May 8th, 2006, 09:37 AM
Weakness Ad hoc Wireless networks
Recently I started a project on developing an IDS for wireless ad hoc networks, and found that ad hoc networks will be the hackers' playground in the near future. I just want to show an interesting attack scenario in these popular network systems. In this network system, every node acts as a router.
If you want an intro to ad hoc systems, check this site: Introduction to Ad hoc networks.
Ad hoc networks use two kinds of routing protocols - proactive and reactive (e.g. AODV, OLSR, etc.).
This attack scenario uses OLSR; check this website: OLSR
Imagine a host wanting to be able to serve clients in an OLSR (routing protocol) network with a fake web-page when clients request an often used web-server. The attacker needs to consider the following:
1. Become accepted as a router in the MANET routing domain.
2. Get Internet destined traffic routed to the local node.
3. Intercept traffic destined for the address for which to serve the fake web-page.
4. Reply to all requests for the address for which to serve the fake web-page.
The first step is easily accomplished if no security mechanisms are used on the lower layers. An example of such a mechanism would be the WEP protocol. Due to this protocol's many weaknesses, the attacker could break this security layer using freely available tools. When the attacker is able to communicate with the nodes in the MANET on the IP layer, she can participate in the OLSR routing by starting her own OLSR daemon.
Step 2 requires some more effort if all Internet traffic is to be routed to the attacker's host. This could probably be accomplished to a high degree by emitting HELLO and TC messages declaring all nodes heard of in the MANET as symmetric neighbors, while emitting HNA messages declaring Internet connectivity. Another approach could be to try to bring all other Internet gateways down by DoS attacks. But by emitting HNA messages, the rogue node will get all Internet traffic from at least a subset of the MANET routed to itself. If the attacker's node actually has Internet access, it is probable that no MANET nodes would be alarmed, since commonly used services, such as DNS, should work normally.
The third step can be accomplished by many more or less sophisticated techniques, but the most trivial approach is for the attacker to assign the address of the destination it wishes to intercept to itself. The attacker still uses another address for OLSR routing, but as hosts can be configured with multiple IP addresses this poses no problem. Now all traffic to a given Internet address will be routed to the rogue node, and upon reception the node will not forward the traffic, but pass it up the network stack.
To accomplish step 4 the rogue node only has to run the service(s) that should be faked. In our example this will be an HTTP server running at TCP port 80.
The two latter steps could be done in a much more sophisticated manner. As an example, one could use IP filtering technology to only intercept traffic destined for a certain TCP port and forward all other traffic to the actual Internet host. Another way could be to intercept all DNS traffic and resolve host names of interest to the node's IP.
In spite of all these weaknesses, I see a lot of commercial applications such as Bluetooth (a little variation from ad hoc) being implemented.
Only a fool learns from his mistakes. A wise man learns from others' mistakes.
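On the IDS side of the scenario in the post above, here is an added example (not part of the original post) that parses OLSR packets in the RFC 3626 layout and flags the two step-2 signals: an HNA default route from a node that is not a known gateway, and a HELLO that lists most of the MANET as symmetric neighbours. The gateway allow-list, the 0.8 ratio, the 10.0.0.x addresses and the assumption that Internet connectivity is announced as a 0.0.0.0/0.0.0.0 HNA entry are choices made for the example.

```python
import struct
from ipaddress import IPv4Address as IP

HELLO, HNA, SYM_LINK = 1, 4, 2   # RFC 3626 message types and HELLO link type

def parse_olsr(packet):
    """Yield (msg_type, originator, body) for each message in one OLSR packet."""
    off = 4                                   # skip packet length + sequence number
    while off + 12 <= len(packet):
        mtype, _vt, size, orig, _ttl, _hop, _seq = struct.unpack_from("!BBH4sBBH", packet, off)
        if size < 12 or off + size > len(packet):
            break                             # bad size field: stop, never over-read
        yield mtype, IP(orig), packet[off + 12:off + size]
        off += size

def hna_networks(body):
    """HNA body: repeated (network address, netmask) pairs of 4 + 4 bytes."""
    return [(IP(body[i:i + 4]), IP(body[i + 4:i + 8])) for i in range(0, len(body) - 7, 8)]

def hello_sym_neighbors(body):
    """Neighbour addresses a HELLO lists under link type SYM_LINK."""
    found, off = set(), 4                     # skip Reserved, Htime, Willingness
    while off + 4 <= len(body):
        code, _res, size = struct.unpack_from("!BBH", body, off)
        if size < 4 or off + size > len(body):
            break
        if code & 0x03 == SYM_LINK:
            found |= {IP(body[i:i + 4]) for i in range(off + 4, off + size - 3, 4)}
        off += size
    return found

def inspect(packet, gateways, known_nodes, sym_ratio=0.8):
    alerts = []                               # (originator, reason) per suspicious message
    for mtype, orig, body in parse_olsr(packet):
        if mtype == HNA and orig not in gateways and any(
                int(net) == 0 and int(mask) == 0 for net, mask in hna_networks(body)):
            alerts.append((str(orig), "HNA default route from unlisted gateway"))
        elif mtype == HELLO and known_nodes and (
                len(hello_sym_neighbors(body) & known_nodes) >= sym_ratio * len(known_nodes)):
            alerts.append((str(orig), "HELLO claims most known nodes as symmetric"))
    return alerts

def build(mtype, orig, body):                 # constructed input: one message, one packet
    msg = struct.pack("!BBH4sBBH", mtype, 0, 12 + len(body), IP(orig).packed, 1, 0, 0) + body
    return struct.pack("!HH", 4 + len(msg), 0) + msg

NODES, GATEWAYS = {IP(f"10.0.0.{i}") for i in range(1, 6)}, {IP("10.0.0.1")}  # constructed
SAMPLE_HNA = build(HNA, "10.0.0.9", bytes(8))   # constructed: 0.0.0.0/0.0.0.0 from 10.0.0.9
SAMPLE_HELLO = build(HELLO, "10.0.0.9", bytes(4) + b"\x06\x00\x00\x18" + b"".join(n.packed for n in NODES))
```

The symmetric-neighbour ratio is only a heuristic: in a small, dense MANET an honest node can legitimately hear everyone, so the threshold has to be tuned to the topology.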