802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions - PowerPoint PPT Presentation

Slides: 16
Provided by: david2749

1
802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
  • John Bellardo and Stefan Savage
  • Department of Computer Science and Engineering
  • University of California at San Diego
  • USENIX Security Symposium 2003
  • Presented by David Allen
  • October 17, 2005

2
This Paper Describes
  • Denial-of-Service (DoS) attacks on 802.11's MAC
    protocol.
  • Selective or complete disruption of service.
  • Attacks use relatively few packets and low power
    consumption.
  • Attacks are practical with commodity 802.11
    devices.
  • Non-cryptographic countermeasures.

3
Identity Vulnerabilities
  • At the 802.11 medium access control (MAC) layer
    nodes are identified with a globally unique 12
    byte address.
  • No mechanism for verifying the correctness of the
    identity for control frames.
  • Implicit trust in a speaker's source address.

4
Identity Vulnerabilities: Deauthentication
  • Clients must authenticate with one or more access
    points (AP), then associate with the AP that they
    will route through.
  • Clients and AP can request deauthentication from
    each other.
  • The attacker can spoof this message to
    interrupt the data flow until authentication
    is reestablished.

5
Identity Vulnerabilities: Disassociation
  • Similar to Deauthentication attack.
  • Clients and AP can request disassociation from
    each other.
  • The attacker can spoof this message to
    interrupt the data flow until association is
    reestablished.
  • More attack messages are required to get the same
    effect as a deauthentication message.

6
Identity Vulnerabilities: Power Saving
  • Clients can turn off radio to conserve energy.
  • Client tells AP that it is entering sleep.
  • AP tells client when to wake up for traffic.
  • AP will buffer data and send traffic indication
    map (TIM) to client periodically.
  • Client wakes up to receive each TIM and then
    retrieve data if available.

[Figure: message sequence between Client, Attacker and AP. Labels in order: Entering Sleep, Management Response, Client Sleeps, TIM, Client Wakes, Client Sleeps, TIM, Client Wakes, Client Sleeps, TIM, Client Wakes, Retrieve Data, Client Sleeps.]

7
Identity Vulnerabilities: Power Saving
  • Messages are sent in the clear.
  • Attacker can spoof management packet and prevent
    synchronization.
  • Attacker can spoof client polling and discard
    data.
  • Attacker can spoof TIM and convince client there
    is no data.

[Figure: message sequence between Client, Attacker and AP. Labels in order: Entering Sleep, Management Response, Client Sleeps, Management Response, Retrieve Data, TIM, Client Wakes, Client Sleeps, TIM.]

8
Media Access Vulnerabilities
  • Hidden terminals prevent perfect collision
    detection.
  • Physical and Virtual carrier-sense mechanisms are
    used to control channel access.
  • Both of these mechanisms can be exploited.

9
Media Access Vulnerabilities: Physical Carrier-Sense
  • Before transmitting frame, node must wait at
    least a small interval of time.
  • Attacker can send a message before the end of
    every time interval.
  • On 802.11b the minimum time is 20µs and would
    require 50,000 packets per second to disable all
    access.
  • Expensive for attacker.

10
Media Access Vulnerabilities: Virtual Carrier-Sense
  • Each 802.11 frame carries a duration value: the
    number of µs for which to reserve the channel.
  • Max value is 32767, or about 32ms.
  • Attacker can jam all access with only 30
    transmissions a second.

11
Commodity Hardware
  • Most 802.11(a,b) NICs implement key MAC functions
    in firmware.
  • Firmware limits content of frames to reasonable
    values which would prevent some of these attacks.
  • Some NICs allow raw memory access interface for
    debug purposes.
  • It is possible to modify frames within these
    NICs' SRAM before they are sent.

12
Deauthentication Attack
  • Two attacks tested.
  • First one against a single client.
  • Second against all clients.
  • Both were very successful.

13
Deauthentication Defense
  • Nodes will queue deauthentication or
    disassociation requests for a few seconds.
  • Any new traffic from sender will cancel request.
  • Attacks on a hardened AP have almost no effect.
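
The queueing defense on this slide, as an added sketch that is not code from the paper or the presentation. The 5-second delay, the class and function names, and the event list are assumptions made for illustration; the slide only says "a few seconds".

```python
from dataclasses import dataclass, field

DEFER_SECONDS = 5.0  # assumption: the slide only says "a few seconds"

@dataclass
class DeferredDeauthAP:
    delay: float = DEFER_SECONDS
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # MAC -> time the request takes effect

    def expire(self, now):
        """Apply queued requests whose delay elapsed with no traffic from the sender."""
        for mac, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[mac]
                self.associated.discard(mac)

    def on_request(self, mac, now):
        """Deauthentication or disassociation: queue it rather than act at once."""
        self.expire(now)
        if mac in self.associated:
            self.pending.setdefault(mac, now + self.delay)

    def on_traffic(self, mac, now):
        """New traffic from the sender cancels its queued request."""
        self.expire(now)
        if mac not in self.associated:
            return False
        self.pending.pop(mac, None)
        return True

def replay(events, clients):
    """Feed (time, kind, mac) events to a fresh AP; kind is 'request' or 'traffic'."""
    ap = DeferredDeauthAP(associated=set(clients))
    for now, kind, mac in sorted(events):
        (ap.on_request if kind == "request" else ap.on_traffic)(mac, now)
    return ap

# Constructed sample: CLIENT keeps sending while requests that claim its
# address arrive every second; LEAVER sends one request and then goes quiet.
CLIENT, LEAVER = "02:00:00:00:00:01", "02:00:00:00:00:02"
EVENTS = [(t, "request", CLIENT) for t in range(0, 20)]
EVENTS += [(t + 0.5, "traffic", CLIENT) for t in range(0, 20)]
EVENTS += [(1.0, "request", LEAVER)]

def run_sample():
    ap = replay(EVENTS, {CLIENT, LEAVER})
    return CLIENT in ap.associated, LEAVER in ap.associated
```

A station that really leaves stops sending, so its request takes effect after the delay; a request followed by more traffic from the same address is dropped.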

14
Virtual Carrier-Sense Attack
  • Attempted attack with unexpected results.
  • It appears that most 802.11 devices do not
    implement virtual carrier-sense correctly and do
    not wait.
  • Reran test on simulator that implements 802.11
    correctly.
  • Channel was completely blocked.

15
Virtual Carrier-Sense Defense
  • Limits can be placed on duration values accepted
    by nodes.
  • Control frames can be limited to small duration
    values.
  • Not perfect, but only extending authentication to
    control packets can eliminate the issue.
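
The duration limits on this slide, modelled on the receiving node as an added sketch that is not code from the paper or the presentation. The two cap values, the function names and the frame list are assumptions; only the 32767 µs maximum and the rate of 30 frames a second come from the slides.

```python
MAX_DURATION_US = 32767   # maximum duration value, from the slides
CONTROL_CAP_US = 500      # assumption: the "small" limit for control frames
GENERAL_CAP_US = 4000     # assumption: limit applied to all other frames

def accepted_duration(kind, duration_us, hardened):
    """Duration a node honours for one received frame ('control' or 'data')."""
    duration_us = min(duration_us, MAX_DURATION_US)
    if not hardened:
        return duration_us
    cap = CONTROL_CAP_US if kind == "control" else GENERAL_CAP_US
    return min(duration_us, cap)

def reserved_fraction(frames, window_us, hardened):
    """Fraction of the window during which the node's NAV keeps it silent.

    frames is a list of (arrival_us, kind, duration_us); overlapping
    reservations are merged so no airtime is counted twice.
    """
    busy = 0
    nav_end = 0
    for arrival, kind, duration in sorted(frames):
        end = min(arrival + accepted_duration(kind, duration, hardened), window_us)
        start = max(arrival, nav_end)
        if end > start:
            busy += end - start
            nav_end = end
    return busy / window_us

def constructed_frames(per_second=30):
    """Constructed input: evenly spaced control frames carrying the maximum duration."""
    gap = 1_000_000 // per_second
    return [(i * gap, "control", MAX_DURATION_US) for i in range(per_second)]

def compare():
    frames = constructed_frames()
    return (reserved_fraction(frames, 1_000_000, hardened=False),
            reserved_fraction(frames, 1_000_000, hardened=True))
```

With these assumed caps, `compare()` shows the same 30 frames holding the channel for about 98% of a second on a node that honours any duration, and 1.5% on one that clamps control frames.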