802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions
Presented by Luat Vu and Alexander Alexandrov
(A presentation of the paper of the same title by John Bellardo and Stefan Savage, USENIX Security 2003.)

802.11 Advantages
- Free (unlicensed) spectrum
- Efficient channel coding
- Cheap interface hardware
- Easy to extend a network
- Easy to deploy

802.11 Problems
- An attractive target for attacks
- The attacker is free to decide where and when to launch an attack
- It is difficult to locate the source of a transmission
- Well-planned attacks are not easy to detect
- The 802.11 MAC protocol itself has vulnerabilities

WEP (Wired Equivalent Privacy)
- Provides data privacy between 802.11 clients and access points
- Relies on shared secret keys
- Uses a challenge-response authentication protocol
- Data frames are encrypted in transit

WEP Vulnerabilities
- Recurring weak keys: the secret key can be recovered from captured traffic
- Once the key is recovered, the attacker can fully use the network's resources and monitor the traffic of the other stations
- WEP-protected frames can be modified, new frames can be injected, and authentication frames can be spoofed, all without knowing the shared secret key

802.11 MAC Protocol
- Designed to address problems specific to wireless networks: discovering networks, joining and leaving them, and coordinating access to the channel
- Attacks at this layer: deauthentication/disassociation, virtual carrier-sense attacks, authentication DoS
- A new protocol is needed to overcome the current security problems

802.11 Frame Types
- Management frames: Authentication, Deauthentication, Association request, Association response, Reassociation request, Reassociation response, Disassociation, Beacon, Probe request, Probe response
- Data frames
- Control frames: Request to Send (RTS), Clear to Send (CTS), Acknowledgement (ACK)

Deauthentication
- A client must first authenticate itself to the AP before any further communication
- Clients and APs use an explicit message to request deauthentication from each other
- This message is not protected by any key material, so an attacker can spoof it
- The attacker has great flexibility: it can pretend to be the AP or the client, deny access to individual clients, or merely rate-limit their access, since the victim must re-authenticate and re-associate after every forged deauthentication
(figure slides: deauthentication exchange and attack)

Disassociation
- A client may be authenticated with multiple APs at once
- The 802.11 standard provides an association message so the client and AP agree on which AP will forward the client's packets
- The matching disassociation message is just as unauthenticated as the association frames
- An attacker can exploit it the same way as deauthentication; it is somewhat less efficient, because the victim stays authenticated and only has to re-associate

Power Saving
- To conserve energy, clients are allowed to enter a sleep state; the client announces its intention to the AP before sleeping
- The AP buffers any inbound traffic for the sleeping node
- When the client wakes up, it polls the AP for pending traffic
- By spoofing the poll on behalf of the sleeping client, an attacker causes the AP to release and discard the buffered packets while the real client is still asleep

Media Access Vulnerabilities
- Short Interframe Space (SIFS) and Distributed Coordination Function Interframe Space (DIFS)
- Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods
- The SIFS window is used for frames that are part of a pre-existing exchange (for example CTS or ACK)
- The DIFS window is used by nodes wishing to initiate a new frame exchange
- To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots; each node picks a slot uniformly at random and starts transmitting there
- If a collision occurs, the sender uses random exponential backoff before retransmitting
- A SIFS period is 20 microseconds; an attacker can monopolize the channel by sending a short signal before the end of every SIFS period
- This attack is highly effective but costly: with a 20 microsecond SIFS the attacker has to transmit on the order of 50,000 times per second
(figure slides: interframe spacing and slot timing)

Media Access Vulnerabilities: the Duration Field
- Another serious vulnerability: the Duration field indicates the number of microseconds for which the channel is reserved
- It is used to implement the Network Allocation Vector (NAV), which every station maintains as part of the RTS/CTS handshake
- Any station that hears the frame defers for the stated duration, whether or not the frame is legitimate; the field is 15 bits wide, so a single frame can reserve up to 32767 microseconds, and about 30 such frames per second cover almost the whole second

802.11 Attack Infrastructure
- It seems all 802.11 NICs are inherently able to generate arbitrary frames
- In practice, devices implement key MAC functions in firmware, which moderates what the host can send
- Undocumented modes of operation such as HostAP and HostBSS, or the Choice Microsystems AUX port (intended for debugging), give enough control to inject arbitrary frames
(figure slide: attack infrastructure)

802.11 Deauthentication Attack: Implementation
- 1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients
- All 4 clients gave up connecting

Deauthentication Attack: Solution
- Could be solved by authenticating management frames, but that is expensive
- Practical solution: queue a deauthentication request for 5-10 seconds; if no subsequent traffic arrives from that client, drop the connection; if traffic does arrive, the request was spoofed and is discarded. This is a simple firmware modification.
- Solves the problem but introduces a new one

Problems with this solution
- When a mobile client roams, which AP should receive packets destined for the client?
- An adversary can keep a connection open to the old AP by continuously sending packets on the client's behalf
- Intelligent versus dumb infrastructures: easy to solve where the APs coordinate, more problematic for dumb infrastructures

802.11 Virtual Carrier-sense Attack
- Current 802.11 devices do not follow the specification properly: they do not honor the Duration field, so the attack does not yet work against them
- NS-2 attack simulation: assuming this bug will be fixed, the attack was simulated in ns-2 with 18 static client nodes and 1 static attacker node sending frames with arbitrary duration values 30 times a second
- The channel is completely blocked; much harder to defend against than the deauthentication attack
(figure slide: simulation results)
- Solution: low and high caps on the CTS duration. Still not perfect: by increasing its frequency to 90 packets per second, the attacker could still shut the network down

Virtual Carrier-sense Attack: Solution
- Abandon portions of the standard 802.11 MAC functionality
- Four frame types carry duration values: ACK, data, RTS, CTS
- Stop using fragmentation, so ACK and data duration values are no longer needed
- Honor only the valid RTS-CTS-data sequence
- A lone CTS is either unsolicited or the observing node is a hidden terminal; the solution is for each node to independently ignore lone CTS frames
- Still suboptimal: at the 30% threshold the attacker can still lower the available bandwidth by a third
- Best solution: explicit authentication of 802.11 control frames. Requires a fresh, cryptographically signed copy of the originating RTS. A significant alteration to the 802.11 standard; the benefit/cost ratio is not clear

Related Work: Launching and Detecting Jamming Attacks in 802.11
- Jamming: emitting radio signals that do not follow the 802.11 MAC protocol
- Measured by packet send ratio (PSR) and packet delivery ratio (PDR)
- Four attack models: constant, deceptive, random and reactive jammer
(figure slide: effectiveness of jamming attacks)

Basic Statistics for Detecting Jamming
- Signal strength: either the basic average or spectral discrimination; unreliable
- Carrier sensing time: one has to differentiate between congestion and jamming; with a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence; still detects only constant and deceptive jammers
- Packet delivery ratio: effective for all jammers, but still cannot differentiate jamming from other network dynamics, such as the sender running out of battery power

Conclusions
- Wireless networks are popular because of their convenience, but confidentiality and availability are critical
- Arbitrary 802.11 frames can easily be sent using commodity hardware
- Deauthentication attacks are effective today; virtual carrier-sense attacks will be once devices honor the Duration field
- Simple stop-gap solutions can be applied with low overhead on existing hardware

Thank you! Any questions?
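Appended worked example (added here; not part of the original slides and not the paper's code): a Python model of the two firmware-side stop-gaps described in the deck. DeferredDeauth implements the deauthentication solution (hold a deauthentication or disassociation request for a grace period and discard it as spoofed if the station keeps transmitting), and NavFilter implements the second virtual carrier-sense solution (ignore data/ACK durations, honor only RTS-CTS sequences, drop lone CTS frames, cap reservations). The frame encodings follow the 802.11 header layout; the MAC addresses, the 20 ms cap, the 400 µs RTS window and the frame stream itself are constructed assumptions.

```python
"""Hypothetical AP-side filter for spoofed deauth/disassoc frames and bogus
Duration values.  Frames, addresses and thresholds are constructed samples."""
import struct

MGMT, CTRL, DATA = 0, 1, 2        # 802.11 frame-control "type" values
DEAUTH, DISASSOC = 0xC, 0xA       # management subtypes
RTS, CTS = 0xB, 0xC               # control subtypes


def fc(ftype, subtype):
    """Frame-control field: protocol version 0, no flags set."""
    return (ftype << 2) | (subtype << 4)


def mgmt_frame(subtype, da, sa, bssid, reason=1):
    """Deauth/Disassoc: 24-byte header plus a 2-byte reason code (no FCS)."""
    hdr = struct.pack("<HH6s6s6sH", fc(MGMT, subtype), 0, da, sa, bssid, 0)
    return hdr + struct.pack("<H", reason)


def data_frame(da, sa, bssid, body=b""):
    return struct.pack("<HH6s6s6sH", fc(DATA, 0), 0, da, sa, bssid, 0) + body


def rts_frame(ra, ta, duration_us):
    return struct.pack("<HH6s6s", fc(CTRL, RTS), duration_us, ra, ta)


def cts_frame(ra, duration_us):
    return struct.pack("<HH6s", fc(CTRL, CTS), duration_us, ra)


def parse(frame):
    """Return (type, subtype, duration, addr1, addr2); addr2 is None for CTS."""
    f, duration = struct.unpack_from("<HH", frame)
    addr2 = frame[10:16] if len(frame) >= 16 else None
    return (f >> 2) & 3, (f >> 4) & 0xF, duration, frame[4:10], addr2


class DeferredDeauth:
    """Queue a deauth/disassoc for `grace` seconds.  Any later frame whose
    source address is the station proves it is still alive, so the queued
    request is dropped as spoofed.  A client can apply the same rule to
    deauths that claim to come from its AP."""

    def __init__(self, grace=5.0):
        self.grace = grace
        self.pending = {}          # station MAC -> time the request arrived

    def handle(self, frame, now):
        ftype, subtype, _, _addr1, addr2 = parse(frame)
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            self.pending.setdefault(addr2, now)     # addr2 is the claimed sender
            return "queued"
        if addr2 in self.pending:
            del self.pending[addr2]                 # station still talking
            return "spoof-dropped"
        return "ok"

    def expire(self, now):
        """Honor the requests whose grace period passed with no traffic.
        Note the roaming caveat from the slides: an attacker who keeps
        sending frames with the station's address keeps it 'alive' here."""
        done = [s for s, t in self.pending.items() if now - t >= self.grace]
        for s in done:
            del self.pending[s]
        return done


class NavFilter:
    """Honor only RTS-CTS reservations, ignore lone CTS frames, and cap the
    reservation.  With fragmentation disabled, data and ACK durations are
    never used to set the NAV.  max_us and rts_window_us are assumed values."""

    def __init__(self, max_us=20000, rts_window_us=400):
        self.max_us, self.window = max_us, rts_window_us
        self.nav_until = 0         # channel is considered busy until this time
        self.recent_rts = {}       # TA of a heard RTS -> time it was heard

    def _reserve(self, now, duration):
        capped = min(duration, self.max_us)
        self.nav_until = max(self.nav_until, now + capped)
        return "capped" if capped != duration else "reserved"

    def handle(self, frame, now):
        ftype, subtype, duration, addr1, addr2 = parse(frame)
        if ftype == CTRL and subtype == RTS:
            self.recent_rts[addr2] = now            # addr2 (TA) expects a CTS
            return self._reserve(now, duration)
        if ftype == CTRL and subtype == CTS:
            seen = self.recent_rts.pop(addr1, None)  # CTS RA must equal RTS TA
            if seen is None or now - seen > self.window:
                return "lone-cts-ignored"
            return self._reserve(now, duration)
        return "ignored"           # data/ACK durations never touch the NAV
```

An attacker can still forge RTS frames with large durations, which is why the deck's final answer is a cryptographically signed RTS echoed in the CTS; the filter above only removes the cheapest attacks (a single 32767 µs lone CTS, or a spoofed deauth) at firmware cost.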
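Appended worked example (added here; not part of the original slides and not the code of the jamming paper the deck summarizes): the two detection statistics from the "Basic Statistics for Detecting Jamming" slides, run over constructed one-second measurement windows for a single link. The 75% PDR operating point and the 60 ms carrier-sense threshold are the values quoted on the slides; the RSSI threshold, the Window fields and the sample windows are assumptions. The final consistency check, which uses signal strength to separate a jammed link from a peer that is merely dying, goes beyond what the slides state.

```python
"""Jamming detection from per-window link statistics.  Slide values:
PDR_MIN, SENSE_MAX_MS.  Assumptions: RSSI_GOOD_DBM and the SAMPLES."""
from dataclasses import dataclass


@dataclass
class Window:
    sent: int          # frames the MAC actually put on the air this second
    acked: int         # frames acknowledged by the peer
    sense_ms: float    # longest time a frame waited for the channel to go idle
    rssi_dbm: float    # mean signal strength heard from the peer


PDR_MIN = 0.75          # slides: PDR operating point used to tune the threshold
SENSE_MAX_MS = 60.0     # slides: carrier-sense time threshold (99 % confidence)
RSSI_GOOD_DBM = -70.0   # assumption: above this the peer is clearly in range


def pdr(w: Window) -> float:
    """Packet delivery ratio: acknowledged / sent; 0 when nothing was sent."""
    return w.acked / w.sent if w.sent else 0.0


def carrier_sense_alarm(w: Window) -> bool:
    """Catches constant and deceptive jammers: the channel never goes idle,
    so the wait exceeds anything ordinary congestion produces."""
    return w.sense_ms > SENSE_MAX_MS


def pdr_alarm(w: Window) -> bool:
    """Catches every jammer type, but also a peer that is dying or out of range."""
    return pdr(w) < PDR_MIN


def classify(w: Window) -> str:
    if carrier_sense_alarm(w):
        return "jammed:carrier-sense"
    if not pdr_alarm(w):
        return "normal"
    # Low PDR on its own is ambiguous (slides).  Lost frames from a peer whose
    # signal is still strong point to jamming; lost frames from a fading peer
    # point to a link problem such as the sender running out of battery.
    if w.rssi_dbm >= RSSI_GOOD_DBM:
        return "jammed:pdr"
    return "link-degraded"


# Constructed one-second windows, named after the scenario each one mimics.
SAMPLES = {
    "idle-normal":        Window(sent=200, acked=196, sense_ms=2.5, rssi_dbm=-55),
    "congested":          Window(sent=120, acked=110, sense_ms=35.0, rssi_dbm=-58),
    "constant-jammer":    Window(sent=0, acked=0, sense_ms=1000.0, rssi_dbm=-50),
    "reactive-jammer":    Window(sent=200, acked=40, sense_ms=3.0, rssi_dbm=-52),
    "peer-battery-dying": Window(sent=200, acked=60, sense_ms=2.0, rssi_dbm=-89),
}


def run(samples=SAMPLES):
    """Classify every window; returns {scenario: verdict}."""
    return {name: classify(w) for name, w in samples.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:20s} {verdict}")
```

The order of the checks matters: the carrier-sense statistic is evaluated first because under a constant or deceptive jammer the sender never gets to transmit, so its PDR is undefined rather than low. A random jammer will look like the reactive case in the windows where it is on and like the normal case in the windows where it is off, which is why the slides note that PDR has to be tracked over time rather than read from a single sample.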