802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions (PowerPoint presentation transcript)

1
802.11 Denial-of-Service Attacks: Real
Vulnerabilities and Practical Solutions
  • John Bellardo and Stefan Savage
  • Department of Computer Science and Engineering
  • University of California, San Diego
  • Presented By Devon Callahan

2
Outline
  • Introduction to 802.11 and Motivation
  • Related Work
  • Vulnerabilities of 802.11
  • Practical Attacks and Defenses
  • Experimental Results
  • Conclusions
  • Final Thoughts

3
Introduction
  • 802.11 networks are everywhere
  • Usually network clients are in a star topology
    with the Access point
  • 802.11 b and g are most popular
  • With such high dependency on 802.11, are there
    vulnerabilities?

4
Related Work
  • Most of the work has focused on the
    confidentiality weaknesses in 802.11 security
    (WEP and WPA)
  • What about availability?
  • Lough identified vulnerabilities of the MAC
    (disassociation, deauthentication, virtual
    carrier sensing) but did not validate them

5
Related work (cont)
  • Faria and Cheriton identified problems posed by
    authentication DoS attacks and propose a new
    authentication framework (not very lightweight)
  • AirJack, Omerta, void11, Radiate: all wireless
    tools from the early 2000s
  • Some general 802.11 DoS attacks based on resource
    consumption (frame rate control)

6
Vulnerabilities of 802.11
  • Denial of Service: the act of denying a computer
    user a particular service
  • Typically, flood a client with more traffic than
    it can handle
  • 802.11 is more vulnerable than 802.3 because of
    the shared medium (2.4 GHz)

7
Denial of Service on Wireless
  • The attacker wants to disrupt and deny access to
    services by legitimate users
  • Two main types of DoS in 802.11
  • RF attacks, or jamming the wireless spectrum:
    disruption occurs when the signal-to-noise ratio
    reaches a certain level
  • Protocol-based attacks on the higher layers of
    communication, which are easier (identity and
    media-access control)

8
Identity Vulnerabilities
  • A result of the trust placed in a speaker's
    source address
  • 802.11 nodes are identified at the MAC layer by a
    unique address, as wired nodes are
  • Frames are not authenticated, meaning an attacker
    can change his MAC address and spoof other nodes
    (similar to what is done in ARP spoofing)
  • Leads to 3 kinds of attacks:
  • Disassociation attack
  • Deauthentication attack
  • Power saving mode attack

9
Disassociation
  • A client can authenticate with multiple APs but
    associate with one in order to allow the correct
    AP to forward packets
  • Association frames are unauthenticated
  • 802.11 provides a disassociation message similar
    to the deauth message
  • Vulnerability: a spoofed message causes the AP
    to disassociate the client

10
Disassociation Attack
[Figure: disassociation attack diagram showing the AP, the client and the spoofed disassociation message]
11
Deauthentication Attack
  • Authentication Procedure
  • After selecting an AP for communication, clients
    must authenticate themselves to the AP with their
    MAC address
  • Part of Authentication framework is a message
    allowing clients to explicitly deauthenticate
    from the AP
  • Vulnerability
  • An attacker can spoof the deauthentication
    message, suspending communication between AP and
    client and causing a DoS
  • Result
  • Client must re-authenticate to resume
    communication with AP

12
Deauthentication Attack
[Figure: deauthentication attack diagram showing the AP, the client and the spoofed deauthentication message]
13
Deauthentication Attack (Cont.)
  • By repeating the attack, a client can be kept
    from transmitting or receiving data indefinitely
  • The attack can be executed against an individual
    client or against all clients
  • Individual clients
  • Attacker spoofs the client's address, telling the
    AP to deauthenticate it
  • All clients
  • Attacker spoofs the AP, telling all clients to
    deauthenticate

14
Deauthentication or Disassociation?
  • Deauthentication requires 2 round trips (RTT) to
    resume communication
  • Disassociation requires 1 round trip (RTT) to
    resume communication
  • Because it requires less work for the attacker,
    deauthentication is the more effective attack

15
Power Saving in 802.11
  • Nodes sleep to conserve energy
  • The AP buffers a client's packets until they are
    requested with a poll message
  • The TIM (traffic indication map) is a periodic
    packet sent by the AP to notify the client of
    buffered data
  • Relies on synchronisation so that the client is
    awake when the TIM is sent

16
Attacks on Power Saving
  • Attacker spoofs the TIM message on behalf of the
    AP
  • The client could think there is no data and go
    back to sleep
  • Attacker forges management sync packets
  • Causes the client to fall out of sync with the AP
  • Attacker spoofs the poll on behalf of the client
  • The AP sends data while the client is sleeping

17
Media Access Vulnerabilities
  • Avoid collisions at all costs!!! Is the Attitude
  • CSMA/CA stands for Carrier Sense Multiple Access
    with Collision Avoidance
  • SIFS: the gap a node waits before continuing a
    pre-existing frame exchange (e.g. sending an ACK)

18
Media Access Vulnerabilities(cont)
  • DIFS: the gap used by nodes initiating new traffic
  • Nodes transmit at random times after the DIFS
  • Attacker can send a signal before every SIFS slot
    to clog the channel
  • Requires 50,000 pps to shut down the channel

19
More serious is RTS/CTS
  • Used in order to avoid the hidden terminal
    problem

20
Virtual Carrier Sense
  • Mechanism needed in preventing collision from two
    clients not hearing each other (hidden terminal
    problem)
  • RTS/CTS
  • A client wanting to transmit a packet first sends
    an RTS (Request to Send)
  • The RTS includes source, destination, and duration
  • The receiving client responds with a CTS (Clear to
    Send) packet

21
NAV Vulnerability
802.11 General Frame Format (field sizes in bytes)

  Frm Ctl  Duration  Addr1  Addr2  Addr3  Seq Ctl  Addr4  Data    FCS
  2        2         6      6      6      2        6      0-2312  4
  • Virtual carrier sense allows a node to reserve
    the radio channel
  • Each frame contains a duration value
  • Indicates the number of microseconds the channel
    is reserved
  • Tracked per node in the Network Allocation Vector
    (NAV)
  • Used by RTS/CTS
  • Nodes are only allowed to transmit once the NAV
    reaches 0

22
Simple NAV Attack: Forge packets with large
Duration
[Figure: Attacker, Access Point, Node 1, Node 2. The Access Point and Node 2 can't transmit (but Node 1 can)]
23
Extending NAV Attack w/RTS
[Figure: Attacker, Access Point, Node 1, Node 2. The AP and both nodes are barred from transmitting]
24
Practical Attacks and Defenses
  • The authors were able to implement these attacks
    with current software and hardware
  • iPAQ running Linux with a D-Link PCMCIA card
  • Built an app that monitors wireless channels for
    APs and clients
  • Once identified by MAC, a DNS resolver and dsniff
    are used to obtain better identifiers (user IDs)

25
How to Generate Arbitrary 802.11 Frames?
Host Interface to NIC
  • Key idea
  • AUX/Debug Port allows
  • Raw access to NIC SRAM
  • Download frame to NIC
  • Find frame in SRAM
  • Request transmission
  • Wait until firmware modifies frame
  • Rewrite frame via AUX port

[Figure: host interface to the NIC. Virtualized firmware interface (AUX Port, BAP, Xmit Q) over the physical resources (SRAM, Xmit process) and the Radio Modem Interface]
26
Simulating the NAV attack
  • So how bad would the attack be?
  • Simulated NAV attack using NS2
  • 18 Users
  • 1 Access Point
  • 1 Attacker
  • 30 attack frames per second
  • 32.767 ms duration per attack frame

27
NAV Attack Simulation
28
Practical NAV Defense
  • Legitimate duration values are relatively small
  • Determine the maximum reasonable NAV value for
    every frame type
  • Each node enforces this limit
  • < 0.5 ms for all frames except ACK and CTS
  • 3 ms for ACK and CTS
  • Reran the simulation after adding the defense to
    the simulator
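As an added illustration (not code from the paper or the slides), the Python below reads the Frame Control and Duration fields of the general frame format shown earlier and applies the per-type NAV cap from this slide. The frames, addresses and the 500 us / 3000 us cap values are constructed here from the slide's numbers; the sample mirrors the trace excerpt, with one forged CTS claiming the maximum 32.767 ms.

```python
import struct

# 802.11 Frame Control (first octet): bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
# Type 1 is control; CTS is subtype 12 and ACK is subtype 13.
CTS, ACK = (1, 12), (1, 13)

# Caps from the slides' practical NAV defense: 3 ms for ACK and CTS, 0.5 ms otherwise.
NAV_CAP_US = {CTS: 3000, ACK: 3000}
DEFAULT_CAP_US = 500
MAX_DURATION_US = 32767  # largest value the 15-bit Duration field can carry

def build_frame(ftype, subtype, duration_us, addr1):
    """Construct a minimal header (Frame Control, Duration, Addr1); fields are little-endian."""
    fc = (ftype << 2) | (subtype << 4)  # protocol version 0, no flag bits
    return struct.pack("<HH", fc, duration_us & 0x7FFF) + bytes.fromhex(addr1.replace(":", ""))

def parse_header(frame):
    """Return (ftype, subtype, duration_us, addr1) from a raw 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("need at least Frame Control + Duration + Addr1")
    fc, dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    # Bit 15 set means the field is not a NAV reservation (e.g. an AID in a PS-Poll).
    duration_us = 0 if dur & 0x8000 else dur & 0x7FFF
    return ftype, subtype, duration_us, frame[4:10].hex(":")

def effective_nav(frame):
    """Apply the cap for this frame's type; return (nav_us_to_honor, was_clamped)."""
    ftype, subtype, duration_us, _ = parse_header(frame)
    cap = NAV_CAP_US.get((ftype, subtype), DEFAULT_CAP_US)
    return (cap, True) if duration_us > cap else (duration_us, False)

def nav_reservations(frames):
    """Total channel time (us) a node would reserve for these frames, raw vs. capped."""
    raw = sum(parse_header(f)[2] for f in frames)
    capped = sum(effective_nav(f)[0] for f in frames)
    return raw, capped

# Constructed sample mirroring the trace excerpt: one forged CTS claiming the maximum
# 32.767 ms, then two ordinary data frames reserving 258 us each. Addresses are placeholders.
ATTACK_CTS = build_frame(*CTS, MAX_DURATION_US, "00:11:22:33:44:55")
DATA_FRAMES = [build_frame(2, 0, 258, "00:11:22:33:44:55"),
               build_frame(2, 0, 258, "66:77:88:99:aa:bb")]
```

With the cap in place the forged CTS reserves 3 ms instead of 32.767 ms, so the three sample frames hold the channel for 3516 us rather than 33283 us.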

29
Simulated NAV Defense
30
Why the NAV attack doesn't work
  • Surprise: many vendors do not implement the
    802.11 spec correctly
  • The Duration field is not respected by other
    nodes

Excerpt from a NAV Attack Trace

  Time (s)   Source    Destination  Duration (ms)  Type
  1.294020   e7001501               32.767         802.11 CTS
  1.295192   93eae70f  93eaabdf     0.258          TCP Data
  1.296540   93eae70f               0              802.11 Ack
  1.297869   93eaabdf  93eae70f     0.258          TCP Data
31
Deauth Attack Results
32
Practical Deauth Defense
  • Based on the observed behavior that legitimate
    nodes do not deauthenticate themselves and then
    send data
  • Delay honoring the deauthentication request for
    a small interval (5-10 seconds)
  • If no other frames are received from the source,
    honor the request
  • If the source sends other frames, discard the
    request
  • Requires no protocol changes and is backwards
    compatible with existing hardware
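The deferral logic of this slide as an added example, not code from the paper or the slides. It keeps a pending deauthentication per source address, honors it only after the hold interval (5 s is assumed here) passes without any further frame from that source, and discards it if the source keeps transmitting; the MAC addresses and trace are constructed.

```python
HOLD_SECONDS = 5.0  # the slides suggest a small interval of 5-10 seconds

class DeauthDefense:
    """Defer deauth/disassociation requests; drop them if the source keeps sending frames."""

    def __init__(self, hold=HOLD_SECONDS):
        self.hold = hold
        self.pending = {}  # source MAC -> time its deauth request was received
        self.log = []      # (time, source MAC, "honored" | "discarded")

    def on_frame(self, t, src, is_deauth):
        """Process one received frame: time in seconds, source MAC, deauth/disassoc flag."""
        self._expire(t)
        if is_deauth:
            # Queue instead of honoring at once; a repeated request keeps the earlier timer.
            self.pending.setdefault(src, t)
            return "queued"
        if src in self.pending:
            # Legitimate nodes do not deauthenticate and then keep talking, so the queued
            # request must have been spoofed by someone else: discard it.
            del self.pending[src]
            self.log.append((t, src, "discarded"))
            return "discarded"
        return "normal"

    def _expire(self, now):
        """Honor requests whose hold interval passed with no further frames from the source."""
        for src, t0 in list(self.pending.items()):
            if now - t0 >= self.hold:
                del self.pending[src]
                self.log.append((t0 + self.hold, src, "honored"))

    def decisions(self, now):
        """Flush requests that expired by `now` and return the decision log."""
        self._expire(now)
        return list(self.log)

# Constructed trace (placeholder MACs): a spoofed deauth for client ...01 followed by that
# client's own data frame, and a genuine deauth from client ...02 that is never contradicted.
SAMPLE_TRACE = [
    (0.0, "02:00:00:00:00:01", True),
    (0.4, "02:00:00:00:00:01", False),
    (1.0, "02:00:00:00:00:02", True),
    (3.0, "02:00:00:00:00:03", False),
]

def run_sample(trace=SAMPLE_TRACE, end_time=10.0):
    """Replay the trace and return what the AP decided for each queued request."""
    defense = DeauthDefense()
    for t, src, is_deauth in trace:
        defense.on_frame(t, src, is_deauth)
    return defense.decisions(end_time)
```

The spoofed request for client ...01 is discarded at 0.4 s, while the uncontradicted request from client ...02 is honored once its hold expires at 6.0 s.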

33
Deauthentication Defense Results
34
More Robust Defense
35
Defense in Depth
[Figure: two stations both claiming MAC 00-14-A4-2D-BE-1D as seen by the AP, with received signal strengths of -35, -36, -35, -18 and -34 dBm; the outlier RSS reveals the second sender]
36
Identity theft (MAC spoofing)
  • Occurs when a cracker is able to listen in on
    network traffic and identify the MAC address of a
    computer with network privileges
  • Most wireless systems allow some kind of MAC
    filtering, so that only authorized computers with
    specific MAC IDs can gain access and use the
    network

37
Man-in-the-middle attacks
  • The attacker entices computers to log into a
    computer that is set up as a soft AP
  • The hacker connects to a real access point through
    another wireless card
  • The hacker can then sniff the traffic

38
Caffe Latte attack
  • A way to defeat WEP
  • By using a process that targets the Windows
    wireless stack, it is possible to obtain the WEP
    key from a remote client
  • Done by sending a flood of encrypted ARP requests
  • The attacker uses the ARP responses to obtain the
    WEP key in less than 6 minutes

39
Conclusion
  • Deauthentication attack is most immediate concern
  • Denial of Service Attacks in 802.11 are very
    plausible with existing equipment
  • Although this research paper was published in
    2003, the threat remains for 802.11 networks

40
THANK YOU!
  • Questions?