1 / 23

Denial of Service Attacks Against 802.11 Wireless Networks

Denial of Service Attacks Against 802.11 Wireless Networks. ECE 478: Final Project. June 7 th , 2004 By: Benjamin Humble Eric Sundholm. Topics:.

neka
Download Presentation

Denial of Service Attacks Against 802.11 Wireless Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Denial of Service Attacks Against 802.11 Wireless Networks ECE 478: Final Project June 7th, 2004 By: Benjamin Humble Eric Sundholm

  2. Topics: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Traditional Wireless Jamming Definitions Methods Examples Strengths Weaknesses The 802.11b Vulnerability The IEEE 802.11b Standard Clear Channel Assessment (CCA) Algorithm Flaw Uncovered What’s wrong and why? Who’s At Risk? Solutions

  3. Traditional Wireless Jamming

  4. Definitions: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Jamming: To interfere with or prevent the clear reception of (broadcast signals) by electronic means1 Passive Jamming: such as putting up buildings made of material that block out cell phone signals2 1www.dictionary.com 2www.stargeek.com

  5. Methods: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 In almost every case, jamming causes a denial of service type attack to either server or client, sender or receiver. In a few isolated cases, the use of jamming equipment can be seen as a man-in-the-middle attack.1 1Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu

  6. Past Methods: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Some older analog methods (including radar jamming) are: Simply broadcasting noise into the system so that the original message is lost and unintelligible. This usually requires the noise to be at an equal amplitude level to the jammed signal. In the case of radar jamming it is possible to send back to the detector the same signal that was sent out. This would cause the receiver to believe that no target was found.1 Similarly, instead of a no target situation, more or less targets than really exist can be sent back.1 1www.maclean-nj.com

  7. Modern Methods: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 More modern approaches include jamming of wireless computer communication The easiest form is to continually transmit useless data to the point where the servers become overloaded. This would cause a denial of service attack to all other clients.1 Inputting noise into the system still works, and has a clever advantage with computer systems The inputted noise signal can be of lower amplitude (and therefore power) which can cause DBR (death by retry). This is when the signal to noise ratio becomes severely compromised and the receiver must constantly re-request that the message be sent. This could form an endless loop, hence DBR.1 1www.maclean-nj.com

  8. Modern Methods: (cont’d) Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 In a worst case scenario it is impossible to defend against a radio jamming attack. A clever attacker can simply jam all frequencies so that these listed advanced methods will not work1 Spread spectrum systems Frequency hopping spread spectrum The frequencies used for 802.11b and low bandwidth (< 20 Mbps) 802.11g standard operating ranges are2: Unlicensed 2.4 GHz band Unlicensed 5.2 GHz band 1Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu 2www.nwfusion.com

  9. Modern Methods: (cont’d) Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 It can be noted that many of the older methods can be adopted and tweaked to wreak havoc on modern computer systems. The automation of these systems can be their undoing, just like with the death by retry example.

  10. Examples: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Radio operators have to listen for and identify common jamming signals so that they can be filtered out. Some of these common signals include1: Random Noise Random Pulse Stepped Tones Wobbler Random Keyed Modulated Continuous Wave Tone Rotary Pulse Spark Recorded Sounds Gulls Sweep-Through 1www.tpub.com

  11. Strengths: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Locating the Source: Many times, finding the source of the jamming signal must be done physically, and therefore is hard to locate the attacker. Detection: Most people have no idea if a jamming signal is in use. It simply appears as if there is no service. Such is the case with cell phones, or wireless networks.1 Cost: Equipment cost is relatively cheap, when compared to brute force methods of other computer oriented security attacks. 2www.stargeek.com

  12. Weaknesses: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Limited use: Jamming is limited since most attacks can only be used as denial of service attacks Power: In most cases the power needed to overcome and jam a signal is too great to be practical. Exceptions to this, however include: Satellite jamming: Transmitted signal strength degrades as a function of distance squared. Therefore, an attacker that is much closer to the receiver than the satellite does not have to use the same power output to match the original satellite transmission. 802.11 CCA exploitation: To be discussed in later slides Range: Range is usually limited by the power of the attacker’s transmitter

