
802.11 DoS Attacks: Vulnerabilities and Solutions

This article discusses the vulnerabilities in 802.11 wireless networks, particularly related to denial-of-service (DoS) attacks, and provides practical solutions to mitigate these vulnerabilities.


Presentation Transcript


  1. 802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions • Luat Vu • Alexander Alexandrov

  2. 802.11 Advantages • Free spectrum • Efficient channel coding • Cheap interface hardware • Easy to extend a network • Easy to deploy

  3. 802.11 Problems • Attractive targets for potential attacks • An attacker has great flexibility in deciding where and when to launch an attack • Difficult to locate the source of transmissions • Not easy to detect well-planned attacks • Vulnerabilities in the 802.11 MAC protocols

  4. WEP • Wired Equivalent Privacy • Provides data privacy between 802.11 clients and access points • Relies on shared secret keys • Uses a challenge-response authentication protocol • Data packets are encrypted in transit

  5. WEP Vulnerabilities • Recurring weak keys • The secret key can be recovered • Under attack, an attacker can make full use of the network's resources and monitor the traffic of other networks • WEP-protected frames can be modified, new frames can be injected and authentication frames can be spoofed, all without knowing the shared secret key

  6. 802.11 MAC protocol • Designed to address problems specific to wireless networks • Provides the ability to discover networks, join and leave networks, and coordinate access • Vulnerable to deauthentication/disassociation attacks • Virtual carrier-sense attacks • Authentication DoS attacks • A new protocol is needed to overcome the current security problems

  7. 802.11 Frame Types • Management Frames • Authentication Frames • Deauthentication Frames • Association request Frames • Association response Frames • Reassociation request Frames • Reassociation response Frames • Disassociation Frames • Beacon Frames • Probe Request Frames • Probe Response Frames

  8. 802.11 Frame Types • Data Frames • Control Frames • Request to Send (RTS) Frame • Clear to Send (CTS) Frame • Acknowledgement (ACK) Frame

  9. Deauthentication • A client must first authenticate itself to the AP before further communication • Clients and APs use explicit messages to request deauthentication from each other • This message can be spoofed by an attacker because it is not authenticated by any key material

  10. Deauthentication

  11. Deauthentication • An attacker has great flexibility in attacking • An attacker can pretend to be the AP or the client • An attacker may elect to deny access to individual clients, or even rate-limit their access

  12. Disassociation • A client may be authenticated with multiple APs at once • The 802.11 standard provides a special association message to allow the client and AP to agree which AP will forward packets • 802.11 also provides a disassociation message, and association frames are likewise unauthenticated • An attacker can exploit this in the same way as the deauthentication attack

  13. Power Saving • To conserve energy, clients are allowed to enter a sleep state • The client has to announce its intention to the AP before going to sleep • The AP will buffer any inbound traffic for the node • When the client wakes up, it polls the AP for any pending traffic • By spoofing the polling message on behalf of the client, an attacker can cause the AP to discard the client’s packets while it is asleep

  14. Media Access Vulnerabilities • Short Interframe Space (SIFS) • Distributed Coordination Function Interframe Space (DIFS) • Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods • The SIFS window is used for frames that are part of a preexisting frame exchange • The DIFS window is used by nodes wishing to initiate a new frame exchange

  15. Media Access Vulnerabilities • To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots • Each node picks a slot at random, with equal probability, in which to start transmitting • If a collision occurs, a sender uses a random exponential backoff algorithm before retransmitting

  16. Media Access Vulnerabilities

  17. Media Access Vulnerabilities • A SIFS period is 20 microseconds • An attacker can monopolize the channel by sending a short signal before the end of every SIFS period • This attack is highly effective but requires a lot of effort from the attacker

  18. Media Access Vulnerabilities • Duration field – another serious vulnerability • The duration field indicates the number of microseconds for which the channel is reserved • It is used to implement the Network Allocation Vector (NAV) • The NAV is used in the RTS/CTS handshake

  19. 802.11 Attack Infrastructure • It seems all 802.11 NICs are inherently able to generate arbitrary frames • In practice, devices implement key MAC functions in firmware to moderate access • Undocumented modes of operation such as HostAP and HostBSS could be used • Choice Microsystems AUX port used for debugging

  20. 802.11 Attack Infrastructure

  21. 802.11 Deauthentication Attack • Deauthentication attack implementation • 1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients

  22. Deauthentication Attack Solution • All 4 clients gave up connecting • Could be solved by authenticating management frames, but that is expensive • Practical solution – queue the deauthentication requests for 5-10 seconds; if no subsequent traffic arrives from the client, drop the connection; this only needs a firmware modification • Solves the problem but introduces a new one

  23. Problems with this solution… • When a mobile client roams, which AP should receive the packets destined for the client? • An adversary can keep a connection open to the old AP by continuously sending packets • Intelligent and dumb infrastructures • Easy to solve for intelligent infrastructures, more problematic for dumb ones
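The deferred-deauthentication fix from slides 22 and 23, as an added example that is not part of the deck or of any vendor firmware: the AP queues a deauth/disassoc request instead of acting on it immediately and discards the request if the station keeps sending traffic within the grace period. The frame layout, the station addresses and the 5-second window are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src: str    # station address (constructed sample values below)
    kind: str   # "deauth", "disassoc" or "data"
    t: float    # arrival time in seconds

@dataclass
class DeferringAP:
    """AP that honours a deauth/disassoc request only if the station then stays silent."""
    grace: float = 5.0                            # assumed: the deck says 5-10 seconds
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # src -> time the request arrived
    dropped: list = field(default_factory=list)   # stations actually disconnected

    def handle(self, f: Frame) -> None:
        if f.kind in ("deauth", "disassoc"):
            # Unauthenticated management frame: remember it, do not act on it yet.
            self.pending.setdefault(f.src, f.t)
        elif f.kind == "data" and f.src in self.pending:
            # The station is still talking, so the queued request was spoofed
            # (or superseded): discard it.
            del self.pending[f.src]
        self.expire(f.t)

    def expire(self, now: float) -> None:
        # Honour only requests that saw no traffic for the whole grace period.
        for src, since in list(self.pending.items()):
            if now - since >= self.grace:
                self.associated.discard(src)
                self.dropped.append(src)
                del self.pending[src]

def run(frames, grace=5.0):
    """Replay a frame trace through the AP and return its final state."""
    ap = DeferringAP(grace=grace)
    ap.associated.update(f.src for f in frames)
    for f in sorted(frames, key=lambda f: f.t):
        ap.handle(f)
    ap.expire(max(f.t for f in frames) + grace)   # flush once the trace ends
    return ap

# Constructed trace: a forged deauth for client A arrives while A keeps sending
# data; client B really leaves and sends nothing afterwards.
SAMPLE = [
    Frame("aa:aa:aa:aa:aa:aa", "deauth", 1.0),
    Frame("aa:aa:aa:aa:aa:aa", "data", 2.5),
    Frame("bb:bb:bb:bb:bb:bb", "deauth", 3.0),
    Frame("aa:aa:aa:aa:aa:aa", "data", 9.0),
]
```

Running `run(SAMPLE, grace=0.0)` models a stock AP and drops both clients, which is the behaviour observed in the deck's experiment.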

  24. 802.11 Virtual Carrier-Sense Attack • Virtual carrier-sense attack • Current 802.11 devices do not properly follow the specification, so the attack does not yet work against them

  25. NS-2 Attack Simulation • Assuming this bug will be fixed, the attack was simulated in ns-2 • 18 static client nodes, 1 static attacker node sending arbitrary duration values 30 times a second • The channel is completely blocked – much harder to defend against than the deauthentication attack

  26. Simulation Results • Solution – low and high caps on the CTS duration value

  27. Still not perfect… • By increasing the attacker’s frequency to 90 packets per second, the network could still be shut down

  28. Virtual Carrier-Sense Attack Solution • Solution – abandon portions of the standard 802.11 MAC functionality • Four key frames contain duration values – ACK, data, RTS, CTS • Stop fragmentation – then the ACK and data duration values are no longer needed • Only honour durations that belong to a valid RTS-CTS-data sequence • Lone CTS – either unsolicited, or the observing node is a hidden terminal – solution: each node independently ignores lone CTS packets

  29. Still suboptimal… • Still not perfect – at a 30% threshold, the attacker can still lower the available bandwidth by 1/3 • Best solution – explicit authentication of 802.11 control packets • Requires a fresh cryptographically signed copy of the originating RTS • A significant alteration to the 802.11 standard; the benefit/cost ratio is not clear
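The NAV rules from slides 26 and 28 side by side with stock behaviour, as an added example that is not the deck's ns-2 simulation: the stock NAV honours every duration field, while the hardened NAV caps the value, ignores data/ACK durations and accepts a CTS only as the answer to an RTS seen shortly before it. The frame layout, the cap, the RTS-to-CTS window and the sample trace are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    t: float       # start time in microseconds
    kind: str      # "rts", "cts", "data" or "ack"
    duration: int  # duration/ID field, in microseconds
    ra: str        # receiver address
    ta: str = ""   # transmitter address (CTS and ACK frames carry none)

SIFS = 20            # microseconds, as given in the deck
RTS_WINDOW = 500     # assumed: a CTS must follow its RTS within this many microseconds
CAP = 3000           # assumed high cap on any honoured duration value

def _reserve(nav_end, reserved, start, end):
    """Extend the NAV to `end` and account for the newly reserved airtime."""
    if end > nav_end:
        reserved += end - max(nav_end, start)
        nav_end = end
    return nav_end, reserved

def naive_nav(frames):
    """Stock 802.11: every duration field extends the NAV. Returns reserved microseconds."""
    nav_end = reserved = 0.0
    for f in sorted(frames, key=lambda f: f.t):
        nav_end, reserved = _reserve(nav_end, reserved, f.t, f.t + f.duration)
    return reserved

def hardened_nav(frames, cap=CAP):
    """Deck's rules: cap durations, ignore data/ACK, honour a CTS only after its RTS."""
    nav_end = reserved = 0.0
    open_rts = None   # RTS still waiting for its CTS
    for f in sorted(frames, key=lambda f: f.t):
        if f.kind == "rts":
            open_rts = f
        elif (f.kind == "cts" and open_rts is not None and f.ra == open_rts.ta
              and f.t - open_rts.t <= RTS_WINDOW):
            open_rts = None   # exchange consumed: any later CTS is a lone CTS again
        else:
            continue          # lone CTS, or a data/ACK duration (no fragmentation)
        nav_end, reserved = _reserve(nav_end, reserved, f.t, f.t + min(f.duration, cap))
    return reserved

# Constructed trace: one legitimate RTS/CTS/data/ACK exchange, then forged frames
# carrying the maximum duration value 32767 with no exchange behind them.
SAMPLE = [
    Frame(0, "rts", 500, ra="ap", ta="sta1"),
    Frame(372, "cts", 300, ra="sta1"),
    Frame(500, "data", 100, ra="ap", ta="sta1"),
    Frame(700, "ack", 0, ra="sta1"),
    Frame(1000, "cts", 32767, ra="attacker"),
    Frame(10000, "cts", 32767, ra="sta1"),
    Frame(20000, "data", 32767, ra="ap", ta="attacker"),
]
```

Comparing `naive_nav(SAMPLE)` with `hardened_nav(SAMPLE)` shows how much of the forged reservation each variant accepts; a forged RTS is still honoured, but only up to the cap, which is the residual loss slide 29 describes.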

  30. Related Work – Launching and Detecting Jamming Attacks in 802.11 • Jamming – emitting radio signals that do not follow the 802.11 MAC protocol • Measured by the packet send ratio (PSR) and the packet delivery ratio (PDR) • Four attack models – constant, deceptive, random and reactive jammers

  31. Effectiveness of Jamming Attacks

  32. Basic Statistics for Detecting Jamming • Signal strength • Can be either a basic average or signal strength spectral discrimination – unreliable

  33. Basic Statistics for Detecting Jamming • Carrier sensing time • However, one has to differentiate between congestion and jamming • With a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence • Still detects only constant and deceptive jammers • Packet delivery ratio – effective for all jammers, but still cannot differentiate between jamming and other network dynamics such as a sender running out of battery power
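The detection statistics from slides 30 to 33 applied to a trace, as an added example that is not from the deck or from the cited jamming paper: it computes PSR, PDR and the mean carrier-sensing time from per-attempt records and applies the 60 ms sensing-time threshold, then falls back to the PDR, which flags the remaining jammer types but cannot tell them from other causes. The record layout and the constructed traces are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class TxAttempt:
    sense_ms: float   # time spent waiting for a clear channel before sending
    sent: bool        # False if the MAC gave up without ever transmitting
    acked: bool       # True if the receiver acknowledged the frame

SENSE_THRESHOLD_MS = 60.0   # from the deck: optimal at a PDR of 75% for 99% confidence
PDR_THRESHOLD = 0.75

def stats(attempts):
    """PSR = sent/attempted, PDR = acked/sent, plus the mean carrier-sensing time."""
    sent = [a for a in attempts if a.sent]
    psr = len(sent) / len(attempts)
    pdr = sum(a.acked for a in sent) / len(sent) if sent else 0.0
    return {"psr": psr, "pdr": pdr, "sense_ms": mean(a.sense_ms for a in attempts)}

def classify(attempts):
    s = stats(attempts)
    if s["sense_ms"] > SENSE_THRESHOLD_MS:
        # The channel never clears: a constant or deceptive jammer.
        return "jammed"
    if s["pdr"] < PDR_THRESHOLD:
        # Frames go out but are not delivered: a random or reactive jammer, or an
        # unrelated cause such as the peer running out of battery. Not separable here.
        return "degraded"
    return "normal"

def constructed(n, sense_ms, psr, pdr):
    """Deterministic trace with the given averages (constructed, not measured)."""
    return [TxAttempt(sense_ms, i < n * psr, i < n * psr * pdr) for i in range(n)]

NORMAL = constructed(100, 2.0, 1.0, 0.98)
CONSTANT = constructed(100, 250.0, 0.05, 0.0)   # channel sensed busy almost always
REACTIVE = constructed(100, 3.0, 1.0, 0.20)     # sends freely, frames get corrupted
```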

  34. Conclusions • Wireless networks are popular due to convenience, but confidentiality and availability are critical • Arbitrary 802.11 frames can easily be sent using commodity hardware • Deauthentication attacks are effective today; virtual carrier-sense attacks will be once devices implement the specification properly • Simple stop-gap solutions can be applied with low overhead on existing hardware

  35. Thank you! • Any questions?
