802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions • John Bellardo and Stefan Savage, Department of Computer Science and Engineering, University of California, San Diego • Presented by Devon Callahan
Outline • Introduction to 802.11 and Motivation • Related Work • Vulnerabilities of 802.11 • Practical Attacks and Defenses • Experimental Results • Conclusions • Final Thoughts
Introduction • 802.11 networks are everywhere • Clients usually form a star topology around an access point (AP), which relays all of their traffic • 802.11b and 802.11g are the most widely deployed variants • With so much depending on 802.11, what vulnerabilities does it have?
Related Work • Most prior work has focused on confidentiality: weaknesses in the security of 802.11 (WEP and WPA) • What about availability? • Lough identified MAC-layer vulnerabilities (disassociation, deauthentication, virtual carrier sensing) but did not validate them experimentally
Related Work (cont.) • Faria and Cheriton identified the problems posed by authentication DoS attacks and proposed a new authentication framework (not very lightweight) • AirJack, Omerta, void11 and Radiate: wireless attack tools from the early 2000s • Some general 802.11 DoS attacks based on resource consumption (e.g. frame rate control)
Vulnerabilities of 802.11 • Denial of service: the act of denying a computer user a particular service • Typically achieved by flooding a client with more traffic than it can handle • 802.11 is more exposed than 802.3 because its medium (the 2.4 GHz band for 802.11b/g) is shared and open to anyone within radio range
Denial of Service on Wireless • The attacker wants to disrupt and deny access to services by legitimate users • Two main types of DoS in 802.11 • RF attacks: jamming the wireless spectrum; disruption occurs once the signal-to-noise ratio drops below what the receiver needs • Protocol-based attacks: target the MAC layer above the radio (identity and media-access control); these are far cheaper, needing only commodity hardware
Identity Vulnerabilities • A result of the trust placed in a frame's source address • 802.11 nodes are identified at the MAC layer by a unique address, just as wired nodes are • Frames, management frames in particular, are not authenticated, so an attacker can change his MAC address and spoof other nodes (similar to ARP spoofing) • Leads to three kinds of attacks: • Disassociation attack • Deauthentication attack • Power-saving mode attack
Disassociation • A client can be authenticated with multiple APs but associated with only one, so that the correct AP forwards its packets • Association frames are unauthenticated • 802.11 provides a disassociation message similar to the deauthentication message • Vulnerability: a spoofed disassociation message causes the AP to disassociate the client
Disassociation Attack (sequence diagram): Authentication Request → Authentication Response → Association Request → Association Response → Data exchange between client and AP; the attacker then injects a spoofed Disassociation, which the AP honors and the data flow stops
Deauthentication Attack • Authentication procedure • After selecting an AP, a client must authenticate itself to the AP, identified by its MAC address • Part of the authentication framework is a message allowing clients to explicitly deauthenticate from the AP • Vulnerability • An attacker can spoof the deauthentication message, suspending communication between AP and client and causing a DoS • Result • The client must re-authenticate (and re-associate) to resume communication with the AP
Deauthentication Attack (sequence diagram): Authentication Request → Authentication Response → Association Request → Association Response → Data exchange; the attacker then injects a spoofed Deauthentication and the AP drops the client
Deauthentication Attack (cont.) • By repeating the attack, a client can be kept from transmitting or receiving data indefinitely • The attack can target an individual client or all clients • Individual client: the attacker spoofs the client's address, telling the AP to deauthenticate it • All clients: the attacker spoofs the AP, telling every client to deauthenticate
Deauthentication or Disassociation? • After a deauthentication the client needs two round trips (authenticate, then associate) to resume communication • After a disassociation one round trip (associate) suffices • The attacker pays one forged frame either way, but deauthentication forces more recovery work on the victim, so it is the more effective attack
Power Saving in 802.11 • Nodes "sleep" to conserve energy • The AP buffers a sleeping client's packets until the client wakes and polls for them • The TIM (traffic indication map), carried in the AP's periodic beacons, tells a client that data is buffered for it • This relies on time synchronization so that the client is awake when its TIM is sent
Attacks on Power Saving • The attacker spoofs the TIM on behalf of the AP: the client believes no data is waiting and goes back to sleep • The attacker forges the management frames that carry timing synchronization, so the client falls out of sync with the AP and misses its wake-up intervals • The attacker spoofs the poll message on behalf of the client: the AP delivers the buffered data while the real client is still asleep, so the data is lost
Media Access Vulnerabilities • The design attitude: avoid collisions at all costs • CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance • SIFS: the short gap used inside an existing frame exchange (e.g. before an ACK), which gives that exchange priority over anyone starting new traffic
Media Access Vulnerabilities (cont.) • DIFS: the longer gap a node must observe before initiating new traffic • After the DIFS, nodes wait a further random backoff before transmitting • An attacker who transmits a short signal before every SIFS interval elapses keeps the channel perpetually busy • This requires about 50,000 packets per second, so it is costly to sustain
A more serious weakness lies in RTS/CTS, the mechanism used to avoid the "hidden terminal" problem
Virtual Carrier Sense • Needed to prevent collisions between two clients that cannot hear each other (the hidden terminal problem) • RTS/CTS • A client wanting to transmit first sends an RTS (Request to Send) • The RTS carries source, destination and a duration • The receiver (usually the AP) responds with a CTS (Clear to Send), which every node in its range hears
NAV Vulnerability • 802.11 general frame format (field: length in bytes): Frame Control: 2, Duration/ID: 2, Addr1: 6, Addr2: 6, Addr3: 6, Seq Ctl: 2, Addr4: 6, Frame Body: 0-2312, FCS: 4 • Virtual carrier sense allows a node to reserve the radio channel • Each frame carries a Duration value • It indicates the number of microseconds the channel is reserved (a 15-bit field, so at most 32,767 µs) • Tracked per node as the Network Allocation Vector (NAV) • Used by RTS/CTS • A node is only allowed to transmit once its NAV reaches 0
Simple NAV Attack (diagram): the attacker forges frames with Duration=32000; the Access Point and Node 2, which hear the attacker, cannot transmit, while Node 1, out of the attacker's range, still can
Extending the NAV Attack with RTS (diagram): the attacker sends an RTS with Duration=32000; the Access Point answers with a CTS carrying Duration=31000, which both Node 1 and Node 2 hear, so the AP and both nodes are barred from transmitting
Practical Attacks and Defenses • The authors implemented these attacks with then-current software and hardware • An iPAQ running Linux with a D-Link PCMCIA card • They built an application that monitors wireless channels for APs and clients • Once a target is identified by MAC, a DNS resolver and dsniff are used to obtain better identifiers (user IDs)
How to Generate Arbitrary 802.11 Frames? • The NIC firmware, not the host, finalizes frames and rewrites parts of them before transmission • Key idea: the AUX/debug port allows raw access to the NIC's SRAM • Download the frame to the NIC • Find the frame in SRAM • Request transmission • Wait until the firmware modifies the frame • Rewrite the frame via the AUX port (figure: host interface to NIC, AUX port, transmit queue in SRAM, BAP, transmit process, radio/modem interface)
Simulating the NAV attack • So how bad would the attack be? • The NAV attack was simulated in ns-2 • 18 users • 1 access point • 1 attacker • 30 attack frames per second • 32.767 ms duration per attack frame (the maximum the field allows)
Practical NAV Defense • Legitimate duration values are relatively small • Determine the maximum reasonable NAV value for each frame type • Each node enforces this limit • < 0.5 ms for all frames except ACK and CTS • ~3 ms for ACK and CTS • The simulation was rerun after adding the defense to the simulator
Why the NAV attack doesn't work • Surprise: many vendors do not implement the 802.11 spec correctly • The Duration field is not respected by other nodes • Excerpt from a NAV attack trace: frames observed at t = 1.2940 s and t = 1.2952 s, only 1.2952 - 1.2940 = 1.2 ms apart, far less than the duration the attack frame had reserved
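As an added example (not the paper's or the presenter's code), the following parses the general frame format from the NAV slide above and applies the per-frame-type NAV cap described in the defense, then replays a constructed attack trace with and without the cap. The MAC addresses, the trace, and the choice to clip an over-long reservation to the cap rather than discard the frame are assumptions made for this example.

```python
"""Parse the 802.11 MAC header and apply the NAV cap from the slides.

Added example, not code from the paper or the presenter. Frame layout follows
the 802.11 general frame format; the caps (0.5 ms default, 3 ms for ACK and
CTS) are the slide's values, and clipping the reservation to the cap (rather
than dropping the frame) is an assumption made here.
"""
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_RTS, SUBTYPE_CTS, SUBTYPE_ACK, SUBTYPE_PSPOLL = 0xB, 0xC, 0xD, 0xA
NAV_CAP_DEFAULT_US = 500        # slide: < 0.5 ms for all other frames
NAV_CAP_ACK_CTS_US = 3000       # slide: ~3 ms for ACK and CTS
DURATION_MAX_US = 32767         # 15-bit duration; bit 15 set means PS-Poll AID

AP = bytes.fromhex("000c41aabbcc")       # constructed addresses
NODE1 = bytes.fromhex("0014a42dbe1d")
ATTACKER = bytes.fromhex("00deadbeef00")


def build_frame(ftype, subtype, duration, *addrs, body=b"", flags=0):
    """Assemble a frame: Frame Control, Duration/ID, addresses, [Seq Ctl], body, FCS."""
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    frame = struct.pack("<HH", fc, duration) + b"".join(addrs)
    if ftype != TYPE_CTRL:
        frame += struct.pack("<H", 0)        # Sequence Control (fragment 0, seq 0)
    return frame + body + b"\x00\x00\x00\x00"  # FCS placeholder, not computed


def parse_header(frame):
    """Decode Frame Control, Duration/ID and the addresses present for this frame type."""
    if len(frame) < 14:
        raise ValueError("shorter than the smallest 802.11 frame (CTS/ACK)")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        # bit 15 set: the field carries an association ID (PS-Poll), not a duration
        "is_aid": bool(duration & 0x8000),
        "duration": duration & 0x7FFF,
        "addr1": frame[4:10],
    }
    if hdr["type"] == TYPE_CTRL:
        if hdr["subtype"] not in (SUBTYPE_CTS, SUBTYPE_ACK):
            hdr["addr2"] = frame[10:16]          # RTS / PS-Poll carry a transmitter address
    else:
        hdr["addr2"], hdr["addr3"] = frame[10:16], frame[16:22]
        hdr["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
        if hdr["to_ds"] and hdr["from_ds"]:
            hdr["addr4"] = frame[24:30]          # only present on WDS (4-address) frames
    return hdr


def nav_reservation(hdr, capped=True):
    """Microseconds a receiving node should reserve its NAV for this frame."""
    if hdr["is_aid"]:
        return 0                                 # PS-Poll: no channel reservation
    if not capped:
        return hdr["duration"]                   # spec behaviour: trust the field
    is_ack_or_cts = hdr["type"] == TYPE_CTRL and hdr["subtype"] in (SUBTYPE_CTS, SUBTYPE_ACK)
    cap = NAV_CAP_ACK_CTS_US if is_ack_or_cts else NAV_CAP_DEFAULT_US
    return min(hdr["duration"], cap)


def channel_busy_until(trace, capped=True):
    """Replay (time_us, frame) pairs heard by one node; return when its NAV last hits zero."""
    nav_end = 0
    for t_us, frame in trace:
        # The NAV only moves forward: a shorter reservation never shortens a longer one.
        nav_end = max(nav_end, t_us + nav_reservation(parse_header(frame), capped))
    return nav_end


# Constructed trace: the attacker forges a data frame with the maximum duration
# every 30 ms (close to the slide's 30 attack frames per second).
ATTACK_TRACE = [
    (t_us, build_frame(TYPE_DATA, 0, DURATION_MAX_US, AP, ATTACKER, AP, flags=0x01))
    for t_us in (0, 30_000, 60_000)
]
LEGIT_RTS = build_frame(TYPE_CTRL, SUBTYPE_RTS, 300, AP, NODE1)           # small, real reservation
FORGED_CTS = build_frame(TYPE_CTRL, SUBTYPE_CTS, 32_000, ATTACKER)        # the NAV-extending trick
PS_POLL = build_frame(TYPE_CTRL, SUBTYPE_PSPOLL, 0xC001, AP, NODE1)      # AID 1, not a duration

if __name__ == "__main__":
    print("uncapped NAV busy until", channel_busy_until(ATTACK_TRACE, capped=False), "us")
    print("capped NAV busy until  ", channel_busy_until(ATTACK_TRACE), "us")
```

With the cap, each forged frame costs the channel at most 0.5 ms (3 ms for the CTS echo used in the RTS variant) instead of the full 32.767 ms, so the attacker must send far more frames to hold the medium; the legitimate RTS passes unchanged because 300 µs is below the limit.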
Practical Deauth Defense • Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data • Delay honoring a Deauthentication request • Small interval (5-10 seconds) • If no other frames are received from the source in that interval, honor the request • If the source sends other frames, discard the request • Requires no protocol changes and is backwards compatible with existing hardware
Defense in Depth (figure): the AP records the received signal strength (RSS) of every frame from MAC 00-14-A4-2D-BE-1D; its data frames Num 1 to Num 4 arrive at -35, -36, -35 and -34 dBm, while the attacker's spoofed Deauthentication with the same source MAC arrives at -18 dBm, so a frame whose RSS departs sharply from that source's history can be flagged as spoofed
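As an added example (not the paper's or the presenter's code), the following combines the delayed-deauthentication defense from the previous slide with the RSS consistency check from this one in a single AP-side handler, driven by a constructed trace that mirrors the figure. The 10 dB deviation threshold, the median-based baseline, and the decision to drop an RSS-anomalous deauthentication immediately are assumptions made for this example.

```python
"""Delayed deauthentication plus RSS consistency check, as one AP-side handler.

Added example (not code from the paper or the presenter). The grace period
follows the slides; the 10 dB RSS threshold and dropping an RSS-anomalous
deauthentication outright are assumptions made here.
"""
from collections import defaultdict, deque
import statistics

DEAUTH_GRACE_S = 5.0           # slide: honor a deauth only after 5-10 s of silence
RSS_HISTORY_LEN = 8            # recent frames per source kept as the RSS baseline
RSS_DEVIATION_DB = 10.0        # assumption: bigger jumps are suspicious for a static client
CLIENT = "00-14-A4-2D-BE-1D"   # MAC from the slide figure


class DeauthGuard:
    """Tracks associated clients and decides whether to honor a Deauthentication."""

    def __init__(self, grace_s=DEAUTH_GRACE_S, rss_dev_db=RSS_DEVIATION_DB):
        self.grace_s = grace_s
        self.rss_dev_db = rss_dev_db
        self.associated = set()
        self.pending = {}                    # mac -> time its deauth was received
        self.rss_hist = defaultdict(lambda: deque(maxlen=RSS_HISTORY_LEN))
        self.log = []                        # (time, mac, event)

    def tick(self, now):
        """Honor queued deauths whose grace period passed without further frames."""
        for mac, t0 in list(self.pending.items()):
            if now - t0 >= self.grace_s:
                del self.pending[mac]
                self.associated.discard(mac)
                self.log.append((now, mac, "deauth honored"))

    def observe(self, now, mac, kind, rss_dbm):
        """Process one received frame. kind is 'assoc', 'data' or 'deauth'."""
        self.tick(now)
        if kind == "assoc":
            self.associated.add(mac)
            self.rss_hist[mac].append(rss_dbm)
            return "associated"
        if kind == "data":
            if mac in self.pending:
                # A legitimate node does not deauthenticate and then keep talking.
                del self.pending[mac]
                self.log.append((now, mac, "deauth discarded: source still active"))
            self.rss_hist[mac].append(rss_dbm)
            return "data"
        if kind == "deauth":
            hist = self.rss_hist[mac]
            if len(hist) >= 3 and abs(rss_dbm - statistics.median(hist)) > self.rss_dev_db:
                # Second layer: a deauth arriving at a very different power level
                # from this source's recent frames is treated as spoofed.
                self.log.append((now, mac, "deauth dropped: rss anomaly"))
                return "rss-anomaly"
            if mac not in self.pending:
                self.pending[mac] = now      # first layer: wait and see
            return "queued"
        raise ValueError(f"unknown frame kind {kind!r}")


# Constructed trace reproducing the slide's figure: four data frames at about
# -35 dBm, then a spoofed Deauthentication that arrives at -18 dBm.
SCENARIO = [
    (0.0, CLIENT, "assoc", -35),
    (1.0, CLIENT, "data", -35),
    (2.0, CLIENT, "data", -36),
    (3.0, CLIENT, "data", -35),
    (4.0, CLIENT, "data", -34),
    (4.5, CLIENT, "deauth", -18),   # spoofed: the attacker is much closer to the AP
    (10.0, CLIENT, "deauth", -35),  # spoofed at a matching level: caught by the delay
    (11.0, CLIENT, "data", -35),    # ...because the real client keeps sending
    (20.0, CLIENT, "deauth", -35),  # genuine: the client goes quiet afterwards
]


def run_scenario(events=SCENARIO, end_time=30.0):
    """Feed the trace through a fresh guard; return decisions, log and who stays associated."""
    guard = DeauthGuard()
    decisions = [guard.observe(t, mac, kind, rss) for t, mac, kind, rss in events]
    guard.tick(end_time)
    return decisions, guard.log, guard.associated


if __name__ == "__main__":
    for entry in run_scenario()[1]:
        print(entry)
```

The RSS layer only helps once the AP has a baseline for the source; an attacker who spoofs a client that has not yet transmitted, or who matches its power level, falls through to the delay layer, which costs the victim nothing more than a few seconds before a genuine disconnection is processed.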
Identity theft (MAC spoofing) • Occurs when an attacker can listen in on network traffic and identify the MAC address of a computer with network privileges • Most wireless systems allow some kind of MAC filtering so that only computers with specific MAC addresses can join and use the network; since a MAC address is trivially changed, such a filter is defeated by spoofing
Man-in-the-middle attacks • The attacker entices clients to connect to a machine set up as a soft AP • The attacker then connects to the real access point through another wireless card • The attacker can then sniff the traffic passing through
Caffe Latte attack • A way to recover a WEP key from a client that is away from its home network • By targeting the Windows wireless stack, the attacker poses as the client's remembered AP and obtains the WEP key from the remote client alone • The attacker sends a flood of encrypted ARP requests to the client • The client's encrypted ARP responses give the attacker enough material to recover the WEP key in less than 6 minutes
Conclusion • The deauthentication attack is the most immediate concern • Denial-of-service attacks on 802.11 are very plausible with existing equipment • Although the paper was published in 2003, the threat remains for 802.11 networks: management frames stayed unauthenticated until 802.11w (Protected Management Frames, 2009) added integrity protection for deauthentication and disassociation, and PMF is only mandatory with WPA3
THANK YOU! • Questions?