802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions

1
802.11 Denial-of-Service Attacks Real
Vulnerabilities and Practical Solutions

• John Bellardo and Stefan Savage
• Department of Computer Science and Engineering
• University of California, San Diego
• Presented By Devon Callahan

2
Outline

• Introduction to 802.11and Motivation
• Related Work
• Vulnerabilities of 802.11
• Practical Attacks and Defenses
• Experimental Results
• Conclusions
• Final Thoughts

3
Introduction

• 802.11 networks are everywhere
• Usually network clients are in a star topology
  with the Access point
• 802.11 b and g are most popular
• With such high dependency on 802.11 are there
  vulnerabilities...

4
Related Work

• Most of the work has focused on the
  confidentiality
• weakness in security of 802.11( WEP and WPA)
• What about availability?
• Lough identified vulnerabilities of
  MAC(disassociation, deauthentication, virtual
  carrier sensing) but did not validate

5
Related work (cont)

• Faria, and Cheriton identified problems posed by
  Authentication DoS attacks and purpose new
  authentication framework (not very light weight)
• AirJack, Omerta, void11, Radiate all wireless
  tools from early 2000's
• Some general 802.11 DoS attacks based on resource
  consumption(frame rate control)

6
Vulnerabilities of 802.11

• Denial of Service the act of denying a computer
  user of a particular service
• Typically flood a client with more traffic than
  it can handle
• 802.11 more vulnerable than 802.3 because of the
  shared medium 2.4Ghz

7
Denial of Service on Wireless

• The attacker wants to disrupt and deny access to
  services by legitimate users
• Two main types of DoS in 802.11
• RF Attacks or Jamming the wireless spectrum-
  disruption occurs when signal-to-noise ratio
  reaches certain level
• Protocol based attacking- the higher layers of
  communication which are easier (Identity and
  Media-access control)

8
Identity Vulnerabilities

• A result of the trust placed in a speakers
  source address
• 802.11 nodes are identified at MAC layer by
  unique address as wired nodes are.
• Frames are not authenticated, meaning an attacker
  can change his MAC address and spoof other nodes
  (similar to what is done in ARP spoofing)
• Leads to 3 kinds of attacks
• Disassociation attack
• Deauthentication attack
• Power saving mode attack

9
Disassociation

• A client can authenticate with multiple APs but
  associate with one in order to allow the correct
  AP to forward packets
• Association frames are unauthenticated
• 802.11 provides a disassociation message similar
  to the deauth message
• Vulnerability is spoofed message causing the AP
  to disassociate the client

10
Disassociation Attack
AP
11
Deauthentication Attack

• Authentication Procedure
• After selecting an AP for communication, clients
  must authenticate themselves to the AP with their
  MAC address
• Part of Authentication framework is a message
  allowing clients to explicitly deauthenticate
  from the AP
• Vulnerability
• An attacker can spoof the deauthentication
  message causing the communication between AP and
  client to suspend, causing a DoS
• Result
• Client must re-authenticate to resume
  communication with AP

12
Deauthentication Attack
AP
13
Deauthentication Attack (Cont.)

• By repeating attack, client can be kept from
  transmitting or receiving data indefinitely
• Attack can be executed on individual client or
  all clients
• Individual Clients
• Attacker spoofs clients address telling AP to
  deauthenticate them
• All Clients
• Attacker spoofs AP telling all clients to
  deauthenticate

14
Deauthentication or Disassociation?

• Deauthentication requires a RTT of 2 in order to
  resume communication
• Disassociation requires a RTT of 1 in order to
  resume communication
• Because it requires less work for the attacker
  Deauthentication is the more effective attack

15
Power Saving in 802.11

• Nodes sleep to conserve energy
• AP will buffer clients packets until requested
  with a poll message
• TIM (traffic indication map) is a periodic packet
  sent by AP to notify client of buffered data
• Relies on sync of packets so client is awake when
  the TIM is sent

16
Attacks on Power Saving

• Attacker can spoof on behalf of AP the TIM
  message
• Client could think there is no data and go back
  to sleep
• Attacker forge management sync packets
• Cause client to fall out of sync with AP
• Attacker spoof on behalf of the client
• AP sends data while client is sleeping

17
Media Access Vulnerabilities

• Avoid collisions at all costs!!! Is the Attitude
• CSMA/CA stands for Carrier Sense Multiple Access
  with Collision Avoidance
• SIFS-time before preexisting frame exchange can
  occur(ACK)

18
Media Access Vulnerabilities(cont)

• DIFS-time used for nodes initiating new traffic
• Nodes will transmit randomly after the DIFS
• Attacker can send signal before every SIFS slot
  to clog the channel
• Requires 50,000 pps to shut down channel

