1
802.11 Denial-of-Service Attacks: Real
Vulnerabilities, Practical Solutions
  • Luat Vu
  • Alexander Alexandrov

2
802.11 Advantages
  • Free spectrum
  • Efficient channel coding
  • Cheap interface hardware
  • Easy to extend a network
  • Easy to deploy

3
802.11 Problems
  • Attractive targets for potential attacks
  • Flexible for an attacker to decide where and when
    to launch an attack
  • Difficult to locate the source of transmissions
  • Not easy to detect well-planned attacks
  • Vulnerabilities in the 802.11 MAC protocols

4
WEP
  • Wired Equivalency Protocol
  • Provide data privacy between 802.11 clients and
    access points
  • Rely on shared secret keys
  • Use challenge-response authentication protocol
  • Data packets are encrypted when transferred

5
WEP Vulnerabilities
  • Recurring weak keys
  • Secret key can be recovered
  • Under attack, network resources can be fully
    utilized and an attacker can monitor the traffic
    of other networks
  • WEP-protected frames can be modified, new frames
    can be injected, authentication frames can be
    spoofed all without knowing the shared secret key

6
802.11 MAC protocol
  • Designed to address problems specific to wireless
    networks
  • Have abilities to discover networks, join and
    leave networks, and coordinate access
  • Deauthentication/disassociation
  • Virtual carrier sense attacks
  • Authentication DoS attacks
  • Need new protocol to overcome current security
    problems

7
802.11 Frame Types
  • Management Frames
  • Authentication Frames
  • Deauthentication Frames
  • Association request Frames
  • Association response Frames
  • Reassociation request Frames
  • Reassociation response Frames
  • Disassociation Frames
  • Beacon Frames
  • Probe Request Frames
  • Probe Response Frames

8
802.11 Frame Types
  • Data Frames
  • Control Frames
  • Request to Send (RTS) Frame
  • Clear to Send (CTS) Frame
  • Acknowledgement (ACK) Frame
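The frame types listed on these two slides are all distinguished by the 2-byte Frame Control field at the start of every 802.11 frame. As an added example (not from the slides or the paper they summarize), here is a small parser for that header that also counts deauthentication and disassociation frames per claimed sender; both frame types are discussed later in the deck as unauthenticated. The two sample frames and their MAC addresses are constructed for this example.

```python
import struct
from collections import Counter

# Type/subtype names from the 802.11 Frame Control field (type field
# value -> name; management and control subtype values -> name).
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control, Duration/ID and the address fields of one
    802.11 frame (FCS already stripped). The frame body, e.g. the reason
    code of a deauthentication, is returned as raw bytes in 'body'."""
    if len(frame) < 10:
        raise ValueError("frame too short for an 802.11 header")
    fc, duration_id = struct.unpack_from("<HH", frame, 0)  # little-endian fields
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {
        "version": fc & 0x3,
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": subtype,
        "protected": bool(fc & 0x4000),  # Protected Frame flag (bit 14)
        # With bit 15 clear the field is a NAV reservation in microseconds;
        # otherwise it carries an association ID (PS-Poll), not a duration.
        "duration": None if duration_id & 0x8000 else duration_id,
    }
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, f"management-{subtype}")
    elif ftype == 1:
        info["subtype_name"] = CTRL_SUBTYPES.get(subtype, f"control-{subtype}")
    else:
        info["subtype_name"] = "data"
    # CTS and ACK carry only a receiver address, RTS adds the transmitter
    # address, and management/data frames carry three addresses.
    if ftype == 1:
        n_addr = 1 if subtype in (12, 13) else 2
    else:
        n_addr = 3
    end_of_addrs = 4 + 6 * n_addr
    if len(frame) < end_of_addrs:
        raise ValueError("frame truncated inside the address fields")
    info["addr"] = [mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(n_addr)]
    # Management and data frames also carry a 2-byte Sequence Control field.
    body_start = end_of_addrs + (0 if ftype == 1 else 2)
    info["body"] = frame[body_start:]
    return info


def teardown_counts(frames) -> Counter:
    """Count deauthentication and disassociation frames per claimed
    transmitter (Address 2). Neither frame is protected by any key
    material, so a burst of them is cheap to forge and worth alerting on."""
    counts = Counter()
    for frame in frames:
        h = parse_header(frame)
        if h["type"] == "management" and h["subtype"] in (10, 12):
            counts[h["addr"][1]] += 1
    return counts


# Constructed sample frames (locally administered MACs, not real devices).
CLIENT = bytes.fromhex("020000000001")
AP = bytes.fromhex("0200000000aa")
# Deauthentication: FC 0x00c0 (management, subtype 12), duration 314 us,
# addresses client/AP/AP, sequence control 0, reason code 7.
DEAUTH = (bytes.fromhex("c000") + (314).to_bytes(2, "little")
          + CLIENT + AP + AP + b"\x00\x00" + (7).to_bytes(2, "little"))
# CTS: FC 0x00c4 (control, subtype 12), duration 5000 us, receiver address only.
CTS = bytes.fromhex("c400") + (5000).to_bytes(2, "little") + CLIENT

if __name__ == "__main__":
    for f in (DEAUTH, CTS):
        print(parse_header(f))
    print(teardown_counts([DEAUTH, DEAUTH, CTS]))
```

Feeding captured frames from monitor mode into `teardown_counts` gives the simplest form of the monitoring-station view used later in the deck: the counter cannot tell a forged deauthentication from a real one, which is exactly the point of the slides that follow, but an unusual volume from one address is an easy thing to alert on.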

9
Deauthentication
  • A client must first authenticate itself to the AP
    before further communication
  • Clients and AP use messages to explicitly request
    deauthentication from each other
  • This message can be spoofed by an attacker
    because it is not authenticated by any key
    material

10
Deauthentication
11
Deauthentication
  • An attacker has a great flexibility in attacking
  • An attacker can pretend to be AP or the client
  • An attacker may elect to deny access to
    individual clients, or even rate-limit their
    access

12
Disassociation
  • A client may be authenticated with multiple APs
    at once
  • 802.11 standard provides a special association
    message to allow the client and AP to agree which
    AP will forward packets
  • 802.11 also provides a disassociation message;
    like the association frames, it is unauthenticated
  • An attacker can exploit this to launch an attack
    analogous to the deauthentication attack

13
Power Saving
  • To conserve energy, clients are allowed to enter
    a sleep state
  • The client has to announce its intention to the
    AP before going to a sleep state
  • AP will buffer any inbound traffic for the node
  • When the client wakes up, it will poll the AP for
    any pending traffic
  • By spoofing the polling message on behalf of the
    client, an attacker can cause the AP to discard
    the client's packets while it is asleep

14
Media Access Vulnerabilities
  • Short Interframe Space (SIFS)
  • Distributed Coordination Function Interframe
    Space (DIFS)
  • Before any frame can be sent, the sending radio
    must observe a quiet medium for one of the
    defined window periods
  • SIFS window is used for frames as part of
    preexisting frame exchange
  • DIFS window is used for nodes wishing to initiate
    a new frame exchange

15
Media Access Vulnerabilities
  • To avoid all nodes transmitting immediately after
    the DIFS expires, the time after the DIFS is
    subdivided into slots
  • Each time slot is picked randomly and with equal
    probability by a node to start transmitting
  • If a collision occurs, a sender uses a random
    exponential backoff algorithm before
    retransmitting
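The slot selection and exponential backoff described above can be simulated in a few lines. The following is an added example (not from the slides) of the DCF contention rule: every node draws a slot uniformly from its contention window, the lowest slot wins, ties are collisions, and colliding nodes roughly double their window up to a maximum. The slot time and window sizes are 802.11b values assumed for the simulation.

```python
import random

# 802.11b values, assumed here as parameters of the simulation.
SLOT_US = 20           # slot time in microseconds
CW_MIN, CW_MAX = 31, 1023


def next_cw(cw: int) -> int:
    """Binary exponential backoff: the contention window roughly doubles
    after each collision (31 -> 63 -> 127 ...) until it reaches CW_MAX."""
    return min(2 * cw + 1, CW_MAX)


def contend(n_nodes: int, rounds: int, seed: int = 0) -> dict:
    """Simulate `rounds` contention periods after DIFS. Every node with a
    frame draws a slot uniformly from [0, cw]; the lowest slot transmits
    first. Equal lowest slots are a collision and those nodes back off."""
    rng = random.Random(seed)
    cws = [CW_MIN] * n_nodes
    stats = {"successes": 0, "collisions": 0, "idle_slots": 0}
    for _ in range(rounds):
        slots = [rng.randint(0, cw) for cw in cws]
        first = min(slots)
        stats["idle_slots"] += first   # slots that elapse before anyone sends
        winners = [i for i, s in enumerate(slots) if s == first]
        if len(winners) == 1:
            stats["successes"] += 1
            cws[winners[0]] = CW_MIN    # successful sender resets its window
        else:
            stats["collisions"] += 1
            for i in winners:
                cws[i] = next_cw(cws[i])
    stats["idle_time_us"] = stats["idle_slots"] * SLOT_US
    return stats


if __name__ == "__main__":
    for n in (2, 5, 10):
        print(n, "nodes:", contend(n, 1000, seed=1))
```

Running it with more nodes shows the collision rate climbing and the windows growing, which is the behaviour the protocol relies on: a node that does not wait for its slot, as on the next slides, takes the medium from everyone who does.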

16
Media Access Vulnerabilities
17
Media Access Vulnerabilities
  • A SIFS period is 20 microseconds
  • An attacker can monopolize the channel by sending
    a short signal before the end of every SIFS
    period
  • This attack is highly effective but requires
    considerable effort.

18
Media Access Vulnerabilities
  • The Duration field is another serious
    vulnerability.
  • The Duration field indicates the number of
    microseconds for which the channel is reserved.
  • It is used to implement the Network Allocation
    Vector (NAV)
  • The NAV is used in the RTS/CTS handshake

19
802.11 Attack Infrastructure
  • It seems all 802.11 NICs are inherently able to
    generate arbitrary frames
  • In practice devices implement key MAC functions
    in firmware to moderate access
  • Could use undocumented modes of operation such as
    HostAP and HostBSS
  • Choice Microsystems AUX Port used for debugging

20
802.11 Attack Infrastructure
21
802.11 Deauthentication Attack
  • Deauthentication Attack Implementation
  • 1 attacker, 1 access point, 1 monitoring station,
    4 legitimate clients

22
Deauthentication Attack Solution
  • All 4 clients gave up connecting
  • Could be solved by authenticating management
    frames, but that is expensive
  • Practical solution: queue deauthentication
    requests for 5-10 seconds; if no subsequent
    traffic arrives, drop the connection. Requires
    only a firmware modification
  • Solves the problem, however it introduces a new
    one
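The queuing rule on this slide is simple enough to state as a small state machine. The following is an added example (not the authors' firmware modification) of an access point that defers a deauthentication for a grace period and cancels it if the client keeps sending; the 5-second grace value and the timeline in `run_scenario` are assumptions of the example.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 5.0   # slide suggests 5-10 s; 5 s assumed here


@dataclass
class DelayedDeauthAP:
    """Access point that defers deauthentication instead of acting on it
    immediately. Deauth frames carry no key material, so a request is
    only honoured if the client really goes quiet afterwards."""
    grace: float = GRACE_SECONDS
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # client -> deadline
    log: list = field(default_factory=list)

    def associate(self, client: str) -> None:
        self.associated.add(client)

    def on_deauth(self, client: str, now: float) -> None:
        """Queue the request; do not tear down the association yet."""
        if client in self.associated and client not in self.pending:
            self.pending[client] = now + self.grace

    def on_data(self, client: str, now: float) -> None:
        """Traffic from a client with a queued deauth means it never left:
        the queued request was almost certainly spoofed, so drop it."""
        if self.pending.pop(client, None) is not None:
            self.log.append(("spoofed-deauth-ignored", client, now))
        self.tick(now)

    def tick(self, now: float) -> None:
        """Honour queued requests whose grace period passed in silence."""
        for client, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[client]
                self.associated.discard(client)
                self.log.append(("deauth-honoured", client, now))


def run_scenario() -> tuple:
    """Constructed timeline: a forged deauth at t=0, the real client keeps
    talking at t=1, then a genuine deauth at t=10 followed by silence."""
    ap = DelayedDeauthAP()
    ap.associate("client-A")
    ap.on_deauth("client-A", now=0.0)      # forged by a third party
    ap.on_data("client-A", now=1.0)        # client still active
    survived_forgery = "client-A" in ap.associated
    ap.on_deauth("client-A", now=10.0)     # genuine leave
    ap.tick(now=16.0)                      # 6 s of silence > grace
    return survived_forgery, "client-A" in ap.associated, ap.log


if __name__ == "__main__":
    print(run_scenario())
```

The rule is deliberately conservative: any data frame from the client cancels the queued request, so a forged deauthentication costs the client nothing as long as it keeps talking. The same property is what creates the roaming problem on the next slide, since traffic sent in the client's name keeps the old association alive too.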

23
Problems with this solution
  • When a mobile client roams, which AP should
    receive packets destined for the client?
  • An adversary can keep a connection open to the
    old AP by continuously sending packets
  • Intelligent and dumb infrastructures
  • Easy to solve for intelligent, more problematic
    for dumb infrastructures

24
802.11 Virtual Carrier-sense attack
  • Virtual carrier-sense attack
  • Current 802.11 devices do not properly follow the
    specification

25
NS-2 Attack Simulation
  • Assuming this bug will be fixed, simulate the
    attack in ns-2
  • 18 static client nodes, 1 static attacker node
    sending arbitrary duration values 30 times a
    second
  • The channel is completely blocked; this is much
    harder to defend against than the
    deauthentication attack

26
Simulation Results
  • Solution: low and high caps on the CTS duration
    value

27
Still not perfect
  • By increasing the attacker's frequency to 90
    packets per second, the network could still be
    shut down

28
Virtual Carrier-sense attack solution
  • Solution: abandon portions of the standard
    802.11 MAC functionality
  • Four key frames contain duration values:
    ACK, data, RTS, CTS
  • Stop fragmentation: no need for ACK and data
    duration values.
  • Only the RTS-CTS-data sequence is valid
  • A lone CTS is either unsolicited or the observing
    node is a hidden terminal; solution: each node
    independently ignores lone CTS packets
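The rules from this slide and the capped-duration solution of slide 26 can be combined in one per-node NAV tracker. The following is an added example (not the authors' ns-2 model) of a node that caps every reservation, ignores a CTS that no recent RTS solicited, and ignores the duration field of data and ACK frames. The cap value, the RTS-to-CTS window, the frame representation and the sample trace are assumptions of the example; it also applies the cap to RTS durations, which the slide does not state.

```python
from collections import deque

NAV_CAP_US = 3_000         # assumed high cap: longest legitimate reservation
RTS_CTS_WINDOW_US = 100    # assumed: how soon a CTS must follow its RTS


class NavTracker:
    """One node's Network Allocation Vector with the slide's stop-gap
    rules: cap reservations, ignore lone CTS frames, ignore the duration
    field of data and ACK frames (no fragmentation)."""

    def __init__(self, cap_us: int = NAV_CAP_US, window_us: int = RTS_CTS_WINDOW_US):
        self.cap = cap_us
        self.window = window_us
        self.nav_until = 0          # time (us) until which the medium is reserved
        self.recent_rts = deque()   # (time, transmitter) of overheard RTS frames
        self.ignored = []           # frames whose duration was not applied

    def _reserve(self, now: int, duration: int) -> None:
        capped = min(max(duration, 0), self.cap)   # low cap 0, high cap NAV_CAP_US
        self.nav_until = max(self.nav_until, now + capped)

    def observe(self, now: int, frame: dict) -> None:
        kind = frame["kind"]
        if kind == "RTS":
            self.recent_rts.append((now, frame["ta"]))
            self._reserve(now, frame["duration"])
        elif kind == "CTS":
            # Forget RTS frames too old to be answered by this CTS.
            while self.recent_rts and now - self.recent_rts[0][0] > self.window:
                self.recent_rts.popleft()
            # A CTS is solicited if we recently heard an RTS from the station
            # it addresses; otherwise it is a lone CTS and is ignored.
            if any(ta == frame["ra"] for _, ta in self.recent_rts):
                self._reserve(now, frame["duration"])
            else:
                self.ignored.append((now, kind, frame["duration"]))
        else:
            # Data and ACK: with fragmentation disabled their duration field
            # adds nothing beyond what RTS/CTS already reserved.
            self.ignored.append((now, kind, frame["duration"]))

    def medium_busy(self, now: int) -> bool:
        return now < self.nav_until


def run_scenario() -> tuple:
    """Constructed trace: a lone CTS with the maximum duration, then a real
    RTS/CTS exchange whose oversized durations are capped, then a data
    frame whose duration is ignored."""
    node = NavTracker()
    node.observe(0, {"kind": "CTS", "ra": "02:00:00:00:00:ff", "duration": 32767})
    busy_after_lone_cts = node.medium_busy(1)
    node.observe(100, {"kind": "RTS", "ta": "02:00:00:00:00:01",
                       "ra": "02:00:00:00:00:aa", "duration": 32767})
    node.observe(150, {"kind": "CTS", "ra": "02:00:00:00:00:01", "duration": 32700})
    node.observe(200, {"kind": "data", "duration": 32767})
    return busy_after_lone_cts, node.nav_until, len(node.ignored)


if __name__ == "__main__":
    print(run_scenario())
```

The cost the slide mentions is visible in the code: a node that only hears the CTS because it is a hidden terminal now ignores a legitimate reservation, and a forged RTS still buys the attacker up to the cap each time, which is why the next slide reports a residual bandwidth loss.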

29
Still suboptimal
  • Still not perfect: at threshold 30, the
    attacker can still lower the available bandwidth
    by 1/3.
  • Best solution: explicit authentication of 802.11
    control packets.
  • Requires fresh cryptographically signed copy of
    the originating RTS
  • Significant alteration to 802.11 standards,
    benefit/cost ratio not clear

30
Related Work Launching and Detecting Jamming
Attacks in 802.11
  • Jamming: emitting radio signals that do not
    follow the 802.11 MAC protocol
  • Measured by PSR (packet send ratio) and PDR
    (packet delivery ratio)
  • Four attacking models: constant, deceptive,
    random, reactive jammer

31
Effectiveness of Jamming Attacks
32
Basic Statistics for Detecting Jamming
  • Signal strength
  • Either a basic average or spectral discrimination
    of signal strength; both are unreliable

33
Basic Statistics for Detecting Jamming
  • Carrier sensing time
  • However, one has to differentiate between
    congestion and jamming
  • With a PDR of 75%, 60 ms was determined to be the
    optimal threshold for 99% confidence
  • Still detects only constant and deceptive jammers
  • Packet delivery ratio: effective for all
    jammers, but still cannot differentiate between
    jamming and other network dynamics, like the
    sender running out of battery power
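The two statistics on these slides, carrier sensing time and packet delivery ratio, are easy to compute from per-window counters, and putting them side by side shows why neither is sufficient alone. The following is an added example (not the detector from the cited paper) that uses the 60 ms and 75% thresholds from the slide; the rule for combining the two statistics and the four sample measurement windows are constructed for this example.

```python
from statistics import mean

PDR_THRESHOLD = 0.75          # slide: PDR of 75%
CS_TIME_THRESHOLD_MS = 60.0   # slide: 60 ms threshold at 99% confidence


def packet_delivery_ratio(sent: int, delivered: int) -> float:
    """PDR = fraction of transmitted packets that were delivered."""
    return delivered / sent if sent else 0.0


def carrier_sensing_stats(cs_times_ms) -> dict:
    """Longest and mean time the sender waited for a free medium."""
    if not cs_times_ms:
        return {"max": 0.0, "mean": 0.0}
    return {"max": max(cs_times_ms), "mean": mean(cs_times_ms)}


def classify(window: dict) -> str:
    """Combine both statistics for one measurement window. The combination
    rule is an assumption of this example: a busy medium with no delivery
    points at a constant/deceptive jammer, a busy medium with delivery at
    congestion, and a free medium with no delivery is ambiguous (random or
    reactive jammer, or a sender that simply stopped)."""
    pdr = packet_delivery_ratio(window["sent"], window["delivered"])
    cs_max = carrier_sensing_stats(window["cs_times_ms"])["max"]
    low_pdr = pdr < PDR_THRESHOLD
    long_cs = cs_max > CS_TIME_THRESHOLD_MS
    if low_pdr and long_cs:
        return "jamming-constant-or-deceptive"
    if long_cs:
        return "congestion"
    if low_pdr:
        return "low-pdr-ambiguous"
    return "normal"


# Constructed measurement windows: packets sent/delivered and the carrier
# sensing times (ms) observed for a few of the sends.
SAMPLE_WINDOWS = {
    "quiet": {"sent": 100, "delivered": 98, "cs_times_ms": [1.2, 0.8, 2.5]},
    "constant_jammer": {"sent": 100, "delivered": 3, "cs_times_ms": [85.0, 140.0, 310.0]},
    "reactive_jammer": {"sent": 100, "delivered": 12, "cs_times_ms": [1.0, 1.4, 0.9]},
    "congested": {"sent": 100, "delivered": 88, "cs_times_ms": [45.0, 72.0, 66.0]},
}


def classify_all(windows=SAMPLE_WINDOWS) -> dict:
    return {name: classify(w) for name, w in windows.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16s} -> {verdict}")
```

The "low-pdr-ambiguous" verdict is the slide's last bullet in code form: a reactive jammer and a sender whose battery died look identical to these two statistics, so a real detector needs a third signal (the cited work uses signal strength consistency checks) before it raises a jamming alert.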

34
Conclusions
  • Wireless networks are popular due to convenience,
    but confidentiality and availability are critical
  • Arbitrary 802.11 frames can be easily sent using
    commodity hardware
  • Deauthentication attacks are effective today;
    virtual carrier-sense attacks will be once devices
    follow the specification.
  • Simple stop-gap solutions can be applied with low
    overhead on existing hardware.

35
Thank you!
  • Any questions?