Download 802.11 Denial-of-Service Attacks: Real Vulnerabilities

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
Document related concepts

Network tap wikipedia , lookup

Extensible Authentication Protocol wikipedia , lookup

Lag wikipedia , lookup

Computer security wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

IEEE 802.11 wikipedia , lookup

Cross-site scripting wikipedia , lookup

CAN bus wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Transcript 
802.11 Denial-of-Service Attacks:
Real Vulnerabilities & Practical Solutions
Luat Vu
Alexander Alexandrov
802.11 Advantages
Free spectrum
Efficient channel coding
Cheap interface hardware
Easy to extend a network
Easy to deploy
802.11 Problems
Attractive targets for potential attacks
Flexible for an attacker to decide where
and when to launch and attack.
Difficult to locate the source of
transmissions
Not easy to detect well-planned attacks
Vulnerabilities in the 802.11 MAC
protocols
WEP
Wired Equivalency Protocol
Provide data privacy between 802.11
clients and access points
Rely on shared secret keys
Use challenge-response authentication
protocol
Data packets are encrypted when
transferred
WEP Vulnerabilities
Recurring weak keys
Secret key can be recovered
Under attack, network resources can be
fully utilized and an attacker can monitor
the traffic of other networks
WEP-protected frames can be modified,
new frames can be injected, authentication
frames can be spoofed all without knowing
the shared secret key
802.11 MAC protocol
 Designed to address problems specific to
wireless networks
 Have abilities to discover networks, join and
leave networks, and coordinate access
 Deauthentication/disassociation
 Virtual carrier sense attacks
 Authentication DoS attacks
 Need new protocol to overcome current security
problems
802.11 Frame Types
Management Frames
Authentication Frames
Deauthentication Frames
Association request Frames
Association response Frames
Reassociation request Frames
Reassociation response Frames
Disassociation Frames
Beacon Frames
Probe Request Frames
Probe Response Frames
802.11 Frame Types
Data Frames
Control Frames
Request to Send (RTS) Frame
Clear to Send (CTS) Frame
Acknowledgement (ACK) Frame
Deauthentication
A client must first authenticate itself to the
AP before further communication
Clients and AP use messages to explicitly
request deauthentication from each other
This message can be spoofed by an
attacker because it is not authenticated by
any key material
Deauthentication
Deauthentication
An attacker has a great flexibility in
attacking
An attacker can pretend to be AP or the
client
An attacker may elect to deny access to
individual clients, or even rate-limit their
access
Disassocation
 A client may be authenticated with multiple APs
at once
 802.11 standard provides a special association
message to allow the client and AP to agree
which AP will forward packets
 802.11 provides a disassociation message if
association frames are unauthenticated
 An attacker can exploit this vulnerability to
launch the deauthentication attack
Power Saving
 To conserve energy, clients are allowed to enter
a sleep state
 The client has to announces its intention to the
AP before going to a sleep state
 AP will buffer any inbound traffic for the node
 When the client wakes up, it will poll the AP for
any pending traffic
 By spoofing the polling message on behalf of the
client, an attacker can cause the AP to discard
the client’s packets while it is asleep
Media Access Vulnerabilities
 Short Interframe Space (SIFS)
 Distributed Coordination Function Interframe
Space (DIFS)
 Before any frame can be sent, the sending radio
must observe a quiet medium for one of the
defined window periods
 SIFS window is used for frames as part of
preexisting frame exchange
 DIFS window is used for nodes wishing to
initiate a new frame exchange
Media Access Vulnerabilities
To avoid all nodes transmitting
immediately after the DIFS expires, the
time after the DIFS is subdivided into slots
Each time slot is picked randomly and with
equal probability by a node to start
transmitting
If a collision occurs, a sender uses a
random exponential backoff algorithm
before retransmitting
Media Access Vulnerabilities
Media Access Vulnerabilities
A SIFS period is 20 microsecond
An attacker can monopolize the channel
by sending a short signal before the end of
every SIFS period
This attack is highly affective but consider
lots of efforts.
Media Access Vulnerabilities
Duration field – another serious
