802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions
Luat Vu
Alexander Alexandrov
802.11 Advantages
Free spectrum
Efficient channel coding
Cheap interface hardware
Easy to extend a network
Easy to deploy
802.11 Problems
Attractive targets for potential attacks
An attacker is free to decide where and when to launch an attack
Difficult to locate the source of transmissions
Not easy to detect well-planned attacks
Vulnerabilities in the 802.11 MAC protocol
WEP
Wired Equivalent Privacy
Provides data privacy between 802.11 clients and access points
Relies on shared secret keys
Uses a challenge-response authentication protocol
Data packets are encrypted when transferred
WEP Vulnerabilities
Recurring weak keys
The secret key can be recovered
Under attack, network resources can be fully consumed and an attacker can monitor the traffic of other networks
WEP-protected frames can be modified, new frames can be injected, and authentication frames can be spoofed, all without knowing the shared secret key
802.11 MAC protocol
Designed to address problems specific to wireless networks
Provides the ability to discover networks, join and leave networks, and coordinate access
Deauthentication/disassociation attacks
Virtual carrier-sense attacks
Authentication DoS attacks
A new protocol is needed to overcome the current security problems
802.11 Frame Types
Management Frames
Authentication Frames
Deauthentication Frames
Association request Frames
Association response Frames
Reassociation request Frames
Reassociation response Frames
Disassociation Frames
Beacon Frames
Probe Request Frames
Probe Response Frames
802.11 Frame Types
Data Frames
Control Frames
Request to Send (RTS) Frame
Clear to Send (CTS) Frame
Acknowledgement (ACK) Frame
Deauthentication
A client must first authenticate itself to the AP before further communication
Clients and AP use messages to explicitly request deauthentication from each other
This message can be spoofed by an attacker because it is not authenticated by any key material
Deauthentication
An attacker has great flexibility in attacking
An attacker can pretend to be the AP or the client
An attacker may elect to deny access to individual clients, or even rate-limit their access
Disassociation
A client may be authenticated with multiple APs at once
The 802.11 standard provides a special association message to allow the client and AP to agree which AP will forward packets
802.11 also provides a disassociation message; like the association and deauthentication frames, it is unauthenticated
An attacker can spoof it to launch a disassociation attack, in the same way as the deauthentication attack
Power Saving
To conserve energy, clients are allowed to enter a sleep state
The client has to announce its intention to the AP before going to sleep
The AP will buffer any inbound traffic for the node
When the client wakes up, it polls the AP for any pending traffic
By spoofing the polling message on behalf of the client, an attacker can cause the AP to discard the client's packets while it is asleep
Media Access Vulnerabilities
Short Interframe Space (SIFS)
Distributed Coordination Function Interframe Space (DIFS)
Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods
The SIFS window is used for frames that are part of a preexisting frame exchange
The DIFS window is used by nodes wishing to initiate a new frame exchange
Media Access Vulnerabilities
To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots
Each node picks one of these slots at random, with equal probability, in which to start transmitting
If a collision occurs, a sender uses a random exponential backoff algorithm before retransmitting
Media Access Vulnerabilities
A SIFS period is 20 microseconds
An attacker can monopolize the channel by sending a short signal before the end of every SIFS period
This attack is highly effective, but it demands a lot of effort from the attacker, who must transmit a signal roughly every 20 microseconds
Media Access Vulnerabilities
Duration field: another serious vulnerability
The duration field indicates the number of microseconds for which the channel is reserved
It is used to implement the Network Allocation Vector (NAV)
The NAV is used in the RTS/CTS handshake
802.11 Attack Infrastructure
All 802.11 NICs are inherently able to generate arbitrary frames
In practice, devices implement key MAC functions in firmware to moderate access
Undocumented modes of operation such as HostAP and HostBSS can be used
The Choice Microsystems AUX port, intended for debugging, is another way to get raw frames onto the air
802.11 Deauthentication Attack
Deauthentication Attack Implementation
1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients
Deauthentication Attack Solution
All 4 clients gave up connecting
Could be solved by authenticating management frames, but that is expensive
Practical solution: queue the deauthentication request for 5-10 seconds; if no subsequent traffic arrives from the client, drop the connection; otherwise discard the request
Only a firmware modification is needed
Solves the problem, but introduces a new one
Problems with this solution..
When a mobile client roams, which AP should receive packets destined for the client?
An adversary can keep a connection open to the old AP by continuously sending packets
Intelligent and dumb infrastructures
Easy to solve for intelligent infrastructures, more problematic for dumb ones
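The two points above, the unauthenticated management frames listed under "802.11 Frame Types" and the deferred-deauthentication stop-gap, as an added example that is not part of the original slides or of the paper's firmware: a parser for the generic 802.11 MAC header (frame control, Duration/ID, addresses, reason code for deauthentication/disassociation bodies) and an access-point model that holds a deauthentication request and discards it if the same client keeps sending data. The frames are constructed test vectors, the MAC addresses are made up, and the 5-second hold is one value chosen from the 5-10 second range on the slide.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Frame-control subtype names for the management and control frames on the slides.
MGMT = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
        4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc",
        11: "auth", 12: "deauth"}
CTRL = {10: "ps-poll", 11: "rts", 12: "cts", 13: "ack"}

@dataclass
class Frame:
    ftype: str              # "mgmt", "ctrl" or "data"
    subtype: str
    duration: int           # Duration/ID: microseconds the medium is reserved (NAV)
    addr1: str              # receiver address
    addr2: Optional[str]    # transmitter address; CTS and ACK carry none
    reason: Optional[int]   # reason code in a deauth/disassoc body

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def parse(raw: bytes) -> Frame:
    """Decode the generic 802.11 MAC header (FCS stripped, no QoS/HT fields)."""
    fc, duration = struct.unpack_from("<HH", raw, 0)
    t, st = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1 = mac_str(raw[4:10])
    if t == 1:                                  # control frame
        name = CTRL.get(st, f"ctrl-{st}")
        addr2 = mac_str(raw[10:16]) if name in ("rts", "ps-poll") else None
        return Frame("ctrl", name, duration, addr1, addr2, None)
    addr2 = mac_str(raw[10:16])
    if t == 0:                                  # management frame
        name = MGMT.get(st, f"mgmt-{st}")
        reason = None
        if name in ("deauth", "disassoc") and len(raw) >= 26:
            reason = struct.unpack_from("<H", raw, 24)[0]   # body follows 24-byte header
        return Frame("mgmt", name, duration, addr1, addr2, reason)
    return Frame("data", f"data-{st}", duration, addr1, addr2, None)

def build(t: int, st: int, da: str, sa: str, bssid: str, body: bytes = b"") -> bytes:
    """Constructed test vector: 24-byte header (duration 0, flags 0, seq 0) plus body."""
    fc = (t << 2) | (st << 4)
    return (struct.pack("<HH", fc, 0) + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + b"\x00\x00" + body)

class DeferredDeauthAP:
    """Access point that holds a deauthentication request for HOLD seconds before
    acting on it. A data frame from the same client during the hold shows the
    request was not genuine (the client is still active), so it is discarded.
    Models the firmware stop-gap on the slides; HOLD is an assumed value."""
    HOLD = 5.0

    def __init__(self):
        self.authenticated = set()
        self.pending = {}      # client MAC -> time its deauth request arrived
        self.events = []       # (time, client, outcome)

    def tick(self, now: float) -> None:
        """Drop clients whose hold period elapsed with no further traffic."""
        for mac, t0 in list(self.pending.items()):
            if now - t0 >= self.HOLD:
                del self.pending[mac]
                self.authenticated.discard(mac)
                self.events.append((now, mac, "deauthenticated"))

    def receive(self, raw: bytes, now: float) -> None:
        self.tick(now)
        f = parse(raw)
        if f.ftype == "mgmt" and f.subtype == "auth":
            self.authenticated.add(f.addr2)
        elif f.ftype == "mgmt" and f.subtype == "deauth":
            if f.addr2 in self.authenticated:
                self.pending.setdefault(f.addr2, now)   # defer, do not honour yet
        elif f.ftype == "data" and f.addr2 in self.pending:
            del self.pending[f.addr2]                   # client still talking: spoofed
            self.events.append((now, f.addr2, "deauth-discarded"))

AP, A, B = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # made-up MACs
REASON_LEAVING = struct.pack("<H", 3)   # reason code 3: station is leaving

def run_scenario():
    """Client A is hit by a forged deauth but keeps sending; client B really leaves."""
    ap = DeferredDeauthAP()
    ap.receive(build(0, 11, AP, A, AP), 0.0)                  # A authenticates
    ap.receive(build(0, 11, AP, B, AP), 0.0)                  # B authenticates
    ap.receive(build(0, 12, AP, A, AP, REASON_LEAVING), 1.0)  # forged "deauth" from A
    ap.receive(build(0, 12, AP, B, AP, REASON_LEAVING), 1.0)  # genuine deauth from B
    ap.receive(build(2, 0, AP, A, AP, b"payload"), 2.5)       # A is still sending data
    ap.tick(7.0)                                              # B's hold period expires
    return ap.events, sorted(ap.authenticated)

if __name__ == "__main__":
    print(run_scenario())
```

The same hold-and-watch logic applies on the client side for a forged deauthentication that claims to come from the AP; only the roles of addr1 and addr2 swap. The roaming problem raised on the slide is visible in the model: a client that is genuinely leaving stays "authenticated" for the whole hold period.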
802.11 Virtual Carrier-sense attack
Virtual carrier-sense attack
Current 802.11 devices do not properly follow this part of the specification, so the attack is not yet effective against them
NS-2 Attack Simulation
Assuming this bug will be fixed, simulate the attack in ns-2
18 static client nodes, 1 static attacker node sending arbitrary duration values 30 times a second
Channel is completely blocked – much harder to defend compared to deauthentication attack
Simulation Results
Solution – low and high caps on CTS duration time
Still not perfect…
By increasing the attacker’s frequency to 90 packets per second, the network could still be shut down
Virtual Carrier-sense attack solution
Solution: abandon portions of the standard 802.11 MAC functionality
Four kinds of frame carry duration values: ACK, data, RTS, CTS
Disable fragmentation, so the ACK and data duration values are no longer needed and can be ignored
RTS-CTS-data is the only valid sequence
A lone CTS is either unsolicited or the observing node is a hidden terminal; solution: each node independently ignores lone CTS frames
Still suboptimal…
Still not perfect: at a 30% threshold, the attacker can still lower the available bandwidth by one third
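The NAV rules discussed on the last few slides, as an added example written for this page rather than taken from the paper's simulation: one listening station's NAV under the standard policy (every Duration value is honoured) and under the hardened policy (data/ACK durations ignored, lone CTS ignored, accepted values clipped to a cap). The attacker model, the 100 µs RTS-to-CTS matching window, the 1000 µs cap and the addresses are assumptions; the 20 µs SIFS and the 30 and 90 frames-per-second rates are the figures on the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_DURATION_US = 32767     # largest value the 15-bit Duration field can carry
SIFS_US = 20                # SIFS figure used in the talk
RTS_CTS_WINDOW_US = 100     # assumption: a CTS more than this long after an RTS is "lone"
ATTACKER = "de:ad:be:ef:00:01"   # made-up addresses
AP = "00:11:22:33:44:55"

@dataclass
class Rx:
    t: int           # arrival time, microseconds
    kind: str        # "rts", "cts", "data" or "ack"
    duration: int    # Duration field value, microseconds
    ra: str          # receiver address
    ta: str = ""     # transmitter address; empty for CTS and ACK, which carry none

class NavTracker:
    """NAV bookkeeping for one listening station under a chosen policy.

    "standard": every Duration value extends the NAV, as the specification says.
    "hardened": the slides' stop-gap: data/ACK durations are ignored (fragmentation
    off), a CTS is honoured only if it answers a recently heard RTS, and every
    accepted value is clipped to cap_us.
    """
    def __init__(self, policy: str, cap_us: int = MAX_DURATION_US):
        self.policy = policy
        self.cap_us = cap_us
        self.pending_rts: Dict[str, int] = {}        # RTS transmitter -> time heard
        self.busy: List[Tuple[int, int]] = []        # accepted reservations (start, end)

    def _accept(self, rx: Rx) -> bool:
        if self.policy == "standard":
            return True
        if rx.kind in ("data", "ack"):
            return False
        if rx.kind == "cts":
            t_rts = self.pending_rts.pop(rx.ra, None)  # the CTS's RA is the RTS's TA
            return t_rts is not None and rx.t - t_rts <= RTS_CTS_WINDOW_US
        return True                                   # rts

    def observe(self, rx: Rx) -> None:
        if rx.kind == "rts":
            self.pending_rts[rx.ta] = rx.t
        if self._accept(rx):
            d = rx.duration if self.policy == "standard" else min(rx.duration, self.cap_us)
            self.busy.append((rx.t, rx.t + d))

def blocked_fraction(busy: List[Tuple[int, int]], horizon_us: int) -> float:
    """Share of [0, horizon) during which the station's NAV says the medium is busy."""
    total, frontier = 0, 0
    for start, end in sorted(busy):
        start, end = max(start, frontier), min(end, horizon_us)
        if end > start:
            total += end - start
            frontier = end
    return total / horizon_us

def simulate(policy: str, rate_per_s: int, valid_sequence: bool,
             cap_us: int = MAX_DURATION_US, horizon_us: int = 1_000_000) -> float:
    """Attacker injects rate_per_s maximal Duration values per second.

    valid_sequence=False: lone CTS frames, the cheapest form of the attack.
    valid_sequence=True:  RTS followed one SIFS later by the matching CTS, which the
    lone-CTS rule cannot reject, so only the cap limits the damage.
    """
    nav = NavTracker(policy, cap_us)
    period = horizon_us // rate_per_s
    for i in range(rate_per_s):
        t = i * period
        if valid_sequence:
            nav.observe(Rx(t, "rts", MAX_DURATION_US, AP, ATTACKER))
            nav.observe(Rx(t + SIFS_US, "cts", MAX_DURATION_US, ATTACKER))
        else:
            nav.observe(Rx(t, "cts", MAX_DURATION_US, ATTACKER))
    return blocked_fraction(nav.busy, horizon_us)

if __name__ == "__main__":
    for policy, rate, valid, cap in [("standard", 30, False, MAX_DURATION_US),
                                     ("standard", 90, False, MAX_DURATION_US),
                                     ("hardened", 30, False, MAX_DURATION_US),
                                     ("hardened", 30, True, 1000),
                                     ("hardened", 90, True, 1000)]:
        print(policy, rate, valid, cap, f"{simulate(policy, rate, valid, cap):.3f}")
```

Under the standard policy 30 lone CTS frames per second already block about 98% of the second, and 90 per second block all of it, which matches the simulation results on the slides. Under the hardened policy lone CTS frames are worthless, and an attacker who sends a valid RTS-CTS pair is held to the cap, so the loss scales with the attacker's rate rather than with the Duration value.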
Best solution: explicit authentication of 802.11 control packets
Requires a fresh, cryptographically signed copy of the originating RTS
A significant alteration to the 802.11 standard; the benefit/cost ratio is not clear
Related Work – Launching and Detecting Jamming Attacks in 802.11
Jamming: emitting radio signals that do not follow the 802.11 MAC protocol
Measured by PSR (packet send ratio) and PDR (packet delivery ratio)
Four attack models: constant, deceptive, random and reactive jammer
Effectiveness of Jamming Attacks
Basic Statistics for Detecting Jamming
Signal strength: either a basic average or signal strength spectral discrimination; unreliable on its own
Basic Statistics for Detecting Jamming
Carrier sensing time: however, one has to differentiate between congestion and jamming
With a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence
Still detects only constant and deceptive jammers
Packet delivery ratio: effective for all jammers, but still cannot differentiate jamming from other network dynamics, such as the sender running out of battery power
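The detection statistics from the related-work slides run over constructed measurement windows, as an added example that is not part of the original slides or of the cited jamming paper. It applies the 60 ms carrier-sensing-time threshold and the 75% PDR figure quoted above, and shows the gap the slide points out: low PDR on an idle medium could be a reactive jammer or a sender with a dying battery. To separate the two it adds a signal-strength consistency check, which goes beyond what the slide states; the -70 dBm line and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

SENSE_THRESHOLD_MS = 60.0    # carrier-sensing time threshold quoted on the slide
PDR_THRESHOLD = 0.75         # PDR level quoted on the slide
STRONG_SIGNAL_DBM = -70.0    # assumption: above this RSSI the link itself is not the problem

@dataclass
class Window:
    """One measurement interval at a receiver (constructed sample data)."""
    t: int
    queued: int        # packets the sender intended to send
    sent: int          # packets that actually left the sender's MAC (PSR numerator)
    delivered: int     # packets received intact (PDR numerator)
    sense_ms: float    # average time the sender waited for an idle medium
    rssi_dbm: float    # signal strength heard from the sender

def psr(w: Window) -> float:
    """Packet send ratio: how often the sender got the medium at all."""
    return w.sent / w.queued if w.queued else 0.0

def pdr(w: Window) -> float:
    """Packet delivery ratio: how many sent packets survived the channel."""
    return w.delivered / w.sent if w.sent else 0.0

def classify(w: Window) -> str:
    # Carrier-sensing time alone catches jammers that keep the medium busy.
    if w.sense_ms > SENSE_THRESHOLD_MS:
        return "jammed: medium never idle (constant or deceptive jammer)"
    if pdr(w) >= PDR_THRESHOLD:
        return "normal"
    # Low PDR on a quiet medium: a reactive/random jammer, or a benign cause such as
    # a weak link or a dying sender. Signal strength is the tie-breaker here; this
    # consistency check is an assumption, not something the slide specifies.
    if w.rssi_dbm >= STRONG_SIGNAL_DBM:
        return "jammed: strong signal but low delivery (reactive or random jammer)"
    return "degraded link: weak signal (distance, battery, interference)"

# Constructed windows: one per situation the slides describe.
SAMPLES = [
    Window(0, 100, 98, 95, 4.0, -52.0),    # healthy link
    Window(1, 100, 3, 0, 850.0, -48.0),    # constant jammer: sender rarely gets the medium
    Window(2, 100, 100, 22, 7.0, -51.0),   # reactive jammer: frames go out, few survive
    Window(3, 100, 100, 30, 5.0, -89.0),   # sender far away or running out of battery
]

def analyse(windows: List[Window]) -> List[Tuple[int, float, float, str]]:
    """Per window: (time, PSR, PDR, verdict)."""
    return [(w.t, round(psr(w), 2), round(pdr(w), 2), classify(w)) for w in windows]

if __name__ == "__main__":
    for row in analyse(SAMPLES):
        print(row)
```

Windows 2 and 3 have nearly the same PDR and the same idle medium, which is exactly the case the slide says PDR cannot resolve; only the extra signal-strength evidence separates them, and a jammer that also degrades the received signal would defeat that check.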
Conclusions
Wireless networks are popular due to convenience, but confidentiality and availability remain critical
Arbitrary 802.11 frames can easily be sent using commodity hardware
Deauthentication attacks are effective today; virtual carrier-sense attacks will be once devices honour the duration field
Simple stop-gap solutions can be applied with low overhead on existing hardware
Thank you !
Any questions ?