330 likes | 474 Views
“802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”. Natalie Podrazik April 19, 2006 natalie2@umbc.edu. Overview. What is 802.11 802.11 Vulnerabilities Identity MAC Layer Experiment Tools and Modifications Results Conclusions Relevancy to E-Voting Project.
E N D
“802.11 Denial-of-Service Attacks:Real Vulnerabilities and Practical Solutions” Natalie Podrazik April 19, 2006 natalie2@umbc.edu Natalie Podrazik – CS 491V – natalie2@umbc.edu
Overview • What is 802.11 • 802.11 Vulnerabilities • Identity • MAC Layer • Experiment • Tools and Modifications • Results • Conclusions • Relevancy to E-Voting Project Natalie Podrazik – CS 491V – natalie2@umbc.edu
What is 802.11? • IEEE wireless internet standard • 802.11b, 802.11a, 802.11g flavors • Popular • Cheap • Easy to set up, maintain • Operates on 2.4 GHz band Natalie Podrazik – CS 491V – natalie2@umbc.edu
Access Point,Name:AccessPoint00 How does 802.11 work? Authentication Request & Response Association Request & Response Data Payload Acknowledgements Client,Name: ABCDEFGHIJKL Deauthentication Request & Response Natalie Podrazik – CS 491V – natalie2@umbc.edu
Spoofing Stalling Client,Name: MNOPQRSTUVWX Vulnerabilities 1. Identity • Use of MAC frames with sender and receiver 2. MAC Layer • Use of MAC frames to avoid collisions Hi, I’m ABCDEFGHIJKL... Frame To: AccessPoint00From:MNOPQRSTUVWXDuration: 100 s Natalie Podrazik – CS 491V – natalie2@umbc.edu
Access Point,Name:AccessPoint00 Spoof Attack 1:Deauthentication Authentication Request & Response Association Request & Response Deauthentication Request Data Payload x Client,Name: ABCDEFGHIJKL Deauthentication Response Attacker,Name: MNOPQRSTUVWX Natalie Podrazik – CS 491V – natalie2@umbc.edu
MAC Frame MAC Frame To: AccessPoint00From:ABCDEFGHIJKLMsg: DEAUTH To: ABCDEFGHIJKLFrom:AccessPoint00Msg: DEAUTH Access Point,Name:AccessPoint00 Approaches to Deauthentication • Spoof client or Access Point Client,Name: ABCDEFGHIJKL Attacker,Name: MNOPQRSTUVWX Natalie Podrazik – CS 491V – natalie2@umbc.edu
Strength of Deauthentication Attack • Client must re-establish connection • Prevention of sending or receiving any data • Possibilities • Forbid or limit access to certain clients • Block entire access point • More work for attacker • Clean attacks – new auths • No escape for client to other AP’s Natalie Podrazik – CS 491V – natalie2@umbc.edu
Access Point,Name:AccessPoint00 Spoof Attack 2:Disassociation Authentication Request & Response Association Request & Response Disassociation Request Data Payload x Client,Name: ABCDEFGHIJKL Deauthentication Response Attacker,Name: MNOPQRSTUVWX Natalie Podrazik – CS 491V – natalie2@umbc.edu
Evaluation of Disassociation Attack • Similar to deauthentication • Less efficient • Deauthentication forces the client do to more work: re-establish authentication + association • Disassociation only forces client to reestablish association, not authentication. Natalie Podrazik – CS 491V – natalie2@umbc.edu
Access Point,Name:AccessPoint00 0 1 2 3 4 5 6 7 Spoof Attack #3: While you were sleeping... • Power-saving techniques allow clients to go to sleep Ok, I’ll take your messages. I’m going to sleep zzzzz I’m awake. Any messages? 0 1 2 3 4 5 6 7 Client,Name: ABCDEFGHIJKL Natalie Podrazik – CS 491V – natalie2@umbc.edu
x Access Point,Name:AccessPoint00 0 1 2 3 4 5 6 7 Spoofing the Polling Message Nope. zzzzz I’m awake. Any messages? I’m ABCDEFGHIJK, and I’m awake. 0 1 2 3 4 5 6 7 Client,Name: ABCDEFGHIJKL Attacker,Name: MNOPQRSTUVWX Natalie Podrazik – CS 491V – natalie2@umbc.edu
Access Point,Name:AccessPoint00 TIM No pendingmessages forABCDEFGHIJKL TIM Packets • Traffic Indication Map • Spoof broadcast of TIM zzzzz 0 1 2 3 4 5 6 7 Client,Name: ABCDEFGHIJKL Natalie Podrazik – CS 491V – natalie2@umbc.edu
Timing • Waking up timing relies on: • Period of TIM packets • Timestamp broadcast from access point • Both are sent in the clear • Attack: • Get client out of sync • Wake up at the wrong times Natalie Podrazik – CS 491V – natalie2@umbc.edu
MAC Frame To: AccessPoint00 From: ABCDEFGHIJKLWindow: DIFS MAC Vulnerabilities • Access to MAC divided into windows • Short InterFrame Space (SIFS) • For already connected exchanges • Distributed Coordination Function InterFrame Space (DIFS) • To initiate new frames • Sender specifies which window • No immediate ACK = collision • Random exponential backoff algorithm Natalie Podrazik – CS 491V – natalie2@umbc.edu
