
Research by ahad attack on the physical layer



Attack on the Physical layer

The physical layer defines the means of transmitting raw bits, rather than logical data packets, over a physical link connecting network nodes. The bit stream may be grouped into code words or symbols and converted to a physical signal that is transmitted over a hardware transmission medium. The physical layer provides an electrical, mechanical, and procedural interface to the transmission medium.

The physical layer consists of the basic hardware transmission technologies of a network. Typically, networking hardware includes gateways, routers, network bridges, switches, hubs, and repeaters, but it also includes hybrid devices such as protocol converters, modems, and wireless access points, as well as the network cabling itself. An attacker with physical access to the medium can observe, inject, or block signals at this layer without defeating any cryptography; whether the tapped data is readable then depends entirely on whether the higher layers encrypted it.

Types of attack:

1) Direct attack: the attacker acts directly on a network element. Such attacks include:

*attacks on the transmission medium: tapping (eavesdropping on the signal) and jamming (injecting a signal to disrupt it);

*attacks on signal processing elements such as optical amplifiers, carried out locally or remotely, including the exploitation of crosstalk;

*attacks on the transmission fiber itself, such as a fiber cut.

2) Indirect attack: certain network elements are more likely to be attacked indirectly, because it is too complicated to attack them directly or they are not easily accessible. Such attacks include:

*indirect crosstalk, where a signal injected elsewhere degrades the target channel;

*unauthorized access through add/drop ports.

3) Pseudo-attacks: anomalies which are not intrusions but may be interpreted as such, because of significant changes in signal quality that depend on the physical network design. Telling these apart from real attacks is a monitoring problem: the same drop in power or signal-to-noise ratio can come from a failing component or from an attacker.

An attack can be classified by its resources (passive or active), its means (transmission/reception, protocol, control system), its target (specific users, or the network or a sub-network), its intended effect (service disruption or tapping), its location (terminal, node, link, or multiple locations), and the attacker's willingness to be discovered (covert, subtle, or open).

Optical fibers propagate light of different wavelengths. Light that propagates through the fiber is kept in its core by total internal reflection, which keeps radiation from the fiber at a negligible level and makes the fiber immune to electromagnetic interference. However, the fiber is not shielded, and an attacker with physical access to it can easily cut the fiber or bend it slightly so that light is radiated into or out of the core. A fiber cut, which can be treated as a component fault, causes denial of service. Light radiating out of the fiber not only degrades the quality of service; it can also deliver the carried information straight into the hands of the attacker, i.e. tapping. Another way of tapping is to exploit fiber nonlinearities.


Under normal operating conditions fibers are fairly linear, but under high input power (e.g. at the output of an amplifier) or over long distances they exhibit nonlinear characteristics which cause signals on different wavelengths to affect each other. For instance, cross-phase modulation and the Raman effect may cause a signal on one wavelength to amplify or attenuate a signal on another wavelength. A sophisticated attacker may take advantage of this crosstalk by co-propagating a malicious signal on the fiber to decrease the quality of service.

When light is radiated into the fiber, service on a single wavelength can be interrupted by injecting light on the same wavelength, without breaking or otherwise disrupting the fiber. This technique is called in-band jamming, and the attack is difficult to localize because the injected light occupies the same wavelength as the legitimate signal and looks like it to downstream power monitors. If tapping is combined with jamming, an especially efficient service disruption attack is achieved; this is called correlated jamming. In it, an attacker first taps a signal at one point and then injects a signal downstream that is correlated with it, which is especially harmful to signals with a relatively low signal-to-noise ratio.

Optical amplifiers have specific characteristics which can be exploited to perform physical-layer attacks. Gain competition is a common target for attackers. An amplifier has a finite amount of gain available (a limited population of excited dopant ions, from which every channel in the passband draws), which is divided among the incoming signals. Thus, by injecting a high-power signal within the amplifier passband, an attacker can deprive the other signals of power while increasing its own, allowing it to propagate through the network and cause service degradation or even denial of service.

Gain competition can be used to create a powerful out-of-band jamming attack. In it, the attacker injects a powerful signal on a wavelength different from those of the legitimate (authorized) signals, but still within the passband of the amplifier. The amplifier, unable to distinguish the attack signal from legitimate data signals, provides gain to each indiscriminately. Once the amplifier saturates, the gain of every channel drops, and the strong attack signal, being the largest input, captures most of the available output power, robbing the weaker legitimate signals of theirs. Thereby the quality of service on the legitimate signals deteriorates, potentially leading to denial of service. Because the attack signal sits outside the data channels, a filter at the amplifier input that passes only the provisioned wavelengths blocks it, and per-channel power monitoring at the amplifier output detects it.
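A numeric illustration of the gain competition described above, written for this page as an added example (it is not code from the original research). The amplifier model is a deliberately simplified saturation model with assumed gain and output-power figures, the channel powers are constructed, and the monitoring check at the end is the kind of per-channel power comparison an operator would run at the amplifier output:

```python
import math

# Parameters of a simplified saturated-amplifier model.  The numbers are
# assumptions for this example, not data from any real device.
SMALL_SIGNAL_GAIN = 1000.0     # 30 dB linear gain while the amplifier is unsaturated
SATURATED_OUTPUT_MW = 20.0     # total output power it can deliver once saturated (13 dBm)


def amplifier_output(inputs_mw):
    """Per-channel output power (mW) of a gain-saturated optical amplifier.

    Model (an assumption of this example, not a full EDFA simulation): every
    channel inside the passband receives the same gain.  Below saturation that
    gain is SMALL_SIGNAL_GAIN; once the total output would exceed
    SATURATED_OUTPUT_MW the amplifier can only share that fixed budget, so the
    gain collapses to SATURATED_OUTPUT_MW / total_input and each channel gets
    a share of the output proportional to its input power.  That is gain
    competition: the strongest input takes most of the pool.
    """
    total_in = sum(inputs_mw.values())
    gain = SMALL_SIGNAL_GAIN
    if total_in * gain > SATURATED_OUTPUT_MW:
        gain = SATURATED_OUTPUT_MW / total_in
    return {ch: p * gain for ch, p in inputs_mw.items()}


def to_dbm(power_mw):
    return 10.0 * math.log10(power_mw)


def check_amplifier(baseline_mw, current_mw, provisioned, max_drop_db=3.0):
    """Per-channel power monitoring at the amplifier output.

    Returns (degraded, unprovisioned): provisioned channels whose output fell
    by more than max_drop_db relative to the baseline, and channels present now
    that were never provisioned on this amplifier.  Both together are the
    signature of an out-of-band gain-competition attack; a drop on its own may
    be a failing component (a pseudo-attack in the terminology above).
    """
    degraded = [
        ch for ch in provisioned
        if ch in baseline_mw and ch in current_mw
        and to_dbm(baseline_mw[ch]) - to_dbm(current_mw[ch]) > max_drop_db
    ]
    unprovisioned = [ch for ch in current_mw if ch not in provisioned]
    return degraded, unprovisioned


def demo():
    # Four legitimate channels at 0.004 mW (about -24 dBm) each; constructed values.
    legit = {"1550.1": 0.004, "1550.9": 0.004, "1551.7": 0.004, "1552.5": 0.004}
    baseline = amplifier_output(legit)                      # unsaturated: 4 mW per channel
    # Attacker adds 1 mW (0 dBm) on an unused wavelength still inside the passband.
    attacked = amplifier_output({**legit, "1555.0": 1.0})
    degraded, rogue = check_amplifier(baseline, attacked, list(legit))
    return baseline, attacked, degraded, rogue


if __name__ == "__main__":
    baseline, attacked, degraded, rogue = demo()
    for ch in attacked:
        print(ch, f"{to_dbm(attacked[ch]):6.1f} dBm")
    print("degraded:", degraded, "unprovisioned:", rogue)
```

In the demo the four legitimate channels each lose about 17 dB as soon as the 0 dBm intruder appears, while the intruder leaves the amplifier at nearly the full 20 mW budget; the monitor reports all four as degraded together with the unprovisioned wavelength.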

Passive Attack: These attacks do not disrupt the network; they are carried out for information gathering. A malicious user just listens to all inbound (moving inward) and outbound (going out) traffic of a wireless network. Traffic consists of packets, and each packet carries useful information such as sequence numbers, MAC addresses, and much more. These attacks are silent by nature, which is why they are hard to detect; the only dependable defence is to make whatever is overheard useless through strong encryption. Using the information gathered this way, a malicious attacker can go on to mount an active attack on the wireless network. Sometimes attackers use packet-deciphering tools (which turn the captured code back into readable data) in order to steal information by decrypting it. Deciphering packets protected by WEP is really easy, as WEP's security is very weak and easily broken. This reconnaissance is often combined with war driving, the act of searching for Wi-Fi networks from a moving vehicle using a portable computer, smartphone, or personal digital assistant.

Active Attack:

Having carried out a passive attack to gather information about the wireless network, the attacker now mounts an active attack. The most common active attacks are IP spoofing and denial of service.


IP Spoofing: In this attack scenario, the attacker first gains unauthorized access to the wireless network. IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, for the purpose of concealing the identity of the sender or impersonating another computing system. Beyond that, the attacker crafts packets so as to impersonate a host that the server or network already trusts. Any protocol that relies on source addresses alone for authorization is exposed to this; ingress filtering at the network edge and authentication above the IP layer are the standard countermeasures.

Denial of Service Attack: Here the attacker attacks a particular target by flooding the server with packets (filling it to overflowing). In most cases SYN packets are used, because of the way the TCP handshake lets them generate a flood.

The attack involves having a client repeatedly send SYN (synchronization) packets to every port on a server, using fake source IP addresses. When the attack begins, the server sees the equivalent of many attempts to establish connections. It responds to each attempt with a SYN/ACK (synchronization acknowledged) packet from each open port, and with a RST (reset) packet from each closed port. For every SYN/ACK the server sets aside a half-open connection entry and waits for an ACK that never arrives, since the source addresses are fake; once the backlog of half-open connections is full, legitimate clients can no longer connect. Servers defend against this with SYN cookies, which avoid storing state until the handshake completes, and with rate limiting.
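Added example (not from the original paper): detection logic for the SYN flood described above, run over a constructed packet log. The log format, the addresses and the traffic are invented for the example; the check itself, counting handshakes that never complete per server, is what a SYN-flood detector does.

```python
import re
from collections import defaultdict

# Constructed sample log, one TCP segment per line in the form
#   <time> <src ip:port> > <dst ip:port> <flags>
# with flags S (SYN), SA (SYN/ACK), A (ACK) or R (RST).  Not real captures;
# the format mimics a minimal packet logger.
LEGIT_TRAFFIC = """\
10:00:01.000 198.51.100.7:51000 > 192.0.2.10:443 S
10:00:01.001 192.0.2.10:443 > 198.51.100.7:51000 SA
10:00:01.002 198.51.100.7:51000 > 192.0.2.10:443 A
10:00:01.100 198.51.100.8:51001 > 192.0.2.10:443 S
10:00:01.101 192.0.2.10:443 > 198.51.100.8:51001 SA
10:00:01.102 198.51.100.8:51001 > 192.0.2.10:443 A
10:00:01.200 198.51.100.9:51002 > 192.0.2.20:80 S
10:00:01.201 192.0.2.20:80 > 198.51.100.9:51002 SA
10:00:01.202 198.51.100.9:51002 > 192.0.2.20:80 A
10:00:01.300 198.51.100.9:51003 > 192.0.2.10:443 S
10:00:01.301 192.0.2.10:443 > 198.51.100.9:51003 SA
10:00:01.302 198.51.100.9:51003 > 192.0.2.10:443 A
"""


def build_flood(count, target="192.0.2.10:443"):
    """SYNs from `count` spoofed sources to the target.  The server answers each
    with a SYN/ACK sent to an address that never replies, so no ACK follows."""
    lines = []
    for i in range(1, count + 1):
        src = f"203.0.113.{i}:1000"
        lines.append(f"10:00:02.{i:03d} {src} > {target} S")
        lines.append(f"10:00:02.{i:03d} {target} > {src} SA")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = LEGIT_TRAFFIC + build_flood(8)

LINE_RE = re.compile(r"^\S+ (\S+) > (\S+) ([SAR]+)$")


def analyse(log_text, min_syns=5, max_half_open_ratio=0.5):
    """Track handshakes per server and flag servers where most SYNs never complete."""
    syns = defaultdict(int)       # server -> SYNs received
    pending = defaultdict(set)    # server -> clients whose handshake still awaits the final ACK
    completed = defaultdict(int)  # server -> handshakes that finished
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if flags == "S":
            syns[dst] += 1
            pending[dst].add(src)
        elif flags == "A" and src in pending.get(dst, ()):
            pending[dst].discard(src)
            completed[dst] += 1
    report = {}
    for server, n in syns.items():
        half_open = len(pending[server])
        report[server] = {
            "syns": n,
            "completed": completed[server],
            "half_open": half_open,
            "suspect": n >= min_syns and half_open / n > max_half_open_ratio,
        }
    return report


if __name__ == "__main__":
    for server, stats in analyse(SAMPLE_LOG).items():
        print(server, stats)
```

The thresholds are arbitrary starting points: on a busy server the absolute number of half-open entries, compared against the kernel's backlog size, is the more useful alarm than the ratio.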

MITM Attack: The man-in-the-middle attack is a form of active eavesdropping (secretly listening to the private conversation of others without their consent) in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Here the attacker obtains the details of the AP of any active SSID and creates a dummy AP with the same SSID, so that clients associate with the attacker instead of the real AP; the attacker then listens to the communication between the two end points. (The SSID is the identifier that wireless network devices use to establish and maintain wireless connectivity. The SSID announced in beacons is not authenticated, which is why it can be cloned.)

Suppose a client has a TCP (Transmission Control Protocol) connection with a server. The attacker, as the man in the middle, splits that TCP connection into two separate connections whose common node is the attacker: the first from the client to the attacker, and the second from the attacker to the server. Every request and response between client and server therefore passes through the attacker, who can read and modify the information passing over the air between them. End-to-end encryption with server authentication, for example TLS with certificate validation, is what stops the attacker from reading or altering the relayed traffic.


Wireless Signal Jamming Attack: In this attack scenario, wireless radio signals themselves are the weapon. An attacker may use a signal generator with a stronger antenna. First, the attacker identifies the signal patterns around him or around the target AP. Then she/he generates radio signals on the same frequencies and starts transmitting, creating a storm of interference over the wireless network. As a result the target AP gets jammed, and the legitimate user's node gets jammed as well. This breaks the connection between a legitimate user of the wireless network and the network itself. There are mainly three motives for jamming a wireless network:

1. Fun: preventing the legitimate user from receiving any data from the Internet.

2. Spying: delaying packet delivery to the legitimate user gives the attacker more time to decipher the packets and steal information.

3. Attack: the attacker may spoof packets and send them to the victim in order to take control of the user's machine or network.

This is a type of DoS attack on wireless networks. It occurs when foreign or rogue RF signals interfere with legitimate wireless network operation. In some cases the alerts are false positives, such as a cordless telephone using the same frequency as the wireless network; your wireless monitoring software may then show results, but it is not a deliberate jamming of the signal. It is not a very common attack, because it requires dedicated radio hardware within range of the target, and a transmitter that stays on the air can itself be located with direction-finding equipment.

Pre-Shared Key Guessing: As we all know, a pre-shared key is used by the nodes to encrypt the data communication. Administrators of Wi-Fi networks often do not change the default key that was set at the factory. Professional attackers always try to identify the manufacturer of the wireless access point (the MAC address prefix and the beacon frames give it away) in order to obtain the default ID and password, or the pattern the manufacturer uses to generate them. In WPA/WPA2-Personal the pairwise master key is derived from the passphrase and the SSID, and a capture of the four-way handshake is enough to test guesses offline without ever contacting the access point again, so a short or default passphrase is the whole of the network's security.

Frame injection attack: To perform this kind of attack, an attacker must have a deep understanding of the protocol. First, she/he performs passive information gathering on the network. Then the attacker creates wireless protocol frames and sends them to the targeted network. There are basically two ways of doing so: either forging a frame from scratch and inserting it into the network, or sniffing the network traffic and modifying or replaying captured frames. Once these frames are sent, the response from the wireless network is captured, intercepted, and modified by the attacker to perform a man-in-the-middle attack. This is hard to detect because it happens at layer two: without management frame protection (802.11w), management frames such as deauthentication and disassociation are neither encrypted nor authenticated, so any station that can transmit on the channel can forge them.

Denial of sleep attack: Battery-powered sensor nodes cannot keep their radios on all the time; to reduce consumption, the MAC protocol schedules when a node's radio sleeps and when it communicates. A malicious user can take advantage of this mechanism. An attacker may drain a sensor device's power supply, making the node's life very short, by attacking the MAC layer so that the node's sleep periods are shortened or skipped, for example by repeatedly sending traffic that forces the node to stay awake. If the number of drained nodes grows high enough, the whole network is disrupted. Only the MAC protocol can enforce longer sleep durations; without that you cannot extend the lifetime of your wireless sensor network.


Collision attack: In this type of attack, the attacker tries to corrupt packets as they are transmitted to the receiver, by transmitting at the same time on the same frequency. When the attacker succeeds, the resulting packet's checksum will not match at the receiver's end, so the whole packet is discarded at the receiving node. Retransmitting that packet consumes a large amount of the sensor node's energy, and the attacker only has to corrupt a few bytes to force it. A second form of collision arises without any attacker: messages sent to a node on the same frequency at the same time also collide. An illustration of this same-frequency problem can be seen in the figure below.

De-Synchronization Attack: In this attack, the attacker modifies control flags and sometimes sequence numbers in order to forge packets or messages. As a result, the attacker prevents the legitimate user from exchanging messages between server and client: each side continuously requests retransmission of those messages, which causes an endless cycle of retransmission and consumes a lot of energy. In other words, the attacker disrupts the established connection between two end points.

Flooding Attack: There are plenty of DoS attacks which reduce the network lifetime in different ways; flooding is one of the most common. An attacker sends a huge number of packets (for example connection requests) in order to stop the network from communicating with its nodes. The main aim of this attack is to exhaust the resources on the victim's machine, such as memory for connection state, radio time, or battery.

Replay Attack: In this attack, a valid data transmission is maliciously repeated. An attacker intercepts the data in order to retransmit it later. It is a form of masquerade attack (in system security a masquerade attack is one in which one system assumes the identity of another); it can be carried out by substituting a captured IP packet, and replayed messages are also used in stream cipher attacks.

An attacker repeats copies of the packets to the victim in order to exhaust its energy or power supply. This kind of attack can also crash poorly designed applications. The defence is to make every message unique and checkable: a nonce, a monotonic counter, or a timestamp covered by the message's authentication tag, which the receiver tracks so that a second copy is rejected.
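Added example, not from the original paper: a receiver that only authenticates messages and therefore accepts a replay, beside one that also keeps a sliding anti-replay window, so that the replayed copy is rejected while out-of-order delivery inside the window is still tolerated. The message format, the shared key and the sensor reading are assumptions made for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32


def make_message(key, seq, payload):
    """Wire format: 4-byte big-endian sequence number || payload || HMAC-SHA256 over both."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_message(key, msg):
    """Return (seq, payload) when the tag verifies, else None."""
    if len(msg) < 4 + TAG_LEN:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]


class WeakReceiver:
    """Checks authenticity only.  A replayed copy carries a valid tag, so it is accepted again."""

    def __init__(self, key):
        self.key = key
        self.accepted = []

    def receive(self, msg):
        parsed = parse_message(self.key, msg)
        if parsed is None:
            return False
        self.accepted.append(parsed)
        return True


class AntiReplayReceiver:
    """Authenticity plus a sliding anti-replay window in the style of IPsec (RFC 4303):
    out-of-order delivery inside the window is tolerated, duplicates and messages
    older than the window are rejected.  Bit i of the bitmap set means sequence
    number (highest - i) has already been accepted."""

    WINDOW = 64

    def __init__(self, key):
        self.key = key
        self.accepted = []
        self.highest = -1
        self.bitmap = 0

    def receive(self, msg):
        parsed = parse_message(self.key, msg)
        if parsed is None:
            return False
        seq, payload = parsed
        if seq > self.highest:
            shift = seq - self.highest          # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.WINDOW:
                return False   # older than the window: cannot tell if it was seen, so reject
            if (self.bitmap >> offset) & 1:
                return False   # already accepted: this is a replay
            self.bitmap |= 1 << offset
        self.accepted.append((seq, payload))
        return True


def demo(key=b"constructed-shared-key"):
    """Replay a captured sensor reading against both receivers; returns the two verdicts."""
    reading = make_message(key, 1, b"temp=21.5")
    weak, hardened = WeakReceiver(key), AntiReplayReceiver(key)
    weak.receive(reading)
    hardened.receive(reading)
    return weak.receive(reading), hardened.receive(reading)


if __name__ == "__main__":
    print("replay accepted by weak receiver, hardened receiver:", demo())
```

The window keeps the receiver's state to one counter and one 64-bit word, which matters on a sensor node; the price is that anything more than 64 messages behind the newest one is dropped even if it is genuine, so the sender must never reuse a sequence number after a reboot.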

Selective Forwarding Attack: Also referred to as a 'gray hole attack'. In this form of attack, a compromised node that is supposed to relay traffic forwards some packets and silently drops others. In one form of selective forwarding attack, the node selectively rejects packets from an individual node or a group of nodes, dropping them so that they never reach the rest of the network.

The above figure illustrates this attack. A malicious node selectively drops packets from a certain node or group of nodes; alternatively it forwards them along a wrong path, which pollutes the network with untrustworthy routing information. Because a gray hole still forwards most traffic, it is harder to detect than a node that drops everything; neighbours that overhear whether the relay actually forwards (a watchdog) and end-to-end acknowledgements are the usual detection methods.

Unauthorized Routing Update Attack: Many components take part in the routing process, such as hosts, base stations, access points, nodes, and routing protocols. A malicious user may try to alter this information in order to corrupt the routing tables. As a result of this attack some nodes may become isolated from the base station, and a network partition may occur. Packets may loop until their TTL expires and are dropped, or be forwarded to an unauthorized node. All of these are impacts of this attack, and they follow from routing protocols that accept updates from any node without authenticating them.

Wormhole Attack: In this type of attack, an attacker captures packets or messages at one location in the network and tunnels them, over a fast out-of-band link, to a colluding node at another location, which replays them there. Because the tunnelled copies reach the destination faster than the packets travelling along the legitimate multi-hop path, the two wormhole endpoints appear to be direct neighbours, and routes are drawn through the wormhole. The wormhole nodes can be invisible to the routing protocol, since they do not need to participate in it at all; they simply relay what they overhear.

Sink Hole Attack: This is a special kind of selective forwarding attack which draws traffic towards the compromised node. A compromised node attracts as much of the network's traffic as possible by advertising itself as having the best (for example shortest or highest quality) route to the base station, and then carries out selective forwarding on what it receives. It is a very complex attack; detecting a sinkhole is very hard, and it affects the higher layer applications. The figure below illustrates the architecture of a sinkhole attack.


Impersonation Attack & Sybil Attack: This attack is very common and well known. The attacker may obtain a legitimate user's IP address or MAC address in order to steal his/her identity and use it as his/her own. The attacker may then attack another victim and do plenty of things under the stolen identity of the legitimate user. A Sybil attack is an advanced version of an impersonation attack in which a malicious user presents multiple identities. In technical terms, a malicious node presents itself to its fellow nodes under several identities at once, which defeats any mechanism (voting, redundant routing, reputation) that assumes one node has one identity. Its impacts are otherwise the same as those of an impersonation attack.

Traffic Analysis Attack: Here an attacker gains information about the network traffic and the behaviour of the nodes without reading the contents of the messages. Traffic analysis can be done by examining message lengths, message patterns, and how long a session lasts. The attacker may then correlate the inbound and outbound traffic of a single router, which can violate the privacy of the users whose messages pass through it; sometimes an attacker is even able to link two nodes that have no apparent connection within the network. Encryption does not stop traffic analysis; only padding, cover traffic, or mixing hides these patterns.

USB Port: With one on almost every device in your plant, USB ports are the easiest way to introduce malware into a system or to remove secrets from it.

Plugs: Network systems can be shut down if someone unplugs a cable or plugs it into the wrong location. Attackers mostly do this to shut down other security systems.

Cables: The easiest way to get information is by tampering with cables, which an attacker can do inside or outside the organization.

Research by: Muhammad Ahad.

Department BSIT

Submitted to: Sir Shafan.