
DoS Attacks On Wireless Voice Over IP Systems

By Brendon Wesley. Supervisor: Noria Foukia. Abstract: As converged wireless networks become increasingly widespread, there is an assumption that such systems now have strong confidentiality and reliability.


Presentation Transcript


  1. DoS Attacks On Wireless Voice Over IP Systems. By Brendon Wesley. Supervisor: Noria Foukia

  2. Abstract
     • As converged wireless networks become increasingly widespread, there is an assumption that such systems now have strong confidentiality and reliability.
     • While the flaws in WiFi confidentiality mechanisms, namely WEP, have been well documented, the concern of reliability has gone relatively unnoticed.
     • The reliability flaws in WiFi are still evident in the majority of today's WiFi devices.
     • The IEEE standard resolving this weakness will not be released until 2008.
     • This paper outlines various DoS attacks used on 802.11 networks and demonstrates, with a proof-of-concept implementation, how effective they are against a VoIP call.

  3. Quality of Service (QoS)
     • Quality of service (QoS) is a general term for a number of metrics, each of which describes a specific measure of performance in a network or service. The QoS of a system is determined by four main factors:
     • Latency – 150ms one-way delay
     • Jitter – time-varying wireless channel
     • Packet loss – 3% maximum for VoIP
     • Bandwidth – depends on security, codecs etc.
     N.B.: The paper addresses other QoS considerations in the 802.11 specification (MAC layer of 802.11).

  4. Denial of service attacks
     • A denial of service (DoS) attack is used to overload the victim's resources to the extent that it can no longer provide a service to authentic clients.
     • wVoIP is extremely vulnerable to DoS attacks because access to the transmission medium is open to anybody with 802.11 hardware.
     • Because real-time traffic such as VoIP and video conferencing media is intolerant of even small delays, it is relatively easy to disrupt the service long enough to make it unacceptable for the users.

  5. 802.11 management frames
     • 802.11a/b/g management frames are used to initiate, manage or discontinue communication between two clients (in ad-hoc mode) or between clients and Access Points (infrastructure mode).
     • They are not confidential and not authenticated!
     • Security mechanisms such as WEP, WPA and WPA2 currently provide security services only for data frames, leaving management frames in a readable and forgeable state. This is a major flaw!

  6. State of Connection
     • As specified by the Medium Access Control (MAC) and Physical Layer (PHY) Specifications in IEEE 802.11, a client within an 802.11 infrastructure network may be in 1 of 3 states at a time:
       1 - Unauthenticated and unassociated.
       2 - Authenticated and unassociated.
       3 - Authenticated and associated.

  7. Types of 802.11 management frames: Authentication frame
     • Authentication provides a way for stations to identify themselves to an AP. It is then the AP’s job to decide if authentication will be granted to the client or not.
     • Open system or shared key.

  8. Authentication attack
     • During the authentication process there are a number of packets that need to be exchanged between a client and the AP. A buffer is used to temporarily hold this information while authentication is taking place. Because the size of the buffer limits the number of authentication requests that the AP can process at any one time, it is possible to flood authentication frames to the AP with a pool of random MAC source addresses.
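A monitoring-side view of the flood described in slide 8, using the connection states from slide 6 (added example, not from the presentation): it counts stations that reached state 2 (authenticated) within a short window and never moved on to state 3 (associated). The window, the threshold and the frame tuples are assumptions made for illustration.

```python
from collections import deque

WINDOW = 1.0      # seconds; assumed tuning value, not from the slides
MAX_PENDING = 8   # assumed limit on stations sitting in state 2 per window

def detect_auth_flood(frames, window=WINDOW, max_pending=MAX_PENDING):
    """frames: (time, kind, src_mac) tuples with kind "auth" or "assoc".
    Returns the times at which the count of stations that authenticated in
    the last `window` seconds without associating first exceeds max_pending."""
    pending = {}       # MAC -> time it entered state 2
    order = deque()    # (time, MAC) in arrival order, used for expiry
    alerts, alarmed = [], False
    for t, kind, src in sorted(frames):
        # Forget state-2 entries older than the window.
        while order and t - order[0][0] > window:
            t0, mac = order.popleft()
            if pending.get(mac) == t0:
                del pending[mac]
        if kind == "auth" and src not in pending:
            pending[src] = t
            order.append((t, src))
        elif kind == "assoc":
            pending.pop(src, None)   # reached state 3: a normal join
        over = len(pending) > max_pending
        if over and not alarmed:     # report only the start of an episode
            alerts.append(t)
        alarmed = over
    return alerts

def sample_capture():
    """Constructed data: three normal joins, then 20 auth frames from
    20 different source MACs in 0.2 s with no association."""
    normal = []
    for i in range(3):
        mac = f"02:00:00:00:01:{i:02x}"
        normal += [(i * 2.0, "auth", mac), (i * 2.0 + 0.01, "assoc", mac)]
    flood = [(10.0 + i * 0.01, "auth", f"02:00:00:00:02:{i:02x}")
             for i in range(20)]
    return normal, flood
```

Normal joins leave state 2 almost immediately, so only a burst of authentication frames from many addresses that never associate pushes the count over the limit.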

  9. Deauthentication frame
     • If a client or AP wishes to exit the authenticated state, either party may transmit a deauthentication frame. This causes the device(s) to exit the authenticated-associated state and terminate all further communications. This frame is a notification of the client's or access point's intention rather than a request.

  10. Deauthentication attack
     A deauthentication frame will also disassociate the station, because a client cannot be associated without being authenticated, as specified by one of the three rules above. An attacker masquerading as either the client or the AP can send one of these frames by spoofing the source address of the device. The client or AP will immediately discontinue communication with the other.

  11. Association request frame
     • After a client has successfully authenticated with one or more access points, it needs to associate with one in order to utilize its services. An association frame is sent to the AP specifying parameters such as supported data rates and, more importantly, the SSID of the AP.
     Disassociation frame
     • A disassociation frame is used by a client or AP to effectively stop communication. This frees up the resources used to maintain the communication. It gives the client the capacity to migrate to a neighboring AP in the same BSS with minimal delay.

  12. Disassociation flooding attack
     • The disassociation attack operates on a very similar principle to the deauthentication attack. In this case a disassociation frame is sent to the AP or client by an attacker (by spoofing the client and AP MAC addresses). This makes an AP believe that the client has sent a disassociation frame and wishes to disassociate. The client will attempt to maintain communication, so it will re-associate. The attacker will continuously send disassociation frames to the AP to keep it in the disassociated state.

  13. My Implementation
     • Access Point: D-Link Airplus Xtreme G wireless router.
     • Client 1: Compaq Laptop (Windows XP) with Enterasys 802.11g wireless network adapter.
     • Client 2: Compaq Laptop (Windows XP) with Linksys 802.11g USB wireless network adapter.
     • Attacker: Insite PC (Linux Kernel 2.6.16, Fedora Core 5).
     • Sniffer: HP Laptop (Windows XP) running Ethereal and airodump-ng.

  14. Aireplay-ng

  15. Ethereal Packet Capture

  16. DoS attack

  17. Protection for sensitive 802.11 management frames
     • 802.11w (task group w) is an IEEE standard that is due for release in April 2008 to provide a degree of protection for 802.11 management frames.
     • It extends the functionality of 802.11i (WPA2) to provide encryption and integrity not only for data frames but for some types of management frames as well.

  18. 802.11 Management Frame

  19. Recommendations
     • Utilise a timer when a station sends a deauthentication frame to the access point. If the station sends data frames to the AP within a certain time period, the AP will not deauthenticate the station and will assume an attack has occurred.
     • Weak form of protection which is not practical to implement. Hard to modify firmware of devices!
     • Contacted RoamAD (converged voice/data networks) to ask how their commercial WiFi networks were protected. Very surprised to find that not many companies do much outside of the 802.11 spec.
     • as lack of interoperability between systems and platforms, incompatible hardware, difficult upgrades of software and hardware.
     • Wait until 802.11w!
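The timer recommendation from slide 19, sketched as AP-side logic over a constructed frame log (added example, not from the presentation or any vendor firmware). The 5-second hold period, the `Frame` record and the class name are assumptions; the same handling is applied to disassociation frames.

```python
from dataclasses import dataclass

HOLD_SECONDS = 5.0  # assumed hold period; the slides give no value

@dataclass
class Frame:        # constructed, simplified view of a received frame
    t: float        # arrival time in seconds
    kind: str       # "deauth", "disassoc" or "data"
    src: str        # source MAC as it appears in the header

class DeferredTeardown:
    """Queue a teardown request instead of acting on it at once."""
    def __init__(self, hold=HOLD_SECONDS):
        self.hold = hold
        self.pending = {}   # station MAC -> time the teardown frame arrived
        self.events = []    # (time, station, verdict)

    def _expire(self, now):
        # Requests that stayed quiet for the whole hold period are honoured.
        for sta, t0 in list(self.pending.items()):
            if now - t0 >= self.hold:
                del self.pending[sta]
                self.events.append((t0 + self.hold, sta, "deauthenticated"))

    def feed(self, f):
        self._expire(f.t)
        if f.kind in ("deauth", "disassoc"):
            self.pending.setdefault(f.src, f.t)  # repeats do not restart the timer
        elif f.kind == "data" and f.src in self.pending:
            # A station that really left would not keep sending data.
            del self.pending[f.src]
            self.events.append((f.t, f.src, "spoof-suspected"))

def run(frames, end_time):
    ap = DeferredTeardown()
    for f in sorted(frames, key=lambda f: f.t):
        ap.feed(f)
    ap._expire(end_time)
    return ap.events

# Constructed log: station ...:01 is mid-call when teardown frames bearing its
# address arrive; station ...:02 genuinely leaves and goes silent.
SAMPLE = [
    Frame(0.00, "data", "02:00:00:00:00:01"),
    Frame(0.10, "deauth", "02:00:00:00:00:01"),
    Frame(0.12, "data", "02:00:00:00:00:01"),
    Frame(1.00, "deauth", "02:00:00:00:00:02"),
    Frame(2.00, "disassoc", "02:00:00:00:00:01"),
    Frame(2.02, "data", "02:00:00:00:00:01"),
]
```

`run(SAMPLE, 10.0)` keeps the call of station `...:01` alive and flags both teardown frames, while station `...:02` is deauthenticated once its hold period ends.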

  20. What else is in the report?
     • Security in VoIP
     • Frequency jamming
     • WiMax management frames
     • WiFi VoIP networks in New Zealand. A threat to 3G?
     • What do commercial wLAN providers do to mitigate the effects of DoS attacks on VoIP in NZ?
     • Bottleneck at crypto engine (IPsec)

  21. Acknowledgments
     • Noria Foukia (Supervisor)
     • Cameron Kerr (Linux Guru)
     • Da Deng (Acting H.O.D)
