Denial of Service Attacks Against 802.11 Wireless Networks
ECE 478: Final Project
June 7th, 2004
By: Benjamin Humble, Eric Sundholm
Topics:
- Traditional Wireless Jamming
  - Definitions
  - Methods
  - Examples
  - Strengths
  - Weaknesses
- The 802.11b Vulnerability
  - The IEEE 802.11b Standard
  - Clear Channel Assessment (CCA) Algorithm
  - Flaw Uncovered
  - What’s wrong and why?
  - Who’s At Risk?
  - Solutions
Definitions:
- Jamming: To interfere with or prevent the clear reception of (broadcast signals) by electronic means [1]
- Passive Jamming: such as putting up buildings made of material that blocks out cell phone signals [2]

[1] www.dictionary.com
[2] www.stargeek.com
Methods:
- In almost every case, jamming causes a denial of service type attack to either server or client, sender or receiver.
- In a few isolated cases, the use of jamming equipment can be seen as a man-in-the-middle attack. [1]

[1] Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu
Past Methods:
Some older analog methods (including radar jamming) are:
- Simply broadcasting noise into the system so that the original message is lost and unintelligible. This usually requires the noise to be at an equal amplitude level to the jammed signal.
- In the case of radar jamming it is possible to send back to the detector the same signal that was sent out. This would cause the receiver to believe that no target was found. [1]
- Similarly, instead of a no-target situation, more or fewer targets than really exist can be sent back. [1]

[1] www.maclean-nj.com
Modern Methods:
- More modern approaches include jamming of wireless computer communication
  - The easiest form is to continually transmit useless data to the point where the servers become overloaded. This would cause a denial of service attack to all other clients. [1]
- Inputting noise into the system still works, and has a clever advantage with computer systems
  - The inputted noise signal can be of lower amplitude (and therefore power) which can cause DBR (death by retry). This is when the signal to noise ratio becomes severely compromised and the receiver must constantly re-request that the message be sent. This could form an endless loop, hence DBR. [1]

[1] www.maclean-nj.com
Modern Methods: (cont’d)
- In a worst case scenario it is impossible to defend against a radio jamming attack. A clever attacker can simply jam all frequencies so that these listed advanced methods will not work [1]:
  - Spread spectrum systems
  - Frequency hopping spread spectrum
- The frequencies used for 802.11b and low bandwidth (< 20 Mbps) 802.11g standard operating ranges are [2]:
  - Unlicensed 2.4 GHz band
  - Unlicensed 5.2 GHz band

[1] Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu
[2] www.nwfusion.com
Modern Methods: (cont’d)
- It can be noted that many of the older methods can be adopted and tweaked to wreak havoc on modern computer systems.
- The automation of these systems can be their undoing, just like with the death by retry example.
Examples:
Radio operators have to listen for and identify common jamming signals so that they can be filtered out. Some of these common signals include [1]:
- Random Noise
- Random Pulse
- Stepped Tones
- Wobbler
- Random Keyed Modulated Continuous Wave
- Tone
- Rotary
- Pulse
- Spark
- Recorded Sounds
- Gulls
- Sweep-Through

[1] www.tpub.com
Strengths:
- Locating the Source: Many times, finding the source of the jamming signal must be done physically, and therefore the attacker is hard to locate.
- Detection: Most people have no idea if a jamming signal is in use. It simply appears as if there is no service. Such is the case with cell phones, or wireless networks. [1]
- Cost: Equipment cost is relatively low when compared to brute force methods of other computer oriented security attacks.

[2] www.stargeek.com
Weaknesses:
- Limited use: Jamming is limited since most attacks can only be used as denial of service attacks
- Power: In most cases the power needed to overcome and jam a signal is too great to be practical. Exceptions to this, however, include:
  - Satellite jamming: Transmitted signal strength degrades as a function of distance squared. Therefore, an attacker that is much closer to the receiver than the satellite does not have to use the same power output to match the original satellite transmission.
  - 802.11 CCA exploitation: To be discussed in later slides
- Range: Range is usually limited by the power of the attacker’s transmitter
The IEEE 802.11b Standard:
- Established in 1997 by the Institute of Electrical and Electronics Engineers (IEEE) [1]
- Quickly became the most commonly used standard for wireless communication
- Only available connection to a wireless network in 99.9% of all cases [2]
- Remains the most commonly used wireless protocol despite the development of more advanced and more secure standards

[1] www.ieee.com
[2] maccentral.macworld.com
Clear Channel Assessment (CCA):
- Algorithm used by 802.11 networks to determine if a radio frequency (RF) channel is free for use [1]
- Performed by a Direct Sequence Spread Spectrum (DSSS) physical layer [2]
- Prevents transmission of data by either client or access point (AP) until a channel becomes free

[1] www.kb.cert.org
[2] www.auscert.org.au
IEEE 802.11b Flaw Uncovered:
- Flaw reported May 13th, 2004 by associate professor Mark Looi at Queensland University of Technology’s (QUT) Information Security Research Centre [1]
- Discovered by professor Looi’s graduate students Christian Wullems, Kevin Tham and Jason Smith while investigating mechanisms for protecting wireless devices from hacking
- US-CERT Vulnerability Note VU#106678 [2]

[1] maccentral.macworld.com
[2] www.kb.cert.org
What’s Wrong and Why?
- A specially crafted RF signal can cause the CCA algorithm to believe there are no free channels
- This type of signal is sometimes called “jabber”
- Attack prevents any wireless communication to or from any client or access point within range of the jamming
- Unlike traditional jamming, exploiting the CCA flaw requires no more power than normal operation for a wireless device
- Attack can be implemented by a modified $35 network card and laptop or even a wireless enabled PDA [1]

[1] maccentral.macworld.com
What’s Wrong and Why? (cont’d)
- Due to the low-power nature of the attack, locating the attacker is nearly impossible (though locating the access point(s) affected is simple)
- Wireless communication will be disrupted as long as the attack remains underway
- Capable of shutting down all wireless transmissions within a 1 km radius in 5 to 8 seconds [1]

[1] maccentral.macworld.com
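An added example, not part of the original slides: a defender-side check for the two symptoms this deck describes, a channel that Clear Channel Assessment reports busy while almost nothing decodable arrives, and "death by retry". The counter names follow the fields Linux `iw` prints in its survey and station dumps; the snapshot values are constructed, the thresholds are assumptions, and the check assumes the driver does not count undecodable energy as receive time.

```python
import re

# Thresholds are assumptions for this example; tune them against a site baseline.
BUSY_MIN = 0.90     # share of the interval the radio sensed the channel busy
DECODED_MAX = 0.10  # share of that busy time explained by 802.11 rx/tx
RETRY_MIN = 0.50    # retries per transmitted frame

FIELDS = {
    "active": r"channel active time:\s+(\d+) ms",
    "busy": r"channel busy time:\s+(\d+) ms",
    "rx": r"channel receive time:\s+(\d+) ms",
    "tx": r"channel transmit time:\s+(\d+) ms",
    "tx_packets": r"tx packets:\s+(\d+)",
    "tx_retries": r"tx retries:\s+(\d+)",
}

# Constructed snapshot text, laid out like `iw` survey/station dump fields.
TEMPLATE = ("channel active time:\t{} ms\nchannel busy time:\t{} ms\n"
            "channel receive time:\t{} ms\nchannel transmit time:\t{} ms\n"
            "tx packets:\t{}\ntx retries:\t{}\n")
BASELINE = TEMPLATE.format(10000, 1500, 1000, 300, 5000, 200)
SAMPLES = {
    "quiet office": TEMPLATE.format(20000, 3200, 2100, 700, 10000, 450),
    "carrier held busy": TEMPLATE.format(20000, 11400, 1050, 300, 5002, 202),
    "noisy link": TEMPLATE.format(20000, 7500, 2000, 4800, 8000, 2900),
}

def parse_snapshot(text):
    return {k: int(re.search(p, text).group(1)) for k, p in FIELDS.items()}

def classify(before, after):
    """Counters are cumulative, so classify the delta between two snapshots."""
    d = {k: after[k] - before[k] for k in FIELDS}
    if d["active"] <= 0:
        return "no-data"
    busy = d["busy"] / d["active"]
    decoded = (d["rx"] + d["tx"]) / d["busy"] if d["busy"] else 1.0
    retry = d["tx_retries"] / d["tx_packets"] if d["tx_packets"] else 0.0
    if busy >= BUSY_MIN and decoded <= DECODED_MAX:
        return "channel-held-busy"  # CCA says busy, almost nothing decodable
    if retry >= RETRY_MIN:
        return "death-by-retry"     # frames leave but keep needing resends
    return "normal"

def run_samples():
    base = parse_snapshot(BASELINE)
    return {name: classify(base, parse_snapshot(t)) for name, t in SAMPLES.items()}

if __name__ == "__main__":
    print(run_samples())
```

A "channel-held-busy" verdict on several access points at once is a cue to bring out a spectrum analyzer, since the association and encryption layers will show nothing wrong.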
Who’s at Risk?
- All IEEE 802.11, 802.11b, and low bandwidth (< 20 Mbps) 802.11g wireless networks are vulnerable
- This accounts for 99.9% of all wireless computer networks [1]
- IEEE 802.11a and high bandwidth only (> 20 Mbps) 802.11g wireless networks do not use the same CCA algorithm and therefore are not vulnerable
- Flaw is not network implementation specific, it is inherent to the IEEE standard [2]

[1] maccentral.macworld.com
[2] www.kb.cert.org
Who’s at Risk? (cont’d)
- Attack operates at the hardware level, therefore WEP, WPA, WLAN security measures have no effect
- In some countries, wireless networks are used to control infrastructures such as railways, energy transmission and other utilities [1]
- Any network that is not completely physically isolated (middle of the desert, Faraday cage etc…) is vulnerable to this attack

[1] maccentral.macworld.com
[2] www.kb.cert.org
Solutions: NONE
Solutions: (cont’d)
- The flaw is inherent to the IEEE 802.11 standard and its use of the Clear Channel Assessment algorithm
- There are no known solutions for preventing this attack on a vulnerable system
- The best option for preventing this type of attack is to use a wireless standard that is not vulnerable (i.e. 802.11a or 802.11g)
- In general, it is impossible to completely protect a wireless network from denial of service attacks based on radio frequency (RF) jamming
Questions?
Questions or Comments?
- Benjamin Humble (humblebe@engr.orst.edu)
- Eric Sundholm (sundholm@engr.orst.edu)