MAC Attack #1: Waiting to Transmit • Every transmitting node has to wait at least 1 SIFS interval • Attack: send short message before end of each SIFS interval • Unlikely: SIFS period = 20 s, many packets per second to send 1 SIFS interval (20 s) Backoff Natalie Podrazik – CS 491V – natalie2@umbc.edu
MAC Frame To: AccessPoint00From:MNOPQRSTUVWXDuration: 32767 s MAC Attack #2: Duration • Every 802.11 frame has a duration field • How many s the channel will be reserved • Used to setup Network Allocation Vector (NAV) • Nodes can only transmit when NAV == 0 Natalie Podrazik – CS 491V – natalie2@umbc.edu
Duration Attacks • Possible to use almost any frame to control NAV • ACK • RTS (Request To Send) / CTS (Clear To Send) • Attacker uses little resources • Transmit ~30 times / second to jam channel • Little power used • Use of a directional antennae Natalie Podrazik – CS 491V – natalie2@umbc.edu
Experiment • Challenge: • Modifying MAC frames to spoof sender address • Generating any old control frames • Solution: • Tweak “Buffer Access Path” firmware and Aux-Port • Intervenes between NIC’s passing of packets to hardware • Attacks via OTS hardware Natalie Podrazik – CS 491V – natalie2@umbc.edu
Attacker • iPAQ H3600 with Dlink DWL-650 card • Linux • Weighs 375 g (~12oz) • Easily fits in a coat pocket • Listening application • Clients identified by MAC addresses • DNS-resolver used Natalie Podrazik – CS 491V – natalie2@umbc.edu
Experiments Attacker Monitoring Station Client(Windows XP) Client(MacOS X) Access Point(Linux HostAP) Client(Linux Thinkpad) Client(Linux iPaq) Natalie Podrazik – CS 491V – natalie2@umbc.edu
Attack #1: Deauth Against One Attacker Monitoring Station Client(MacOS X) Access Point(Linux HostAP) Client(Linux Thinkpad) Client(Linux iPaq) Natalie Podrazik – CS 491V – natalie2@umbc.edu
Single Client Attack • Transfer immediately halted • Attack lasted for < 10 sec • Rate of transfer wasn’t up to par for more than a minute Recovery Natalie Podrazik – CS 491V – natalie2@umbc.edu
Attack #2: Deauth Against All Attacker Monitoring Station Client(MacOS X) Access Point(Linux HostAP) Client(Linux Thinkpad) Client(Linux iPaq) Natalie Podrazik – CS 491V – natalie2@umbc.edu
Attack Against All Clients • Windows XP can still send a little bit • Packets not from that session – underlying UDP packets from another XP service Natalie Podrazik – CS 491V – natalie2@umbc.edu
Attacker Monitoring Station Access Point MAC Attack • Plays by timing rules but sets large durations • Sends packets out 30 times per second • Ignores all duration values from any other node 18 client nodes in this experiment Natalie Podrazik – CS 491V – natalie2@umbc.edu
Results of MAC Attack • Channel is completely blocked for the duration of the attack • Similar results with ACK and RTS/CTS frames Natalie Podrazik – CS 491V – natalie2@umbc.edu
Defenses to MAC Attack • Cap on duration values • Sending 90 packets per second brought network down Natalie Podrazik – CS 491V – natalie2@umbc.edu
Overall Recommendations • Authentication of 802.11 control packets • Limiting the size of ACK frames • Individual nodes’ duration threshold • Situational Awareness Natalie Podrazik – CS 491V – natalie2@umbc.edu
New and Relevant • Modifying frames at data link layer through OTS hardware • Strength of attacks • Ease of attack • Scale of attack • Resources needed • Capabilities of modern cell phones Natalie Podrazik – CS 491V – natalie2@umbc.edu
Mobile Devices 8215Smartphone iPAQ H6315Pocket PC LinkSysWIP300 F1000G T-Mobile M/DA Verizon XV6700 Natalie Podrazik – CS 491V – natalie2@umbc.edu
AVS WINvote Natalie Podrazik – CS 491V – natalie2@umbc.edu
Works Cited • “Access Point". Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point • Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August 2003. • Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networing." U Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.html • "HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htm • "Media Access Control". Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control • "Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com \ • "UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/ • "Wi-Fi". Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi Natalie Podrazik – CS 491V – natalie2@umbc.edu