19
More serious is RTS/CTS

• In order to avoid a hidden terminal

20
Virtual Carrier Sense

• Mechanism needed in preventing collision from two
  clients not hearing each other (hidden terminal
  problem)
• RTS/CTS
• A client wanting to transmit a packet first sends
  a RTS (Request to Send)
• RTS includes source, destination, and duration
• A client will respond with a CTS (Clear to Send)
  packet

21
NAV Vulnerability
2
6
6
6
6
6
0-2312
2
2
Frm Ctl
Duration
Addr1
Addr2
Addr3
Seq Ctl
Addr4
Data
FCS
802.11 General Frame Format

• Virtual carrier sense allows a node to reserve
  the radio channel
• Each frame contains a duration value
• Indicates of microseconds channel is reserved
• Tracked per-node Network Allocation Vector (NAV)
• Used by RTS/CTS
• Nodes only allowed to xmit if NAV reaches 0

22
Simple NAV AttackForge packets with large
Duration
Attacker
Access Point and Node 2 cant xmit (but Node 1
can)
Access Point
Node 1
Node 2
23
Extending NAV Attack w/RTS
Attacker
AP and both nodes barredfrom transmitting
Access Point
Node 2
Node 1
24
Practical Attacks and Defenses

• Authors were able to implement these attacks with
  current software and hardware
• IPAQ running Linux with DLINK PCMCIA card
• Built app that monitors wireless channels for AP
  and clients
• Once identified by MAC a DNS resolver and dsnif
  are used to obtain better identifiers(userids)

25
How to Generate Arbitrary 802.11 Frames?
Host Interface to NIC

• Key idea
• AUX/Debug Port allows
• Raw access to NIC SRAM
• Download frame to NIC
• Find frame in SRAM
• Request transmission
• Wait until firmware modifies frame
• Rewrite frame via AUX port

AUX Port
Xmit Q
BAP
SRAM
Xmit process
Physical resources
Virtualized firmware interface
Radio Modem Interface
26
Simulating the NAV attack

• So how bad would the attack be?
• Simulated NAV attack using NS2
• 18 Users
• 1 Access Point
• 1 Attacker
• 30 attack frames per second
• 32.767 ms duration per attack frame

27
NAV Attack Simulation
28
Practical NAV Defense

• Legitimate duration values are relatively small
• Determine maximum reasonable NAV values for all
  frames
• Each node enforces this limit
• lt .5 ms for all frames except ACK and CTS
• 3 ms for ACK and CTS
• Reran the simulation after adding defense to the
  simulator

29
Simulated NAV Defense
30
Why the NAV attack doesnt work

• Surprise many vendors do not implement the
  802.11 spec correctly
• Duration field not respected by other nodes

Time (s) Source Destination Duration (ms) Type
1.294020 e7001501 32.767 802.11 CTS
1.295192 93eae70f 93eaabdf 0.258 TCP Data
1.296540 93eae70f 0 802.11 Ack
1.297869 93eaabdf 93eae70f 0.258 TCP Data
Excerpt from a NAV Attack Trace
31
Deauth Attack Results
32
Practical Deauth Defense

• Based on the observed behavior that legitimate
  nodes do not deauthenticate themselves and then
  send data
• Delay honoring Deauthentication request
• Small interval (5-10 seconds)
• If no other frames received from source then
  honor request
• If source sends other frames then discard request
• Requires no protocol changes and is backwards
  compatible with existing hardware

33
Deauthentication Defense Results
34
More Robust Defense
35
Defense in Depth
MAC 00-14-A4-2D-BE-1D
MAC 00-14-A4-2D-BE-1D
AP
RSS -35 dBm
RSS -36 dBm
RSS -35 dBm
RSS -18 dBm
RSS -34 dBm
36
Identity theft (MAC spoofing)

• occurs when a cracker is able to listen in on
  network traffic and identify the MAC address of a
  computer with network privileges
• Most wireless systems allow some kind of MAC
  filtering to only allow authorized computers with
  specific MAC IDs to gain access and utilize the
  network.

37
Man-in-the-middle attacks

• attacker entices computers to log into a computer
  which is set up as a soft AP
• hacker connects to a real access point through
  another wireless card
• The hacker can then sniff the traffic

38
Caffe Latte attack

• Way to defeat WEP
• By using a process that targets the Windows
  wireless stack, it is possible to obtain the WEP
  key from a remote client
• By sending a flood of encrypted ARP requests
• Attacker uses the ARP responses to obtain the WEP
  key in less than 6 minutes

39
Conclusion

• Deauthentication attack is most immediate concern
• Denial of Service Attacks in 802.11 are very
  plausible with existing equipment
• Although this research paper was published in
  2003 the threat remains for 802.11 networks

40
THANK YOU!

• Questions?