802.11 Denial of Service Attacks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
802.11 Denial of Service Attacks
  • Bianca McNair
  • Duane Fairfax

2
References
  • Stallings, William (2002). Wireless
    Communications and Networks. New Jersey:
    Prentice-Hall.
  • NIST Computer Security Resource Center,
    http://csrc.nist.gov/publications/nistpubs/
  • Bellardo, John and Savage, Stefan (2003). 802.11
    Denial-of-Service Attacks: Real Vulnerabilities
    and Practical Solutions. USENIX Security Symposium.
    http://ramp.ucsd.edu/bellardo/pubs/usenix-sec03-80211dos-html/aio.html

3
Introduction
  • What is a wireless LAN (WLAN)?
  • IEEE 802.11-based wireless access networks have
    seen widespread deployment
  • An economical alternative to wired LANs
  • Approximately 5.28 million American households
    are equipped with wireless networks
  • The popularity of wireless networks makes them an
    attractive target for attackers

4
Agenda
  • Background
  • Architecture
  • Media Access Controls (MAC) layer
  • Components
  • Services
  • Functions
  • Physical Layer (PHY)
  • Versions
  • Benefits
  • Disadvantages
  • Security flaws
  • Confidentiality
  • Availability
  • Vulnerabilities
  • Identity
  • Media Access Controls (MAC)
  • Attack Infrastructure
  • Denial of Service Attacks (DoS)
  • Deauthentication Attack
  • Virtual Carrier-Sense Attack
  • Countermeasures
  • Conclusion

5
Section I
  • IEEE 802.11 Standard Protocol

6
IEEE 802.11 Foundation
  • IEEE networking standards
  • The IEEE 802 committee formed the 802.11 working
    group in 1990
  • 802.11 standard adopted in 1997
  • ALOHANET
  • University of Hawaii researchers created the first
    wireless (packet radio) network, in 1971
  • Original 802.11 (1997): 1-2 Mbps data rates
  • 802.11 standard revisions
  • 802.11a
  • 802.11b
  • 802.11g

7
Architecture MAC Layer
8
MAC Layer Components (1)
  • STA (Station)
  • Consists of a MAC and a PHY
  • Referred to as network adaptor, network
    interface card
  • BSS (Basic Service Set)
  • Basic building block of an IEEE 802.11 LAN.
  • A set of STAs that communicate with one another.
  • A group of STAs under the direct control of a
    single coordination function.

9
MAC Layer Components (2)
  • Independent BSS (IBSS)
  • The most basic type of IEEE 802.11 LAN.
  • Each STA can communicate DIRECTLY with any
    other.
  • Often used for temporary internetworked
    communications, without the aid of an
    infrastructure.
  • The formal name for an ad hoc network.

10
MAC Layer Components (3)
  • Infrastructure BSS (BSS)
  • All communication goes through the AP:
    STA1 -> AP -> STA2
  • AP (Access Point)
  • A special STA that forwards frames between
    stations and to the distribution system

11
MAC Layer Components (4)
  • DS (Distribution System)
  • The abstract medium through which APs in
    different BSSs communicate.
  • Can be a wired network, a wireless network, or
    not a network at all.
  • Portal
  • Used to integrate with other kinds of IEEE 802
    LANs.
  • The logical point at which traffic enters the
    802.11 DS from other LANs.
  • ESS (Extended Service Set)
  • A set of infrastructure BSSs joined to extend
    the mobility range.
  • APs communicate among themselves via the DS to
    forward traffic from one BSS to another.

12
MAC Layer Services (1)
  • Station Services
  • Authentication
  • Open System Authentication (Figure 1)
  • Shared Key Authentication (Figure 2)
  • Deauthentication
  • Privacy
  • MAC Service Data Unit (MSDU) delivery

13
MAC Layer Services (2)
  • Distribution System Services
  • Association, Disassociation
  • Distribution (delivery within the 802.11 ESS)
  • Integration (delivery to a non-802.11 802.x LAN
    via the portal)
  • Reassociation (hand-off, roaming)

14
802.11 Portal
15
Architecture Overview
16
MAC Layer Frames
  • Management frame
  • Station association and disassociation with AP
  • Timing and synchronization
  • Authentication and deauthentication
  • Control frame
  • CF-End: ends the contention-free period (CFP)
  • RTS/CTS handshaking during the contention period
    (CP)
  • ACK during the CP
  • Data frame
  • Data frame (in both CFP and CP)
  • Combined with polling and ACK during CFP

17
MAC Layer Frame Format
18
MAC Layer Functions
  • MAC layer covers three functional areas
  • Reliable data delivery
  • Frame Exchange Protocol
  • Access control
  • Distributed Coordination Function (DCF)
  • Point Coordination Function (PCF)
  • Security
  • Wired Equivalent Privacy (WEP)

19
Reliable Data Delivery
  • Basic frame exchange (2 frames)
  • Source station transmits data
  • Destination responds with acknowledgment (ACK)
  • If the source doesn't receive the ACK, it
    retransmits the frame
  • Four frame exchange
  • Source issues request to send (RTS)
  • Destination responds with clear to send (CTS)
  • Source transmits data
  • Destination responds with ACK

20
Access Control DCF (1)
  • Priority Access to the wireless medium through
    three Inter-Frame Space (IFS) intervals
  • Short IFS (SIFS)
  • Shortest IFS
  • Used for immediate response actions (ACK, CTS,
    Poll Response)
  • Point coordination function IFS (PIFS)
  • Midlength IFS
  • Used by centralized controller in PCF scheme when
    using polls
  • Distributed coordination function IFS (DIFS)
  • Longest IFS
  • Used as minimum delay of asynchronous frames
    contending for access

21
Access Control DCF (2)
  • DCF's responsibilities
  • Support asynchronous data transfer
  • Support contention services
  • CSMA/CA
  • Physical carrier sensing (listen before
    transmitting)
  • Virtual carrier sensing
  • The medium is reserved by announcing, in RTS and
    CTS frames, how long the exchange will take
  • The Duration field in these frames
  • sets the NAV (Network Allocation Vector) of every
    station that hears it; a station defers while its
    NAV is non-zero, even if it senses no carrier

22
Access Control DCF (3)
Carrier Sense Multiple Access with Collision
Avoidance (CSMA-CA)
23
Access Control DCF (4)
  • Backoff Time = Random() x aSlotTime, with Random()
    uniformly drawn from [0, CW]

Contention Window (CW): starts at CWmin and doubles
after each failed transmission, up to CWmax
24
DCF MAC Frame Exchange (1)
25
DCF MAC Frame Exchange (2)
26
Architecture Physical Layer
  • Physical Layer
  • Direct Sequence Spread Spectrum (DSSS)
  • Frequency Hopping Spread Spectrum (FHSS)
  • Orthogonal Frequency Division Multiplexing (OFDM)
  • Infrared (IR)

27
Access Control (slide content is a PHY table; one
row recovered)
  • 802.11g: 2.4 GHz, OFDM, up to 54 Mbps
28
802.11 Current Versions (1)
  • 802.11a
  • Approved in 1999
  • Operates in the 5 GHz band, supporting up to
    54 Mbps
  • PHY: OFDM
  • 802.11b
  • Approved in 1999
  • Operates in the 2.4-2.4835 GHz band, supporting
    up to 11 Mbps
  • PHY: DSSS
  • 802.11g
  • Still in draft at the time of this presentation
    (ratified June 2003)
  • Operates in the 2.4 GHz band, supporting up to
    54 Mbps (OFDM PHY)
  • Backwards compatible with 802.11b

29
802.11 Current Versions (2)
  • Advantages
  • User mobility
  • Rapid Installation
  • Flexibility
  • Scalability
  • Disadvantages
  • User Authentication
  • Denial of Service (DoS) Attacks

30
IEEE 802.1X
  • Advantages
  • User based identification
  • Extensible authentication protocol (EAP) support
  • Allow additional authentication methods
  • Password authentication

31
SECTION II
  • Vulnerabilities and Practical Solutions

32
802.11 Security Issues
  • WEP (Wired Equivalent Privacy)
  • Built on the RC4 stream cipher (from RSA Security)
  • Intended to prevent eavesdropping; in practice
    broken: RC4 key-scheduling weaknesses
    (Fluhrer-Mantin-Shamir, 2001) let an attacker
    recover the key from captured traffic
  • Authenticates the client device (shared key),
    not the user
  • 802.1X standard
  • User-based identification
  • Extensible Authentication Protocol (EAP) support
  • Allows additional authentication methods
  • Password authentication

33
Vulnerabilities
  • Vulnerabilities result from additional MAC
    functionality whose messages are not authenticated
  • Identity
  • Deauthentication
  • Disassociation
  • Power Saving
  • MAC
  • Channel monopolization
  • Network Allocation Vector (NAV)

34
Vulnerabilities Identity (1)
  • Deauthentication messages from a client or AP are
    not authenticated
  • An attacker can spoof the message
  • The AP/client exits the authenticated state and
    must re-authenticate and re-associate before it
    can send data again
  • Persistent exploitation can deny service
    indefinitely

35
Vulnerabilities Identity Fig. 1
36
Vulnerabilities Identity (2)
  • Association messages determine which AP the
    client will use
  • Disassociation messages are, like
    deauthentication, unauthenticated and can be
    spoofed
  • The disassociation attack is slightly less
    efficient than the deauthentication attack: the
    victim stays authenticated and only needs to
    re-associate, so it recovers faster from each
    spoofed frame

37
Vulnerabilities Identity (3)
  • Power-conservation functions present
    vulnerabilities
  • Clients are allowed to enter a sleep state; the
    AP buffers traffic for them
  • The client wakes and polls the AP occasionally
  • Relies on time synchronization (beacon timestamps)
  • Adversary options
  • Spoof the polling message on behalf of the client:
    the AP delivers and then discards the buffered
    frames while the real client is still asleep
  • Spoof the traffic indication map (TIM) so the
    client believes nothing is waiting for it
  • Spoof beacons/timestamps to desynchronize the
    client and cause it to enter an indefinite sleep
    period

38
Vulnerabilities MAC
  • Both physical and virtual carrier sense can be
    exploited
  • Physical: an attacker can monopolize the channel
    by transmitting a short frame within every SIFS
    gap, before any station waiting for DIFS can
    contend (costly: it needs a continuous, very high
    frame rate)
  • Virtual: an attacker can assert a large Duration
    field (up to 32,767 us), so every listener sets
    its NAV and stays silent; about 31 such frames per
    second keep the medium reserved permanently
  • Advantages of using RTS frames for this
  • The AP's CTS reply repeats the duration,
    propagating the reservation through other nodes
    (even to stations that cannot hear the attacker)
  • Anonymity: the source address is spoofed, and the
    reservation is relayed by a legitimate node
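
As an added illustration (not part of the slides or of the Bellardo-Savage paper) of the IFS priority rules on slides 20 and 23 and of the physical carrier-sense abuse above: a tick-level Python model of one DCF station contending against a node that transmits a short frame within every SIFS gap. The timing constants (SIFS 10 us, DIFS 50 us, slot 20 us, CWmin 31, CWmax 1023) are those of the 802.11b DSSS PHY; frame airtimes, the seed and the function names are assumptions for the demo.

```python
import random

# 802.11b DSSS timing in microseconds and contention-window limits in slots
# (assumed values for this example; DIFS = SIFS + 2 * aSlotTime).
SIFS, DIFS, SLOT = 10, 50, 20
CW_MIN, CW_MAX = 31, 1023


def contention_window(retry):
    """CW after `retry` failed attempts: 31, 63, 127, ..., capped at CW_MAX."""
    return min((CW_MIN + 1) * (1 << retry) - 1, CW_MAX)


def backoff_time(retry, rng):
    """Backoff Time = Random() x aSlotTime, with Random() uniform in [0, CW]."""
    return rng.randint(0, contention_window(retry)) * SLOT


def sample_backoffs(retry, n, seed=0):
    """n backoff times (us) for a given retry count, from a seeded generator."""
    rng = random.Random(seed)
    return [backoff_time(retry, rng) for _ in range(n)]


def simulate_dcf(sim_us, attacker, seed=7, legit_frame_us=1000, atk_frame_us=50):
    """1 us tick model of one DCF station, optionally facing a SIFS-abusing node.

    The station transmits only after the medium has been idle for DIFS and its
    backoff has counted down.  The attacker never waits for DIFS or a backoff:
    it sends a short frame exactly SIFS after every busy period ends (the gap
    reserved for immediate responses such as ACK and CTS), so DIFS never
    elapses for anyone else.  Returns (legit_frames_sent, attacker_frames_sent).
    """
    rng = random.Random(seed)
    t = busy_until = idle = 0
    backoff = backoff_time(0, rng)
    sent = atk_sent = 0
    while t < sim_us:
        if t < busy_until:                  # medium busy: jump ahead, idle timer restarts
            t, idle = busy_until, 0
            continue
        if attacker and idle == SIFS:       # attacker seizes the medium before DIFS
            busy_until = t + atk_frame_us
            atk_sent += 1
            continue
        if idle >= DIFS:                    # DIFS elapsed: backoff counts down while idle
            if backoff == 0:
                busy_until = t + legit_frame_us
                sent += 1
                backoff = backoff_time(0, rng)  # success: CW back to CW_MIN
                continue
            backoff -= 1
        idle += 1
        t += 1
    return sent, atk_sent


if __name__ == "__main__":
    for attacker in (False, True):
        legit, atk = simulate_dcf(100_000, attacker)
        rate = atk * 1_000_000 // 100_000
        print(f"attacker={attacker}: legit frames={legit}, "
              f"attacker frames={atk} (~{rate}/s)")
```

Run as a script it shows the asymmetry the slide describes: the legitimate station never gets its DIFS, while the attacker has to keep a frame on the air every SIFS plus its own airtime, which is why this variant is expensive compared with the NAV attack.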

39
Attack Infrastructure
  • Software implementation of the attacks
  • Commodity NIC firmware restricts what an attacker
    can transmit (e.g. raw management frames or
    arbitrary Duration values)
  • NIC limitations overcome by reconfiguring the
    hardware (custom firmware)
  • Choice Microsystems card used as the example

40
Attack Infrastructure Fig. 1
41
Deauthentication Attack (1)
  • Demonstration application: swat
  • Runs on an iPAQ H3600 Pocket PC
  • Running Familiar Linux
  • D-Link DWL-650 PCMCIA wireless card
  • Monitors wireless channels for APs and clients
  • Identifies potential targets by MAC address
  • Issues a spoofed deauthentication as soon as it
    observes an association response, so the victim
    never gets to exchange data

42
Deauthentication Attack (2)
  • Testbed
  • 802.11 network with 7 computers (1 attacker,
    1 access point, 1 monitoring station,
    4 legitimate clients)
  • Conditions
  • Large FTP transfer through the AP
  • Transfer long enough to outlast the testing period
  • Two network attacks mounted

43
Deauthentication Attack Fig. 1
44
Deauthentication Attack (3)
  • Countermeasure
  • Delay the effect of deauthentication and
    disassociation requests: queue each request for a
    few seconds (5-10 s) and discard it if a data
    frame from the same station arrives in that
    window, since that is evidence the request was
    spoofed
  • Advantage
  • Implemented with a simple firmware modification
  • Drawbacks
  • Vulnerable while roaming between APs, when a
    genuine deauthentication/disassociation must take
    effect quickly
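
Added example (not from the presentation or from the Bellardo-Savage paper) covering the MAC header layout of slide 17 and the delayed-deauthentication countermeasure above: a Python builder/parser for the 24-byte header of 802.11 management and data frames, plus a toy access point that queues deauthentication/disassociation requests for `HOLD_S` seconds and discards them if a data frame from the same station arrives first. The station addresses, the 5 s hold, the reason code, the timestamps and the class and function names are assumptions made for this demo; only the header layout and type/subtype values come from the standard.

```python
import struct

# 802.11 Frame Control values (from the standard)
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC
FLAG_TO_DS = 0x0100                      # bit 8 of Frame Control
REASON_STA_LEAVING = 3                   # deauth reason: sending STA is leaving

# Constructed, locally administered addresses for the demo (not real devices)
CLIENT = "02:00:00:00:00:01"
BSSID = "02:00:00:00:00:aa"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0,
                duration=0, seq=0):
    """24-byte header (Frame Control, Duration/ID, Addr1-3, Seq Ctrl) + body.

    Frame Control is little-endian: version in bits 0-1, type in bits 2-3,
    subtype in bits 4-7, flags (ToDS, FromDS, ...) in bits 8-15.
    """
    fc = (ftype << 2) | (subtype << 4) | flags
    return struct.pack("<HH6s6s6sH", fc, duration, mac_bytes(addr1),
                       mac_bytes(addr2), mac_bytes(addr3), seq << 4) + body


def parse_header(frame):
    """Parse a management/data header (control frames are shorter; not handled)."""
    fc, duration, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    return {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & FLAG_TO_DS), "from_ds": bool(fc & 0x0200),
        "duration": duration,
        "addr1": mac_text(a1), "addr2": mac_text(a2), "addr3": mac_text(a3),
        "seq": seqctl >> 4, "frag": seqctl & 0xF, "body": frame[24:],
    }


class AccessPoint:
    """Per-client authentication state with the delayed-deauth defense."""
    HOLD_S = 5.0   # queue a deauth/disassoc this long before honoring it (assumed)

    def __init__(self, bssid, delayed=True):
        self.bssid, self.delayed = bssid, delayed
        self.authenticated = set()
        self.pending = {}                  # client -> time the request takes effect

    def authenticate(self, client):
        self.authenticated.add(client)

    def _expire(self, now):
        for client, deadline in list(self.pending.items()):
            if now >= deadline:            # no contrary evidence arrived: honor it
                self.authenticated.discard(client)
                del self.pending[client]

    def on_frame(self, frame, now):
        h = parse_header(frame)
        src = h["addr2"]
        if h["addr1"] != self.bssid or src not in self.authenticated:
            return
        if h["type"] == TYPE_MGMT and h["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            if self.delayed:
                self.pending.setdefault(src, now + self.HOLD_S)
            else:
                self.authenticated.discard(src)   # stock behaviour: act at once
        elif h["type"] == TYPE_DATA and src in self.pending:
            # Data from the station that supposedly left proves the queued
            # request was spoofed, so it is dropped.
            del self.pending[src]
        self._expire(now)

    def is_authenticated(self, client, now):
        self._expire(now)
        return client in self.authenticated


def run_scenario(delayed):
    """Spoofed deauth at t=0.5 s, victim data at t=1 s (defense should keep the
    client); second spoofed deauth at t=3 s followed by silence (honored)."""
    ap = AccessPoint(BSSID, delayed)
    ap.authenticate(CLIENT)
    spoofed = build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BSSID, CLIENT, BSSID,
                          body=struct.pack("<H", REASON_STA_LEAVING))
    data = build_frame(TYPE_DATA, 0, BSSID, CLIENT, BSSID, body=b"GET /",
                       flags=FLAG_TO_DS)
    ap.on_frame(spoofed, 0.5)
    ap.on_frame(data, 1.0)
    after_spoof_and_data = ap.is_authenticated(CLIENT, 2.0)
    ap.on_frame(spoofed, 3.0)
    after_silent_deauth = ap.is_authenticated(CLIENT, 9.0)
    return after_spoof_and_data, after_silent_deauth
```

With `delayed=False` the first spoofed frame alone evicts the client, which is the behaviour the swat tool relies on; with the delay the attacker has to keep the victim silent for the whole hold window, which is exactly the roaming drawback listed above (a client that genuinely left stays "authenticated" for those seconds).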

45
Deauthentication Attack Fig. 2
46
Access Point Roaming (1)
  • Intelligent APs
  • Explicit means of coordinating the handoff avoids
    the disassociation timeout
  • Use proprietary protocols between homogeneous
    devices

47
Access Point Roaming (2)
  • Dumb APs
  • No explicit means of coordination
  • Rely on layer 2 for coordinating handoff

48
Virtual Carrier-Sense Attack (1)
  • Exploits the NAV vulnerability
  • Streams of frames carrying large Duration values
  • Exploits the RTS/CTS feature to have a legitimate
    node relay the reservation
  • Much harder to defend against than the
    deauthentication attack, because honoring the
    Duration field is core MAC behaviour

49
Virtual Carrier-Sense Attack Fig. 1
50
Virtual Carrier-Sense Attacks (2)
  • Testbed: 1 AP, 18 static client nodes, 1 static
    attacker node (ns simulation)
  • Conditions: FTP used to generate long-lived
    network traffic; the ns 802.11 MAC layer
    implementation was modified to allow arbitrary
    Duration values

51
Virtual Carrier-Sense Attacks Fig. 1
52
Virtual Carrier-Sense Attacks (3)
  • Countermeasures
  • A limit is placed on the Duration value a node
    accepts, based on frame type (i.e. a duration
    larger than that frame's exchange legitimately
    needs is truncated to the maximum), and the NAV
    is reset if the frame the reservation promised
    (CTS, data) does not follow
  • Further improvement would require abandoning
    parts of the 802.11 MAC functionality (i.e. the
    ability of some frame types to set Duration
    values)
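
An added, self-contained Python example (not from the slides or from the paper's ns code) of the virtual carrier-sense attack on slides 48-52 and of the per-frame-type Duration cap just described. It computes, for a stream of spoofed frames over a one-second window, how much of the time a listening node's NAV keeps the medium reserved, with and without the cap, and how many frames per second the attacker needs in each case. The PHY timings (802.11b, 1 Mbps control rate, 11 Mbps data rate), the 100 us attacker airtime and the function names are assumptions; the 32,767 us Duration ceiling is the field's 15-bit limit.

```python
import math

# 802.11b DSSS timing in microseconds (assumed for this example)
SIFS, PLCP = 10, 192                      # long PLCP preamble + header
ACK_US = CTS_US = PLCP + 14 * 8           # 14-byte ACK/CTS at the 1 Mbps control rate
MAX_DATA_US = PLCP + 2346 * 8 // 11       # largest data frame at 11 Mbps
MAX_DURATION = 32767                      # largest value the 15-bit Duration field holds
ATK_AIRTIME = 100                         # assumed airtime of one spoofed frame


def legit_duration_cap(kind, more_fragments=False):
    """Largest NAV reservation a frame of this type can legitimately ask for.

    This is the capping countermeasure: a node honors only as much Duration
    as the frame's own exchange needs (one extra data+ACK round is allowed
    when the More Fragments flag is set).
    """
    exchange = SIFS + MAX_DATA_US + SIFS + ACK_US      # one data + ACK round
    if kind == "rts":
        return SIFS + CTS_US + exchange                 # CTS, data, ACK must follow
    if kind == "cts":
        return exchange
    if kind == "data":
        return SIFS + ACK_US + (exchange if more_fragments else 0)
    if kind == "ack":
        return exchange if more_fragments else 0
    raise ValueError(kind)


def nav_busy_fraction(frames, window_us=1_000_000, cap=False):
    """Fraction of [0, window_us) during which a listener sees the medium busy.

    `frames` holds (start_us, airtime_us, kind, duration) tuples.  Each frame
    reserves the medium until start + airtime + duration; overlapping
    reservations merge, the longest outstanding one winning.
    """
    intervals = []
    for start, airtime, kind, duration in frames:
        d = min(duration, legit_duration_cap(kind)) if cap else duration
        intervals.append((start, start + airtime + d))
    busy = reserved_until = 0.0
    for s, e in sorted(intervals):
        s, e = max(s, reserved_until), min(e, window_us)
        if e > s:
            busy += e - s
            reserved_until = e
    return busy / window_us


def attacker_stream(rate_per_s, kind, duration=MAX_DURATION, window_us=1_000_000):
    """Periodic spoofed frames of one type, every one asserting `duration`."""
    gap = 1_000_000 / rate_per_s
    n = int(rate_per_s * window_us / 1_000_000)
    return [(k * gap, ATK_AIRTIME, kind, duration) for k in range(n)]


def frames_per_second_to_saturate(kind, cap):
    """Frames/s the attacker needs to keep the medium reserved 100% of the time."""
    d = min(MAX_DURATION, legit_duration_cap(kind)) if cap else MAX_DURATION
    return math.ceil(1_000_000 / (ATK_AIRTIME + d))


if __name__ == "__main__":
    for rate in (30, 31):
        print(f"{rate} data frames/s, no cap: busy "
              f"{nav_busy_fraction(attacker_stream(rate, 'data')):.3f}")
    for kind in ("data", "rts"):
        capped = nav_busy_fraction(attacker_stream(30, kind), cap=True)
        need = frames_per_second_to_saturate(kind, cap=True)
        print(f"30 {kind} frames/s with cap: busy {capped:.3f}; "
              f"saturating now needs {need} frames/s")
```

The uncapped case reproduces the slide's arithmetic: 32,767 us per frame means about 31 frames per second silence every listener. With the cap an RTS still buys the attacker a full RTS/CTS/data/ACK exchange, so the attack is not eliminated, only made a few hundred times more expensive (and correspondingly easier to notice), which is the reason the slides call this the harder attack to defend against.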

53
Virtual Carrier-Sense Attacks Fig. 2
54
Conclusion
  • 802.11 MAC layer vulnerabilities can be exploited
    to deny service to legitimate users
  • Short term: low-overhead procedures (delayed
    deauthentication, capped Duration values)
  • Long term: per-packet authentication of management
    and control frames (later standardized for
    management frames as IEEE 802.11w, 2009)

55
Questions?
56
MAC Layer Services Fig. 1
57
MAC Layer Services Fig. 2