natalie podrazik – cs 491v – [email protected] “802.11 denial-of-service attacks: real...
Natalie Podrazik – CS 491V – [email protected]
“802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”
Natalie Podrazik
April 19, 2006

Overview
I. What is 802.11
II. 802.11 Vulnerabilities
  I. Identity
  II. MAC Layer
III. Experiment
  I. Tools and Modifications
  II. Results
IV. Conclusions
V. Relevancy to E-Voting Project

What is 802.11?
• IEEE wireless internet standard
• 802.11b, 802.11a, 802.11g flavors
• Popular
• Cheap
• Easy to set up, maintain
• Operates on 2.4 GHz band

How does 802.11 work?
Client, Name: ABCDEFGHIJKL
Access Point, Name: AccessPoint00
Authentication Request & Response
Association Request & Response
Data Payload
Acknowledgements
Deauthentication Request & Response

Vulnerabilities
1. Identity
• Use of MAC frames with sender and receiver
2. MAC Layer
• Use of MAC frames to avoid collisions
Client, Name: MNOPQRSTUVWX
Frame:
  To: AccessPoint00
  From: MNOPQRSTUVWX
  Duration: 100 µs
Spoofing
Stalling
Hi, I’m ABCDEFGHIJKL...

Spoof Attack 1: Deauthentication
Access Point, Name: AccessPoint00
Client, Name: ABCDEFGHIJKL
Attacker, Name: MNOPQRSTUVWX
Authentication Request & Response
Association Request & Response
Data Payload
Deauthentication Request
x Deauthentication Response

Approaches to Deauthentication
• Spoof client or Access Point
Access Point, Name: AccessPoint00
Attacker, Name: MNOPQRSTUVWX
Client, Name: ABCDEFGHIJKL
MAC Frame:
  To: AccessPoint00
  From: ABCDEFGHIJKL
  Msg: DEAUTH
MAC Frame:
  To: ABCDEFGHIJKL
  From: AccessPoint00
  Msg: DEAUTH

Strength of Deauthentication Attack
• Client must re-establish connection
• Prevention of sending or receiving any data
• Possibilities
  • Forbid or limit access to certain clients
  • Block entire access point
• More work for attacker
• Clean attacks – new auths
• No escape for client to other AP’s

Spoof Attack 2: Disassociation
Access Point, Name: AccessPoint00
Client, Name: ABCDEFGHIJKL
Attacker, Name: MNOPQRSTUVWX
Authentication Request & Response
Association Request & Response
Data Payload
Disassociation Request
x Deauthentication Response

Evaluation of Disassociation Attack
• Similar to deauthentication
• Less efficient
• Deauthentication forces the client to do more work: re-establish authentication + association
• Disassociation only forces client to re-establish association, not authentication.
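
A defender's view of the two spoofed-frame attacks above, as an added example that is not part of the original slides: a monitoring station parses 802.11 management headers and flags bursts of deauthentication or disassociation frames for one source/destination pair. The addresses, timestamps, window and threshold are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10   # 802.11 management-frame subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(raw):
    """Return (subtype, dst, src) for a management frame, else None."""
    if len(raw) < 24:                       # shorter than a management header
        return None
    (fc,) = struct.unpack_from("<H", raw, 0)
    if (fc >> 2) & 0x3 != 0:                # frame type 0 = management
        return None
    return (fc >> 4) & 0xF, mac(raw[4:10]), mac(raw[10:16])

def detect_floods(capture, window_s=1.0, threshold=5):
    """capture: time-ordered (timestamp_s, raw_frame) pairs. Returns
    {(claimed_src, dst): peak count} for pairs over `threshold` per window."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        key = (parsed[2], parsed[1])        # source address is only a claim
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:         # drop frames outside the window
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

# Constructed sample capture using locally administered addresses.
AP, STA, STA2 = (bytes.fromhex(h) for h in
                 ("020000000001", "020000000002", "020000000003"))

def frame(ftype, subtype, dst, src, seq):
    fc = (subtype << 4) | (ftype << 2)
    hdr = struct.pack("<HH", fc, 0) + dst + src + AP + struct.pack("<H", seq << 4)
    return hdr + struct.pack("<H", 3)       # 2-byte body (reason code field)

def sample_capture():
    cap = [(0.10, frame(0, 8, b"\xff" * 6, AP, 1)),      # beacon
           (0.50, frame(0, DEAUTH, AP, STA2, 7)),        # one ordinary deauth
           (1.00, frame(2, 0, AP, STA, 40))]             # data frame
    cap += [(2.0 + i * 0.01, frame(0, DEAUTH, STA, AP, 100 + i))
            for i in range(20)]                          # burst claiming to be the AP
    cap += [(3.0 + i * 0.01, frame(0, DISASSOC, AP, STA, 200 + i)) for i in range(3)]
    return cap

if __name__ == "__main__":
    for (src, dst), n in detect_floods(sample_capture()).items():
        print(f"possible deauth/disassoc flood: {src} -> {dst}, {n} frames in 1 s")
```

Because the sender address is unauthenticated, an alert identifies the targeted pair, not the device that actually transmitted the frames.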

Spoof Attack #3: While you were sleeping...
• Power-saving techniques allow clients to go to sleep
Access Point, Name: AccessPoint00
Client, Name: ABCDEFGHIJKL
Client: I’m going to sleep
Access Point: Ok, I’ll take your messages.
0 1 2 3 4 5 6 7
Client: zzzzz
Client: I’m awake. Any messages?
0 1 2 3 4 5 6 7

Spoofing the Polling Message
Access Point, Name: AccessPoint00
Client, Name: ABCDEFGHIJKL
Attacker, Name: MNOPQRSTUVWX
0 1 2 3 4 5 6 7
zzzzz
I’m awake. Any messages?
I’m ABCDEFGHIJK, and I’m awake.
Nope.
0 1 2 3 4 5 6 7 x

TIM Packets
• Traffic Indication Map
• Spoof broadcast of TIM
Access Point, Name: AccessPoint00
Client, Name: ABCDEFGHIJKL
0 1 2 3 4 5 6 7
zzzzz
TIM: No pending messages for ABCDEFGHIJKL

Timing
• Waking up timing relies on:
  • Period of TIM packets
  • Timestamp broadcast from access point
• Both are sent in the clear
• Attack:
  • Get client out of sync
  • Wake up at the wrong times

MAC Vulnerabilities
• Access to MAC divided into windows
  • Short InterFrame Space (SIFS)
    • For already connected exchanges
  • Distributed Coordination Function InterFrame Space (DIFS)
    • To initiate new frames
• Sender specifies which window
• No immediate ACK = collision
• Random exponential backoff algorithm
MAC Frame:
  To: AccessPoint00
  From: ABCDEFGHIJKL
  Window: DIFS

MAC Attack #1: Waiting to Transmit
• Every transmitting node has to wait at least 1 SIFS interval
• Attack: send short message before end of each SIFS interval
• Unlikely: SIFS period = 20 µs, many packets per second to send
1 SIFS interval (20 µs)
Backoff

MAC Attack #2: Duration
• Every 802.11 frame has a duration field
  • How many µs the channel will be reserved
• Used to set up Network Allocation Vector (NAV)
• Nodes can only transmit when NAV == 0
MAC Frame:
  To: AccessPoint00
  From: MNOPQRSTUVWX
  Duration: 32767 µs

Duration Attacks
• Possible to use almost any frame to control NAV
  • ACK
  • RTS (Request To Send) / CTS (Clear To Send)
• Attacker uses little resources
  • Transmit ~30 times / second to jam channel
  • Little power used
  • Use of a directional antenna

Experiment
• Challenge:
  • Modifying MAC frames to spoof sender address
  • Generating any old control frames
• Solution:
  • Tweak “Buffer Access Path” firmware and Aux-Port
  • Intervenes between NIC’s passing of packets to hardware
• Attacks via OTS hardware

Attacker
• iPAQ H3600 with Dlink DWL-650 card
• Linux
• Weighs 375 g (~12oz)
• Easily fits in a coat pocket
• Listening application
• Clients identified by MAC addresses
• DNS-resolver used

Experiments
Client (Windows XP)
Access Point (Linux HostAP)
Attacker
Client (Linux Thinkpad)
Client (MacOS X)
Client (Linux iPaq)
Monitoring Station

Attack #1: Deauth Against One
Access Point (Linux HostAP)
Attacker
Client (Linux Thinkpad)
Client (MacOS X)
Client (Linux iPaq)
Monitoring Station

Single Client Attack
• Transfer immediately halted
• Attack lasted for < 10 sec
• Rate of transfer wasn’t up to par for more than a minute
Recovery

Attack #2: Deauth Against All
Access Point (Linux HostAP)
Client (Linux Thinkpad)
Client (MacOS X)
Client (Linux iPaq)
Monitoring Station
Attacker

Attack Against All Clients
• Windows XP can still send a little bit
• Packets not from that session – underlying UDP packets from another XP service

MAC Attack
Access Point
Monitoring Station
Attacker
• Plays by timing rules but sets large durations
• Sends packets out 30 times per second
• Ignores all duration values from any other node
18 client nodes in this experiment

Results of MAC Attack
• Channel is completely blocked for the duration of the attack
• Similar results with ACK and RTS/CTS frames

Defenses to MAC Attack
• Cap on duration values
• Sending 90 packets per second brought network down
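
Why roughly 30 frames per second with the maximum duration is enough to hold the channel, and what a cap on duration values changes, as an added example that is not part of the original slides: a small model of one node's NAV. The per-frame-type cap values and the traffic are constructed assumptions, and the model covers NAV reservation only.

```python
MAX_DURATION_US = 32767        # largest duration value shown on the slides

# Constructed per-frame-type caps in microseconds (illustrative assumptions,
# not values from the slides or from the 802.11 standard).
CAPS_US = {"ACK": 500, "CTS": 3000, "RTS": 3000, "DATA": 3000}

def honoured(ftype, duration_us, caps=None):
    """Duration a receiving node actually loads into its NAV."""
    d = min(duration_us, MAX_DURATION_US)
    return d if caps is None else min(d, caps.get(ftype, 0))

def nav_busy_fraction(frames, window_us, caps=None):
    """frames: time-ordered (t_us, ftype, duration_us) tuples heard by a node.
    Returns the fraction of the window during which its NAV is non-zero."""
    busy, nav_end = 0, 0
    for t, ftype, dur in frames:
        end = min(t + honoured(ftype, dur, caps), window_us)
        start = max(t, nav_end)          # NAV only ever extends, never shrinks
        if end > start:
            busy += end - start
            nav_end = end
    return busy / window_us

def over_cap(frames, caps):
    """Frames whose announced duration exceeds the cap for their type."""
    return [f for f in frames if f[2] > caps.get(f[1], 0)]

def periodic(ftype, duration_us, per_second, window_us=1_000_000):
    """Constructed traffic: evenly spaced frames of one type."""
    return [(i * window_us // per_second, ftype, duration_us)
            for i in range(per_second)]

if __name__ == "__main__":
    attack = periodic("CTS", MAX_DURATION_US, 30)
    print("NAV busy, durations honoured:", nav_busy_fraction(attack, 1_000_000))
    print("NAV busy, durations capped:  ", nav_busy_fraction(attack, 1_000_000, CAPS_US))
    print("frames over cap:", len(over_cap(attack, CAPS_US)))
```

The list returned by `over_cap` doubles as a monitoring signal: frames announcing a duration far above what their type needs are worth logging.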

Overall Recommendations
• Authentication of 802.11 control packets
• Limiting the size of ACK frames
• Individual nodes’ duration threshold
• Situational Awareness

New and Relevant
• Modifying frames at data link layer through OTS hardware
• Strength of attacks
• Ease of attack
• Scale of attack
• Resources needed
• Capabilities of modern cell phones

Mobile Devices
iPAQ H6315 Pocket PC
F1000G
LinkSys WIP300
8215 Smartphone
T-Mobile M/DA
Verizon XV6700

Works Cited
1. "Access Point". Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point
2. Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August 2003.
3. Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networking." Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.html
4. "HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htm
5. "Media Access Control". Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control
6. "Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com
7. "UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/
8. "Wi-Fi". Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi