1. Field of the Invention
The present invention relates to communications networks, and more specifically, to denial-of-service (DoS) attacks in wireless networks.
2. Description of the Related Art
Denial-of-service (DoS) attacks continue to present a significant challenge to network operators. Recently, the frequency and magnitude of attacks directed toward Internet resources have been steadily increasing. These attacks include the February 2000 attacks on popular Web sites including www.yahoo.com, www.cnn.com, www.ebay.com, and the recent attacks on the core Internet domain name servers (DNSs).
DoS attacks typically involve blasting a network node (e.g., a server) with a volume of traffic that exceeds the node's handling capacity. This volume of traffic invariably disables the operation of the node for the duration of the attack. A more sophisticated type of DoS attack is known as a distributed DoS (DDoS) attack. In a DDoS attack, the attacker begins by subverting a number of nodes (e.g., via well-known security loopholes), effectively making them slaves to the attacker. These compromised nodes are then used as launch points to inject traffic into the network. By summoning a reasonable number of compromised nodes, an attacker can potentially launch a large-scale, network-wide attack by coordinating the traffic from multiple launch points.
There is no dearth of research related to DoS counter-measures. Indeed, a large variety of solutions have been proposed. The current state-of-the-art in defending against DoS attacks includes (1) stateful firewalls (e.g., the PIX router from Cisco Systems of San Jose, Calif.; Netscreen from Juniper Networks of Sunnyvale, Calif.; Firewall-1 from Checkpoint Systems of Redwood City, Calif.), (2) router modifications to support “pushback” (i.e., attempting to install filters from the target of the attack backwards to the source), (3) “traceback” (i.e., attempting to detect the source of the attack), and (4) intrusion-detection mechanisms that look for anomalies or signatures in arriving traffic. More information on pushback, traceback, and intrusion detection can be found in Ioannidis J. and Bellovin S., “Implementing pushback: Router-based defense against DDoS attacks,” Proceedings of Network and Distributed Systems Security Symposium, February 2002; Snoeren A., “Hash-based IP Traceback,” Proceedings of ACM SIGCOMM, 2001; and “Snort: Open-source Network Intrusion Detection System,” http://www.snort.org, each incorporated herein by reference in its entirety.
Some of these approaches require significant changes to existing network elements and thus may be costly to deploy, while others require collaboration across Internet service providers (ISPs) and thus may be impractical. Nonetheless, these schemes do reduce the threat of wire-line DoS attacks. For example, a common feature of firewalls that prevents connections from being initiated from outside an enterprise LAN is fairly successful in mitigating the effects of many DoS flooding attacks.
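The firewall feature just mentioned, in the form of a minimal connection-tracking filter, as an added illustration that is not part of the original document: inbound packets are accepted only when they belong to a flow an inside host started, so outside-initiated connection attempts are dropped at the boundary. The LAN prefix and the sample packets are constructed assumptions.

```python
# Added illustration of a stateful firewall that only permits inside-initiated
# connections. Constructed sample traffic; not a real firewall implementation.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumption: enterprise LAN address prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True for a connection-initiating TCP SYN


class StatefulFilter:
    """Tracks flows opened from inside and admits only their return traffic."""

    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    @staticmethod
    def _is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def decide(self, pkt):
        outbound = self._is_inside(pkt.src) and not self._is_inside(pkt.dst)
        if outbound:
            # Inside host initiating or continuing a flow: record it and allow.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        inbound = self._is_inside(pkt.dst) and not self._is_inside(pkt.src)
        if inbound:
            known = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
            if known and not pkt.syn:
                return "ACCEPT"   # reply to a flow an inside host opened
            return "DROP"         # outside-initiated attempt: flood stops here
        return "ACCEPT"           # inside-to-inside traffic is not policed


def run(packets):
    f = StatefulFilter()
    return [f.decide(p) for p in packets]


SAMPLE = [  # constructed packets
    Packet("10.0.0.5", "203.0.113.7", 40000, 80, syn=True),   # inside client opens HTTP
    Packet("203.0.113.7", "10.0.0.5", 80, 40000, syn=False),  # server's reply
    Packet("198.51.100.9", "10.0.0.5", 1234, 22, syn=True),   # outside-initiated SYN
    Packet("198.51.100.9", "10.0.0.5", 1234, 22, syn=False),  # no matching state
]
```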
While many solutions exist for wired networks, few solutions exist for wireless networks. The increasing proliferation of wireless devices such as PDAs and mobile phones, along with enabling technologies such as Bluetooth, wireless fidelity (WiFi), universal mobile telecommunications system (UMTS), and third-generation wireless (3G), presents new opportunities for DoS attacks. This is because wireless networks include several vulnerabilities that do not exist in wired networks. These vulnerabilities include limited tolerance for traffic due to constrained wireless link bandwidths, a greater processing overhead associated with wireless links due to their relatively complex nature, and limited power associated with wireless client devices.
Traffic: The scarcity of resources combined with the low capacity of wireless links make a wireless network an easy target for a DoS attack. It takes significantly less traffic to overload a wireless link than it does to overload a wired link.
Processing overhead: A typical 3G or UMTS network has several infrastructure elements that perform a host of functions such as power control, resource allocation, paging, etc. The radio network controller (RNC) and the base stations are involved in these activities for each mobile, and, in fast-handoff systems, the overhead on these devices is tremendous. Such devices in wireless networks are typically engineered to handle a limited load associated with a given number of simultaneously active users. Overload, therefore, is a significant concern for the wireless infrastructure.
Limited power supply: Mobile clients in wireless networks are usually powered by batteries whose limited lifetimes make them targets for a class of attacks that simply drain the power by making the mobile perform redundant, power-consuming activities. Power drain can quickly render a mobile device inoperable.
An attacker launching a wireless-specific DoS attack can easily exploit these vulnerabilities. There are two key aspects that can enhance and facilitate such wireless attacks when compared to wireline DoS.
Volume of the attack: In a wireline attack, an attacker has to flood large volumes of data onto a network in order to be successful in overwhelming one or more servers. Since this increases the probability of detection of the source of the attack, it renders wireline DoS attacks less effective. A wireless link is easier to overload with substantially less traffic. This provides a dual advantage to the attacker: (1) ease of launching the attack from the attacker's perspective and (2) difficulty in detecting the source of the attack due to the relatively low volume of traffic.
Target of the Attack: In a wired network, the server is typically the target of a DoS attack. Thus, countermeasures have been able to focus on making the server more robust. However, in a wireless network, the intended target of an attack can be one of a number of different elements within the network, including servers, clients, and infrastructure. In a wireless DoS attack, the attacker has increased flexibility, since both infrastructure and mobiles can be easily attacked. The same attack can target multiple mobiles, either by attacking each mobile individually or by targeting the wireless infrastructure for a more widespread effect. Furthermore, advanced wireless architectures such as Evolution Data Only (EV-DO) networks, with always-on mobiles, have increased susceptibility to power-drain attacks.
In a DoS attack on a wired network, it takes a certain amount of time for a server to be disabled, since servers typically have significant bandwidth and processing capacity. However, in a wireless network, mobiles typically have very limited bandwidth and processing capacity, as well as limited battery lifetimes. Thus, an attack that has reached a mobile has already succeeded in wasting critical resources on the wireless link and the wireless infrastructure, as well as the battery resource at the mobile.
Accordingly, there exists a need for DoS and DDoS attack counter-measures that are specific to the wireless environment and address its characteristic vulnerabilities.