802.11 Denial-of-Service Attacks

Real Vulnerabilities and Practical Solutions

Presented by : Aseem Tandon

March 23, 2004

Information Source
  • Based on a research paper by John Bellardo and Stefan Savage of UCal San Diego
  • Paper was presented at Usenix 2003 Security Symposium

Outline
  • What is 802.11?
  • What is a Denial-of-Service (DoS) Attack?
  • Vulnerabilities in 802.11
  • Practical Perspective and Proposed Solutions
  • Conclusions
  • References
What is 802.11?
  • IEEE standard that specifies the medium access control and physical layer for local area wireless connectivity between fixed, portable and moving stations
What is a DoS Attack?
  • Denying genuine users a particular service
  • In our context, preventing transmission of data to/from stations
Vulnerabilities in 802.11
  • Two kinds of vulnerabilities
    • Identity vulnerabilities
    • MAC vulnerabilities
Identity Vulnerabilities
  • Arise because of the implicit trust placed in the source address of a frame
  • The source's identity is never verified
  • Give rise to two kinds of attacks:
    • Deauthentication and Disassociation attacks
    • Power saving mode attack
Deauthentication and Disassociation Attack (1)
  • Authentication Mechanism
    • Client sends authentication request to AP
    • AP sends back response
    • Client then sends association request
    • AP responds accordingly
  • Problem:
    • The explicit deauthentication message is sent in the clear and is not authenticated with any keying material
    • The message can therefore be spoofed by anyone who knows the client and AP addresses
Deauthentication and Disassociation Attack (2)
  • The spoofed deauthentication message causes communication between client and AP to be suspended; hence the attacker has achieved DoS
  • The client must reauthenticate to resume communication
  • The attacker has to be careful to spoof the deauthentication message only after a successful authentication has taken place
  • A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear
  • From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack
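A monitoring station cannot verify who really sent a deauthentication or disassociation frame, but it can notice the one thing a spoofed stream must do to keep a victim offline: repeat. The following detector is an added example, not code from the presentation or from the Bellardo and Savage paper; it runs over a constructed capture of management frames (timestamp, subtype, source, destination) and flags any source/destination pair that sends more than a handful of deauthentication or disassociation frames within a short window. The MAC addresses, window length and threshold are assumptions chosen for the example.

```python
"""Sliding-window detector for deauthentication/disassociation bursts.

Added example; the capture below is constructed, not a real trace.
Frames are (timestamp_s, subtype, source_mac, destination_mac) as a
passive monitor in the same cell would record them.
"""
from collections import defaultdict, deque

DEAUTH = "deauth"
DISASSOC = "disassoc"

AP = "00:11:22:33:44:55"     # placeholder BSSID
STA = "aa:bb:cc:dd:ee:01"    # placeholder client address

# Constructed capture: a normal session, a burst of twelve deauth frames
# claiming to come from the AP, then a single genuine deauth at the end.
SAMPLE_CAPTURE = [
    (0.00, "auth", STA, AP),
    (0.01, "assoc", STA, AP),
    (1.00, "data", STA, AP),
    (2.00, "data", AP, STA),
] + [(3.0 + i * 0.025, DEAUTH, AP, STA) for i in range(12)] + [
    (10.0, "data", STA, AP),
    (60.0, DEAUTH, STA, AP),   # client leaving the network for real
]


def find_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return (time, src, dst, count) for each (src, dst) pair whose
    deauth/disassoc frames within `window_s` reach `threshold`.

    A genuine station or AP sends at most one or two of these per
    session; a forged stream has to repeat them to keep the victim
    disconnected, and that repetition is what gets flagged.
    """
    recent = defaultdict(deque)    # (src, dst) -> timestamps inside the window
    alerts = []
    already = set()                # report each pair once
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()            # drop frames that fell out of the window
        if len(q) >= threshold and key not in already:
            alerts.append((ts, src, dst, len(q)))
            already.add(key)
    return alerts


if __name__ == "__main__":
    for ts, src, dst, n in find_deauth_bursts(SAMPLE_CAPTURE):
        print(f"t={ts:.3f}s burst of {n} deauth/disassoc frames {src} -> {dst}")
```

The threshold is deliberately low because a legitimate AP never needs to deauthenticate the same client five times in a second; the window and threshold are what an operator would tune per deployment, and the alert reports the claimed source, which in a spoofing attack is the AP's own address rather than the attacker's.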
Power Saving Mode Attack (1)
  • Power Conservation Mechanism
    • Client enters sleep mode intermittently
    • AP buffers data during that time
    • Either the client awakens and sends a poll message to the AP for pending data, or the AP broadcasts a periodic Traffic Indication Map (TIM) message conveying the availability of pending data
    • AP delivers data and clears its buffer
  • Problem:
    • Attacker can spoof either the poll message or TIM message, as these are sent unauthenticated
Power Saving Mode Attack (2)
  • Big problem:
    • Other management messages can also be spoofed, thereby making these attacks more effective
  • Solution
    • Simply encrypt these messages, as data messages are, using WEP
MAC Vulnerabilities
  • Arise because of the collision avoidance mechanism of the 802.11 MAC layer
  • Cause two kinds of attacks:
    • Time window attack
    • Virtual carrier sense attack
Time Window Attack
  • The 802.11 MAC defines time windows to prioritize access to the channel
  • Two time windows: the Short interframe space (SIFS) for continuing an existing frame exchange, and the longer Distributed interframe space (DIFS) for starting a new frame exchange
  • Every STA has to wait at least SIFS before transmitting
  • Therefore, an attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval
  • However, there is a problem with the attack
    • Resource intensive: since SIFS is 28 µs (802.11b), the attacker would have to send a signal approximately 37,000 times per second
Virtual Carrier Sense Attack
  • Carrier Sensing Mechanism
    • To prevent collisions, station sends a short Request-to-Send (RTS) message
    • RTS contains a Duration field specifying the time for which the sender requires the channel
    • Receiver responds with Clear-to-Send (CTS) if it is ready to receive data
    • CTS contains the updated Duration field
    • Other stations within the range set their Network Allocation Vector (NAV) such that they do not transmit for the time specified in the Duration field
    • Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack
Virtual Carrier Sense Attack
  • Problem
    • The attacker can set the Duration field to a high value (maximum 32767), preventing channel access by others
    • Assuming the attacker sets the maximum value, he has to transmit only about 30 times per second, which makes the attack cheap
Practical Perspective
  • DoS attacks are theoretically possible, but what about actual practice?
  • Bad news!
  • It is feasible to carry out these attacks with commodity hardware and little tweaking
Deauthentication attack – Proposed Solutions
  • Solution 1: Authenticate management frames
  • But there are problems with this solution:
    • Not feasible as a software upgrade
    • A standardised authentication framework is required, which can take time
    • Not feasible to upgrade all STAs across all networks
  • Solution 2: Defer deauthentication
    • Modify the firmware to delay acting on a deauthentication message for a short interval after receiving it. If the AP receives a data message from the same client during that interval, the deauthentication request was spoofed and is discarded
  • Advantages of solution 2:
    • Low overhead
    • Modification only limited to the APs, which is feasible
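The deferral in Solution 2 can be written down as a small state machine on the AP. The code below is an added example, not the presentation's or the paper's implementation: the AP queues each deauthentication instead of acting on it, and a data frame from the same client arriving inside the deferral window proves the queued deauthentication was forged. The deferral window, client addresses and event timings are constructed for the example; the page does not give the paper's actual window length.

```python
"""AP-side deferred deauthentication (Solution 2 on the slide).

Added example. Events are (timestamp_s, subtype, client_mac) as the AP
would see them; all values below are constructed.
"""

DEFER_S = 0.1   # assumed deferral window in seconds


class DeferringAP:
    def __init__(self, defer_s=DEFER_S):
        self.defer_s = defer_s
        self.associated = set()   # clients currently allowed to send data
        self.pending = {}         # client -> time its deauth was received
        self.spoofed = []         # (time, client) deauths judged forged

    def on_frame(self, ts, subtype, client):
        """Process one received frame from `client` at time `ts`."""
        self.tick(ts)
        if subtype == "assoc":
            self.associated.add(client)
        elif subtype == "deauth":
            if client in self.associated and client not in self.pending:
                self.pending[client] = ts    # defer instead of disconnecting
        elif subtype == "data":
            if client in self.pending:
                # A client that had really deauthenticated would not keep
                # sending data, so the queued deauth was forged: drop it.
                del self.pending[client]
                self.spoofed.append((ts, client))
            # normal data forwarding would happen here

    def tick(self, now):
        """Honour deferred deauths whose window passed with no data."""
        for client, t0 in list(self.pending.items()):
            if now - t0 >= self.defer_s:
                del self.pending[client]
                self.associated.discard(client)


STA1 = "aa:bb:cc:dd:ee:01"   # constructed client that stays active
STA2 = "aa:bb:cc:dd:ee:02"   # constructed client that really leaves
SAMPLE_EVENTS = [
    (0.00, "assoc", STA1),
    (0.00, "assoc", STA2),
    (1.00, "data", STA1),
    (2.00, "deauth", STA1),   # forged: STA1 is still transmitting
    (2.05, "data", STA1),     # arrives inside the window -> forgery exposed
    (5.00, "deauth", STA2),   # genuine: nothing follows from STA2
    (6.00, "data", STA1),
]


def replay(events, end_time, defer_s=DEFER_S):
    """Feed events in time order and return the AP's final state."""
    ap = DeferringAP(defer_s)
    for ts, subtype, client in sorted(events, key=lambda e: e[0]):
        ap.on_frame(ts, subtype, client)
    ap.tick(end_time)
    return ap


if __name__ == "__main__":
    ap = replay(SAMPLE_EVENTS, end_time=10.0)
    print("still associated:", sorted(ap.associated))
    print("deauths judged spoofed:", ap.spoofed)
```

The price of the scheme is that a genuine deauthentication takes effect `defer_s` later than before; since a real client that has left sends nothing in that interval, the window can be kept short, which is why the slide counts the overhead as low.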
Virtual carrier sense attack – Proposed Solution
  • Put a cap on the value of the maximum duration on received frames
  • If a station receives a frame with duration more than the cap value, truncate the duration to the cap value
  • Can be further improved by selectively adhering to the specified duration value, depending on the frame type:
    • Data and ACK frames: these frames carry a high duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the duration specified in these frames can be ignored
    • RTS frame: a station that receives an RTS frame will also receive the following data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames, so the duration value of the RTS is respected only until the following data frame either arrives or fails to arrive
Virtual carrier sense attack – Proposed Solution …contd
    • CTS frame: either the observed CTS is unsolicited or the observing node is a hidden terminal.
      • If the CTS is addressed to a valid in-range station, that station can nullify it by sending a zero-duration null function frame.
      • If the CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames containing a cryptographically signed copy of the preceding RTS. But there are overhead and feasibility issues with this.
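The cap and the per-frame-type rules on the last two slides combine into one station-side NAV policy. The code below is an added example, not code from the presentation or from the paper: a received frame's Duration is first truncated to a cap, then honoured, ignored, honoured only provisionally (RTS, pending the data frame it announces), or answered with a zero-duration null function frame (an unsolicited CTS addressed to this station). The cap value, the RTS-to-data spacing bound and the frame representation are assumptions for the example; the 32767 maximum is the one the slides give.

```python
"""Station-side NAV policy: Duration cap plus selective adherence.

Added example. MAX_DURATION_US comes from the slides; the other
constants and the Frame/NavDecision shapes are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

MAX_DURATION_US = 32767   # largest value the Duration field can carry
DURATION_CAP_US = 3000    # assumed cap; a deployment tunes this
RTS_TO_DATA_US = 300      # assumed bound on RTS -> CTS -> data spacing


@dataclass
class Frame:
    ftype: str                    # "data", "ack", "rts", "cts" or "mgmt"
    duration_us: int              # raw Duration field as received
    dest: str                     # receiver address
    more_fragments: bool = False  # True only inside a fragmented exchange


@dataclass
class NavDecision:
    nav_until_us: int                   # absolute time the station defers until
    action: str                         # "honoured", "ignored", "provisional", "nullify"
    verify_by_us: Optional[int] = None  # RTS only: when its data frame must have arrived


def cap_duration(duration_us, cap_us=DURATION_CAP_US):
    """Clamp a received Duration value to the configured cap."""
    if not 0 <= duration_us <= MAX_DURATION_US:
        raise ValueError("Duration field out of range")
    return min(duration_us, cap_us)


def nav_update(frame, now_us, nav_until_us, my_mac, awaiting_cts=False):
    """Decide how one received frame affects this station's NAV."""
    d = cap_duration(frame.duration_us)
    extended = max(nav_until_us, now_us + d)
    if frame.ftype in ("data", "ack") and not frame.more_fragments:
        # Unfragmented data/ACK never carry a legitimate long reservation.
        return NavDecision(nav_until_us, "ignored")
    if frame.ftype == "rts":
        # Honour it, but only until the data frame the RTS announces is due.
        return NavDecision(extended, "provisional", now_us + RTS_TO_DATA_US)
    if frame.ftype == "cts" and frame.dest == my_mac and not awaiting_cts:
        # Unsolicited CTS naming us: cancel it with a zero-duration null
        # function frame instead of leaving neighbours on the bogus NAV.
        return NavDecision(nav_until_us, "nullify")
    return NavDecision(extended, "honoured")


def resolve_rts(decision, data_seen, now_us):
    """At verify_by_us, keep an RTS reservation only if its data frame came."""
    if decision.action != "provisional" or data_seen:
        return decision.nav_until_us
    return now_us   # the data never came: release the channel now


if __name__ == "__main__":
    me, t = "02:00:00:00:00:01", 1_000_000
    for f in (Frame("data", 32767, me), Frame("rts", 5000, "02:00:00:00:00:09"),
              Frame("cts", 32767, me), Frame("cts", 32767, "02:00:00:00:00:09")):
        print(f.ftype, nav_update(f, t, t, me))
```

Rejecting out-of-range Duration values outright rather than clamping them is a deliberate choice: a value above 32767 cannot come from a conforming sender, so it is worth logging as malformed rather than silently capped.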

Conclusions
  • 802.11 WLANs suffer from many vulnerabilities threatening the availability of service
  • Secure and extended authentication mechanisms can help
  • Changes to the MAC layer protocol are also required; possibly track and punish malicious nodes
References
  • John Bellardo and Stefan Savage, 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, USENIX Security Symposium, 2003
  • Dazhi Chen, Jing Deng and Pramod K. Varshney, Protecting Wireless Networks Against a Denial of Service Attack Based on Virtual Jamming
  • IEEE Standard for Wireless LAN – Medium Access Control and Physical Layer Specification, P802.11, 1999
  • AirDefense White Paper, Wireless LAN Security – What Hackers Know That You Don't, 2002
  • Vikram Gupta, Srikanth Krishnamurthy and Michalis Faloutsos, Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks