Thursday, September 24, 2015

Layer 1 network attacks

Discuss/describe one or more LAN based attacks (also known as layer 2 attacks or lower layer attacks) which are not covered in the Module 3, or share any additional thoughts you may have on LAN based attacks covered in Module 3.

Discuss the security measures or methods used to prevent or mitigate the LAN based attacks you presented in Question A.

Layer 1 of the OSI network model is the physical layer. (Ruh, 2009) All three legs of the security triad can be attacked at layer 1: confidentiality, integrity, and availability.

  • Confidentiality: Ethernet - The first Wi-Fi encryption scheme was called Wired Equivalent Privacy, a fairly appropriate name since WEP is almost trivially broken. (Wójtowicz & Belka, 2014) Wired Ethernet is entirely unprotected at Layer 1, and traffic can be recorded by anyone who can get a hook into the wires. Today an attacker doesn't need to strip and splice your network cables; it is enough to have the access needed to replace the cable they want to attack with two cables. For just $10 plus the cost of two lengths of CAT5 cabling the attacker can place a commercially available Throwing Star LAN Tap. (HakShop, 2015) That small device, sold for penetration testers, copies all traffic crossing it onto two listening ports.
  • Integrity: Wi-Fi - To provide the best user experience with the least configuration, Wi-Fi establishes a connection to an SSID network by connecting to the strongest signal it can find from an access point advertising that SSID. If a stronger signal becomes available, the client will switch to communicating with that access point. In legitimate networks this happens for load balancing and to support mobile clients, but it can also happen when a rogue access point begins advertising the victim network. Once the rogue access point is the client's route to the network, all traffic crossing it is available for manipulation. For $100 an enterprising attacker can buy a preconfigured miniature computer that automatically listens for SSIDs that are in use and can be hijacked, and starts advertising them. It can then be used to launch various attacks on the traffic, such as man-in-the-middle attacks on secure connections or returning maliciously manipulated DNS answers. This product is the Wi-Fi Pineapple. (HAK5, 2015)
  • Availability:
    • Ethernet - Given only physical access to an Ethernet network, an attacker is able to trivially launch a destructive denial of service attack. Ethernet networks require electrical pulses to be sent along metal wires inside the cable, so severing the cable with something like a pair of diagonal pliers will terminate the connection. It is as simple as placing the cable inside the pliers and squeezing, though it is recommended that the attacker "place the wire to be cut as near as possible to the joint. This increases the leverage and considerably reduces the manual effort when cutting." (KNIPEX-Werk, 2014) These kinds of attacks were launched on backbone fiber in California earlier this year. (Kravets, 2015)
    • Wi-Fi - Since Wi-Fi is carried on radio signals it is vulnerable to jamming "by emitting radio frequency waves that prevent the targeted device from establishing or maintaining a connection". (Pittman, 2011, p.2) In the United States this is illegal and falls under the jurisdiction of the FCC, but attackers rarely avoid attacks based on the legality of the technique.

Security measures that protect against these attacks

Ethernet: Since Ethernet attacks rely on access to the Layer 1 medium, the cables, the best defense is to prevent such access. Keeping infrastructure nodes such as switches and routers in locked, access-controlled spaces stops tools like the Throwing Star from being deployed on critical lines without having to modify cables. Actual backbone cables, such as the connections from the network to the Internet, should be entirely protected by secured cable runs, by being buried, or by running inside walls. Cable integrity should be checked periodically to catch any attack that has already been launched successfully.

Wi-Fi: Being wireless and transmitted over radio waves, the distance a signal travels depends on a combination of transmitter strength, antenna quality, weather, other traffic on and near the frequency, and objects in the way. With so many variables involved, the best course of defense is a combination of monitoring for rogue access points and keeping your wireless network inside your facility, while keeping foreign signals out.

  • Electromagnetic signals can be stopped through global shielding, where the entire facility is protected at the perimeter walls, floor, and ceiling. (Herndon, 1990) Wireless networks inside the shielding cannot be sniffed from outside, and clients inside cannot connect to rogue access points outside.
  • Wardriving, traveling around scanning for wireless networks, can be used to periodically check for rogue access points broadcasting your SSID. (Etter, 2002) Additionally, wireless intrusion prevention systems can be deployed to automate such monitoring. (Zhang et al., 2010)
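One concrete form of the rogue access point check described above, as an added example that is not part of the original post: it compares a constructed wireless survey against a hypothetical inventory of authorised BSSIDs and flags anything advertising the organisation's SSID that is missing from inventory, sits on an unexpected channel, or is offered without encryption. The survey line format, the inventory and the SSID are all assumptions made for the example.

```python
# Hypothetical inventory of the organisation's authorised APs: BSSID -> channel.
AUTHORIZED_APS = {"00:11:22:33:44:01": 6, "00:11:22:33:44:02": 11}
OUR_SSID = "CorpNet"  # constructed SSID for the example

def parse_scan(text):
    """Parse constructed 'bssid,ssid,channel,signal_dbm,security' lines
    (an assumed survey format, not any real tool's output)."""
    entries = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        bssid, ssid, chan, sig, sec = [f.strip() for f in line.split(",")]
        entries.append({"bssid": bssid.lower(), "ssid": ssid, "channel": int(chan),
                        "signal_dbm": int(sig), "security": sec.upper()})
    return entries

def find_rogue_aps(entries):
    """Return (bssid, reason) pairs for APs advertising our SSID that are missing
    from inventory or deviate from it; neighbouring networks are ignored."""
    findings = []
    for e in entries:
        if e["ssid"] != OUR_SSID:
            continue
        expected = AUTHORIZED_APS.get(e["bssid"])
        if expected is None:
            findings.append((e["bssid"], "unknown BSSID advertising our SSID (possible evil twin)"))
        elif e["channel"] != expected:
            findings.append((e["bssid"], f"inventoried BSSID seen on channel {e['channel']}, expected {expected}"))
        elif e["security"] == "OPEN":
            findings.append((e["bssid"], "our SSID offered without encryption"))
    return findings

# Constructed survey output: two legitimate APs, an evil twin, a cloned BSSID on
# the wrong channel, and an unrelated neighbouring network.
SAMPLE_SCAN = """
# bssid,ssid,channel,signal_dbm,security
00:11:22:33:44:01,CorpNet,6,-45,WPA2
00:11:22:33:44:02,CorpNet,11,-60,WPA2
aa:bb:cc:dd:ee:ff,CorpNet,6,-30,OPEN
00:11:22:33:44:02,CorpNet,3,-40,WPA2
de:ad:be:ef:00:01,CoffeeShop,1,-70,OPEN
"""

if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(f"ALERT {bssid}: {reason}")
```

A cloned BSSID is only caught here when it appears on a different channel than the inventoried one; a WIPS would add signal-strength and timing heuristics for that case.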


Etter, A. (2002). A guide to wardriving and detecting wardrivers. SANS Institute. Retrieved 23 September 2015 from https://www.sans.org/reading-room/whitepapers/wireless/guide-wardriving-detecting-wardrivers-174

HAK5. (2015). WiFi Pineapple. Retrieved 23 September 2015 from https://www.wifipineapple.com

HakShop. (2015). Throwing Star LAN Tap. Retrieved 23 September 2015 from https://hakshop.myshopify.com/products/throwing-star-lan-tap

Herndon, R. L. (1990, December 31). Electromagnetic pulse (EMP) and TEMPEST protection for facilities. U.S. Army Corps of Engineers.

Kravets, D. (2015, July 1). California fiber optic cable vandalism continues unabated. Ars Technica. Retrieved 23 September 2015 from http://arstechnica.com/tech-policy/2015/07/california-fiber-optic-cable-vandalism-continues-unabated/

KNIPEX-Werk. (2014). The diagonal cutters. Retrieved 23 September 2015 from http://www.knipex.com/en/pliers-abc/some-know-how-about-pliers/the-diagonal-cutters/

Pittman, K. (2011). GPS, Wi-Fi, and cell phone jammers. FCC. Retrieved 23 September 2015 from https://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf

Ruh, L. (2009). Open Systems Interconnection Reference Model. Retrieved 27 January 2012 from http://polaris.umuc.edu/de/csi/OSI_model_2009/OSI_Model_2009.html

Wójtowicz, S., & Belka, R. (2014, November). Analysis of selected methods for the recovery of encrypted WEP key. In Symposium on Photonics Applications in Astronomy, Communications, Industry and High-Energy Physics Experiments (pp. 92902Z-92902Z). International Society for Optics and Photonics.

Zhang, Y., Chen, G., Weng, W., & Wang, Z. (2010, June). An overview of wireless intrusion prevention systems. In Communication Systems, Networks and Applications (ICCSNA), 2010 Second International Conference on (Vol. 1, pp. 147-150). IEEE.
