
Page 1: 802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions Luat Vu Alexander Alexandrov

802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions

Luat Vu

Alexander Alexandrov

Page 2

802.11 Advantages

Free spectrum

Efficient channel coding

Cheap interface hardware

Easy to extend a network

Easy to deploy

Page 3

802.11 Problems

Attractive targets for attack

An attacker is free to choose where and when to launch an attack

Difficult to locate the source of transmissions

Well-planned attacks are not easy to detect

Vulnerabilities in the 802.11 MAC protocol itself

Page 4

WEP

Wired Equivalent Privacy

Intended to provide data privacy between 802.11 clients and access points

Relies on shared secret keys

Uses a challenge-response authentication protocol

Data packets are encrypted in transit

Page 5

WEP Vulnerabilities

Recurring weak keys

The secret key can be recovered

Once the key is recovered, an attacker can use the network's resources freely and monitor the traffic of the other stations on it

WEP-protected frames can be modified, new frames can be injected, and authentication frames can be spoofed, all without knowing the shared secret key

Page 6

802.11 MAC protocol

Designed to address problems specific to wireless networks

Provides the ability to discover networks, join and leave them, and coordinate access to the shared medium

Vulnerabilities discussed here: deauthentication/disassociation, virtual carrier-sense attacks, authentication DoS attacks

A new protocol is needed to overcome the current security problems

Page 7

802.11 Frame Types

Management Frames:

Authentication Frames

Deauthentication Frames

Association Request Frames

Association Response Frames

Reassociation Request Frames

Reassociation Response Frames

Disassociation Frames

Beacon Frames

Probe Request Frames

Probe Response Frames

Page 8

802.11 Frame Types

Data Frames

Control Frames:

Request to Send (RTS) Frame

Clear to Send (CTS) Frame

Acknowledgement (ACK) Frame

Page 9

Deauthentication

A client must first authenticate itself to the AP before further communication

Clients and APs use a deauthentication message to explicitly end the authenticated state; either side may send it

This message can be spoofed by an attacker because it is not protected by any key material: the receiver has no way to verify who actually sent it
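The frame-type slides above and the deauthentication slide can be tied together in code. The following Python is an added example written for this page, not code from the slides or from the Bellardo and Savage paper they summarise: it parses the 802.11 MAC header, classifies management and control frames by subtype, pulls the reason code out of deauthentication/disassociation frames, and builds a sample deauthentication frame to show that nothing in it depends on key material. All addresses and sample frames are constructed here, and the driver is assumed to have already stripped the FCS.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not from the slides or the paper they summarise): parse the
# 802.11 MAC header of a raw frame, classify it by type/subtype, and extract
# the reason code of deauthentication/disassociation frames. Sample frames at
# the bottom are constructed, not captured traffic.

TYPE_MANAGEMENT, TYPE_CONTROL, TYPE_DATA = 0, 1, 2

MGMT_SUBTYPES = {
    0: "association request", 1: "association response",
    2: "reassociation request", 3: "reassociation response",
    4: "probe request", 5: "probe response", 8: "beacon",
    10: "disassociation", 11: "authentication", 12: "deauthentication",
}
CTRL_SUBTYPES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK"}

@dataclass
class Frame:
    ftype: str                 # "management", "control" or "data"
    subtype: str               # human-readable subtype name
    duration: int              # Duration/ID field (microseconds; AID for PS-Poll)
    addr1: str                 # receiver address
    addr2: Optional[str]       # transmitter address (absent on CTS and ACK)
    addr3: Optional[str]       # BSSID on management frames; absent on control frames
    reason: Optional[int]      # reason code carried by deauth/disassoc frames

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))

def parse_frame(frame: bytes) -> Frame:
    """Decode the MAC header (FCS assumed already stripped by the driver)."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    version = fc & 0x3
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if version != 0:
        raise ValueError(f"unsupported 802.11 protocol version {version}")
    if ftype == TYPE_CONTROL:
        # RTS and PS-Poll carry two addresses; CTS and ACK only the receiver.
        addr2 = _mac(frame[10:16]) if subtype in (10, 11) else None
        return Frame("control", CTRL_SUBTYPES.get(subtype, f"control subtype {subtype}"),
                     duration, _mac(frame[4:10]), addr2, None, None)
    addr1, addr2, addr3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    if ftype == TYPE_MANAGEMENT:
        reason = None
        if subtype in (10, 12):
            # Body of a deauth/disassoc frame starts with a 2-byte LE reason code.
            (reason,) = struct.unpack_from("<H", frame, 24)
        return Frame("management", MGMT_SUBTYPES.get(subtype, f"management subtype {subtype}"),
                     duration, addr1, addr2, addr3, reason)
    return Frame("data", f"data subtype {subtype}", duration, addr1, addr2, addr3, None)

def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Build a deauthentication frame. Nothing in it is keyed, which is the
    weakness the slide describes: any radio can emit one 'from' the AP or client."""
    fc = (12 << 4) | (TYPE_MANAGEMENT << 2)           # subtype 12, type 0, version 0
    header = struct.pack("<HH", fc, 0x013A) + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)              # sequence control, fragment 0
    return header + struct.pack("<H", reason)

def is_spoofable_disconnect(frame: Frame) -> bool:
    """Deauth/disassoc are unauthenticated management frames; flag them for review."""
    return frame.ftype == "management" and frame.subtype in ("deauthentication", "disassociation")

# Constructed sample: an "AP" (…:01) telling a client (…:02) it is no longer
# authenticated; reason 7 = class 3 frame received from a non-associated station.
SAMPLE_DEAUTH = build_deauth("02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:01", reason=7)
# Constructed sample CTS: frame control 0xC4 (type 1, subtype 12), duration 2000 us, RA only.
SAMPLE_CTS = struct.pack("<HH", 0x00C4, 2000) + _mac_bytes("02:00:00:00:00:02")

if __name__ == "__main__":
    for raw in (SAMPLE_DEAUTH, SAMPLE_CTS):
        f = parse_frame(raw)
        print(f.ftype, f.subtype, f.duration, f.addr1, f.addr2, f.reason, is_spoofable_disconnect(f))
```

The whole deauthentication frame is 26 bytes of unauthenticated plaintext; a monitoring station that sees a deauthentication "from" the AP followed by continued data from the supposedly deauthenticated client has caught a spoofed one.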

Page 10

Deauthentication

Page 11

Deauthentication

The attacker has great flexibility

The attacker can pretend to be the AP or the client

The attacker may elect to deny access to individual clients, or merely rate-limit their access by repeating the spoofed frame periodically

Page 12

Disassociation

A client may be authenticated with multiple APs at once

The 802.11 standard provides a separate association message so that the client and the AP can agree on which AP will forward the client's packets

802.11 also provides a disassociation message, and like deauthentication it is unauthenticated

An attacker can spoof it exactly as in the deauthentication attack; the victim stays authenticated and only needs to re-associate, so this variant is slightly less efficient for the attacker

Page 13

Power Saving

To conserve energy, clients are allowed to enter a sleep state

The client announces its intention to the AP before going to sleep

The AP buffers any inbound traffic for the sleeping node

When the client wakes up, it polls the AP for any pending traffic

By spoofing the polling message on behalf of the client, an attacker can cause the AP to release the buffered packets while the client is still asleep, so they are lost

Page 14

Media Access Vulnerabilities

Short Interframe Space (SIFS) and Distributed Coordination Function Interframe Space (DIFS)

Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods

The SIFS window is used for frames that are part of a pre-existing frame exchange (for example a CTS or an ACK)

The longer DIFS window is used by nodes wishing to initiate a new frame exchange

Page 15

Media Access Vulnerabilities

To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots

Each node picks a slot uniformly at random and transmits when its slot arrives, if the medium is still idle

If a collision occurs, the sender uses a random exponential backoff before retransmitting

Page 16

Media Access Vulnerabilities

Page 17

Media Access Vulnerabilities

A SIFS period is 20 microseconds

An attacker can monopolize the channel by sending a short signal before the end of every SIFS period, so that no other node ever sees the medium idle long enough to start a frame

This attack is highly effective but demands considerable effort: one transmission every 20 microseconds, roughly 50,000 per second

Page 18

Media Access Vulnerabilities

The Duration field is another serious vulnerability

The Duration field indicates the number of microseconds for which the channel is reserved

It is used to implement the Network Allocation Vector (NAV): every node that hears the frame sets its NAV to the duration value and defers transmission until it expires

The NAV is used in the RTS/CTS handshake; an attacker who asserts a large duration value reserves the channel without ever using it

Page 19

802.11 Attack Infrastructure

In principle every 802.11 NIC is able to generate arbitrary frames

In practice, devices implement key MAC functions in firmware to moderate access, so the host cannot normally inject raw frames

Undocumented modes of operation such as HostAP and HostBSS can be used

The AUX port of the Choice Microsystems card, intended for debugging, was used to obtain the required access

Page 20

802.11 Attack Infrastructure

Page 21

802.11 Deauthentication Attack

Deauthentication Attack Implementation

1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients

Page 22

Deauthentication Attack Solution

All 4 clients gave up trying to reconnect

Could be solved by authenticating management frames, but that is expensive

Practical solution: queue a deauthentication request for 5-10 seconds instead of acting on it immediately; if the client sends no further traffic in that window, drop the connection; if it does, discard the request as spoofed. Requires only a firmware modification

Solves the problem, but introduces a new one
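The queued-deauthentication stop-gap, modelled on the AP side. This is an added example for this page, not the authors' firmware change: a deauthentication or disassociation request is recorded with a timestamp rather than acted on, later traffic from the same station cancels it as spoofed, and only a station that stays silent for the whole hold window is actually dropped. The 5-second hold (the slide gives a 5-10 second range) and the timeline in `run_scenario` are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example, not code from the slides or the paper: AP-side model of the
# "queue the deauthentication request" stop-gap. The 5 s hold is assumed.

HOLD_SECONDS = 5.0

@dataclass
class DeauthGuard:
    pending: Dict[str, float] = field(default_factory=dict)   # station -> time request was seen
    dropped: List[str] = field(default_factory=list)          # stations actually deauthenticated
    spoofed: List[str] = field(default_factory=list)          # requests discarded as spoofed

    def on_deauth_request(self, station: str, now: float) -> None:
        # Keep the earliest request so a flood of repeats cannot push the deadline back.
        self.pending.setdefault(station, now)

    def on_traffic(self, station: str, now: float) -> None:
        # A station that keeps sending after "asking to leave" did not ask.
        self.expire(now)
        if station in self.pending:
            del self.pending[station]
            self.spoofed.append(station)

    def expire(self, now: float) -> List[str]:
        """Honour requests whose hold window has passed; returns the stations dropped now."""
        due = [s for s, t in self.pending.items() if now - t >= HOLD_SECONDS]
        for s in due:
            del self.pending[s]
            self.dropped.append(s)
        return due

def run_scenario() -> DeauthGuard:
    """Constructed timeline: client A really leaves; client B is under attack."""
    guard = DeauthGuard()
    guard.on_deauth_request("A", now=0.0)     # A sends a genuine deauth and then falls silent
    guard.on_deauth_request("B", now=1.0)     # attacker spoofs a deauth 'from' B
    guard.on_traffic("B", now=2.0)            # B is still sending data: the request was forged
    guard.on_deauth_request("B", now=2.5)     # attacker tries again
    guard.on_traffic("B", now=4.0)            # B still sending
    guard.expire(now=6.0)                     # A's window (0 s + 5 s) has elapsed
    return guard

if __name__ == "__main__":
    g = run_scenario()
    print("dropped:", g.dropped, "spoofed requests:", g.spoofed, "still pending:", g.pending)
```

The cost is that a genuine disconnect now takes up to the hold time to take effect, and an adversary who injects packets that appear to come from the client can keep that client's state alive on an AP it has left; that is the roaming problem the slides raise next.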

Page 23

Problems with this solution..

When a mobile client roams, which AP should receive the packets destined for the client?

An adversary can keep the client's connection to the old AP open by continuously sending packets that appear to come from the client

Intelligent and dumb infrastructures: easy to solve for intelligent infrastructures, where the APs coordinate; more problematic for dumb ones

Page 24

802.11 Virtual Carrier-sense attack

Virtual carrier-sense attack

Current 802.11 devices do not properly follow the specification: they do not honour the Duration field as required, so the attack does not yet work against them

Page 25

NS-2 Attack Simulation

Assuming this bug will be fixed, the attack is simulated in ns-2

18 static client nodes, 1 static attacker node sending frames with arbitrary Duration values 30 times a second

The channel is completely blocked; this attack is much harder to defend against than the deauthentication attack

Page 26

Simulation Results

Solution: place low and high caps on the duration values accepted from CTS frames

Page 27

Still not perfect…

By increasing the attacker's frequency to 90 packets per second, the network could still be shut down even with the caps in place

Page 28

Virtual Carrier-sense attack solution

Solution: abandon portions of the standard 802.11 MAC functionality

Four kinds of frame carry duration values: ACK, data, RTS, CTS

Stop fragmentation: then the duration values in ACK and data frames are not needed and can be ignored

RTS-CTS-data is the only valid sequence; a lone CTS is either unsolicited or comes from a node that is a hidden terminal, so each node independently ignores lone CTS frames
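The effect of these two rules on a well-behaved station's NAV can be checked with a small model. The following Python is an added example for this page, not the ns-2 simulation or any code from the paper: it replays one second of overheard frames and reports how much of that second the NAV marks as reserved under the plain standard, under a duration cap, and under the cap plus the lone-CTS rule. The 10 ms cap, the 400 µs RTS-to-CTS window and the attacker traffic in `lone_cts_flood` are assumptions; the only standard-derived constant is the 32,767 µs maximum the 15-bit Duration field can express.

```python
from typing import List, Optional, Tuple

# Added example, not from the slides or the paper: one-second NAV model under
# three policies. Cap, RTS/CTS window and attacker timings are assumptions.

SECOND_US = 1_000_000
MAX_DURATION_US = 32_767          # largest value the 15-bit Duration field can express
DURATION_CAP_US = 10_000          # assumed cap: roughly a maximum-size data frame at a low
                                  # rate plus its ACK; a real cap depends on the PHY rates used
RTS_CTS_WINDOW_US = 400           # assumed: a CTS this soon after an RTS counts as solicited

NavFrame = Tuple[int, str, int]   # (time_us, kind, duration_us); kind is RTS, CTS, DATA or ACK

def nav_busy_fraction(frames: List[NavFrame], cap_us: Optional[int] = None,
                      ignore_lone_cts: bool = False, honour_data_ack: bool = True) -> float:
    """Fraction of the second during which this station's NAV says 'medium reserved'."""
    nav_until = 0
    busy = 0
    last_rts_at: Optional[int] = None
    for t, kind, dur in sorted(frames):
        if kind == "RTS":
            last_rts_at = t
        elif kind == "CTS" and ignore_lone_cts:
            solicited = last_rts_at is not None and t - last_rts_at <= RTS_CTS_WINDOW_US
            if not solicited:
                continue              # unsolicited CTS: leave the NAV alone
        elif kind in ("DATA", "ACK") and not honour_data_ack:
            continue                  # with fragmentation off these durations are not needed
        if cap_us is not None:
            dur = min(dur, cap_us)    # clamp what the frame is allowed to reserve
        end = min(t + dur, SECOND_US)
        start = max(t, nav_until)     # only count time not already reserved
        if end > start:
            busy += end - start
            nav_until = end
    return busy / SECOND_US

def lone_cts_flood(per_second: int, duration_us: int = MAX_DURATION_US) -> List[NavFrame]:
    """Constructed attacker traffic: evenly spaced CTS frames with no preceding RTS."""
    gap = SECOND_US // per_second
    return [(i * gap, "CTS", duration_us) for i in range(per_second)]

if __name__ == "__main__":
    for pps in (30, 90):
        flood = lone_cts_flood(pps)
        print(f"{pps} CTS/s:",
              f"standard={nav_busy_fraction(flood):.3f}",
              f"capped={nav_busy_fraction(flood, cap_us=DURATION_CAP_US):.3f}",
              f"capped+lone-CTS-rule="
              f"{nav_busy_fraction(flood, cap_us=DURATION_CAP_US, ignore_lone_cts=True):.3f}")
```

With these assumed numbers, 30 maximum-duration CTS frames per second reserve 98% of the channel under the plain standard, 30% with the cap, and nothing once lone CTS frames are ignored; at 90 per second the cap alone still leaves 90% reserved, which is the pattern the slides report. An attacker can still send capped RTS frames, so the cap, not the lone-CTS rule, is what bounds that case.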

Page 29

Still suboptimal…

Still not perfect: at a threshold of 30%, the attacker can still lower the available bandwidth by 1/3

Best solution: explicit authentication of 802.11 control packets

Requires a fresh, cryptographically signed copy of the originating RTS

A significant alteration to the 802.11 standard; the benefit/cost ratio is not clear

Page 30

Related Work – Launching and Detecting Jamming Attacks in 802.11

Jamming: emitting radio signals that do not follow the 802.11 MAC protocol

Measured by PSR (packet send ratio) and PDR (packet delivery ratio)

Four attack models: constant, deceptive, random, and reactive jammer

Page 31

Effectiveness of Jamming Attacks

Page 32

Basic Statistics for Detecting Jamming

Signal strength: either a basic average or spectral discrimination of the signal-strength readings; on its own this statistic is unreliable

Page 33

Basic Statistics for Detecting Jamming

Carrier sensing time: has to differentiate between congestion and jamming; with a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence; still detects only constant and deceptive jammers

Packet delivery ratio: effective against all jammer types, but still cannot differentiate jamming from other network dynamics, such as the sender running out of battery power
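The two statistics above can be computed from a per-packet log and combined. The following Python is an added example for this page, not code from the slides or from the jamming paper they summarise: it derives the PDR and the mean carrier-sensing time from constructed records, applies the 60 ms threshold the slide quotes, and then goes one step beyond these slides by treating a low PDR as suspicious only when the peer is still heard loudly, which separates jamming from a peer that has wandered off or run out of battery. The PDR threshold, the -60 dBm "strong signal" cutoff and all log records are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List

# Added example, not from the slides or the paper they cite. The 60 ms carrier
# sensing threshold is the value quoted on the slide; the PDR threshold, the
# signal-strength cutoff and the sample logs are assumptions.

CARRIER_SENSE_THRESHOLD_MS = 60.0   # slide: 99% confidence at a PDR of 75%
PDR_THRESHOLD = 0.75                # assumed
STRONG_SIGNAL_DBM = -60.0           # assumed: a peer heard above this is close by

@dataclass
class TxRecord:
    acked: bool                 # did the receiver acknowledge the frame?
    carrier_sense_ms: float     # how long the sender waited for an idle channel
    peer_rssi_dbm: float        # strength at which the sender hears the peer

def packet_delivery_ratio(log: List[TxRecord]) -> float:
    return sum(r.acked for r in log) / len(log)

def mean_carrier_sense_ms(log: List[TxRecord]) -> float:
    return mean(r.carrier_sense_ms for r in log)

def classify(log: List[TxRecord]) -> str:
    pdr = packet_delivery_ratio(log)
    cs = mean_carrier_sense_ms(log)
    rssi = mean(r.peer_rssi_dbm for r in log)
    if cs > CARRIER_SENSE_THRESHOLD_MS:
        # The channel never goes idle: a constant or deceptive jammer.
        return "jammed (channel held busy)"
    if pdr < PDR_THRESHOLD and rssi > STRONG_SIGNAL_DBM:
        # The peer is loud yet frames fail: consistent with a random or reactive
        # jammer, not with the peer moving away or losing power.
        return "jammed (low PDR despite strong signal)"
    if pdr < PDR_THRESHOLD:
        return "degraded link (low PDR, weak signal)"
    return "normal"

# Constructed logs (20 transmissions each)
NORMAL = [TxRecord(True, 2.0, -55.0)] * 18 + [TxRecord(False, 3.0, -55.0)] * 2
CONSTANT_JAMMER = [TxRecord(False, 120.0, -55.0)] * 20      # sender never gets the channel
REACTIVE_JAMMER = [TxRecord(True, 2.0, -50.0)] * 6 + [TxRecord(False, 2.5, -50.0)] * 14
PEER_OUT_OF_RANGE = [TxRecord(True, 2.0, -88.0)] * 6 + [TxRecord(False, 2.5, -88.0)] * 14

if __name__ == "__main__":
    for name, log in (("normal", NORMAL), ("constant jammer", CONSTANT_JAMMER),
                      ("reactive jammer", REACTIVE_JAMMER), ("peer out of range", PEER_OUT_OF_RANGE)):
        print(f"{name}: PDR={packet_delivery_ratio(log):.2f}",
              f"CS={mean_carrier_sense_ms(log):.1f} ms -> {classify(log)}")
```

The carrier-sensing rule fires only for jammers that keep the medium busy, exactly as the slide notes; the reactive jammer and the out-of-range peer have identical PDRs and are told apart only by the signal-strength consistency check.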

Page 34

Conclusions

Wireless networks are popular because of their convenience, but confidentiality and availability are critical

Arbitrary 802.11 frames can easily be sent using commodity hardware

Deauthentication attacks are effective today; virtual carrier-sense attacks will be once devices honour the Duration field

Simple stop-gap solutions can be applied with low overhead on existing hardware

Page 35

Thank you !

Any questions ?