
“802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”

Natalie Podrazik, April 19, 2006, natalie2@umbc.edu. Overview: What is 802.11; 802.11 Vulnerabilities (Identity, MAC Layer); Experiment (Tools and Modifications, Results); Conclusions; Relevancy to E-Voting Project.





Presentation Transcript


  1. “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”
     Natalie Podrazik, April 19, 2006, natalie2@umbc.edu
     Natalie Podrazik – CS 491V – natalie2@umbc.edu

  2. Overview
     • What is 802.11
     • 802.11 Vulnerabilities
       • Identity
       • MAC Layer
     • Experiment
       • Tools and Modifications
       • Results
     • Conclusions
     • Relevancy to E-Voting Project

  3. What is 802.11?
     • IEEE wireless internet standard
     • 802.11b, 802.11a, 802.11g flavors
     • Popular
     • Cheap
     • Easy to set up and maintain
     • Operates on the 2.4 GHz band

  4. How does 802.11 work?
     (Diagram: Access Point, Name: AccessPoint00; Client, Name: ABCDEFGHIJKL)
     • Authentication Request & Response
     • Association Request & Response
     • Data Payload
     • Acknowledgements
     • Deauthentication Request & Response

  5. Vulnerabilities
     1. Identity
        • Use of MAC frames with sender and receiver
     2. MAC Layer
        • Use of MAC frames to avoid collisions
     (Diagram: Spoofing: Client, Name: MNOPQRSTUVWX says “Hi, I’m ABCDEFGHIJKL...”; Stalling: Frame To: AccessPoint00, From: MNOPQRSTUVWX, Duration: 100 μs)

  6. Spoof Attack 1: Deauthentication
     (Diagram: Access Point, Name: AccessPoint00; Client, Name: ABCDEFGHIJKL; Attacker, Name: MNOPQRSTUVWX)
     • Authentication Request & Response
     • Association Request & Response
     • Deauthentication Request (sent by the attacker)
     • Data Payload (x: blocked)
     • Deauthentication Response

  7. Approaches to Deauthentication
     • Spoof client or Access Point
     (Diagram: MAC Frame To: AccessPoint00, From: ABCDEFGHIJKL, Msg: DEAUTH; MAC Frame To: ABCDEFGHIJKL, From: AccessPoint00, Msg: DEAUTH; Access Point, Name: AccessPoint00; Client, Name: ABCDEFGHIJKL; Attacker, Name: MNOPQRSTUVWX)

  8. Strength of Deauthentication Attack
     • Client must re-establish connection
     • Prevention of sending or receiving any data
     • Possibilities
       • Forbid or limit access to certain clients
       • Block entire access point
     • More work for attacker
       • Clean attacks: new auths
       • No escape for client to other APs

  9. Spoof Attack 2: Disassociation
     (Diagram: Access Point, Name: AccessPoint00; Client, Name: ABCDEFGHIJKL; Attacker, Name: MNOPQRSTUVWX)
     • Authentication Request & Response
     • Association Request & Response
     • Disassociation Request (sent by the attacker)
     • Data Payload (x: blocked)
     • Deauthentication Response

  10. Evaluation of Disassociation Attack
     • Similar to deauthentication
     • Less efficient
     • Deauthentication forces the client to do more work: re-establish authentication + association
     • Disassociation only forces the client to re-establish association, not authentication.
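A passive monitor can notice the deauthentication and disassociation spoofing of slides 6 to 10 without verifying any frame: a spoofed flood looks like the AP disconnecting the same client many times a second, so counting disconnect frames per claimed source in a sliding window is enough to raise an alert. The Python below is an added example written for this page, not code from the presentation or from the Bellardo and Savage paper; the frame list, the 1 s window and the threshold of 5 are constructed and assumed.

```python
from collections import defaultdict, deque

# Constructed sample of frames as a passive monitor would log them:
# (time in seconds, subtype, source address, destination address).
# A spoofed deauth carries the AP's own address as source, so the signal is not
# a new sender but the AP "disconnecting" the same client many times a second.
AP, CLIENT = "AccessPoint00", "ABCDEFGHIJKL"
SAMPLE_FRAMES = [
    (0.00, "ASSOC_RESP", AP, CLIENT),
    (0.50, "DATA", CLIENT, AP),
    (1.00, "DEAUTH", AP, CLIENT),        # one genuine deauth, e.g. an idle timeout
    (2.00, "ASSOC_RESP", AP, CLIENT),
] + [
    (5.0 + i * 0.02, "DEAUTH", AP, CLIENT) for i in range(10)   # spoofed burst
]

DISCONNECT_SUBTYPES = {"DEAUTH", "DISASSOC"}

def detect_disconnect_floods(frames, window=1.0, threshold=5):
    """Return (time, src, count) alerts whenever more than `threshold`
    DEAUTH/DISASSOC frames with the same source address fall inside any
    `window`-second interval. `frames` must be in time order."""
    recent = defaultdict(deque)   # src -> timestamps of its recent disconnect frames
    alerted_until = {}            # src -> suppress repeat alerts until this time
    alerts = []
    for ts, subtype, src, _dst in frames:
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) > threshold and ts >= alerted_until.get(src, 0.0):
            alerts.append((ts, src, len(q)))
            alerted_until[src] = ts + window   # at most one alert per window per source
    return alerts

if __name__ == "__main__":
    for ts, src, n in detect_disconnect_floods(SAMPLE_FRAMES):
        print(f"t={ts:.2f}s: {n} deauth/disassoc frames from {src} within 1 s")
```

The single genuine deauth at t=1 s never trips the threshold; the burst does on its sixth frame, and later frames in the same window are folded into that one alert.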

  11. Spoof Attack #3: While you were sleeping...
     • Power-saving techniques allow clients to go to sleep
     (Diagram: Access Point, Name: AccessPoint00 with beacon slots 0 1 2 3 4 5 6 7; Client, Name: ABCDEFGHIJKL: “I’m going to sleep zzzzz”; Access Point: “Ok, I’ll take your messages.”; Client: “I’m awake. Any messages?”)

  12. Spoofing the Polling Message
     (Diagram: Access Point, Name: AccessPoint00 with beacon slots 0 1 2 3 4 5 6 7; Attacker, Name: MNOPQRSTUVWX: “I’m ABCDEFGHIJKL, and I’m awake.” while Client, Name: ABCDEFGHIJKL sleeps (zzzzz); when the client later asks “I’m awake. Any messages?” the Access Point answers “Nope.”; x: buffered messages lost)

  13. TIM Packets
     • Traffic Indication Map
     • Spoof broadcast of TIM
     (Diagram: Access Point, Name: AccessPoint00 broadcasts TIM: “No pending messages for ABCDEFGHIJKL”; Client, Name: ABCDEFGHIJKL stays asleep (zzzzz); beacon slots 0 1 2 3 4 5 6 7)

  14. Timing
     • Waking up timing relies on:
       • Period of TIM packets
       • Timestamp broadcast from access point
       • Both are sent in the clear
     • Attack:
       • Get client out of sync
       • Wake up at the wrong times

  15. MAC Vulnerabilities
     (Diagram: MAC Frame To: AccessPoint00, From: ABCDEFGHIJKL, Window: DIFS)
     • Access to MAC divided into windows
       • Short InterFrame Space (SIFS): for already connected exchanges
       • Distributed Coordination Function InterFrame Space (DIFS): to initiate new frames
     • Sender specifies which window
     • No immediate ACK = collision
     • Random exponential backoff algorithm

  16. MAC Attack #1: Waiting to Transmit
     • Every transmitting node has to wait at least 1 SIFS interval
     • Attack: send a short message before the end of each SIFS interval
     • Unlikely in practice: SIFS period = 20 μs, so many packets per second would have to be sent
     (Diagram: 1 SIFS interval (20 μs); Backoff)

  17. MAC Attack #2: Duration
     (Diagram: MAC Frame To: AccessPoint00, From: MNOPQRSTUVWX, Duration: 32767 μs)
     • Every 802.11 frame has a duration field
     • How many μs the channel will be reserved
     • Used to set up the Network Allocation Vector (NAV)
     • Nodes can only transmit when NAV == 0

  18. Duration Attacks
     • Possible to use almost any frame to control NAV
       • ACK
       • RTS (Request To Send) / CTS (Clear To Send)
     • Attacker uses few resources
       • Transmit ~30 times / second to jam channel
       • Little power used
       • Use of a directional antenna

  19. Experiment
     • Challenge:
       • Modifying MAC frames to spoof sender address
       • Generating arbitrary control frames
     • Solution:
       • Tweak “Buffer Access Path” firmware and Aux-Port
       • Intervenes between the NIC’s passing of packets to hardware
       • Attacks via OTS (off-the-shelf) hardware

  20. Attacker
     • iPAQ H3600 with D-Link DWL-650 card
     • Linux
     • Weighs 375 g (~12 oz)
     • Easily fits in a coat pocket
     • Listening application
       • Clients identified by MAC addresses
       • DNS resolver used

  21. Experiments
     (Diagram: Attacker; Monitoring Station; Client (Windows XP); Client (MacOS X); Access Point (Linux HostAP); Client (Linux Thinkpad); Client (Linux iPaq))

  22. Attack #1: Deauth Against One
     (Diagram: Attacker; Monitoring Station; Client (MacOS X); Access Point (Linux HostAP); Client (Linux Thinkpad); Client (Linux iPaq))

  23. Single Client Attack
     • Transfer immediately halted
     • Attack lasted for < 10 sec
     • Rate of transfer wasn’t up to par for more than a minute
     (Diagram: Recovery)

  24. Attack #2: Deauth Against All
     (Diagram: Attacker; Monitoring Station; Client (MacOS X); Access Point (Linux HostAP); Client (Linux Thinkpad); Client (Linux iPaq))

  25. Attack Against All Clients
     • Windows XP can still send a little bit
     • Packets not from that session: underlying UDP packets from another XP service

  26. MAC Attack
     (Diagram: Attacker; Monitoring Station; Access Point)
     • Plays by timing rules but sets large durations
     • Sends packets out 30 times per second
     • Ignores all duration values from any other node
     • 18 client nodes in this experiment

  27. Results of MAC Attack
     • Channel is completely blocked for the duration of the attack
     • Similar results with ACK and RTS/CTS frames

  28. Defenses to MAC Attack
     • Cap on duration values
     • Sending 90 packets per second brought network down
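The duration field of slides 17 and 18 and the “cap on duration values” defense of slide 28, as an added Python example that is not code from the presentation or from the Bellardo and Savage paper: it decodes the Duration/ID field of constructed control frames and keeps a NAV both for a stock node, which honours every value, and for a node that refuses to reserve the channel for values above a per-frame-type ceiling. The ceilings in CAP, the sample frames and the address are assumed for illustration.

```python
import struct

# Minimal decoder for the 802.11 header fields the NAV needs: Frame Control
# (2 bytes), Duration/ID (2 bytes, little-endian) and Address 1 (6 bytes).
FRAME_TYPES = {(1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK", (2, 0): "DATA"}

def parse_header(frame):
    fc, dur_id = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    # Bit 15 set means the field carries an association ID (PS-Poll), not a duration.
    duration = None if dur_id & 0x8000 else dur_id & 0x7FFF
    kind = FRAME_TYPES.get((ftype, subtype), f"type{ftype}/subtype{subtype}")
    return kind, duration, frame[4:10].hex(":")

def build(kind, duration, addr1=bytes.fromhex("001122334455")):
    """Constructed frames for the demo, not captured traffic."""
    ftype, subtype = {v: k for k, v in FRAME_TYPES.items()}[kind]
    return struct.pack("<HH", (subtype << 4) | (ftype << 2), duration) + addr1

class Nav:
    """Channel reservation a node honours. `cap` maps frame kind to the largest
    duration (microseconds) accepted for it; None reproduces a stock node."""
    def __init__(self, cap=None):
        self.cap, self.nav_until, self.rejected = cap, 0, []
    def observe(self, frame, now):
        kind, duration, _ = parse_header(frame)
        if duration is None:
            return
        limit = self.cap.get(kind) if self.cap else None
        if limit is not None and duration > limit:
            self.rejected.append((now, kind, duration))  # flag it, reserve nothing
            return
        self.nav_until = max(self.nav_until, now + duration)
    def can_transmit(self, now):
        return now >= self.nav_until

# Assumed ceilings in the spirit of the "cap on duration values" defence: an ACK
# or data frame only needs to cover the next fragment, a CTS one data exchange.
CAP = {"ACK": 500, "DATA": 500, "RTS": 3000, "CTS": 3000}

def demo():
    # Times are microseconds. Returns (stock node can send, capped node can send, rejected).
    frames = [(0, build("CTS", 300)),       # ordinary reservation for one exchange
              (400, build("ACK", 0)),        # normal ACK carries no reservation
              (1000, build("CTS", 32767))]   # maximum value, nothing requested it
    stock, capped = Nav(), Nav(CAP)
    for now, frame in frames:
        stock.observe(frame, now)
        capped.observe(frame, now)
    return stock.can_transmit(5000), capped.can_transmit(5000), capped.rejected
```

After the third frame the stock node stays silent for the full 32767 μs, while the capped node is free again at 400 μs and has logged the oversized CTS, which is the observable a monitoring station could count.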

  29. Overall Recommendations
     • Authentication of 802.11 control packets
     • Limiting the size of ACK frames
     • Individual nodes’ duration threshold
     • Situational Awareness

  30. New and Relevant
     • Modifying frames at data link layer through OTS hardware
     • Strength of attacks
       • Ease of attack
       • Scale of attack
       • Resources needed
     • Capabilities of modern cell phones

  31. Mobile Devices
     • 8215 Smartphone
     • iPAQ H6315 Pocket PC
     • LinkSys WIP300
     • F1000G
     • T-Mobile M/DA
     • Verizon XV6700

  32. AVS WINvote

  33. Works Cited
     • “Access Point”. Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point
     • Bellardo, John, and Stefan Savage. “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”. In Proceedings of the USENIX Security Symposium, August 2003.
     • Friedl, Steve. “Network Guru’s Guide to 802.11b Wireless Networking”. Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.html
     • “HP iPAQ Pocket PC Information Center System Specifications”. Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htm
     • “Media Access Control”. Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control
     • “Mobile Device Reviews”. BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com
     • “UT-STARCOM F1000G System Specifications”. UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/
     • “Wi-Fi”. Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi
