Title: 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
1 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
- John Bellardo and Stefan Savage
- Department of Computer Science and Engineering
- University of California, San Diego
- Presented by Devon Callahan
2 Outline
- Introduction to 802.11 and Motivation
- Related Work
- Vulnerabilities of 802.11
- Practical Attacks and Defenses
- Experimental Results
- Conclusions
- Final Thoughts
3 Introduction
- 802.11 networks are everywhere
- Network clients are usually in a star topology with the access point
- 802.11b and 802.11g are the most popular variants
- With such heavy dependence on 802.11, are there vulnerabilities?
4 Related Work
- Most prior work has focused on confidentiality: weaknesses in the security of 802.11 (WEP and WPA)
- What about availability?
- Lough identified vulnerabilities in the MAC layer (disassociation, deauthentication, virtual carrier sensing) but did not validate them
5 Related Work (cont.)
- Faria and Cheriton identified problems posed by authentication DoS attacks and proposed a new authentication framework (not very lightweight)
- AirJack, Omerta, void11, Radiate: all wireless attack tools from the early 2000s
- Some general 802.11 DoS attacks based on resource consumption (frame rate control)
6 Vulnerabilities of 802.11
- Denial of Service: the act of denying a computer user a particular service
- Typically, a client is flooded with more traffic than it can handle
- 802.11 is more vulnerable than 802.3 because of the shared 2.4 GHz medium
7 Denial of Service on Wireless
- The attacker wants to disrupt and deny access to services by legitimate users
- Two main types of DoS in 802.11:
- RF attacks, or jamming the wireless spectrum: disruption occurs when the signal-to-noise ratio reaches a certain level
- Protocol-based attacks on the higher layers of communication, which are easier to mount (identity and media-access control)
8 Identity Vulnerabilities
- A result of the trust placed in a speaker's source address
- 802.11 nodes are identified at the MAC layer by a unique address, as wired nodes are
- Frames are not authenticated, meaning an attacker can change his MAC address and spoof other nodes (similar to what is done in ARP spoofing)
- Leads to 3 kinds of attacks:
- Disassociation attack
- Deauthentication attack
- Power-saving mode attack
9 Disassociation
- A client can authenticate with multiple APs but associates with only one, so that the correct AP forwards its packets
- Association frames are unauthenticated
- 802.11 provides a disassociation message similar to the deauth message
- Vulnerability: a spoofed message causes the AP to disassociate the client
10 Disassociation Attack
(Diagram of the disassociation attack against the AP)
11 Deauthentication Attack
- Authentication procedure
- After selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address
- Part of the authentication framework is a message allowing clients to explicitly deauthenticate from the AP
- Vulnerability
- An attacker can spoof the deauthentication message, suspending communication between the AP and the client and causing a DoS
- Result
- The client must re-authenticate to resume communication with the AP
12 Deauthentication Attack
(Diagram of the deauthentication attack against the AP)
13 Deauthentication Attack (cont.)
- By repeating the attack, a client can be kept from transmitting or receiving data indefinitely
- The attack can be executed against an individual client or all clients
- Individual clients: the attacker spoofs the client's address, telling the AP to deauthenticate it
- All clients: the attacker spoofs the AP, telling all clients to deauthenticate
14 Deauthentication or Disassociation?
- After a deauthentication, resuming communication costs 2 RTTs
- After a disassociation, resuming communication costs 1 RTT
- Because it requires less work from the attacker for the same disruption, deauthentication is the more effective attack
15 Power Saving in 802.11
- Nodes sleep to conserve energy
- The AP buffers a client's packets until they are requested with a poll message
- The TIM (traffic indication map) is a periodic packet sent by the AP to notify clients of buffered data
- Relies on the packets being synchronized so that the client is awake when the TIM is sent
16 Attacks on Power Saving
- The attacker spoofs the TIM message on behalf of the AP
- The client could think there is no data and go back to sleep
- The attacker forges management sync packets
- Causes the client to fall out of sync with the AP
- The attacker spoofs a poll message on behalf of the client
- The AP sends the data while the client is sleeping
17 Media Access Vulnerabilities
- "Avoid collisions at all costs!" is the attitude
- CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance
- SIFS: the short interval that must elapse before the next frame of a pre-existing exchange (e.g., an ACK) can be sent
18 Media Access Vulnerabilities (cont.)
- DIFS: the interval used by nodes initiating new traffic
- Nodes transmit after a random backoff following the DIFS
- An attacker can send a signal before every SIFS slot to clog the channel
- Requires 50,000 pps to shut down the channel
19 More serious: RTS/CTS
- Used to avoid the hidden terminal problem
20 Virtual Carrier Sense
- Mechanism needed to prevent collisions between two clients that cannot hear each other (the hidden terminal problem)
- RTS/CTS
- A client wanting to transmit a packet first sends an RTS (Request to Send)
- The RTS includes source, destination, and duration
- The destination responds with a CTS (Clear to Send) packet
21 NAV Vulnerability
802.11 general frame format (field sizes in bytes): Frm Ctl (2), Duration (2), Addr1 (6), Addr2 (6), Addr3 (6), Seq Ctl (2), Addr4 (6), Data (0-2312), FCS (4)
- Virtual carrier sense allows a node to reserve the radio channel
- Each frame contains a duration value
- Indicates the number of microseconds the channel is reserved
- Tracked per node in the Network Allocation Vector (NAV)
- Used by RTS/CTS
- Nodes are only allowed to transmit when their NAV reaches 0
22 Simple NAV Attack: forge packets with a large Duration
(Diagram: attacker, access point, Node 1, Node 2. The access point and Node 2 cannot transmit, but Node 1 can.)
23 Extending the NAV Attack with RTS
(Diagram: attacker, access point, Node 1, Node 2. The AP and both nodes are barred from transmitting.)
24 Practical Attacks and Defenses
- The authors were able to implement these attacks with current software and hardware
- iPAQ running Linux with a D-Link PCMCIA card
- Built an app that monitors wireless channels for APs and clients
- Once identified by MAC, a DNS resolver and dsniff are used to obtain better identifiers (user IDs)
25 How to Generate Arbitrary 802.11 Frames?
- Key idea
- The AUX/debug port allows raw access to the NIC's SRAM
- Download the frame to the NIC
- Find the frame in SRAM
- Request transmission
- Wait until the firmware modifies the frame
- Rewrite the frame via the AUX port
(Diagram: host interface to the NIC, AUX port, transmit queue, BAP, SRAM, transmit process; physical resources, virtualized firmware interface, radio modem interface)
26 Simulating the NAV Attack
- So how bad would the attack be?
- Simulated the NAV attack using NS2
- 18 users
- 1 access point
- 1 attacker
- 30 attack frames per second
- 32.767 ms duration per attack frame
27 NAV Attack Simulation
(Simulation plot)
28 Practical NAV Defense
- Legitimate duration values are relatively small
- Determine maximum reasonable NAV values for all frames
- Each node enforces this limit
- < 0.5 ms for all frames except ACK and CTS
- 3 ms for ACK and CTS
- Reran the simulation after adding the defense to the simulator
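The frame layout from slide 21 and the per-type duration caps from slide 28, worked together as an added Python example (not code from the paper or the presentation): build_header, parse_header, nav_reservation and audit are names chosen here, the sample frames are constructed to mirror the trace excerpt on slide 30, and clamping an over-long duration to the cap while flagging it is an assumption about how a node would "enforce the limit".

```python
import struct

# IEEE 802.11 Frame Control type/subtype values used below.
TYPE_CONTROL, TYPE_DATA = 1, 2
SUBTYPE_RTS, SUBTYPE_CTS, SUBTYPE_ACK = 0xB, 0xC, 0xD

# Caps from the slides' practical NAV defense, in microseconds:
# 0.5 ms for all frames except ACK and CTS, 3 ms for ACK and CTS.
NAV_CAP_US = 500
NAV_CAP_ACK_CTS_US = 3000


def build_header(ftype, subtype, duration_us, flags=0):
    """Constructed 4-byte 802.11 MAC header: Frame Control + Duration/ID, little-endian.
    Frame Control byte 0 = protocol version 0 | type << 2 | subtype << 4; byte 1 = flags."""
    fc = (flags << 8) | (subtype << 4) | (ftype << 2)
    return struct.pack("<HH", fc, duration_us)


def parse_header(frame):
    """Return (type, subtype, nav_duration_us) from the first 4 header bytes."""
    if len(frame) < 4:
        raise ValueError("frame too short for an 802.11 header")
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    # With bit 15 clear the field is a NAV duration of 0..32767 us (32.767 ms is what
    # the attacker's CTS frames carry). When set it is an AID or CFP marker, not a
    # reservation; this example simply makes no reservation for those (assumption).
    nav_us = dur_id & 0x7FFF if not dur_id & 0x8000 else 0
    return ftype, subtype, nav_us


def nav_reservation(frame):
    """Apply the slides' cap: return (microseconds to load into the NAV, suspicious).
    Assumed policy: a duration above the cap is clamped to the cap and flagged."""
    ftype, subtype, nav_us = parse_header(frame)
    ack_or_cts = ftype == TYPE_CONTROL and subtype in (SUBTYPE_CTS, SUBTYPE_ACK)
    cap = NAV_CAP_ACK_CTS_US if ack_or_cts else NAV_CAP_US
    return (cap, True) if nav_us > cap else (nav_us, False)


# Constructed frames modelled on the trace excerpt: a forged CTS reserving 32.767 ms,
# a TCP data frame reserving 0.258 ms, an ACK, and a forged RTS.
SAMPLE_FRAMES = [
    ("forged CTS", build_header(TYPE_CONTROL, SUBTYPE_CTS, 32767)),
    ("TCP data", build_header(TYPE_DATA, 0, 258)),
    ("ACK", build_header(TYPE_CONTROL, SUBTYPE_ACK, 0)),
    ("forged RTS", build_header(TYPE_CONTROL, SUBTYPE_RTS, 32767)),
]


def audit(frames=SAMPLE_FRAMES):
    """Run the cap over a frame list; returns the labels of the flagged frames."""
    return [label for label, frame in frames if nav_reservation(frame)[1]]
```

With the caps in place the forged CTS still reserves at most 3 ms, so 30 attack frames per second cost the channel about 90 ms of every second instead of almost all of it.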
29 Simulated NAV Defense
(Simulation plot)
30 Why the NAV Attack Doesn't Work
- Surprise: many vendors do not implement the 802.11 spec correctly
- The Duration field is not respected by other nodes
Excerpt from a NAV attack trace:
Time (s)   Source     Destination  Duration (ms)  Type
1.294020   e7001501                32.767         802.11 CTS
1.295192   93eae70f   93eaabdf     0.258          TCP Data
1.296540   93eae70f                0              802.11 Ack
1.297869   93eaabdf   93eae70f     0.258          TCP Data
31 Deauth Attack Results
(Results plot)
32 Practical Deauth Defense
- Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data
- Delay honoring a deauthentication request
- Small interval (5-10 seconds)
- If no other frames are received from the source, honor the request
- If the source sends other frames, discard the request
- Requires no protocol changes and is backwards compatible with existing hardware
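The delayed-honoring defense above, as an added Python example that is not the paper's or the presenter's code: DeferredDeauth, run_trace and the EVENTS trace are names and sample data constructed here, and the 5 s window is taken from the slide's 5-10 s interval.

```python
DEAUTH_DELAY_S = 5.0  # the slides' "small interval" of 5-10 seconds
LEAVE_FRAMES = ("deauth", "disassoc")


class DeferredDeauth:
    """Defer deauth/disassoc requests instead of honoring them on arrival: honor one
    only if its source stays silent for the whole delay; any other frame from that
    source inside the window proves it did not really leave, so the request is discarded."""

    def __init__(self, delay_s=DEAUTH_DELAY_S):
        self.delay_s = delay_s
        self.pending = {}     # source MAC -> time its leave request was received
        self.honored = []     # (time, source MAC) of requests acted upon
        self.discarded = []   # (time, source MAC) of requests rejected as spoofed

    def expire(self, now):
        """Honor every pending request whose silence window has fully elapsed."""
        for src, t0 in list(self.pending.items()):
            if now - t0 >= self.delay_s:
                del self.pending[src]
                self.honored.append((now, src))

    def on_frame(self, t, src, kind):
        self.expire(t)
        if kind in LEAVE_FRAMES:
            # Keep the earliest request; repeats from a flooding attacker do not restart the window.
            self.pending.setdefault(src, t)
        elif src in self.pending:
            # The source transmitted after "leaving": legitimate nodes never do this.
            del self.pending[src]
            self.discarded.append((t, src))


# Constructed frame sequence as the AP would see it: (time in s, source MAC, frame kind).
EVENTS = [
    (1.0, "00:11:22:33:44:aa", "deauth"),  # attacker spoofs client AA's address
    (1.3, "00:11:22:33:44:aa", "data"),    # real AA keeps talking: request discarded
    (2.0, "00:11:22:33:44:bb", "deauth"),  # client BB genuinely leaves and goes quiet
    (4.0, "00:11:22:33:44:aa", "deauth"),  # attacker tries AA again
    (4.2, "00:11:22:33:44:aa", "data"),
    (9.0, "00:11:22:33:44:cc", "data"),    # unrelated traffic; BB's window has closed
]


def run_trace(events=EVENTS, delay_s=DEAUTH_DELAY_S):
    """Replay a trace; returns (honored sources, discarded sources) in order."""
    ap = DeferredDeauth(delay_s)
    for t, src, kind in events:
        ap.on_frame(t, src, kind)
    ap.expire(events[-1][0] + delay_s)  # flush anything still pending at the end
    return [s for _, s in ap.honored], [s for _, s in ap.discarded]
```

The cost of the scheme is visible in the trace: a genuine leaver such as BB is only removed from the AP's tables once the window closes, which is why the slide keeps the interval small.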
33 Deauthentication Defense Results
(Results plot)
34 More Robust Defense
35 Defense in Depth
(Diagram: two stations presenting the same MAC address, 00-14-A4-2D-BE-1D, as seen by the AP. Received signal strength readings: -35 dBm, -36 dBm, -35 dBm, -18 dBm, -34 dBm; the -18 dBm reading stands out from the rest.)
36 Identity Theft (MAC Spoofing)
- Occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges
- Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can gain access to and use the network
37 Man-in-the-Middle Attacks
- The attacker entices computers to log into a computer that is set up as a soft AP
- The attacker connects to a real access point through another wireless card
- The attacker can then sniff the traffic
38 Caffe Latte Attack
- A way to defeat WEP
- By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client
- The client is sent a flood of encrypted ARP requests
- The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes
39 Conclusion
- The deauthentication attack is the most immediate concern
- Denial of Service attacks on 802.11 are very plausible with existing equipment
- Although this research paper was published in 2003, the threat remains for 802.11 networks
40 THANK YOU!