vulnerability.
Duration field is used to indicate the
number of microseconds that the channel
is reserved.
Is used to implemented Network Allocation
Vector (NAV)
NAV is used in RTS/CLS handsake
802.11 Attack Infrastructure
It seems all 802.11 NIC are inherently able
to generate arbitrary frames
In practice devices implement key MAC
functions in firmware to moderate access
Could use undocumented modes of
operation such as HostAP and HostBSS
Choice Microsystems AUX Port used for
debugging
802.11 Attack Infrastructure
802.11 Deauthentication Attack
Deauthentication Attack Implementation
1 attacker, 1 access point, 1 monitoring
station, 4 legitimate clients
Deauthentication Attack Solution
All 4 clients gave up connecting
Could be solved by authentication-expensive
Practical solution – queue the requests for 510 seconds – if no subsequent traffic – drop
the connection – simply modify firmware
Solves the problem however introduces a
new one
Problems with this solution..
When a mobile client roams, which AP to
receive packets destined the client ?
An adversary can keep a connection open
to the old AP by continuously sending
packets
Intelligent and dumb infrastructures
Easy to solve for intelligent, more
problematic for dumb infrastructures
802.11 Virtual Carrier-sense attack
Virtual carrier-sense attack
Current 802.11 devices do not follow
properly the specification
NS-2 Attack Simulation
Assuming this bug will be fixed, simulate
the attack in ns-2
18 static client nodes, 1 static attacker
node sending arbitrary duration values 30
times a second
Channel is completely blocked – much
harder to defend compared to
deauthentication attack
Simulation Results
Solution – low and high caps on CTS
duration time
Still not perfect…
By increasing the attacker’s frequency to
90 packets per second, the network could
still be shut down
Virtual Carrier-sense attack solution
Solution – abandon portions of the
standard 802.11 MAC functionality
Four key frames that contain duration
values – ACK, data, RTS, CTS
Stop fragmentation – no need for ACK and
data duration values.
RTS-CTS-data valid sequence
Lone CTS – unsolicited or observing node
is a hidden terminal – solution each node
independently ignores lone CTS packets
Still suboptimal…
Still not perfect – at threshold 30%, the
attacker can still lower the available
bandwidth by 1/3.
Best solution – explicit authentication to
802.11 control packets.
Requires fresh cryptographically signed
copy of the originating RTS
Significant alteration to 802.11 standards,
benefit/cost ratio not clear
Related Work – Launching and Detecting
Jamming Attacks in 802.11
Jamming – emitting radio frequencies that
do not follow 802.11 MAC protocol
Measured by PSR and PDR
Four attacking models – constant,
deceptive, random, reactive jammer
Effectiveness of Jamming Attacks
Basic Statistics for Detecting Jamming
Signal Strength
Can be either Basic Average or Signal
Strength Spectral Discrimination – unreliable
Basic Statistics for Detecting Jamming
 Carrier Sensing Time
 However have to differentiate between
congestion and jamming
 With PDR of 75% 60 ms determined to be
optimal threshold for 99% confidence
 Still detect only constant and deceptive jammers
 Packet Delivery Ratio – effective for all jammers,
still cannot differentiate between jamming and
other network dynamics like sending running out
of battery power
Conclusions
Wireless networks popular due to
convenience however confidentiality and
availability critical
Arbitrary 802.11 frames can be easily sent
using commodity hardware
Deauthentication attacks effective, virtual
carrier-sense attacks will be.
Simple stop-gap solutions can be applied
with low overhead on existing hardware.
Thank you !
Any questions ?
Related documents
Ethan Frome - Grand Valley State University
Ethan Frome - Grand Valley State University
Good Design
Good Design
DoS Attacks On Wireless Voice Over IP Systems
DoS Attacks On Wireless Voice Over IP Systems
Economics 302 Quiz #1
Economics 302 Quiz #1
Digital Photos Frames in the Classroom Presented with permission
Digital Photos Frames in the Classroom Presented with permission
p4 - Describe What Data Elements Are and why they are important
p4 - Describe What Data Elements Are and why they are important
Word Classes
Word Classes
Frames are critical...because how parties frame and define a
Frames are critical...because how parties frame and define a
Information Architects
Information Architects
Error Control (Data Link Layer)
Error Control (Data Link Layer)