deepthi ratnayake

Post on 20-Jun-2015


An improved authentication model for IEEE 802.11 to prevent Probe Request DoS Attacks.

Deepthi Ratnayake (gdd0014@londonmet.ac.uk)

LMU PG Student Conference

12th Nov 2010

Topics

Introduction

Aim

Design Flaws

Experiment Test Bed

Results

Existing Countermeasures

Future Research

Introduction

What is IEEE 802.11?

What is Probe Request & Response?

Figure: Authentication Phase of IEEE 802.11 (Security Policy Agreement)

Initial state of Supplicant (STA) and Authenticator (AP): Unauthenticated, Unassociated, 802.1X Blocked

1 - Beacon

1 - Probe Request

2 - Probe Response

3 - Authentication Request

4 - Authentication Response

5 - Association Request

6 - Association Response

Final state of Supplicant (STA) and Authenticator (AP): Authenticated, Associated, 802.1X Blocked, Security Parameters

Introduction

What is a PRF (Probe Request Flooding) Attack? Designed to manipulate 802.11 design flaws.

Sends a flood of PR frames using MAC spoofing to represent a large number of nodes scanning the wireless network.

So what happens? Serious performance degradation, or legitimate users are prevented from accessing network resources (DoS). DoS attacks are the most common

Aim

To find an effective method to: recognise rogue Probe Request frames, and prevent an AP from triggering a Probe Response.

Frame fields (length in bytes):

MAC HEADER: Frame Control (2), Duration ID (2), DA (6), SA (6), BSSID (6), Sequence Control (2)

FRAME BODY: SSID (6), Supported Rates (Variable), Extended Supported Rates (Variable)

CRC: FCS (4)

FRAME CONTROL fields (length in bits):

Protocol Version (2), Type (2), Sub Type (4), To DS (1), From DS (1), More Frag (1), Retry (1), Power Management (1), More Data (1), WEP (1), Reserved (1)

Design Flaws

Each request message sent by a STA must be answered with a response message sent by the AP.

Probe Request/Response frames are unprotected.

Test Bed

BSS:

Test-AP (Access Point): MAC: Netgear_42:cf:c0

Test1-PC (User): Windows XP, Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter, MAC: Intel_5b:dd:b3

Test2-PC (User): Windows Vista, Intel® PRO/Wireless 2200BG Wireless Connection, MAC: Intel_39:c9:33

Test3-PC (Attacker): BackTrack4 (Linux), MAC: Intel_a5:23:37

Sniffing & Injecting work!

Existing Countermeasures

Cryptography Encryption

long-term secret key

Client Puzzle

MAC Frame Fields: Analysis of Sequence Number field.

Change Retry limit

Response Delay

NIC Profiling & Signal Fingerprinting

AI Models

The future research

Keep a “Safe List” of known attributes and give priority to “Safe List”.

Pattern Recognition of “Transactions” and filter peculiar Probe Requests.
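
Added example, not code from the presentation: it parses the 24-byte MAC header from the frame format slide and applies the “Safe List” priority idea, withholding Probe Responses when too many unknown source MACs probe within one time window. The safe-list address, window length, threshold, class and function names, and sample frames are all constructed assumptions.

```python
import struct
from collections import deque

SAFE_LIST = {"02:aa:00:00:00:01"}   # constructed MAC of a known station (assumption)
WINDOW_S, MAX_UNKNOWN = 1.0, 20     # assumed window and threshold; tune per network
HDR = "<HH6s6s6sH"                  # Frame Control, Duration ID, DA, SA, BSSID, Sequence Control

def parse_probe_request(frame: bytes):
    """Return (source MAC, sequence number) for a Probe Request, else None."""
    if len(frame) < 24:
        return None
    fc, _dur, _da, sa, _bssid, seq_ctrl = struct.unpack(HDR, frame[:24])
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 4):   # type 0 (management), subtype 4
        return None
    return ":".join(f"{b:02x}" for b in sa), seq_ctrl >> 4   # low 4 bits: fragment number

class ProbeGate:
    """Decides whether a Probe Request should trigger a Probe Response."""
    def __init__(self):
        self.unknown = deque()       # (timestamp, MAC) for senders not on the safe list

    def allow_response(self, ts: float, frame: bytes) -> bool:
        parsed = parse_probe_request(frame)
        if parsed is None:
            return False
        mac, _seq = parsed
        if mac in SAFE_LIST:         # safe-list stations keep priority during a flood
            return True
        self.unknown.append((ts, mac))
        while ts - self.unknown[0][0] > WINDOW_S:   # expire entries outside the window
            self.unknown.popleft()
        # Many distinct unknown senders in one window matches the spoofed-MAC flood pattern.
        return len({m for _, m in self.unknown}) <= MAX_UNKNOWN

def make_probe(mac: str, seq: int) -> bytes:
    """Constructed 24-byte Probe Request header (broadcast DA and BSSID) for the demo."""
    sa = bytes.fromhex(mac.replace(":", ""))
    return struct.pack(HDR, 0x0040, 0, b"\xff" * 6, sa, b"\xff" * 6, seq << 4)

def demo():
    gate = ProbeGate()
    flood = [gate.allow_response(i * 0.01, make_probe(f"02:00:00:00:00:{i:02x}", i))
             for i in range(30)]
    known = gate.allow_response(0.31, make_probe("02:aa:00:00:00:01", 100))
    later = gate.allow_response(5.0, make_probe("02:00:00:00:00:ff", 101))
    return flood, known, later

if __name__ == "__main__":
    print(demo())
```

A source MAC alone can be spoofed, so a deployed safe list would key on more attributes than this example does.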

Summary

What is IEEE 802.11?

What is Probe Request & Response?

What is a Probe Request Flooding Attack?

So what happens?

Aim

Design Flaws

Experiment

Existing Countermeasures

Future Research


Thank You
