
802.11 Denial-of-Service Attacks


Presentation Transcript


  1. 802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions Presented by : Aseem Tandon March 23, 2004

  2. Information Source • Based on a research paper by John Bellardo and Stefan Savage of UCal San Diego • Paper was presented at Usenix 2003 Security Symposium

  3. Outline • What is 802.11 ? • What is a Denial-of-Service (DoS) Attack? • Vulnerabilities in 802.11 • Practical Perspective and Proposed Solutions • Conclusions • References

  4. What is 802.11 ? • IEEE standard that specifies medium access and physical layer specs for local area wireless connectivity between fixed, portable and moving stations

  5. What is a DoS Attack ? • Denying genuine users a particular service • In our context, preventing transmission of data to/from stations

  6. Vulnerabilities in 802.11

  7. Vulnerabilities in 802.11 • Two kinds of vulnerabilities • Identity vulnerabilities • MAC vulnerabilities

  8. Identity Vulnerabilities • Arise because of implicit trust placed in the source address • No verification of source’s identity • Causes 2 kinds of attacks: • Deauthentication and Disassociation attacks • Power saving mode attack

  9. Deauthentication and Disassociation Attack (1) • Authentication Mechanism • Client sends authentication request to AP • AP sends back response • Client then sends association request • AP responds accordingly • Problem: • Explicit message for deauthentication sent in the clear, without being authenticated by keying material. • This message can be spoofed

  10. Deauthentication and Disassociation Attack (2) • The spoofed deauthentication message causes the communication between client and AP to be suspended. Hence, the attacker has achieved DoS • Client must reauthenticate to resume communication • Attacker should be careful to spoof the deauthentication message only when a successful authentication has taken place • A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear • From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack

  11. Power Saving Mode Attack (1) • Power Conservation Mechanism • Client enters sleep mode intermittently • AP buffers data during that time • Either client awakens and sends a poll message to AP for pending data, or AP broadcasts a periodic Traffic Indication Map (TIM) message conveying availability of pending data • AP delivers data and clears its buffer • Problem: • Attacker can spoof either the poll message or TIM message, as these are sent unauthenticated

  12. Power Saving Mode Attack (2) • Big problem: • Other management messages can also be spoofed, thereby making these attacks more effective • Solution • Simply encrypt these messages, like the data messages, using WEP

  13. MAC Vulnerabilities • Arise because of the collision avoidance mechanism of the 802.11 MAC layer • Cause two kinds of attacks: • Time window attack • Virtual carrier sense attack

  14. Time Window Attack • 802.11 MAC defines time windows to prioritize access to the channel • Two time windows: Short interframe space (SIFS) for an existing frame exchange and Distributed interframe space (DIFS) for a new frame exchange, with SIFS < DIFS • Every STA has to wait at least SIFS before transmitting • Therefore, the attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval • However, there is a problem with the attack • Resource intensive – Since SIFS is 28 µs (802.11b), the attacker would have to send a signal approx. 37,000 times per second

  15. Virtual Carrier Sense Attack • Carrier Sensing Mechanism • To prevent collisions, a station sends a short Request-to-Send (RTS) message • RTS contains a Duration field specifying the time for which the sender requires the channel • Receiver responds with Clear-to-Send (CTS) if it is ready to receive data • CTS contains the updated Duration field • Other stations within range set their Network Allocation Vector (NAV) such that they do not transmit for the time specified in the Duration field • Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack

  16. Virtual Carrier Sense Attack • Problem • The attacker can set the Duration field to high values (maximum 32767), preventing channel access to others • Assuming the attacker sets the maximum value, he has to transmit only 30 times per second, so the attack is cheap for the attacker

  17. Practical Perspective

  18. Practical Perspective • DoS attacks are theoretically possible, but what about actual practice? • Bad news! • It is feasible to carry out these attacks with commodity hardware with little tweaking

  19. Deauthentication attack - Empirical Results

  20. Deauthentication attack – Proposed Solutions • Solution 1: Authenticate management frames • But there are two problems with this solution: • Not feasible using a software upgrade • A standardised authentication framework is required, which can take time • Not feasible to upgrade all STAs across all networks • Solution 2: Defer deauthentication • Modify the firmware to delay acting on a deauthentication message after receiving it. If the AP receives a data message from the client after this, then the deauth request was spoofed • Advantages of solution 2: • Low overhead • Modification limited to the APs only, which is feasible
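The deferred-deauthentication logic of Solution 2, worked through as an added example (not code from the slides or from the Bellardo and Savage paper). The class names, the 10 ms grace period and the frame trace are all assumptions constructed for this illustration.

```python
"""Deferred deauthentication at the AP (slide 20, Solution 2).

Instead of tearing down the association as soon as a deauthentication
frame arrives, the AP queues it for a short grace period. If a data frame
from the same client arrives inside that window, the client is evidently
still active, so the queued deauth is judged spoofed and discarded.
"""
from dataclasses import dataclass, field

GRACE_PERIOD_US = 10_000  # assumed 10 ms deferral window (not from the slides)


@dataclass
class Frame:
    kind: str      # "deauth" or "data"
    src: str       # client MAC address (constructed sample values below)
    time_us: int   # arrival time in microseconds


@dataclass
class DeferringAP:
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # src -> deadline_us
    spoofed: int = 0                               # deauths judged spoofed

    def handle(self, frame: Frame) -> None:
        self._expire(frame.time_us)
        if frame.kind == "deauth" and frame.src in self.associated:
            # Defer: remember a deadline instead of deauthenticating now.
            self.pending.setdefault(frame.src, frame.time_us + GRACE_PERIOD_US)
        elif frame.kind == "data" and frame.src in self.pending:
            # The client is still sending data, so the earlier deauth was bogus.
            del self.pending[frame.src]
            self.spoofed += 1

    def _expire(self, now_us: int) -> None:
        # A pending deauth whose grace period passed with no data is genuine.
        for src, deadline in list(self.pending.items()):
            if now_us >= deadline:
                del self.pending[src]
                self.associated.discard(src)


def run_trace(frames):
    """Replay a frame trace through the AP and return its final state."""
    ap = DeferringAP(associated={"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"})
    for f in frames:
        ap.handle(f)
    return ap


# Constructed trace: client 01 is hit by a spoofed deauth but keeps sending;
# client 02 really leaves and sends nothing afterwards.
TRACE = [
    Frame("deauth", "aa:bb:cc:dd:ee:01", 1_000),
    Frame("data", "aa:bb:cc:dd:ee:01", 3_000),
    Frame("deauth", "aa:bb:cc:dd:ee:02", 5_000),
    Frame("data", "aa:bb:cc:dd:ee:01", 20_000),
]
```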

  21. Solution 2 – Empirical Results

  22. Virtual carrier sense attack – Empirical Results

  23. Virtual carrier sense attack – Proposed Solution • Put a cap on the value of the maximum duration on received frames • If a station receives a frame with duration more than the cap value, truncate the duration to the cap value

  24. Solution to Virtual CS attack – Empirical Results

  25. Virtual carrier sense attack – Proposed Solution • Put a cap on the maximum duration value accepted on received frames • If a station receives a frame with a duration greater than the cap value, truncate the duration to the cap value • Can be further improved by selectively adhering to the specified duration value in: • Data and ACK frames – These frames will have a high duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the duration specified in these frames can be ignored • RTS frame – A station that receives an RTS frame will also receive the data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames. So the duration value of the RTS is respected only until the following data frame is received or fails to arrive

  26. Virtual carrier sense attack – Proposed Solution …contd • CTS frame – Either the observed CTS is unsolicited or the observing node is a hidden terminal. If this CTS is addressed to a valid in-range station, the valid station can nullify it by sending a zero-duration null function frame. If this CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames containing a cryptographically signed copy of the preceding RTS. But there are overhead and feasibility issues with this
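The NAV handling of slides 23, 25 and 26 (duration cap, ignored Data/ACK durations, provisional RTS reservations, and cancellation by a zero-duration null-function frame), as an added example rather than code from the slides or the paper. The 5000 µs cap, the 400 µs deadline for the data frame announced by an RTS, and the frame dictionaries are assumptions made here; only the 32767 maximum comes from slide 16.

```python
"""Station-side NAV tracker applying the proposed virtual carrier sense defenses."""

MAX_DURATION_US = 32767   # largest encodable Duration value (slide 16)
DURATION_CAP_US = 5_000   # assumed policy cap on honoured durations
RTS_DATA_DUE_US = 400     # assumed time by which the data following an RTS is due


def capped(duration_us: int) -> int:
    """Truncate an advertised duration to the cap (slide 23)."""
    return min(duration_us, DURATION_CAP_US)


class NavTracker:
    def __init__(self):
        self.nav_until = 0         # channel considered reserved until this time
        self.rts_deadline = None   # when the data frame announced by an RTS is due

    def observe(self, frame: dict, now_us: int) -> None:
        """Update the NAV for one received frame {"type": str, "duration": int}."""
        kind, dur = frame["type"], frame["duration"]
        if dur > MAX_DURATION_US:
            raise ValueError("Duration field is 15 bits wide")
        if kind in ("data", "ack"):
            # A data frame confirms any provisional RTS reservation; the frame's
            # own Duration only matters for fragmentation, so it is ignored.
            self.rts_deadline = None
        elif kind == "rts":
            # Honour the RTS only provisionally: if the announced data frame
            # does not show up in time, is_busy() drops the reservation.
            self.nav_until = max(self.nav_until, now_us + capped(dur))
            self.rts_deadline = now_us + RTS_DATA_DUE_US
        elif kind == "cts":
            self.nav_until = max(self.nav_until, now_us + capped(dur))
        elif kind == "null" and dur == 0:
            # Zero-duration null-function frame from the CTS addressee cancels
            # the reservation (simplified: any such frame clears the NAV).
            self.nav_until = now_us

    def is_busy(self, now_us: int) -> bool:
        """True while the station must defer; also expires stale RTS reservations."""
        if self.rts_deadline is not None and now_us > self.rts_deadline:
            # The announced data frame never came: stop honouring the RTS.
            self.rts_deadline = None
            self.nav_until = now_us
        return now_us < self.nav_until
```

Without the cap, a single spoofed CTS carrying 32767 would silence the observer for about 33 ms; with it, the reservation ends after 5 ms and a bogus RTS is released once its data frame fails to appear.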

  27. Conclusions • 802.11 WLANs suffer from many vulnerabilities threatening the availability of service • Secure and extended authentication mechanisms can help • Changes to the MAC layer protocol are also required, possibly tracking and punishing malicious nodes

  28. References • John Bellardo and Stefan Savage, 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, Usenix 2003 Security Symposium • Dazhi Chen, Jing Deng and Pramod K. Varshney, Protecting Wireless Networks Against a Denial of Service Attack Based on Virtual Jamming • IEEE Standard for Wireless LAN – Medium Access Control and Physical Layer Specification, P802.11, 1999 • AirDefense White Paper, Wireless LAN Security – What Hackers Know That You Don't, 2002 • Vikram Gupta, Srikanth Krishnamurthy and Michalis Faloutsos, Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks
