802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions. John Bellardo and Stefan Savage, Department of Computer Science and Engineering, University of California, San Diego. Presented by Devon Callahan
Outline • Introduction to 802.11 and Motivation • Related Work • Vulnerabilities of 802.11 • Practical Attacks and Defenses • Experimental Results • Conclusions • Final Thoughts
Introduction • 802.11 networks are everywhere • Network clients are usually arranged in a star topology around the Access Point • 802.11b and 802.11g are the most popular variants • With such heavy dependence on 802.11, are there vulnerabilities?
Related Work • Most prior work has focused on confidentiality • Weaknesses in the security of 802.11 (WEP and WPA) • What about availability? • Lough identified vulnerabilities in the MAC layer (disassociation, deauthentication, virtual carrier sensing) but did not validate them
Related Work (cont.) • Faria and Cheriton identified problems posed by authentication DoS attacks and propose a new authentication framework (not very lightweight) • AirJack, Omerta, void11 and Radiate are all wireless attack tools from the early 2000s • Some general 802.11 DoS attacks are based on resource consumption (frame rate control)
Vulnerabilities of 802.11 • Denial of Service: the act of denying a computer user a particular service • Typically done by flooding a client with more traffic than it can handle • 802.11 is more vulnerable than 802.3 because of the shared 2.4 GHz medium
Denial of Service on Wireless • The attacker wants to disrupt and deny access to services for legitimate users • Two main types of DoS in 802.11 • RF attacks, i.e. jamming the wireless spectrum: disruption occurs once the signal-to-noise ratio drops to a certain level • Protocol-based attacks on the higher layers of the communication stack, which are cheaper to mount (identity and media-access control)
Identity Vulnerabilities • A result of the trust placed in a speaker's source address • 802.11 nodes are identified at the MAC layer by a unique address, just as wired nodes are • Frames are not authenticated, so an attacker can change his MAC address and spoof other nodes (similar to what is done in ARP spoofing) • Leads to 3 kinds of attacks: • Disassociation attack • Deauthentication attack • Power saving mode attack
Disassociation • A client can authenticate with multiple APs but associates with only one, so that the correct AP forwards its packets • Association frames are unauthenticated • 802.11 provides a disassociation message similar to the deauthentication message • Vulnerability: a spoofed message causes the AP to disassociate the client
Disassociation Attack (diagram) • Client -> AP: Authentication Request; AP -> Client: Authentication Response • Client -> AP: Association Request; AP -> Client: Association Response • Data flows in both directions • Attacker -> AP: spoofed Disassociation frame, after which the AP disassociates the client
Deauthentication Attack • Authentication procedure • After selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address • Part of the authentication framework is a message allowing clients to explicitly deauthenticate from the AP • Vulnerability • An attacker can spoof the deauthentication message, causing communication between AP and client to be suspended, i.e. a DoS • Result • The client must re-authenticate to resume communication with the AP
Deauthentication Attack (diagram) • Client -> AP: Authentication Request; AP -> Client: Authentication Response • Client -> AP: Association Request; AP -> Client: Association Response • Data flows in both directions • Attacker -> AP: spoofed Deauthentication frame, after which the AP deauthenticates the client
Deauthentication Attack (cont.) • By repeating the attack, a client can be kept from transmitting or receiving data indefinitely • The attack can be executed against an individual client or against all clients • Individual clients • Attacker spoofs the client's address, telling the AP to deauthenticate it • All clients • Attacker spoofs the AP, telling all clients to deauthenticate
Deauthentication or Disassociation? • After a deauthentication the client needs 2 RTTs (re-authenticate, then re-associate) to resume communication • After a disassociation the client needs 1 RTT to resume communication • Because it costs the attacker less work per unit of disruption, deauthentication is the more effective attack
Power Saving in 802.11 • Nodes "sleep" to conserve energy • The AP buffers a client's packets until the client requests them with a poll message • The TIM (traffic indication map) is a periodic packet sent by the AP to notify clients of buffered data • Relies on the client's clock staying in sync with the AP so that the client is awake when the TIM is sent
Attacks on Power Saving • Attacker spoofs the TIM message on behalf of the AP • The client thinks there is no data and goes back to sleep • Attacker forges management sync packets • The client falls out of sync with the AP • Attacker spoofs a poll on behalf of the client • The AP sends (and discards) the buffered data while the client is sleeping
Media Access Vulnerabilities • "Avoid collisions at all costs!!!" is the attitude • CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance • SIFS: the short interval a node waits before continuing a pre-existing frame exchange (e.g. sending an ACK)
Media Access Vulnerabilities (cont.) • DIFS: the longer interval used by nodes initiating new traffic • Nodes transmit after the DIFS plus a random backoff • An attacker can send a signal before every SIFS slot to clog the channel • Requires 50,000 pps to shut down the channel
More serious is RTS/CTS • A mechanism used to avoid the "hidden terminal" problem
Virtual Carrier Sense • Mechanism for preventing collisions between two clients that cannot hear each other (hidden terminal problem) • RTS/CTS • A client wanting to transmit a packet first sends an RTS (Request to Send) • The RTS includes source, destination, and duration • The destination responds with a CTS (Clear to Send) packet
NAV Vulnerability • 802.11 General Frame Format: Frm Ctl | Duration | Addr1 | Addr2 | Addr3 | Seq Ctl | Addr4 | Data (0-2312 bytes) | FCS (the slide annotates each field with its length in bytes; Duration is a 2-byte field) • Virtual carrier sense allows a node to reserve the radio channel • Each frame contains a duration value • Indicates the number of microseconds the channel is reserved • Tracked per node in the Network Allocation Vector (NAV) • Used by RTS/CTS • Nodes are only allowed to transmit when their NAV reaches 0
Simple NAV Attack (diagram): forge packets with a large Duration • Attacker sends frames with Duration=32000 • The Access Point and Node 2, which hear the attacker, can't transmit (but Node 1, out of range of the attacker, can)
Extending the NAV Attack with RTS (diagram) • Attacker sends an RTS with Duration=32000 • The Access Point answers with a CTS carrying Duration=31000, which is heard by both Node 1 and Node 2 • Result: the AP and both nodes are barred from transmitting
Practical Attacks and Defenses • The authors were able to implement these attacks with then-current software and hardware • iPAQ running Linux with a D-Link PCMCIA card • Built an app that monitors wireless channels for APs and clients • Once a node is identified by MAC, a DNS resolver and dsniff are used to obtain better identifiers (user IDs)
How to Generate Arbitrary 802.11 Frames? • Key idea: the AUX/Debug port allows raw access to NIC SRAM • Download frame to NIC • Find frame in SRAM • Request transmission • Wait until firmware modifies frame • Rewrite frame via AUX port • (Diagram: host interface to the NIC, showing the AUX port, transmit queue, SRAM and BAP on the physical-resources side, the transmit process behind the virtualized firmware interface, and the radio modem interface)
Simulating the NAV attack • So how bad would the attack be? • Simulated NAV attack using NS2 • 18 Users • 1 Access Point • 1 Attacker • 30 attack frames per second • 32.767 ms duration per attack frame
Practical NAV Defense • Legitimate duration values are relatively small • Determine maximum reasonable NAV values for all frame types • Each node enforces this limit • < 0.5 ms for all frames except ACK and CTS • ~3 ms for ACK and CTS • Reran the simulation after adding the defense to the simulator
Why the NAV attack doesn't work • Surprise: many vendors do not implement the 802.11 spec correctly • The Duration field is not respected by other nodes • Excerpt from a NAV attack trace: consecutive frames time-stamped 1.2940 s and 1.2952 s, i.e. only 1.2952 - 1.2940 = 1.2 ms apart, despite the large reserved Duration
Practical Deauth Defense • Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data • Delay honoring a Deauthentication request for a small interval (5-10 seconds) • If no other frames are received from the source in that interval, honor the request • If the source sends other frames, discard the request • Requires no protocol changes and is backwards compatible with existing hardware
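The NAV defense above, applied to the Duration field of the general frame format slide, as an added example written for this summary (not code from the paper or the presenter): it parses Frame Control and Duration from a raw header and clamps the duration a node will honor to the per-type caps the slide gives. Frame type/subtype codes follow IEEE 802.11; the sample frames are constructed.

```python
import struct

# Frame Control: bits 2-3 = type, bits 4-7 = subtype (IEEE 802.11).
CONTROL = 1            # type code for control frames
SUBTYPE_RTS = 0xB
SUBTYPE_CTS = 0xC
SUBTYPE_ACK = 0xD

# Caps from the slide: < 0.5 ms for all frames except ACK and CTS, ~3 ms for those.
MAX_NAV_US_DEFAULT = 500
MAX_NAV_US_ACK_CTS = 3000


def parse_header(frame: bytes):
    """Return (type, subtype, duration_us) from the first 4 header bytes."""
    fc, dur = struct.unpack_from("<HH", frame, 0)   # both fields little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if dur & 0x8000:   # bit 15 set: CFP marker or PS-Poll AID, not a NAV value
        return ftype, subtype, 0
    return ftype, subtype, dur


def nav_limit_us(ftype: int, subtype: int) -> int:
    """Maximum NAV reservation a node accepts for this frame type."""
    if ftype == CONTROL and subtype in (SUBTYPE_CTS, SUBTYPE_ACK):
        return MAX_NAV_US_ACK_CTS
    return MAX_NAV_US_DEFAULT


def accepted_nav_us(frame: bytes) -> int:
    """Duration this node actually honors: the advertised value, clamped."""
    ftype, subtype, dur = parse_header(frame)
    return min(dur, nav_limit_us(ftype, subtype))


def build_frame(ftype: int, subtype: int, duration_us: int) -> bytes:
    # Constructed header only: Frame Control, Duration, broadcast Addr1.
    fc = (ftype << 2) | (subtype << 4)
    return struct.pack("<HH", fc, duration_us) + b"\xff" * 6


# Constructed samples: the slide's 32000/31000 us reservations and a normal ACK.
ATTACK_RTS = build_frame(CONTROL, SUBTYPE_RTS, 32000)
ATTACK_CTS = build_frame(CONTROL, SUBTYPE_CTS, 31000)
LEGIT_ACK = build_frame(CONTROL, SUBTYPE_ACK, 212)
```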
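The delayed-deauthentication defense above as an added example for this summary (not code from the paper or the presenter): an AP-side filter holds each Deauthentication request for a 5-second window and discards it if the same source keeps sending frames. The MAC addresses and the frame trace are constructed.

```python
from dataclasses import dataclass, field

DEAUTH_HOLD_S = 5.0   # slide: small interval, 5-10 seconds


@dataclass
class DeauthDelayFilter:
    hold_s: float = DEAUTH_HOLD_S
    pending: dict = field(default_factory=dict)        # src MAC -> time seen
    deauthenticated: list = field(default_factory=list)  # requests honored
    discarded: list = field(default_factory=list)      # (src, time) rejected

    def on_frame(self, t: float, src: str, kind: str) -> None:
        """Feed one received frame: time in seconds, source MAC, frame kind."""
        self._expire(t)
        if kind == "deauth":
            self.pending.setdefault(src, t)   # hold instead of honoring now
        elif src in self.pending:
            # A node that really deauthenticated would not keep sending,
            # so the held request was spoofed: drop it.
            self.discarded.append((src, self.pending.pop(src)))

    def _expire(self, now: float) -> None:
        for src, seen in list(self.pending.items()):
            if now - seen >= self.hold_s:   # silence for the whole window
                self.pending.pop(src)
                self.deauthenticated.append(src)

    def flush(self, now: float) -> None:
        self._expire(now)


CLIENT = "00:11:22:33:44:55"   # constructed victim MAC
OTHER = "66:77:88:99:aa:bb"    # constructed MAC of a node that really leaves
TRACE = [                      # constructed trace as seen by the AP
    (0.0, CLIENT, "data"),
    (0.5, CLIENT, "deauth"),   # forged by the attacker using CLIENT's address
    (0.9, CLIENT, "data"),     # the real client is still talking
    (2.0, OTHER, "deauth"),    # genuine: OTHER stays silent afterwards
    (8.0, CLIENT, "data"),
]


def run(trace, hold_s: float = DEAUTH_HOLD_S) -> DeauthDelayFilter:
    f = DeauthDelayFilter(hold_s)
    for t, src, kind in trace:
        f.on_frame(t, src, kind)
    f.flush(trace[-1][0])
    return f
```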
Defense in Depth (diagram) • Data frames from the client with MAC 00-14-A4-2D-BE-1D carry consecutive sequence numbers (Num 1 through Num 5) and arrive at the AP with RSS values of about -34 to -36 dBm • The attacker's spoofed Deauthentication carries the same MAC and sequence number Num 4 but arrives at RSS -18 dBm • Sequence-number and received-signal-strength anomalies give the AP additional evidence for rejecting the spoofed frame
Identity theft (MAC spoofing) • Occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges • Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC IDs can gain access and use the network
Man-in-the-middle attacks • The attacker entices computers to log into a computer set up as a soft AP • The attacker connects to a real access point through another wireless card • The attacker can then sniff the traffic
Caffe Latte attack • A way to defeat WEP • Using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client • The client is sent a flood of encrypted ARP requests • The attacker uses the ARP responses to recover the WEP key in less than 6 minutes
Conclusion • The deauthentication attack is the most immediate concern • Denial of Service attacks on 802.11 are very plausible with existing equipment • Although this research paper was published in 2003, the threat remains for 802.11 networks
THANK YOU! • Questions?