802.11 Denial-of-Service Attacks:
Real Vulnerabilities & Practical Solutions
Luat Vu
Alexander Alexandrov
802.11 Advantages
Free spectrum
Efficient channel coding
Cheap interface hardware
Easy to extend a network
Easy to deploy
802.11 Problems
Attractive targets for potential attacks
An attacker is free to decide where and when to launch an attack
Difficult to locate the source of
transmissions
Not easy to detect well-planned attacks
Vulnerabilities in the 802.11 MAC
protocols
WEP
Wired Equivalency Protocol
Provide data privacy between 802.11
clients and access points
Rely on shared secret keys
Use challenge-response authentication
protocol
Data packets are encrypted when
transferred
WEP Vulnerabilities
Recurring weak keys
Secret key can be recovered
Under attack, network resources can be
fully utilized and an attacker can monitor
the traffic of other networks
WEP-protected frames can be modified,
new frames can be injected, authentication
frames can be spoofed all without knowing
the shared secret key
802.11 MAC protocol
Designed to address problems specific to wireless networks
Has abilities to discover networks, join and leave networks, and coordinate access
Deauthentication/disassociation
Virtual carrier sense attacks
Authentication DoS attacks
Need a new protocol to overcome current security problems
802.11 Frame Types
Management Frames
Authentication Frames
Deauthentication Frames
Association request Frames
Association response Frames
Reassociation request Frames
Reassociation response Frames
Disassociation Frames
Beacon Frames
Probe Request Frames
Probe Response Frames
802.11 Frame Types
Data Frames
Control Frames
Request to Send (RTS) Frame
Clear to Send (CTS) Frame
Acknowledgement (ACK) Frame
Deauthentication
A client must first authenticate itself to the
AP before further communication
Clients and AP use messages to explicitly
request deauthentication from each other
This message can be spoofed by an
attacker because it is not authenticated by
any key material
Deauthentication
An attacker has a great flexibility in
attacking
An attacker can pretend to be AP or the
client
An attacker may elect to deny access to
individual clients, or even rate-limit their
access
Disassociation
A client may be authenticated with multiple APs at once
The 802.11 standard provides a special association message to allow the client and AP to agree which AP will forward packets
802.11 also provides a disassociation message; association frames, like authentication frames, are unauthenticated
An attacker can exploit this vulnerability in the same way as the deauthentication attack
Power Saving
To conserve energy, clients are allowed to enter a sleep state
The client has to announce its intention to the AP before going to sleep
The AP will buffer any inbound traffic for the node
When the client wakes up, it will poll the AP for any pending traffic
By spoofing the polling message on behalf of the client, an attacker can cause the AP to discard the client's packets while it is asleep
Media Access Vulnerabilities
Short Interframe Space (SIFS)
Distributed Coordination Function Interframe Space (DIFS)
Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods
The SIFS window is used for frames that are part of a preexisting frame exchange
The DIFS window is used for nodes wishing to initiate a new frame exchange
Media Access Vulnerabilities
To avoid all nodes transmitting
immediately after the DIFS expires, the
time after the DIFS is subdivided into slots
Each time slot is picked randomly and with
equal probability by a node to start
transmitting
If a collision occurs, a sender uses a
random exponential backoff algorithm
before retransmitting
Media Access Vulnerabilities
A SIFS period is 20 microseconds
An attacker can monopolize the channel by sending a short signal before the end of every SIFS period
This attack is highly effective but requires a lot of effort
Media Access Vulnerabilities
Duration field – another serious
vulnerability.
Duration field is used to indicate the
number of microseconds that the channel
is reserved.
It is used to implement the Network Allocation Vector (NAV)
The NAV is used in the RTS/CTS handshake
802.11 Attack Infrastructure
It seems all 802.11 NICs are inherently able to generate arbitrary frames
In practice devices implement key MAC
functions in firmware to moderate access
Could use undocumented modes of
operation such as HostAP and HostBSS
Choice Microsystems AUX Port used for
debugging
802.11 Deauthentication Attack
Deauthentication Attack Implementation
1 attacker, 1 access point, 1 monitoring
station, 4 legitimate clients
Deauthentication Attack Solution
All 4 clients gave up connecting
Could be solved by authentication, but that is expensive
Practical solution: queue the request for 5-10 seconds; if no subsequent traffic arrives from the client, drop the connection. Only a firmware modification is needed
Solves the problem, but introduces a new one
Problems with this solution
When a mobile client roams, which AP should receive packets destined for the client?
An adversary can keep a connection open
to the old AP by continuously sending
packets
Intelligent and dumb infrastructures
Easy to solve for intelligent, more
problematic for dumb infrastructures
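The delayed-honouring stop-gap described above, together with a simple monitoring-station flood heuristic, as an added Python example (this is not code from the slides or from the authors' firmware modification). It decodes the 24-byte 802.11 MAC header of frames held in memory, queues deauthentication and disassociation requests for a configurable delay, and cancels a queued request if data traffic from the same client keeps arriving, which is exactly the case a spoofed request cannot survive. The MAC addresses, the 5-second delay, the flood threshold and the test frames are constructed assumptions; only the AP side of the policy is modelled.

```python
import struct
from collections import deque

# 802.11 frame-control type and subtype values (from the standard)
TYPE_MGMT, TYPE_DATA = 0, 2
SUB_DISASSOC, SUB_DEAUTH = 10, 12
HDR_LEN = 24  # FC(2) + duration(2) + three addresses(18) + sequence control(2)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame):
    """Decode the 24-byte MAC header of a captured 802.11 frame (little-endian fields)."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        "dst": _mac(frame[4:10]),
        "src": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),
        "body": frame[HDR_LEN:],
    }


def is_deauth_or_disassoc(h):
    return h["type"] == TYPE_MGMT and h["subtype"] in (SUB_DEAUTH, SUB_DISASSOC)


class DelayedDeauthAP:
    """AP-side stop-gap from the slides: queue a deauth/disassoc request for delay_s
    seconds and honour it only if the client stays silent for that long."""

    def __init__(self, delay_s=5.0):
        self.delay_s = delay_s
        self.associated = set()   # clients currently associated
        self.pending = {}         # client -> deadline at which the request takes effect

    def on_frame(self, h, now):
        client = h["src"]
        if is_deauth_or_disassoc(h):
            if client in self.associated and client not in self.pending:
                self.pending[client] = now + self.delay_s
            return "queued"
        if h["type"] == TYPE_DATA and client in self.pending:
            # The client is still talking, so the request was most likely spoofed.
            del self.pending[client]
            return "cancelled"
        return "forwarded"

    def expire(self, now):
        """Drop the clients whose queued request has aged past the delay."""
        done = [c for c, t in self.pending.items() if now >= t]
        for c in done:
            self.associated.discard(c)
            del self.pending[c]
        return done


class DeauthFloodMonitor:
    """Monitoring-station heuristic: count deauth/disassoc frames per BSSID in a sliding window."""

    def __init__(self, window_s=1.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self.seen = {}

    def observe(self, h, now):
        if not is_deauth_or_disassoc(h):
            return False
        q = self.seen.setdefault(h["bssid"], deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


def make_frame(ftype, subtype, dst, src, bssid, body=b""):
    """Build an in-memory frame for the parser (constructed test input only)."""
    fc = (ftype << 2) | (subtype << 4)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0) + body


AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed addresses


def run_scenario():
    """Spoofed request cancelled by live traffic, then a genuine request honoured after the delay."""
    ap = DelayedDeauthAP(delay_s=5.0)
    ap.associated.add(CLIENT)
    deauth = make_frame(TYPE_MGMT, SUB_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))
    data = make_frame(TYPE_DATA, 0, AP, CLIENT, AP, b"payload")
    r1 = ap.on_frame(parse_80211(deauth), now=0.0)
    r2 = ap.on_frame(parse_80211(data), now=1.0)
    dropped_a = ap.expire(now=6.0)
    r3 = ap.on_frame(parse_80211(deauth), now=10.0)
    dropped_b = ap.expire(now=16.0)
    return r1, r2, dropped_a, r3, dropped_b
```

The scenario returns `("queued", "cancelled", [], "queued", [CLIENT])`: the first request is neutralised by the client's own data frame, the second one, with no traffic following it, drops the association after the delay. The flood monitor is the complementary view from the monitoring station in the slides' test setup: a burst of deauthentication frames for one BSSID inside a short window is what a spoofing attacker looks like on the air, regardless of which side the frames claim to come from.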
802.11 Virtual Carrier-sense attack
Virtual carrier-sense attack
Current 802.11 devices do not properly follow the specification
NS-2 Attack Simulation
Assuming this bug will be fixed, simulate
the attack in ns-2
18 static client nodes, 1 static attacker
node sending arbitrary duration values 30
times a second
Channel is completely blocked; much harder to defend against than the deauthentication attack
Simulation Results
Solution – low and high caps on CTS
duration time
Still not perfect…
By increasing the attacker’s frequency to
90 packets per second, the network could
still be shut down
Virtual Carrier-sense attack solution
Solution – abandon portions of the
standard 802.11 MAC functionality
Four key frames that contain duration
values – ACK, data, RTS, CTS
Stop fragmentation – no need for ACK and
data duration values.
Only the RTS-CTS-data sequence is treated as valid
A lone CTS is either unsolicited or the observing node is a hidden terminal; solution: each node independently ignores lone CTS packets
Still suboptimal…
Still not perfect – at threshold 30%, the
attacker can still lower the available
bandwidth by 1/3.
Best solution – explicit authentication to
802.11 control packets.
Requires a fresh cryptographically signed copy of the originating RTS
Significant alteration to 802.11 standards,
benefit/cost ratio not clear
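A simulation of the NAV defences listed above, added here as Python (it is not the authors' ns-2 model or any code from the paper). One listening node updates its NAV from a trace of frames and reports the fraction of a time span it considers reserved, so the effect of each policy (duration caps, ignoring ACK/data durations, ignoring lone CTS frames) can be compared on the same trace. The attacker trace, the 2000 µs cap and the 500 µs window used to decide whether a CTS follows an RTS are constructed assumptions; 32767 µs is the largest value the 15-bit duration field can carry.

```python
# Frames are (t_us, kind, duration_us, src) with kind in {"RTS", "CTS", "DATA", "ACK"}.
MAX_DURATION_US = 32767   # largest value the duration field can carry
SIFS_US = 20              # value quoted on the slides
CTS_WINDOW_US = 500       # assumption: SIFS plus a CTS at the base rate; later than this is "lone"


def effective_duration(kind, duration, t, last_rts_t, policy):
    """Return the NAV reservation this node honours for a frame, or None to ignore it.

    policy keys (all optional):
      ignore_ack_data - fragmentation disabled, so ACK/data durations carry no information
      ignore_lone_cts - honour a CTS only if an RTS was heard within CTS_WINDOW_US
      cap_us          - upper bound on RTS/CTS reservations
    """
    if policy.get("ignore_ack_data") and kind in ("ACK", "DATA"):
        return None
    if policy.get("ignore_lone_cts") and kind == "CTS":
        if last_rts_t is None or t - last_rts_t > CTS_WINDOW_US:
            return None  # unsolicited CTS
    cap = policy.get("cap_us")
    if cap is not None and kind in ("RTS", "CTS"):
        duration = min(duration, cap)
    return min(duration, MAX_DURATION_US)


def nav_busy_fraction(frames, span_us, policy):
    """Fraction of [0, span_us) during which this node's NAV says the medium is reserved."""
    nav_end = 0          # current NAV expiry
    busy = 0             # total reserved time, overlaps counted once
    last_rts_t = None
    for t, kind, dur, src in sorted(frames):
        eff = effective_duration(kind, dur, t, last_rts_t, policy)
        if kind == "RTS":
            last_rts_t = t
        if eff is None:
            continue
        end = min(t + eff, span_us)
        if end > nav_end:
            busy += end - max(nav_end, t)
            nav_end = end
    return busy / span_us


def forged_cts_stream(rate_per_s, duration_us=MAX_DURATION_US, span_us=1_000_000):
    """Constructed trace: one node emitting unsolicited CTS frames with a forged duration
    at a fixed rate, the scenario the slides simulate at 30 and 90 frames per second."""
    step = span_us // rate_per_s
    return [(k * step, "CTS", duration_us, "attacker") for k in range(rate_per_s)]


def compare_policies(rate_per_s):
    """Busy fraction of a one-second span under each defence, for the same forged trace."""
    trace = forged_cts_stream(rate_per_s)
    return {
        "no defence": nav_busy_fraction(trace, 1_000_000, {}),
        "cap 2000us": nav_busy_fraction(trace, 1_000_000, {"cap_us": 2000}),
        "ignore lone CTS": nav_busy_fraction(trace, 1_000_000, {"ignore_lone_cts": True}),
    }
```

With no defence, 30 maximum-duration frames per second reserve about 98% of the second and 90 per second reserve all of it, matching the "channel completely blocked" result. A cap limits the damage to rate times cap (6% at 30 frames/s, 18% at 90 with the assumed 2000 µs), which still scales with the attacker's rate, whereas the lone-CTS rule removes unsolicited reservations entirely while a genuine RTS followed by a CTS within the window is still honoured.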
Related Work – Launching and Detecting
Jamming Attacks in 802.11
Jamming – emitting radio frequencies that
do not follow 802.11 MAC protocol
Measured by packet send ratio (PSR) and packet delivery ratio (PDR)
Four attacking models – constant,
deceptive, random, reactive jammer
Effectiveness of Jamming Attacks
Basic Statistics for Detecting Jamming
Signal Strength
Can be either Basic Average or Signal
Strength Spectral Discrimination – unreliable
Basic Statistics for Detecting Jamming
Carrier Sensing Time
However, it has to differentiate between congestion and jamming
With a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence
Still detects only constant and deceptive jammers
Packet Delivery Ratio: effective for all jammers, but still cannot differentiate between jamming and other network dynamics such as a sender running out of battery power
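The two statistics above, computed over per-attempt samples and combined in the way the slides describe their limits, as an added Python example (not code from the jamming paper). Each attempt is recorded as the time the radio spent waiting for a clear medium and whether the packet was acknowledged; the 75% PDR and 60 ms thresholds are the values quoted on the slides, while the combination rule and the four constructed traffic windows are assumptions made for the example.

```python
from statistics import mean

PDR_THRESHOLD = 0.75          # from the slides: PDR of 75%
SENSING_THRESHOLD_MS = 60.0   # from the slides: 60 ms carrier-sensing time at 99% confidence


def packet_delivery_ratio(attempts):
    """attempts: list of (carrier_sensing_wait_ms, acked) per transmission attempt."""
    if not attempts:
        return 0.0
    return sum(1 for _, acked in attempts if acked) / len(attempts)


def mean_sensing_time_ms(attempts):
    return mean(wait for wait, _ in attempts) if attempts else 0.0


def classify_window(attempts):
    """Assumed combination rule: each statistic alone is ambiguous, as the slides note;
    only a long sensing time together with a low PDR points at a constant or deceptive jammer."""
    pdr = packet_delivery_ratio(attempts)
    sensing = mean_sensing_time_ms(attempts)
    if sensing > SENSING_THRESHOLD_MS and pdr < PDR_THRESHOLD:
        return "jamming (constant/deceptive)"
    if sensing > SENSING_THRESHOLD_MS:
        return "busy medium (congestion or jamming)"
    if pdr < PDR_THRESHOLD:
        return "low PDR (random/reactive jammer or non-jamming cause)"
    return "normal"


def classify_trace(attempts, window=20):
    """Label consecutive windows of a trace."""
    return [classify_window(attempts[i:i + window]) for i in range(0, len(attempts), window)]


def constructed_trace():
    """Constructed sample: 20 attempts each of normal traffic, congestion, constant
    jamming, and a peer that has stopped answering (e.g. a drained battery)."""
    normal = [(2.0, True)] * 20
    congested = [(85.0, True)] * 18 + [(85.0, False)] * 2
    jammed = [(120.0, False)] * 19 + [(120.0, True)]
    dead_peer = [(2.5, False)] * 20
    return normal + congested + jammed + dead_peer
```

Running `classify_trace(constructed_trace())` labels the four windows normal, busy medium, jamming and low PDR in turn. The last two windows both have a PDR near zero, and only the sensing-time statistic separates them; the second and third windows both exceed the sensing-time threshold, and only the PDR separates them, which is the limitation the slides point out for each statistic used on its own.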
Conclusions
Wireless networks are popular due to convenience; however, confidentiality and availability are critical
Arbitrary 802.11 frames can be easily sent using commodity hardware
Deauthentication attacks are effective; virtual carrier-sense attacks will be
Simple stop-gap solutions can be applied
with low overhead on existing hardware.
Thank you !
Any questions ?