  13. The 802.11 Vulnerability

  14. The IEEE 802.11b Standard: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Established in 1997 by the Institute of Electrical and Electronics Engineers (IEEE)1 Quickly became the most commonly used standard for wireless communication Only available connection to a wireless network in 99.9% of all cases2 Remains the most commonly used wireless protocol despite the development of more advanced and more secure standards 1 www.ieee.com 2 maccentral.macworld.com

  15. Clear Channel Assessment (CCA): Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Algorithm used by 802.11 networks to determine if a radio frequency (RF) channel is free for use1 Performed by a Direct Sequence Spread Spectrum (DSSS) physical layer2 Prevents transmission of data by either client or access point (AP) until a channel becomes free 1 www.kb.cert.org 2 www.auscert.org.au

  16. IEEE 802.11b Flaw Uncovered: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Flaw reported May 13th, 2004 by associate professor Mark Looi at Queensland University of Technology’s (QUT) Information Security Research Centre1 Discovered by professor Looi’s graduate students Christian Wullems, Kevin Tham and Jason Smith while investigating mechanisms for protecting wireless devices from hacking US-CERT Vulnerability Note2 VU#106678 1 maccentral.macworld.com 2 www.kb.cert.org

  17. What’s Wrong and Why? Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 A specially crafted RF signal can cause the CCA algorithm to believe there are no free channels This type of signal is sometimes called “jabber” Attack prevents any wireless communication to or from any client or access point within range of the jamming Unlike traditional jamming, exploiting the CCA flaw requires no more power than normal operation for a wireless device Attack can be implemented by a modified $35 network card and laptop or even a wireless enabled PDA1 1 maccentral.macworld.com

  18. What’s Wrong and Why? (cont’d) Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Due to low-power nature of the attack, locating the attacker is nearly impossible (though locating the access point(s) affected is simple) Wireless communication will be disrupted as long as the attack remains underway Capable of shutting down all wireless transmissions within a 1km radius in 5 to 8 seconds1 1 maccentral.macworld.com

  19. Who’s at Risk? Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 All IEEE 802.11, 802.11b, and low bandwidth (< 20 Mbps) 802.11g wireless networks are vulnerable This accounts for 99.9% of all wireless computer networks1 IEEE 802.11a and high bandwidth only ( > 20 Mbps) 802.11g wireless networks do not use the same CCA algorithm and therefore are not vulnerable Flaw is not network implementation specific, it is inherent to the IEEE standard2 1 maccentral.macworld.com 2 www.kb.cert.org

  20. Who’s at Risk? (cont’d) Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Attack operates at the hardware level, therefore WEP, WPA, WLAN security measures have no effect In some countries, wireless networks are used to control infrastructures such as railways, energy transmission and other utilities1 Any network that is not completely physically isolated (middle of the desert, Faraday cage etc…) is vulnerable to this attack 1 maccentral.macworld.com 2 www.kb.cert.org

  21. Solutions: Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 NONE

  22. Solutions: (cont’d) Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 The flaw is inherent to the IEEE 802.11 standard and its use of the Clear Channel Assessment algorithm There are no known solutions for preventing this attack on a vulnerable system The best option for preventing this type of attack is to use a wireless standard that is not vulnerable (i.e. 802.11a or 802.11g) In general, it is impossible to completely protect a wireless network from denial of service attacks based on radio frequency (RF) jamming

  23. Questions? Denial of Service Attacks Against 802.11b Wireless NetworksBy: Benjamin Humble & Eric Sundholm June 7th, 2004 Questions or Comments? Benjamin Humble (humblebe@engr.orst.edu) Eric Sundholm (sundholm@engr.orst.edu)

More Related