802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
Presented by: Aseem Tandon
March 23, 2004

Information Source
• Based on a research paper by John Bellardo and Stefan Savage of UC San Diego
• The paper was presented at the Usenix 2003 Security Symposium

Outline
• What is 802.11?
• What is a Denial-of-Service (DoS) Attack?
• Vulnerabilities in 802.11
• Practical Perspective and Proposed Solutions
• Conclusions
• References
What is 802.11?
• IEEE standard that specifies the medium access control (MAC) and physical layer (PHY) for local area wireless connectivity between fixed, portable and moving stations

What is a DoS Attack?
• Denying genuine users a particular service
• In our context, preventing the transmission of data to or from stations

Vulnerabilities in 802.11
• Two kinds of vulnerabilities:
  • Identity vulnerabilities
  • MAC vulnerabilities

Identity Vulnerabilities
• Arise because of the implicit trust placed in the source address
• No verification of the source's identity
• Cause two kinds of attacks:
  • Deauthentication and disassociation attacks
  • Power saving mode attack
Deauthentication and Disassociation Attack (1)
• Authentication mechanism
  • Client sends an authentication request to the AP
  • AP sends back a response
  • Client then sends an association request
  • AP responds accordingly
• Problem:
  • The explicit deauthentication message is sent in the clear, without being authenticated by any keying material
  • This message can therefore be spoofed

Deauthentication and Disassociation Attack (2)
• A spoofed deauthentication message causes communication between the client and the AP to be suspended; hence the attacker has achieved DoS
• The client must reauthenticate to resume communication
• The attacker has to spoof the deauthentication message only once a successful authentication has taken place
• A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear
• From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack
Power Saving Mode Attack (1)
• Power conservation mechanism
  • Client enters sleep mode intermittently
  • AP buffers data for the client during that time
  • Either the client awakens and sends a poll message to the AP for pending data, or the AP broadcasts a periodic Traffic Indication Map (TIM) message advertising pending data
  • AP delivers the data and clears its buffer
• Problem:
  • An attacker can spoof either the poll message or the TIM message, as both are sent unauthenticated

Power Saving Mode Attack (2)
• Bigger problem:
  • Other management messages can also be spoofed, which makes these attacks more effective
• Solution
  • Simply encrypt these messages, like the data messages, using WEP
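The two slides above describe why an unauthenticated poll lets an AP be tricked into flushing a sleeping client's buffer, and propose protecting management messages with keying material. The model below is an added example, not code from the slides or from Bellardo and Savage; it uses an HMAC tag over the poll as a stand-in for whatever protection the slides have in mind, with a constructed shared key, constructed buffered frames and a hypothetical `require_auth` switch on the AP. It shows the same poll sequence against an AP that accepts any poll and against one that requires the tag.

```python
import hmac
from dataclasses import dataclass, field

# Constructed shared secret standing in for keying material the AP and client share;
# plain 802.11 PS-Poll frames carry no such authenticator.
KEY = b"constructed-shared-key"


@dataclass
class PsPoll:
    src: str            # client address the poll claims to come from
    tag: bytes = b""    # authenticator over src; empty for a plain (unprotected) poll


def make_tag(src: str) -> bytes:
    """Keyed MAC over the claimed source address (hypothetical protection scheme)."""
    return hmac.new(KEY, src.encode(), "sha256").digest()


@dataclass
class AccessPoint:
    require_auth: bool                            # whether polls must carry a valid tag
    buffers: dict = field(default_factory=dict)   # client -> frames queued while it sleeps
    rejected: list = field(default_factory=list)  # sources whose polls failed the check

    def buffer(self, client: str, payload: str) -> None:
        self.buffers.setdefault(client, []).append(payload)

    def on_ps_poll(self, poll: PsPoll, client_awake: bool) -> list:
        """Return the frames the real client actually receives as a result of this poll."""
        if self.require_auth and not hmac.compare_digest(poll.tag, make_tag(poll.src)):
            self.rejected.append(poll.src)
            return []
        # The AP transmits everything queued for poll.src and clears the buffer.
        pending = self.buffers.pop(poll.src, [])
        # A client whose radio is asleep never hears the transmission: those frames are lost.
        return pending if client_awake else []


def run_scenario(require_auth: bool) -> list:
    """Forged poll while the client sleeps, then the genuine poll when it wakes."""
    ap = AccessPoint(require_auth)
    ap.buffer("client", "frame-1")
    ap.buffer("client", "frame-2")
    received = []
    # Forged poll using the client's address; the forger lacks KEY, so its tag cannot verify.
    received += ap.on_ps_poll(PsPoll("client", tag=b"\x00" * 32), client_awake=False)
    # Genuine poll once the client wakes, carrying a tag only the real client can produce.
    received += ap.on_ps_poll(PsPoll("client", tag=make_tag("client")), client_awake=True)
    return received


if __name__ == "__main__":
    print("unprotected AP, client receives:", run_scenario(False))  # []
    print("protected AP, client receives:", run_scenario(True))     # ['frame-1', 'frame-2']
```

With `require_auth=False` the forged poll drains the buffer while the client's radio is off, so the genuine poll finds nothing; with the check enabled the forged poll is rejected and the queued frames survive until the client wakes. The check here is a keyed MAC rather than the WEP encryption the slide names, since the point being shown is that the AP must be able to verify who sent the poll before acting on it.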
MAC Vulnerabilities
• Arise because of the collision avoidance mechanism of the 802.11 MAC layer
• Cause two kinds of attacks:
  • Time window attack
  • Virtual carrier sense attack

Time Window Attack
• The 802.11 MAC defines time windows to prioritize access to the channel
• Two time windows: Short Interframe Space (SIFS) for continuing an existing frame exchange and Distributed Interframe Space (DIFS) for starting a new frame exchange, with SIFS < DIFS
• Every STA has to wait at least SIFS before transmitting
• Therefore an attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval
• However, there is a problem with the attack
  • It is resource intensive: since SIFS is 28 µs (802.11b), the attacker has to send a signal approximately 37,000 times per second
Virtual Carrier Sense Attack
• Carrier sensing mechanism
  • To prevent collisions, a station sends a short Request-to-Send (RTS) message
  • The RTS contains a Duration field specifying the time for which the sender requires the channel
  • The receiver responds with Clear-to-Send (CTS) if it is ready to receive data
  • The CTS contains the updated Duration field
  • Other stations within range set their Network Allocation Vector (NAV) so that they do not transmit for the time specified in the Duration field
  • The Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack

Virtual Carrier Sense Attack
• Problem
  • The attacker can set the Duration field to high values (maximum 32767), preventing channel access for others
  • Assuming the attacker sets the maximum value, he has to transmit only 30 times per second, so the attack is cheap for the attacker
Practical Perspective
• DoS attacks are theoretically possible, but what about actual practice?
• Bad news!
• It is feasible to carry out these attacks with commodity hardware with little tweaking

Deauthentication Attack – Proposed Solutions
• Solution 1: Authenticate management frames
• But there are two problems with this solution:
  • Not feasible using a software upgrade alone: a standardised authentication framework is required, which can take time
  • Not feasible to upgrade all STAs across all networks
• Solution 2: Defer deauthentication
  • Modify the firmware to delay acting on a deauthentication message after receiving it. If the AP receives a data message from the client after this, the deauthentication request was spoofed
• Advantages of solution 2:
  • Low overhead
  • Modification limited to the APs, which is feasible
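Solution 2 above is a small state machine: a deauthentication is queued rather than acted on, and later data from the same client cancels it. The simulation below is an added example, not code from the slides or from the paper; the 10-second deferral window, the constructed frame trace and the two sessions `A` and `B` are assumptions, since the slides give no concrete values. It replays a spoofed deauthentication for `A` (the client keeps sending data) and a genuine one for `B` (silence follows) through the deferring AP.

```python
from dataclasses import dataclass, field

# Hypothetical deferral window in seconds; the slides do not give a value.
DEFER_WINDOW_S = 10.0


@dataclass
class Frame:
    kind: str      # "deauth" or "data"
    src: str       # source address as seen on the air (unverified)
    t: float       # arrival time in seconds (constructed)


@dataclass
class DeferringAP:
    authenticated: set = field(default_factory=set)   # clients with a live session
    pending: dict = field(default_factory=dict)       # client -> time its deauth arrived
    events: list = field(default_factory=list)        # decisions, for inspection

    def settle(self, now: float) -> None:
        """Honour any deferred deauthentication whose window expired with no client data."""
        for mac, seen in list(self.pending.items()):
            if now - seen >= DEFER_WINDOW_S:
                del self.pending[mac]
                self.authenticated.discard(mac)
                self.events.append(("deauthenticated", mac, now))

    def on_frame(self, f: Frame) -> None:
        self.settle(f.t)
        if f.kind == "deauth":
            # Only defer for clients we actually hold a session for, and only once per request.
            if f.src in self.authenticated and f.src not in self.pending:
                self.pending[f.src] = f.t
                self.events.append(("deferred", f.src, f.t))
        elif f.kind == "data" and f.src in self.pending:
            # A client that keeps sending data did not ask to leave: the deauth was spoofed.
            del self.pending[f.src]
            self.events.append(("spoofed_deauth_ignored", f.src, f.t))


def simulate(frames: list, end_time: float) -> tuple:
    """Replay frames through an AP holding sessions for A and B; return (sessions, events)."""
    ap = DeferringAP(authenticated={"A", "B"})
    for f in sorted(frames, key=lambda fr: fr.t):
        ap.on_frame(f)
    ap.settle(end_time)
    return ap.authenticated, ap.events


# Constructed trace: a deauth claiming to be from A while A keeps sending data (spoofed),
# and a deauth from B followed by silence (genuine).
TRACE = [
    Frame("data", "A", 0.0),
    Frame("deauth", "A", 1.0),
    Frame("data", "A", 2.5),
    Frame("deauth", "B", 3.0),
    Frame("data", "A", 30.0),
]

if __name__ == "__main__":
    sessions, events = simulate(TRACE, end_time=60.0)
    for e in events:
        print(e)
    print("sessions still valid:", sorted(sessions))   # ['A']
```

The cost of the scheme is visible in `settle`: a genuine deauthentication is only honoured after the window elapses, so `B` stays in the session table for a few seconds longer than it would on a standard AP, which is the "low overhead" trade-off the slide refers to. Only the AP changes; the client side of the protocol is untouched.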
Virtual Carrier Sense Attack – Proposed Solution
• Put a cap on the maximum Duration value accepted in received frames
• If a station receives a frame with a Duration larger than the cap, truncate the Duration to the cap value
• Can be further improved by selectively honouring the specified Duration value in:
  • Data and ACK frames: these frames carry a high Duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the Duration specified in these frames can be ignored
  • RTS frame: a station that receives an RTS frame will also receive the following data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames, so the Duration value of the RTS is respected only until the following data frame is received or fails to appear

Virtual Carrier Sense Attack – Proposed Solution (contd.)
  • CTS frame: either the observed CTS is unsolicited or the observing node is a hidden terminal. If the CTS is addressed to a valid in-range station, that station can nullify it by sending a zero-duration null function frame. If the CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames carrying a cryptographically signed copy of the preceding RTS; but there are overhead and feasibility issues with this
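The two slides above give four rules for how a receiving station should treat the Duration field: cap it, ignore it on unfragmented Data/ACK, honour an RTS only until its data frame is due, and let a station cancel an unsolicited CTS in its name with a zero-duration null frame. The station model below is an added example, not the paper's or any driver's code; the cap of 3000 µs, the 300 µs wait for data after an RTS, and the station addresses are assumptions, while 32767 is the maximum Duration value the slides quote. The NAV is kept as an absolute time in microseconds so that the provisional RTS reservation can be released when no data follows.

```python
from dataclasses import dataclass

MAX_DURATION_US = 32767    # largest value the Duration field can carry (from the slides)
NAV_CAP_US = 3000          # hypothetical cap; a deployment would tune this per PHY rate
RTS_DATA_WAIT_US = 300     # hypothetical: data must follow an RTS within this many microseconds


@dataclass
class Frame:
    ftype: str               # "RTS", "CTS", "DATA", "ACK" or "NULL"
    duration: int            # Duration field, microseconds
    src: str
    dst: str
    more_frag: bool = False  # More Fragments flag; only fragmented exchanges need a long NAV


class Station:
    def __init__(self, addr: str):
        self.addr = addr
        self.nav_until = 0          # absolute time (us) before which we will not transmit
        self.rts_watch = None       # (src, deadline) while an RTS reservation is provisional
        self.sent_rts_to = set()    # peers we ourselves sent an RTS to (so their CTS is expected)
        self.actions = []           # frames this station decides to send in response

    def _settle(self, now: int) -> None:
        # An RTS whose promised data frame never appeared has its reservation released.
        if self.rts_watch and now >= self.rts_watch[1]:
            self.rts_watch = None
            self.nav_until = now

    def on_frame(self, f: Frame, now: int) -> None:
        self._settle(now)
        dur = min(f.duration, NAV_CAP_US)              # rule 1: cap every received Duration
        if f.ftype in ("DATA", "ACK"):
            if self.rts_watch and f.src == self.rts_watch[0]:
                self.rts_watch = None                  # the RTS was genuine; keep its reservation
            if not f.more_frag:
                return                                 # rule 2: unfragmented exchange, ignore Duration
        elif f.ftype == "RTS":
            self.rts_watch = (f.src, now + RTS_DATA_WAIT_US)   # rule 3: honour only provisionally
        elif f.ftype == "CTS":
            if f.dst == self.addr and f.src not in self.sent_rts_to:
                # rule 4: unsolicited CTS in our name; cancel it with a zero-duration null frame
                self.actions.append(Frame("NULL", 0, self.addr, f.src))
                return
        elif f.ftype == "NULL" and f.duration == 0:
            self.nav_until = now                       # a peer nullified a reservation made in its name
            return
        self.nav_until = max(self.nav_until, now + dur)

    def can_transmit(self, now: int) -> bool:
        self._settle(now)
        return now >= self.nav_until


if __name__ == "__main__":
    # Constructed trace: a forged RTS with the maximum Duration and no data behind it.
    b = Station("B")
    b.on_frame(Frame("RTS", MAX_DURATION_US, "X", "Y"), now=0)
    print("B deferring at t=100us:", not b.can_transmit(100))   # True (capped NAV)
    print("B free again at t=300us:", b.can_transmit(300))      # True (no data followed)
```

Each rule trades a little protocol fidelity for a bound on how long a single forged frame can silence the cell: with the cap alone a forged frame costs at most `NAV_CAP_US`, and with the RTS and CTS rules a forged reservation collapses as soon as the promised exchange fails to materialise. The hidden-terminal case the slide leaves open (a CTS addressed to a station this one cannot hear) is exactly the case this model still honours up to the cap.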
Conclusions
• 802.11 WLANs suffer from many vulnerabilities that threaten the availability of service
• Secure and extended authentication mechanisms can help
• Changes to the MAC layer protocol are also required; malicious nodes could perhaps be tracked and punished

References
• John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Usenix 2003 Security Symposium
• Dazhi Chen, Jing Deng and Pramod K. Varshney, "Protecting Wireless Networks Against a Denial of Service Attack Based on Virtual Jamming"
• IEEE Standard for Wireless LAN – Medium Access Control and Physical Layer Specification, P802.11, 1999
• AirDefense White Paper, "Wireless LAN Security – What Hackers Know That You Don't", 2002
• Vikram Gupta, Srikanth Krishnamurthy and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks"