
network.
Typically, networking hardware includes gateways, routers, network bridges, switches, hubs, and
repeaters. It also includes hybrid network devices such as protocol converters, modems,
wireless access points and networking cables. Of these, only hubs, repeaters, cables and the radio
side of an access point are purely physical-layer equipment; routers, switches and gateways also
operate at higher layers, but each of them still has a physical-layer interface that can be attacked.
Types of attack:
1) Direct attacks:
Such attacks include:
* attacks on the transmission path: tapping, and jamming of the signal;
* attacks on optical amplifiers (local or remote) and crosstalk;
* attacks on the optical transmission medium: fiber cuts.
2) Indirect attacks:
Certain network elements are more likely to be attacked indirectly, because it is too
complicated to attack them directly, or they are not easily accessible.
Such attacks include:
* indirect crosstalk;
* unauthorized access through add/drop ports.
3) Pseudo-attacks:
Anomalies which are not intrusions, but may be interpreted as such, due to significant
changes in the signal quality that depend on the physical network design.
Attacks can be classified by their resources (passive or active), their means of attack
(transmission/reception, protocol, control system), the target (specific users or a network/sub-
network), the intended effect (service disruption or tapping), the location of the attack (terminal,
node, link, multiple locations), and the attacker's willingness to be discovered (covert, subtle,
open).
Optical fibers propagate light of different wavelengths. Light that propagates through the fiber is
kept in its core by total internal reflection, which keeps radiation from the fiber at a negligible
level; since the signal is optical rather than electrical, the fiber is also immune to electromagnetic
interference. However, the fiber is not shielded, and an attacker with physical access to it can easily
cut the fiber or bend it slightly, so that light is radiated into or out of the core. A fiber cut, which
can be considered a component fault, causes denial of service. Light radiating out of the fiber
can not only degrade the quality of service, but also delivers the carried information straight into
the hands of the attacker, i.e. tapping. A bend tap of this kind introduces only a small insertion
loss, so it is easily mistaken for ordinary link degradation unless optical power levels are
monitored closely. Another way of performing tapping is by exploiting fiber nonlinearities.
Under normal operating conditions fibers are fairly linear, but under high input power (e.g. at the
output of an amplifier) or over long distances, they exhibit nonlinear characteristics which
cause signals on different wavelengths to affect each other. For instance, cross-phase modulation
and Raman effects may cause a signal on one wavelength to amplify or attenuate a signal on
another wavelength. A sophisticated attacker may take advantage of this crosstalk by
co-propagating a malicious signal on the fiber to degrade the quality of service.
When light is radiated into the fiber, service can be interrupted on a single wavelength by
injecting light on the same wavelength, without breaking or otherwise disrupting the fiber.
This technique is called in-band jamming, and the attack is difficult to localize, because every
node downstream of the injection point sees the same degraded signal. If tapping is
combined with jamming, an especially efficient service disruption attack is achieved. This kind
of attack is called correlated jamming: the attacker first taps a signal at one point and then
injects a signal downstream that is correlated with it, which has especially harmful effects on
signals with a relatively low signal-to-noise ratio.
Optical amplifiers have specific characteristics which can be exploited to perform physical-layer
attacks. Gain competition is a common target for attackers. An amplifier has a finite amount
of gain available (a limited pool of upper-state photons) which is divided among the incoming
signals. Thus, by injecting a high-power signal within the amplifier passband, an attacker can
deprive other signals of power while increasing its own, allowing it to propagate through the
network and cause service degradation or even denial of service.
Gain competition can be used to create a powerful out-of-band jamming attack. In it, the
attacker injects a powerful signal on a wavelength different from those of the legitimate
(authorized) signals, but still within the passband of the amplifier. The amplifier, unable to
distinguish between the attack signal and legitimate data signals, provides gain to each signal
indiscriminately. Because the total output power is limited, the strongest signal, the attacker's,
takes most of the available output power and drives the amplifier into saturation, which lowers
the gain seen by every channel. The weaker, legitimate signals are thereby robbed of power, the
quality of service on them deteriorates, and the result can be service denial. Since the attacking
wavelength carries no customer traffic, monitoring only the provisioned data wavelengths may
not reveal it; the total input power to the amplifier has to be watched as well.
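To make the power budget of gain competition concrete, the following Python model, added here and not taken from the paper, amplifies a set of WDM channels through a simple saturable amplifier. It assumes a homogeneous saturation model, G = G0 / (1 + P_in/P_sat), with an assumed small-signal gain of 30 dB and an assumed saturation input power of 10 mW; both numbers, and the four legitimate channels at -10 dBm, are illustrative values chosen for the example, not measurements.

```python
"""Toy model of gain competition in a saturated optical amplifier.

Added example, not from the paper. Assumed model: homogeneously broadened
amplifier whose gain falls with total input power as
    G = G0 / (1 + P_in_total / P_sat).
Every channel inside the passband sees the same gain G, so the attacker gets no
more gain than the victims; it wins by raising P_in_total until G collapses and
by taking most of the output power for itself.
"""
import math

G0 = 1000.0        # assumed small-signal gain (30 dB)
P_SAT_MW = 10.0    # assumed saturation input power, mW


def saturated_gain(p_in_total_mw, g0=G0, p_sat_mw=P_SAT_MW):
    """Linear gain for a given total input power (mW)."""
    return g0 / (1.0 + p_in_total_mw / p_sat_mw)


def amplify(channels_mw):
    """channels_mw: {name: input power in mW}. Returns {name: output power in mW}.

    The gain is computed once from the total input, then applied to each channel;
    that shared gain is what makes the channels compete.
    """
    g = saturated_gain(sum(channels_mw.values()))
    return {name: p * g for name, p in channels_mw.items()}


def dbm(p_mw):
    return 10.0 * math.log10(p_mw)


def attack_penalty_db(legit_mw, attacker_mw):
    """How many dB a legitimate channel loses at the amplifier output when an
    out-of-band attack signal of attacker_mw is injected into the passband."""
    victim = next(iter(legit_mw))
    before = amplify(legit_mw)[victim]
    after = amplify({**legit_mw, "attacker": attacker_mw})[victim]
    return dbm(before) - dbm(after)


def attacker_output_share(legit_mw, attacker_mw):
    """Fraction of the amplifier's total output power captured by the attacker."""
    out = amplify({**legit_mw, "attacker": attacker_mw})
    return out["attacker"] / sum(out.values())


# Constructed scenario: four legitimate channels at -10 dBm (0.1 mW) each.
LEGIT = {f"ch{i}": 0.1 for i in range(1, 5)}

if __name__ == "__main__":
    print("attacker (dBm)  victim penalty (dB)  attacker share of output")
    for p_att in (0.1, 1.0, 10.0, 100.0):
        print(f"{dbm(p_att):13.1f}  {attack_penalty_db(LEGIT, p_att):18.2f}"
              f"  {attacker_output_share(LEGIT, p_att):23.1%}")
```

An attacker at the same power as one legitimate channel costs the victims a few hundredths of a dB; at 10 mW (20 dB above them) it takes about 96 % of the output and costs each victim about 3 dB, and at 100 mW about 10 dB, which is the regime in which receivers start to fail. The quantity worth alarming on in practice is the total input power, not the per-channel power of the provisioned wavelengths.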
Passive Attack:
These attacks do not disrupt the network; they take place for information gathering. A
malicious user simply listens to all inbound (moving inward) and outbound (going out)
traffic of a wireless network. Traffic consists of packets, and each packet carries
useful information such as sequence numbers, MAC addresses, and much more. Even on an
encrypted network the MAC header is sent in the clear, so a listener learns which stations talk
to which access point and how much. The nature
of these attacks is silent, which is why they are hard to detect. The information gathered this
way is then used to mount an active attack on the wireless network. Malicious users also use
packet-deciphering tools to steal information by decrypting the captured data. Deciphering
packets on a WEP network is easy, because WEP's security is very weak: its 24-bit
initialization vector forces RC4 keystream reuse, and the key can be recovered from captured
traffic alone. A related reconnaissance technique is war driving: searching for Wi-Fi networks
from a moving vehicle with a portable computer, smartphone or personal digital assistant.
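What a passive listener actually recovers from each frame is shown by the following Python snippet, an added example that is not part of the paper. It builds a few IEEE 802.11 data frames with constructed, locally administered addresses, parses the MAC header (frame control, addresses, sequence control) that is never encrypted even on a protected network, and builds the station inventory a sniffer or war driver would keep. The frame builder exists only to construct the sample capture.

```python
"""Parse what an eavesdropper sees in the clear in IEEE 802.11 frames.

Added example, not from the paper. The MAC header (frame control, duration,
addresses, sequence control) is never encrypted, so even on WPA2 a passive
listener learns who talks to whom, how often, and whether frames are retried.
All addresses below are constructed, locally administered (02:...) values.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(sa, da, bssid, seq, to_ds=False, from_ds=False,
                     retry=False, protected=True, payload=b""):
    """Assemble a data frame (type 2, subtype 0). Used only to construct test input."""
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not built by this helper")
    fc = 2 << 2                                   # version 0, type data, subtype 0
    flags = ((0x01 if to_ds else 0) | (0x02 if from_ds else 0)
             | (0x08 if retry else 0) | (0x40 if protected else 0))
    fc |= flags << 8
    if from_ds:                                   # AP -> station: A1=DA, A2=BSSID, A3=SA
        a1, a2, a3 = da, bssid, sa
    elif to_ds:                                   # station -> AP: A1=BSSID, A2=SA, A3=DA
        a1, a2, a3 = bssid, sa, da
    else:                                         # ad hoc: A1=DA, A2=SA, A3=BSSID
        a1, a2, a3 = da, sa, bssid
    seq_ctl = (seq & 0xFFF) << 4                  # fragment number 0 in the low nibble
    return struct.pack("<HH", fc, 0x002C) + a1 + a2 + a3 + struct.pack("<H", seq_ctl) + payload


def parse_header(frame):
    """Decode the cleartext MAC header; raise on truncated frames."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    if to_ds and from_ds:                         # WDS: A4 follows the sequence control
        if len(frame) < 30:
            raise ValueError("4-address frame shorter than 30 bytes")
        da, sa, bssid = a3, frame[24:30], None
    elif from_ds:
        da, bssid, sa = a1, a2, a3
    elif to_ds:
        bssid, sa, da = a1, a2, a3
    else:
        da, sa, bssid = a1, a2, a3
    return {
        "type": TYPE_NAMES[(fc >> 2) & 0x3],
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(flags & 0x08),
        "protected": bool(flags & 0x40),
        "ra": _mac(a1), "ta": _mac(a2),           # over-the-air receiver/transmitter
        "sa": _mac(sa), "da": _mac(da),
        "bssid": None if bssid is None else _mac(bssid),
        "sequence_number": seq_ctl >> 4,
        "fragment_number": seq_ctl & 0xF,
    }


def inventory(frames):
    """Map each BSSID to the set of wireless stations seen talking through it."""
    seen = {}
    for f in frames:
        h = parse_header(f)
        if h["bssid"] is None:
            continue
        station = h["ta"] if h["ra"] == h["bssid"] else h["ra"]
        seen.setdefault(h["bssid"], set()).add(station)
    return seen


def sample_capture():
    """Three constructed frames as a sniffer might capture them."""
    ap = bytes.fromhex("02aabbccddee")            # BSSID
    sta = bytes.fromhex("021122334455")           # wireless client
    host = bytes.fromhex("029988776655")          # wired host behind the AP
    return [
        build_data_frame(sa=sta, da=host, bssid=ap, seq=1233, to_ds=True),
        build_data_frame(sa=host, da=sta, bssid=ap, seq=1234, from_ds=True),
        build_data_frame(sa=host, da=sta, bssid=ap, seq=1234, from_ds=True, retry=True),
    ]


if __name__ == "__main__":
    for f in sample_capture():
        print(parse_header(f))
    print(inventory(sample_capture()))
```

The retry flag together with repeated sequence numbers tells the listener how lossy a station's link is, and the sequence counter alone shows how much traffic a station has sent since it woke up, none of which is hidden by WPA2 encryption of the payload.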
Active Attack:
After a passive attack has given the attacker information about the wireless network, she/he
moves on to an active attack. The most common active attacks are IP spoofing and denial of service.
IP Spoofing: In this attack scenario, the attacker gains unauthorized access to the wireless network. IP
spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the
purpose of concealing the identity of the sender or impersonating another computing system. In
addition, she/he crafts packets so that they appear to carry the authorization of that
server or network.
Denial of Service Attack: Here the attacker attacks a particular target by flooding the server
with packets. In most cases SYN packets are used, because each one forces the server to
allocate state for a half-open connection, which is what makes the flood effective.
The attack involves having a client repeatedly send SYN (synchronization) packets to every port
on a server, using fake IP addresses. When an attack begins, the server sees the equivalent of
multiple attempts to establish communications. The server responds to each attempt with a
SYN/ACK (synchronization acknowledged) packet from each open port, and with a RST (reset)
packet from each closed port. Because the source addresses are fake, the SYN/ACKs are never
answered, so each half-open connection sits in the listen backlog until it times out; once the
backlog is full, SYNs from legitimate clients are dropped. SYN cookies, which encode the
connection state in the server's initial sequence number instead of storing it, are the usual defence.
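The backlog exhaustion described above, and the SYN-cookie defence, can be simulated without touching a real network. The following Python model is an added example, not the paper's code: a listener with a fixed backlog and a 60 s half-open timeout receives a burst of SYNs from spoofed, unresponsive sources, and then a legitimate client tries to connect. The spoofed and legitimate addresses come from the 198.51.100.0/24 and 192.0.2.0/24 documentation ranges; the cookie construction (an HMAC over the peer identity and a time slot) follows the idea of SYN cookies but is a simplified stand-in for illustration, not the Linux implementation.

```python
"""Simulate a SYN flood against a TCP listener, with and without SYN cookies.

Added example, not from the paper. Sources are drawn from documentation
address ranges; the cookie is a simplified HMAC-based stand-in for the
real kernel construction.
"""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, backlog=256, syn_timeout=60.0, use_syn_cookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.use_syn_cookies = use_syn_cookies
        self.secret = secrets.token_bytes(32)
        self.half_open = {}          # (src_ip, src_port) -> (server ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        for key in [k for k, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def _cookie(self, src_ip, src_port, slot):
        """Stateless ISN: MAC over the peer identity and a coarse time slot."""
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, now, src_ip, src_port):
        """Return the ISN of the SYN/ACK we send, or None if the SYN was dropped."""
        self._expire(now)
        if self.use_syn_cookies:
            return self._cookie(src_ip, src_port, int(now // 60))   # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                                   # backlog full
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = (isn, now + self.syn_timeout)
        return isn

    def on_ack(self, now, src_ip, src_port, ack_num):
        """Third handshake packet: accept only if it acknowledges our ISN + 1."""
        if self.use_syn_cookies:
            slot = int(now // 60)
            for s in (slot, slot - 1):                               # allow slot rollover
                if (self._cookie(src_ip, src_port, s) + 1) & MASK32 == ack_num:
                    self.established.add((src_ip, src_port))
                    return True
            return False
        entry = self.half_open.pop((src_ip, src_port), None)
        if entry is None:
            return False
        isn, expiry = entry
        if expiry > now and (isn + 1) & MASK32 == ack_num:
            self.established.add((src_ip, src_port))
            return True
        return False


def run_flood(use_syn_cookies, attack_syns=5000, backlog=256):
    """Flood the listener, then see whether one honest client can still connect."""
    lst = Listener(backlog=backlog, use_syn_cookies=use_syn_cookies)
    now = 0.0
    for i in range(attack_syns):
        # spoofed sources: they never answer the SYN/ACK, so no ACK ever arrives
        lst.on_syn(now, f"198.51.100.{i % 200 + 1}", 1024 + i)
        now += 0.001
    isn = lst.on_syn(now, "192.0.2.10", 40000)
    connected = isn is not None and lst.on_ack(now + 0.05, "192.0.2.10", 40000,
                                               (isn + 1) & MASK32)
    return {"legit_connected": connected,
            "half_open": len(lst.half_open),
            "dropped_syns": lst.dropped_syns}


if __name__ == "__main__":
    print("no cookies  :", run_flood(False))
    print("SYN cookies :", run_flood(True))
```

Without cookies the first 256 spoofed SYNs fill the backlog and every later SYN, including the honest client's, is dropped for the next 60 seconds. With cookies the listener stores nothing per SYN, so the flood costs it only the MAC computations and the honest client completes its handshake; the price is that a client whose ACK arrives more than one time slot late is refused.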
MITM Attack: The man-in-the-middle attack is a form of active eavesdropping (secretly
listening to the private conversation of others without their consent) in which the attacker makes
independent connections with the victims and relays messages between them, making them
believe that they are talking directly to each other over a private connection, when in fact the
entire conversation is controlled by the attacker.
Here the attacker first gathers information about the AP of an active SSID, then sets up a dummy
(rogue) AP advertising the same SSID. Clients that associate with the dummy AP are relayed to the
real network, and the attacker listens to the communication between the two endpoints. (The SSID is a
unique identifier that wireless network devices use to establish and maintain wireless
connectivity.)
Let's suppose a client has a TCP (Transmission Control Protocol) connection with a
server. The attacker, as the man in the middle, splits that TCP connection into
two separate connections whose common node is the attacker himself/herself. The first
connection is from the client to the attacker, and the second connection is from the attacker to
the server. Every request and response between client and server therefore passes
through the attacker, who can read, and also modify, the information passing over the air between them.
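The split-connection picture above can be reproduced on one host with plain sockets. The following Python program is an added example and not the paper's code: a tiny "bank" server answers a balance query, the attacker accepts the client's connection and opens its own connection to the real server, and on the way back it rewrites the reply. Everything runs on 127.0.0.1 with ports chosen by the OS; the one-request, one-reply protocol is constructed for the demo. This is the TCP-level relay only; on a real network the attacker still has to get into the path first, for example with the rogue AP described above.

```python
"""Man-in-the-middle as two TCP connections joined at the attacker.

Added example, not from the paper. Runs entirely on loopback; the "bank"
protocol is one request and one reply per connection, constructed for the demo.
"""
import socket
import threading

HOST = "127.0.0.1"


def bank_server(request: bytes) -> bytes:
    """The honest server's behaviour (constructed protocol)."""
    return b"BALANCE=100" if request == b"BALANCE?" else b"ERR"


def tamper(reply: bytes) -> bytes:
    """What the attacker does to traffic flowing server -> client."""
    return reply.replace(b"100", b"1")


def _listen():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((HOST, 0))          # port 0: let the OS pick a free port
    sock.listen(5)
    sock.settimeout(5.0)
    return sock


def start_server(handler, n_conns):
    """Serve n_conns connections on a background thread; return (port, thread)."""
    sock = _listen()

    def serve():
        with sock:
            for _ in range(n_conns):
                conn, _ = sock.accept()
                with conn:
                    conn.sendall(handler(conn.recv(4096)))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return sock.getsockname()[1], t


def start_mitm(upstream_port, n_conns):
    """Attacker: connection 1 is client->attacker, connection 2 is attacker->server."""
    sock = _listen()

    def relay():
        with sock:
            for _ in range(n_conns):
                client, _ = sock.accept()
                with client, socket.create_connection((HOST, upstream_port), timeout=5.0) as up:
                    request = client.recv(4096)       # read from the victim client
                    up.sendall(request)               # forward unchanged to the real server
                    reply = up.recv(4096)             # the real server's answer
                    client.sendall(tamper(reply))     # modified answer to the victim

    t = threading.Thread(target=relay, daemon=True)
    t.start()
    return sock.getsockname()[1], t


def ask(port, request: bytes) -> bytes:
    """A client that believes `port` is the bank."""
    with socket.create_connection((HOST, port), timeout=5.0) as c:
        c.sendall(request)
        return c.recv(4096)


def run_demo():
    """Return (reply seen when talking to the bank directly, reply seen via the attacker)."""
    server_port, server_thread = start_server(bank_server, n_conns=2)
    mitm_port, mitm_thread = start_mitm(server_port, n_conns=1)
    direct = ask(server_port, b"BALANCE?")
    relayed = ask(mitm_port, b"BALANCE?")    # the victim was pointed at the attacker
    mitm_thread.join(5.0)
    server_thread.join(5.0)
    return direct, relayed


if __name__ == "__main__":
    direct, relayed = run_demo()
    print("direct  :", direct)
    print("via MITM:", relayed)
```

Nothing in plain TCP lets the client notice the relay: both connections are complete, valid handshakes. The only defence is authentication above TCP, such as TLS with certificate verification, which a relay cannot satisfy without the server's private key.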
Wireless Signal Jamming Attack: In this attack scenario, wireless radio signals themselves are the
weapon. An attacker uses a signal generator, typically with a high-gain antenna. First, the
attacker identifies the channel and signal pattern of the target AP. Then she/he transmits on
the same frequency with enough power to drown out the legitimate signal.
As a result, the target AP is jammed, and so is the legitimate user's node. This breaks the
connection between a legitimate user of the wireless network and the
network itself. There are mainly three reasons for jamming a wireless network:
1. Fun – Prevent the legitimate user from receiving any kind of data from the Internet.
2. Spy – Delaying packet delivery to the legitimate user gives the attacker more time to
decipher the packets in order to steal the information.
3. Attack – The attacker may spoof packets and send them to the victim in order to take control
over the user's machine or network.
This is a type of DoS attack on wireless networks. It takes place when rogue RF
emissions interfere with legitimate wireless network operation. In some
cases the alerts are false positives, such as a cordless telephone that uses the same frequency as
the wireless network. In that case you might see
results in your wireless monitoring software or mechanism, but it is not actually signal jamming.
It is not a very common attack, as it requires dedicated radio hardware and physical proximity to
the target.
Pre-Shared Key Guessing: A pre-shared key is used by the nodes of a WPA/WPA2-Personal
network to encrypt the data communication; it is derived from the passphrase and the SSID. Many
administrators of Wi-Fi networks never change the default key the device shipped with. Attackers
therefore identify the manufacturer of the wireless access point (for example from the MAC address
prefix or the default SSID) in order to obtain the default ID and password and the vendor's
default passphrase pattern.
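Pre-shared key guessing is offline work once a handshake has been captured, because the WPA/WPA2-Personal key is a deterministic function of the passphrase and the SSID. The Python below is an added example, not the paper's code. It derives the pairwise master key as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt), checks itself against the published test vector (passphrase "password", SSID "IEEE"), and then runs a small constructed list of default-style candidates against a constructed target. A real attack verifies each candidate through the 4-way handshake's MIC rather than comparing PMKs; comparing the PMK directly is the simplification used here, and the candidate list is illustrative, not a real vendor default list.

```python
"""Offline dictionary attack against a WPA/WPA2-Personal passphrase.

Added example, not from the paper. The derivation is the standard one
(IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
A real cracker checks each guess against the captured 4-way handshake MIC;
here the guess is checked against the PMK directly, which costs the same
PBKDF2 work per candidate.
"""
import hashlib
import time
from typing import Iterable, Optional

# Test vector from IEEE Std 802.11i, Annex H (passphrase "password", SSID "IEEE")
IEEE_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key. The SSID is the salt, so precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def known_vector_ok() -> bool:
    return wpa2_pmk("password", "IEEE") == IEEE_VECTOR_PMK


def guess_psk(ssid: str, target_pmk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose PMK matches, or None."""
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:
            continue                     # outside the legal passphrase length, skip the work
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed list in the spirit of "defaults never changed": not a real vendor list.
DEFAULT_STYLE_CANDIDATES = [
    "admin", "password", "12345678", "87654321", "password1", "adminadmin",
    "1234567890", "qwertyuiop", "letmein123",
]


def guesses_per_second(ssid: str = "IEEE", sample: int = 20) -> float:
    """Rough throughput of this single-threaded pure-Python guesser."""
    start = time.perf_counter()
    for i in range(sample):
        wpa2_pmk(f"candidate{i:04d}", ssid)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    print("test vector ok:", known_vector_ok())
    # Constructed target: an AP still on a default-style SSID with a weak passphrase.
    ssid = "Linksys"
    target = wpa2_pmk("password1", ssid)
    print("recovered:", guess_psk(ssid, target, DEFAULT_STYLE_CANDIDATES))
    # The same passphrase under a different SSID gives a different PMK, which is why
    # renaming the SSID defeats tables precomputed for the default name.
    print("same guess, other SSID:", guess_psk("Linksys-5G", target, DEFAULT_STYLE_CANDIDATES))
    print(f"{guesses_per_second():.0f} guesses/s in pure Python")
```

The 4096 PBKDF2 iterations are what make each guess cost something, so the defence is the size of the space the attacker has to search: a long random passphrase and a non-default SSID, not the secrecy of the vendor's default pattern.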
Frame injection attack: To perform this kind of attack, an attacker must have a deep
understanding and knowledge of the protocol. A professional hacker uses it
to perform an injection attack on wireless networks. First, she/he performs passive
information gathering on that network. Then the attacker creates wireless protocol frames and
sends them to the targeted network. There are basically two ways of doing so: either craft a
forged frame and inject it into the network, or sniff the network traffic, modify captured frames
and re-inject them. Once these frames reach the server, the response from the wireless network is
captured, intercepted and modified by the attacker to perform a man-in-the-middle attack. This is
hard to detect, as it happens at layer two, below the view of most host-based monitoring. On
networks without management frame protection (802.11w), management frames such as
deauthentication are unauthenticated and can be forged by anyone in radio range.
Denial of sleep attack: Battery-powered sensor nodes keep their radio switched off most of the
time, and the MAC protocol regulates when each node wakes up to communicate, in order to
reduce consumption. A malicious user can take advantage of this mechanism. An attacker may
drain the power supply of the sensor device to shorten the node's life, for instance by attacking
the MAC layer to reduce its sleep period. If the number of drained nodes grows, the whole
network can be disrupted. Only the MAC protocol can create longer sleep durations; without
it, the lifetime of a wireless sensor network cannot be extended.
Collision attack: In this type of attack, the attacker tries to corrupt packets as they are being
transmitted to the receiver, by transmitting at the same time. When the attacker succeeds, the
resulting packet's checksum does not match at the receiver's end, and the whole packet is
discarded at the receiving node. Retransmission of that packet then consumes a lot of the energy
of that particular sensor node. A second form of collision arises without an attacker: when
messages are transmitted to the node on the same frequency at the same time, they also collide.
An illustration of this same-frequency problem is given in the figure below.
De-Synchronization Attack: In this attack, the attacker modifies the control flags and
sometimes the sequence numbers in order to forge packets or messages. As a result, the
legitimate user is prevented from exchanging messages between server and client, and each
side continuously requests retransmission of those messages. The attack causes an endless cycle
of retransmission, which consumes a lot of energy. In other words, the attacker disturbs the
established connection between two endpoints.
Flooding Attack: There are plenty of DoS attacks which reduce the network lifetime in different
ways. One of the common methods is flooding. An attacker sends a huge number
of packets in order to stop the network from communicating with other nodes. The main aim
of this attack is to exhaust the resources on the victim's machine.
Replay Attack: In this attack, transmitted data is maliciously repeated. An attacker intercepts
the data in order to retransmit it later. It is part of a masquerade attack (in system security a
masquerade attack is a type of attack in which one system assumes the identity of another) and
can be carried out by substituting an IP packet. It can also be used to mount a stream cipher
attack when the same keystream is reused.
An attacker repeatedly sends copies of the packets to the victim in order to exhaust its energy or power
supply. This kind of attack can crash poorly designed applications. Note that a replayed packet
carries a valid message authentication code, so integrity checks alone do not stop it; the receiver
also needs a sequence number or timestamp that it refuses to accept twice.
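The check a receiver needs against replays is shown below in Python, as an added example that is not the paper's code. Each packet carries a 64-bit sequence number, a payload and an HMAC tag over both (keyed with a constructed shared key); the receiver keeps a 64-entry sliding window in the style of IPsec anti-replay, accepting each sequence number at most once, tolerating late but in-window packets, and refusing packets older than the window. The packet layout is constructed for the example.

```python
"""Anti-replay receiver: authenticated packets plus a sliding window.

Added example, not from the paper. Packet layout (constructed):
    8-byte big-endian sequence number | payload | 16-byte truncated HMAC-SHA256
A replayed packet has a perfectly valid tag, so the MAC check alone does not
stop it; the sequence window does.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16
WINDOW = 64                      # IPsec-style window size


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: number the packet and authenticate number + payload together."""
    return struct.pack(">Q", seq) + payload + _tag(key, seq, payload)


class AntiReplayReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0         # highest sequence number accepted so far
        self.bitmap = 0          # bit d set  <=>  sequence number (highest - d) was accepted

    def accept(self, packet: bytes):
        """Return (accepted, reason)."""
        if len(packet) < 8 + TAG_LEN:
            return False, "truncated"
        seq = struct.unpack(">Q", packet[:8])[0]
        payload, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        # 1. integrity/authenticity first; the tag also binds seq to payload, so the
        #    attacker cannot renumber an old packet to slip it past the window
        if not hmac.compare_digest(_tag(self.key, seq, payload), tag):
            return False, "bad tag"
        if seq == 0:
            return False, "sequence number 0 is reserved"
        # 2. replay window
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True, "ok"
        age = self.highest - seq
        if age >= WINDOW:
            return False, "too old"
        if self.bitmap & (1 << age):
            return False, "replay"
        self.bitmap |= 1 << age
        return True, "ok (late)"


def run_scenario(key: bytes = b"constructed-shared-key"):
    """Drive the receiver through the cases a practitioner cares about."""
    rx = AntiReplayReceiver(key)
    p = {i: seal(key, i, f"msg{i}".encode()) for i in (1, 2, 3, 5, 200)}
    tampered = bytearray(p[2])
    tampered[9] ^= 0x01                                  # flip one payload bit
    renumbered = struct.pack(">Q", 250) + p[2][8:]       # old payload+tag under a new seq
    steps = [
        ("fresh seq 1", p[1]),
        ("fresh seq 2", p[2]),
        ("replay of seq 2", p[2]),
        ("tampered seq 2", bytes(tampered)),
        ("renumbered seq 2 as 250", renumbered),
        ("fresh seq 5 (3 skipped)", p[5]),
        ("late seq 3, still in window", p[3]),
        ("replay of seq 3", p[3]),
        ("fresh seq 200", p[200]),
        ("seq 1 again, older than the window", p[1]),
    ]
    return {name: rx.accept(pkt) for name, pkt in steps}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:38s} -> {verdict}")
```

The order of the two checks matters: verifying the tag before touching the window means an attacker who cannot forge tags also cannot move the window forward with a bogus high sequence number and thereby lock out the legitimate sender.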
Selective Forwarding Attack: This is also referred to as a 'gray hole attack'. In this form of attack, a
compromised node forwards some of the packets passing through it and drops the others. In
one form of selective forwarding attack, a node selectively rejects packets, dropping those
coming from an individual node or a group of nodes.
The above figure illustrates this attack. Here you can see that a malicious node is selectively
dropping packets from a certain node or group of nodes. Alternatively, it may forward them
somewhere else, which pollutes the routing information, since packets are sent down the wrong
path within the network.
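Detecting a gray hole from the outside relies on the fact that, on a shared wireless medium, a node's upstream neighbor can overhear whether it actually retransmits what it was given. The Python simulation below is an added example, not the paper's code: packets travel along a constructed four-node path in which one node (C) silently drops about half of what it receives, each node's upstream watchdog counts what the next hop received and forwarded, and nodes whose forwarding ratio falls below a threshold are reported. The drop probabilities, the threshold and the watchdog model are assumptions made for the illustration.

```python
"""Watchdog-style detection of a selective forwarding (gray hole) node.

Added example, not from the paper. A path of sensor nodes relays packets
toward the base station; each node's upstream neighbour overhears whether
the packet was forwarded. Honest nodes drop a little (link noise), the gray
hole drops a lot. All rates are constructed for the illustration.
"""
import random


def simulate(path, drop_prob, n_packets, seed=1):
    """Send n_packets along `path`. Return (per-node received/forwarded counts, delivered)."""
    rng = random.Random(seed)
    stats = {node: {"received": 0, "forwarded": 0} for node in path}
    delivered = 0
    for _ in range(n_packets):
        for node in path:
            stats[node]["received"] += 1
            if rng.random() < drop_prob.get(node, 0.0):
                break                        # dropped here: downstream never sees it
            stats[node]["forwarded"] += 1    # the upstream watchdog overhears this
        else:
            delivered += 1                   # reached the base station
    return stats, delivered


def forwarding_ratio(stats, node):
    s = stats[node]
    return s["forwarded"] / s["received"] if s["received"] else None


def suspects(stats, threshold=0.9, min_samples=30):
    """Nodes observed often enough whose forwarding ratio is below the threshold."""
    return sorted(
        node for node, s in stats.items()
        if s["received"] >= min_samples and forwarding_ratio(stats, node) < threshold
    )


# Constructed scenario: B and D lose a little to ordinary link errors, C is a gray hole.
PATH = ["A", "B", "C", "D"]
DROP_PROB = {"B": 0.01, "C": 0.5, "D": 0.02}


if __name__ == "__main__":
    st, delivered = simulate(PATH, DROP_PROB, n_packets=1000)
    for node in PATH:
        print(f"{node}: received={st[node]['received']:4d} "
              f"forwarded={st[node]['forwarded']:4d} ratio={forwarding_ratio(st, node):.2f}")
    print("delivered:", delivered, "suspects:", suspects(st))
```

The threshold has to sit above the loss an honest link shows, and `min_samples` keeps a node with only a handful of observations from being accused on noise. A watchdog of this kind is blind to a node that forwards every packet but to the wrong next hop (the second variant described above) and to collisions that hide a genuine retransmission, so it is evidence for a reputation scheme, not proof.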
Unauthorized Routing Update Attack: Many components take part in the routing process,
such as hosts, base stations, access points, nodes, routing protocols, etc. A malicious user may try
to alter this information in order to update the routing tables. As a result of
this attack, some nodes may become isolated from the base station, or the network may
partition. Packets may be dropped after their TTL expires, or be
forwarded to an unauthorized user. All of these incidents are impacts of this attack.
Wormhole Attack: In this type of attack, an attacker copies whole packets or messages at one
point of the network and tunnels them to another point. Then the attacker transmits them to the
destination node. The copied packets are delivered so quickly over the tunnel that they
reach the destination node before the original packets (from the legitimate user) do, which makes
the wormhole look like the shortest route. The tunnel itself is invisible to the routing protocol, so
the wormhole nodes appear to be ordinary neighbors.
Sink Hole Attack: This is a special kind of selective forwarding attack which draws traffic toward
the compromised node. A compromised node attracts as much of the network's traffic as possible
by advertising itself as the best route (for example, as the node closest to the base station), which
then enables the selective forwarding attack. It is a very complex attack. Detection of a sinkhole
attack is very hard, and it affects the higher-layer applications. The figure below illustrates the
architecture of a sinkhole attack.
Impersonation Attack & Sybil Attack: This attack is very common and well known. The attacker
may obtain a legitimate person's IP address or MAC address in order to steal his/her identity
and make it his/her own. Then the attacker may attack another victim and can do plenty of things
with the stolen identity of the legitimate user. A Sybil attack is an advanced version of an
impersonation attack in which a malicious user (attacker) assumes multiple identities. In technical
terms, a single malicious node presents itself to its fellow nodes under several
identities at once. The impact is the same as that of an impersonation attack, multiplied by the
number of identities, which is why it defeats voting, reputation and redundancy schemes.
Traffic Analysis Attack: Here an attacker gains information about the network traffic as well as
the behavior of the nodes. Traffic analysis can be done by examining message lengths, message
patterns, and the duration of sessions, even when the content is encrypted. The attacker may then
correlate the inbound and outbound traffic of a single router, which violates the privacy
of the members, who are linked with those messages. Sometimes an attacker is able to
link two nodes that have no apparent connection within the network.
USB Port: With one on almost every device in your plant, USB ports are the easiest way to
introduce viruses into, or remove secrets from, a system.
Plugs: Network systems can be shut down if someone unplugs a cable or plugs it into the wrong
location. Attackers mostly do this to shut down other security systems.
Cables: The easiest way to get information is by tampering with cables. An attacker can do this
inside or outside the organization.
Research by: Muhammad Ahad.
Department BSIT
Submitted to: Sir Shafan.