
Xiuzhen Cheng cheng@gwu

Xiuzhen Cheng cheng@gwu.edu. Csci 388 Wireless and Mobile Security – MAC Layer Misbehavior, DoS. Outline. 802.11 MAC Management 802.11 DoS Attacks: Discussion and More Break (5 minutes) 802.11 MAC Layer Misbehavior Detection and Handling Discussion on DOMINO.


Presentation Transcript


  1. Xiuzhen Cheng, cheng@gwu.edu. Csci 388 Wireless and Mobile Security – MAC Layer Misbehavior, DoS

  2. Outline
  • 802.11 MAC Management
  • 802.11 DoS Attacks: Discussion and More
  • Break (5 minutes)
  • 802.11 MAC Layer Misbehavior Detection and Handling
  • Discussion on DOMINO

  3. IEEE 802.11 MAC Packet Structure
  Frame fields (length in bytes): Frame Control (2), Duration ID (2), Address 1 (6), Address 2 (6), Address 3 (6), Sequence Control (2), Address 4 (6), Data (0-2312), CRC (4)
  Frame Control subfields: Protocol version, Type, Subtype, To DS, From DS, More Frag, Retry, Power Mgmt, More Data, WEP, Order
  • Packet Type: Management (00), Control (01), and Data (10)
  • Subtype: in Control frames – RTS, CTS, ACK, etc.
  • MAC frames can be transmitted between mobile stations, between mobile stations and an AP, and between APs over a DS
  • Address interpretation

  4. MAC Synchronization
  • In an infrastructure network:
    • The AP is responsible for generating beacons, which contain a valid time stamp
    • If the channel is in use, defer beacon transmission until it is free

  5. MAC Synchronization – (cont.)
  • Ad hoc network:
    • Every station is responsible for generating its beacon
    • All stations compete for transmission of the beacon using the standard backoff algorithm
    • All others adjust their timers according to the winning station

  6. Power Management
  • Power states for a STA:
    • awake – fully powered
    • doze – low power, cannot transmit/receive
  • PM in infrastructure networks
    • When entering doze mode, STAs inform the AP
    • AP buffers frames for STAs in doze mode
    • AP sends beacons periodically
    • Beacon contains time stamp + Traffic Indication Map (TIM)
    • STA wakes up to get the beacon (checks the TIM)
    • If traffic is pending, stay awake until the transmission is complete

  7. Power Management – (cont.)
  • PM in ad hoc networks
    • ATIM window
    • Traffic for stations in doze mode is announced during the ATIM window
    • All stations are awake during the ATIM window
    • Both ATIMs and DATA are acknowledged and use the standard backoff algorithm

  8. What is a DoS Attack?
  • Denying genuine users a particular service
  • In our context, preventing transmission of data to/from stations

  9. Vulnerabilities in 802.11

  10. Vulnerabilities in 802.11
  • Two kinds of vulnerabilities
    • Identity vulnerabilities
    • MAC vulnerabilities

  11. Identity Vulnerabilities
  • Arise because of the implicit trust placed in the source address
  • No verification of the source's identity
  • Causes 2 kinds of attacks:
    • Deauthentication and disassociation attacks
    • Power saving mode attack

  12. Deauthentication and Disassociation Attack
  • Authentication mechanism
    • Client sends an authentication request to the AP
    • AP sends back a response
    • Client then sends an association request
    • AP responds accordingly
  • Problem:
    • The explicit deauthentication message is sent in the clear, without being authenticated by keying material
    • This message can be spoofed

  13. Deauthentication and Disassociation Attack
  • The spoofed deauthentication message causes the communication between client and AP to be suspended. Hence, the attacker has achieved DoS
  • Client must reauthenticate to resume communication
  • Attacker should be careful to spoof the deauthentication message only when a successful authentication has taken place
  • A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear
  • From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack

  14. Power Saving Mode Attack (1)
  • Power conservation mechanism
    • Client enters sleep mode intermittently
    • AP buffers data during that time
    • Either the client awakens and sends a poll message to the AP for pending data, or the AP broadcasts a periodic Traffic Indication Map (TIM) message conveying the availability of pending data
    • AP delivers the data and clears its buffer
  • Problem:
    • Attacker can spoof either the poll message or the TIM message, as these are sent unauthenticated
    • For the same reason, attackers can spoof the TSF packet to knock nodes out of synchronization

  15. Power Saving Mode Attack (2)
  • Big problem:
    • Other management messages can also be spoofed, thereby making these attacks more effective
  • Solution
    • Simply encrypt these messages like the data messages, using WEP. Does it work?

  16. MAC Vulnerabilities
  • Arise because of the collision avoidance mechanism of the 802.11 MAC layer
  • Carrier sensing is done at two layers
  • Cause two kinds of attacks:
    • Time window attack
    • Virtual carrier sense attack

  17. Time Window Attack
  • 802.11 MAC defines time windows to prioritize access to the channel
  • Two time windows: Short Interframe Space (SIFS) for an existing frame exchange and Distributed Interframe Space (DIFS) for a new frame exchange, with SIFS < DIFS
  • Every STA has to wait at least SIFS before transmitting
  • Therefore, the attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval
  • However, there is a problem with the attack
    • Resource intensive – since SIFS is 28 µs (802.11b), the attacker would have to send a signal approx. 37,000 times per second

  18. Virtual Carrier Sense Attack
  • Carrier sensing mechanism
    • To prevent collisions, a station sends a short Request-to-Send (RTS) message
    • RTS contains a Duration field specifying the time for which the sender requires the channel
    • Receiver responds with Clear-to-Send (CTS) if it is ready to receive data
    • CTS contains the updated Duration field
    • Other stations within range set their Network Allocation Vector (NAV) such that they do not transmit for the time specified in the Duration field
  • The Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack

  19. Virtual Carrier Sense Attack
  • Problems
    • The attacker can set the Duration field to high values (maximum 32767), preventing channel access to others
    • Assuming the attacker sets the maximum value, he has to transmit only 30 times per second; therefore, easy for the attacker
    • Attacking with RTS is more efficient, since it will always be replied to by a well-behaved receiver!

  20. Practical Perspective

  21. Practical Perspective
  • DoS attacks are theoretically possible, but what about actual practice?
  • Bad news!
    • It is feasible to carry out these attacks with commodity hardware with little tweaking
    • Management frames necessary to exploit the identity attacks can be generated
    • The AUX port can be exploited for carrier sense attacks

  22. Deauthentication attack - Empirical Results

  23. Deauthentication Attack – Proposed Solutions
  • Solution 1: Authenticate management frames
    • But there are two problems with this solution:
    • Not feasible using a software upgrade
    • Requires a standardized authentication framework, which can take time
    • Not feasible to upgrade all STAs across all networks
  • Solution 2: Defer deauthentication
    • Modify the firmware to delay deauthentication after receiving the message. If the AP receives a data message after this, then the deauth request was spoofed
  • Advantages of solution 2:
    • Low overhead
    • Modification limited to the APs, which is feasible
  • More potential attacks introduced?

  24. Solution 2 – Empirical Results

  25. Virtual carrier sense attack – Empirical Results

  26. Virtual Carrier Sense Attack – Proposed Solution
  • Put a cap on the maximum duration value accepted in received frames
  • If a station receives a frame with a duration greater than the cap value, truncate the duration to the cap value

  27. Solution to Virtual CS attack – Empirical Results

  28. Virtual Carrier Sense Attack – Proposed Solution
  • Put a cap on the maximum duration value accepted in received frames
  • If a station receives a frame with a duration greater than the cap value, truncate the duration to the cap value
  • Can be further improved by selectively adhering to the specified duration value in:
    • Data and ACK frames – These frames will have a high duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the duration specified in these frames can be ignored
    • RTS frame – A station that receives an RTS frame will also receive the data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames, so the duration value of the RTS is respected only until the following data frame is received (or fails to arrive)
    • CTS frame – Either the observed CTS is unsolicited or the observing node is a hidden terminal. If this CTS is addressed to a valid in-range station, the valid station can nullify it by sending a zero-duration null function frame. If this CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames containing a cryptographically signed copy of the preceding RTS, but there are overhead and feasibility issues with this
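To make the header layout of slide 3 and the duration-cap defense of slides 26 and 28 concrete, here is an added Python example written for these notes (not code from the slides or the cited paper): it decodes the Frame Control and Duration/ID fields and computes the NAV a defending station should adopt, ignoring Data/ACK durations outside a fragment burst and truncating everything else at the cap. The cap value, the sample frames and their addresses are constructed assumptions; the RTS timer rule and the CTS null-frame response from slide 28 are not modelled.

```python
import struct
from dataclasses import dataclass

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2             # Frame Control "Type" values (slide 3)
SUBTYPE_RTS, SUBTYPE_CTS, SUBTYPE_ACK = 0xB, 0xC, 0xD   # control-frame subtypes
MAX_NAV_US = 3000   # assumed cap in microseconds; the slides name no value, only "a cap"

@dataclass
class Header:
    ftype: int
    subtype: int
    more_frag: bool   # More Frag flag: set only inside a fragmented exchange
    duration: int     # 15-bit Duration value (max 32767)
    addr1: str        # Address 1 = receiver
    addr2: str        # Address 2 = transmitter ('' for CTS/ACK, which carry only Address 1)

def parse_header(frame: bytes) -> Header:
    """Decode Frame Control and Duration/ID (little-endian 16-bit each) plus the addresses."""
    fc, dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    single_addr = ftype == TYPE_CTRL and subtype in (SUBTYPE_CTS, SUBTYPE_ACK)
    return Header(ftype, subtype, bool(fc & (1 << 10)), dur & 0x7FFF,
                  frame[4:10].hex(":"), "" if single_addr else frame[10:16].hex(":"))

def nav_for_frame(hdr: Header, cap: int = MAX_NAV_US) -> int:
    """NAV (microseconds) a defending station adopts from an overheard frame (slide 28 rules)."""
    # Data and ACK frames legitimately carry a long duration only inside a fragment burst,
    # and fragmentation is almost never used: ignore their duration unless More Frag is set.
    if hdr.ftype == TYPE_DATA or (hdr.ftype == TYPE_CTRL and hdr.subtype == SUBTYPE_ACK):
        if not hdr.more_frag:
            return 0
    # RTS, CTS and management frames: honour the reservation but truncate it at the cap, so
    # a 32767-us reservation now buys the sender at most `cap` microseconds of silence.
    return min(hdr.duration, cap)

def build_ctrl_frame(subtype: int, duration: int, ra: bytes, ta: bytes = b"") -> bytes:
    """Constructed control frame (FCS omitted) used only to exercise the parser."""
    return struct.pack("<HH", (TYPE_CTRL << 2) | (subtype << 4), duration) + ra + ta

# Constructed sample frames with made-up addresses.
RA, TA = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("1a1b1c1d1e1f")
MAX_DURATION_RTS = build_ctrl_frame(SUBTYPE_RTS, 32767, RA, TA)
NORMAL_CTS = build_ctrl_frame(SUBTYPE_CTS, 420, RA)
UNFRAGMENTED_DATA = struct.pack("<HH", TYPE_DATA << 2, 32767) + RA + TA + RA  # More Frag clear

if __name__ == "__main__":
    for name, f in (("RTS", MAX_DURATION_RTS), ("CTS", NORMAL_CTS), ("DATA", UNFRAGMENTED_DATA)):
        h = parse_header(f)
        print(f"{name}: duration={h.duration} -> NAV {nav_for_frame(h)} us")
```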

  29. Conclusions
  • 802.11 WLANs suffer from many vulnerabilities threatening the availability of service
  • Secure and extended authentication mechanisms can help
  • Changes to the MAC layer protocol are also required; it may track and punish malicious nodes

  30. Take a Break
  • We will study the detection and handling of MAC layer misbehavior by P. Kyasanur and N.H. Vaidya:
    • P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.
  • We will discuss the detection of greedy behavior in 802.11 hotspots after the break:
    • M. Raya, J. P. Hubaux, and I. Aad, DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004.

  31. Paper 1
  • P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.

  32. Problem Definition
  [Figure: an infrastructure-based network with an access point and an ad hoc network, nodes A, B, C and D sharing the wireless channel]
  • Nodes may violate Medium Access Control rules

  33. IEEE 802.11 Overview
  • Distributed Coordination Function (DCF) – mandatory
  • Widely used for channel access
  • DCF is a Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) protocol

  34. CSMA/CA
  • Carrier sense
    • Don't transmit when the channel is busy
  • Collision avoidance
    • Defer transmission for a random time after the channel goes idle

  35. Backoff Example
  [Figure: timeline with CW = 31; S1 picks B1 = 20, counts down through 15 to 0 and transmits; S2 picks B2 = 25, counts down to 10, waits while S1 transmits, then resumes and transmits]
  • Choose a backoff value B in the range [0, CW]
  • CW is the Contention Window
  • Count down the backoff by 1 every idle slot

  36. Data Transmission
  [Figure: after a backoff of B = 10, sender S and receiver R exchange RTS, CTS, DATA and ACK; neighboring nodes A and B overhear the exchange]
  • Reserve the channel with an RTS/CTS exchange

  37. Possible Misbehavior
  • Backoff selected from a different distribution
  • Select a small constant backoff always
  [Figure: the misbehaving node uses B1 = 1 every time and transmits twice in a row, while the well-behaved node (B2 = 20, then B2 = 19) keeps waiting]

  38. Goals of Proposed Scheme
  • Diagnose node misbehavior
    • Catch misbehaving nodes
  • Discourage misbehavior with a MAC layer scheme
    • Punish misbehaving nodes

  39. Related Work at Other Layers
  • Many proposals for securing the network layer
  • Designing protocols resilient to misbehavior
    • [Savage99, Nisan99, Buttyan01]
  • Explicitly detect and penalize misbehavior
    • [Marti00, Zhang00, Buchegger02, Hu02]

  40. Related Work at MAC Layer
  • Game-theoretic solutions proposed for selfish misbehavior at the MAC layer
    • [Konorski01, MacKenzie01, Konorski02]
  • Game-theoretic approach
    + Protocols resilient to misbehavior
    – Assumptions not always valid
    – Performance may not be good

  41. Solution Approaches
  • Misbehaving node can gain more bandwidth → use payment schemes, charging per packet
  • Misbehaving node can achieve lower delay
    • Send a burst of packets ignoring MAC rules
    • Average delay is less with the same cost → payment-based schemes not sufficient

  42. Proposed Approach
  [Figure: node A and the access point on a shared wireless channel]
  • Receivers detect sender misbehavior
  • Assume receivers are well-behaved (can be relaxed)
  • Receiver does not know the exact backoff value chosen by the sender
    • Wireless channel introduces uncertainties

  43. Use Long-Term Statistics
  • Observe backoffs chosen by the sender over multiple packets
  • Backoff values not from the expected distribution → misbehavior
  • Selecting the right observation interval is difficult

  44. Alternate Approach
  • Receiver provides backoff values to the sender
    • Sent in the current transmission: the backoff value for the next transmission
  • Receiver can then accurately observe sender behavior → uncertainty of the sender's backoff eliminated

  45. Modifications to 802.11
  [Figure: sender S and receiver R; R returns B in ACK(B), and S backs off B slots before its next RTS]
  • Step 1: R provides backoff B to S in ACK and/or in DATA
    • B selected from [0, CWmin]
  • Step 2: S uses B for backoff

  46. Protocol Steps
  • Detect deviations: the receiver observes one transmission from the sender
  • Penalize deviations: a penalty is added if the sender appears to have deviated
  • Diagnose misbehavior: based on the last W observations, diagnose misbehavior

  47. Detecting Deviations
  [Figure: S backs off after receiving ACK(B); R counts the idle slots Bobs before S's next RTS]
  • Receiver counts the number of idle slots Bobs
  • Condition for detecting deviations: Bobs < αB, with 0 < α ≤ 1

  48. Penalizing Misbehavior
  [Figure: actual backoff < B; S sends RTS, R answers CTS, S sends DATA, R answers ACK(B+P)]
  • When Bobs < B, penalty P is added
  • P proportional to αB – Bobs
  • Total backoff assigned = B + P

  49. Penalty Scheme Issues
  • With the penalty, the sender has to misbehave more for the same throughput gain
  • A misbehaving sender has two options
    • Ignore the assigned penalty → easier to detect
    • Follow the assigned penalty → no throughput gain

  50. Diagnosing Misbehavior
  • Total deviation for the last W packets is used
  • Deviation per packet is B – Bobs
  • If total deviation > THRESH, then the sender is designated as misbehaving
  • Higher layers / administrator can be informed of the misbehavior
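As an added illustration of the receiver-side scheme on slides 45 through 50 (written for these notes, not the authors' implementation), the Python below simulates a receiver that assigns the backoff B, counts the idle slots Bobs, adds the penalty P when Bobs < αB, and diagnoses over a sliding window of W deviations. The values of α, the penalty gain, W, THRESH, the channel-noise model for the honest sender and the random seed are all assumptions.

```python
import random
from collections import deque

CW_MIN = 31        # slide 45: receiver picks B from [0, CWmin]
ALPHA = 0.8        # slide 47: deviation when Bobs < ALPHA*B, 0 < ALPHA <= 1 (value assumed)
PENALTY_GAIN = 2   # slide 48: P proportional to ALPHA*B - Bobs (gain assumed)
WINDOW = 10        # slide 50: diagnose over the last W observations
THRESH = 40        # slide 50: total-deviation threshold (value assumed)

class ReceiverMonitor:
    """Receiver-side state for one sender: assigns backoff, penalises and diagnoses."""
    def __init__(self, rng):
        self.rng, self.pending_penalty, self.assigned = rng, 0, 0
        self.deviations = deque(maxlen=WINDOW)   # B - Bobs for the last W packets

    def assign_backoff(self) -> int:
        """Value carried in ACK(B+P): a fresh B plus any penalty owed from the last exchange."""
        self.assigned = self.rng.randint(0, CW_MIN) + self.pending_penalty
        return self.assigned

    def observe(self, b_obs: int) -> dict:
        """The receiver counted b_obs idle slots before the sender's next RTS."""
        b = self.assigned
        deviated = b_obs < ALPHA * b                                                    # slide 47
        self.pending_penalty = PENALTY_GAIN * int(ALPHA * b - b_obs) if deviated else 0  # slide 48
        self.deviations.append(b - b_obs)                                               # slide 50
        total = sum(self.deviations)
        return {"deviated": deviated, "penalty": self.pending_penalty,
                "total_deviation": total, "misbehaving": total > THRESH}

def honest_sender(assigned: int, rng) -> int:
    """Waits the assigned slots; the receiver may miss up to 2 idle slots (channel uncertainty)."""
    return max(0, assigned - rng.randint(0, 2))

def greedy_sender(assigned: int, rng) -> int:
    """Slide 37 misbehaviour: always uses a small constant backoff whatever was assigned."""
    return min(assigned, 1)

def simulate(sender, packets: int = 30, seed: int = 7) -> list:
    """Run `packets` exchanges and return the per-packet misbehaviour verdicts."""
    rng = random.Random(seed)
    mon = ReceiverMonitor(rng)
    verdicts = []
    for _ in range(packets):
        assigned = mon.assign_backoff()
        verdicts.append(mon.observe(sender(assigned, rng))["misbehaving"])
    return verdicts

if __name__ == "__main__":
    # honest is never flagged (deviation <= 2 per packet); greedy is flagged once the window fills
    print("honest:", simulate(honest_sender), "\ngreedy:", simulate(greedy_sender))
```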
