Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Simplified Solution For Critical A-MPDU DoS Issues

Published byLorraine Holland Modified over 5 years ago

Similar presentations

Presentation on theme: "A Simplified Solution For Critical A-MPDU DoS Issues"— Presentation transcript:

1 A Simplified Solution For Critical A-MPDU DoS Issues
July 2008 doc.: IEEE /1021r0 September 2008 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors: Luke Qian etc. Luke Qian etc, Cisco

2 July 2008 doc.: IEEE /1021r0 September 2008 Abstract Current operation rules for A-MPDU and BAR facilitate a number of Denial of Service (DoS) attacks as presented in /0703r0. This submission proposes a simplified solution to mitigate the most damaging and easiest-to-launch ones. Luke Qian etc. Luke Qian etc, Cisco

3 Overview for the Issues
September 2008 Overview for the Issues Per current 11n A-MPDU/BA rules, advanced SN in data frames or BAR can advance the left edge of the BA re-ordering buffer on the receiver. However, BAR is a control frame which is not encrypted, nor has any authentication information SN in a data frame is not protected with encryption. As a result, a receiver running BA can be exposed to DoS attacks by rogue devices which move the receiver BA reordering buffer with falsely advanced SN, potentially causing subsequent valid frames to be discarded Such identified DoS attacks include: (Ref /0703) Forged packets with advanced Sequence Numbers (SN) Captured and Replayed packets with modified SN. Captured and Replayed packets with advanced SN without modification. False Block ACK Request (BAR) with advanced SN. False BA to prevent retransmission. They can cause severe performance degradation, such as drop of voice calls, lost connection for TCP traffic etc. Luke Qian etc.

4 Uniqueness of the DoS Issues
July 2008 doc.: IEEE /1021r0 September 2008 Uniqueness of the DoS Issues Hit-and-run type of attack as only one packet is needed to cause the DoS. So an attacker does not need to be at the spot to launch attacks persistently, making it hard to identify or catch the attackers. Significantly long period of DoS for a single attack At the order of tens of seconds. Can cause disassociations or dropped sessions, especially problematic for tcp sessions and voice connections A regular DoS, CTS with excessive NAV setting for example, can only cause a DoS for a period of tens of ms, several order of magnitudes less than that of an A-MPDU DoS, and will have to repeatedly launch the attacks. Luke Qian etc. Luke Qian etc, Cisco

5 September 2008 The Proposed Approach The proposed solution focuses on one of the two easiest-to-launch DoS for a better acceptance in TGn: False Block ACK Request (BAR) with advanced SN. Note 1- The another is Forged packets with advanced Sequence Numbers (SN), addressed by switching the blocks of BA reordering and decryption Note2 - Both are “fire and forget” attacks whereby an attacker need nothing but a single packet to launch a DoS. Luke Qian etc.

6 A Simpler Solution September 2008
July 2008 doc.: IEEE /1021r0 September 2008 A Simpler Solution Introduce a capability bit to signal the protection for backward compatibility Transmitter rules: Never sends BAR with a SN which would cause the receiver to advance the left edge over a “hole” Sends an 11w type of encrypted management action frame, the protected ADDBA, to advance the left edge of the receiver window over a “hole” when needed. Overload the existing ADDBA request frame ADDBA request already contains all the required information Only need to allow an ADDBA request to be used during an established BA session to move the left edge of receiver window Receiver rules: On receiving a BAR which advances the left edge of receiver window over a “hole”, drop the BAR and flag a DoS attack (immediate detection of attack upon receipt of just one frame from attacker), and tear down BA session to minimize disruption On receiving a protected ADDBA for an established BA session, adjust the left edge as requested. Luke Qian etc. Luke Qian etc, Cisco

7 A Capability Bit for Negotiation: RSN Element changes
September 2008 A Capability Bit for Negotiation: RSN Element changes Pre-Auth No Pairwise PTKSA Replay Counter GTKSA Replay Counter Reserved PeerKey Enabled SPP A-MSDU Capable & Required PBAC Resv B0 B1 B2 B3 B4 B5 B6 B8 B9 B10 B11 B12 B13 B15 Modified RSN Capabilities subfield of the RSN Element A bit for signaling the capability: PBAC – Protected BAR Capable Indicates capability to perform modified BAR rules and decryption ordering If both STA advertise PBAC=1, then PBAC SHALL be used If at least one STA of a pair advertises PBAC=0, then PBA SHALL NOT be used STA that supports PBAC must also indicate TGw (e.g. dot11RSNAProtectedManagementFramesEnabled) Luke Qian etc.

Download ppt "A Simplified Solution For Critical A-MPDU DoS Issues"

Similar presentations

Doc.: IEEE 802.11-08/0703r0 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Issues and Solutions to IEEE 802.11n A-MPDU Denial of Service.

Doc.: IEEE /0703r0 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Issues and Solutions to IEEE n A-MPDU Denial of Service.
Doc.: IEEE 802.11-08/0755r1 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Review of 802.11n A-MPDU DoS Issues – Progress and Status Authors:

Doc.: IEEE /0755r1 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Review of n A-MPDU DoS Issues – Progress and Status Authors:
Doc.: IEEE 802.11-08/1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: 2008-09-04 Authors:

Doc.: IEEE /1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors:
Doc.: IEEE 802.11-08/0562r0 Submission May 2008 Adrian Stephens, Intel CorporationSlide 1 TGn LB124 – A detect and mitigate solution to the BA DoS problems.

Doc.: IEEE /0562r0 Submission May 2008 Adrian Stephens, Intel CorporationSlide 1 TGn LB124 – A detect and mitigate solution to the BA DoS problems.
Doc.: IEEE 802.11-08/0833r2 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.

Doc.: IEEE /0833r2 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.
Doc.: IEEE 802.11-08/1021r3 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: 2008-09-09 Authors:

Doc.: IEEE /1021r3 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors:
Doc.: IEEE 802.11-08/0833r3 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.

Doc.: IEEE /0833r3 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.
Doc.:IEEE 802.11-12/0859r0 July 2012 Simone Merlin, Qualcomm Inc Short Block Ack Date: 2012-07-16 Authors:

Doc.:IEEE /0859r0 July 2012 Simone Merlin, Qualcomm Inc Short Block Ack Date: Authors:
PS-Poll TXOP Using RTS/CTS Protection

PS-Poll TXOP Using RTS/CTS Protection
Doc.: IEEE 802.11-12/0840r1 Submission AP Assisted Medium Synchronization Date: 2012-09-17 Authors: September 2012 Minyoung Park, Intel Corp.Slide 1.

Doc.: IEEE /0840r1 Submission AP Assisted Medium Synchronization Date: Authors: September 2012 Minyoung Park, Intel Corp.Slide 1.
Doc.: IEEE 802.11-10/0079r0 Submission Interference Signalling Enhancements Date: 2010-03-xx Mar 2010 Allan Thomson, Cisco SystemsSlide 1 Authors:

Doc.: IEEE /0079r0 Submission Interference Signalling Enhancements Date: xx Mar 2010 Allan Thomson, Cisco SystemsSlide 1 Authors:
Doc.: IEEE 802.11-04/0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.

Doc.: IEEE /0485r0 Submission May 2004 Jesse Walker and Emily Qi, Intel CorporationSlide 1 Management Protection Jesse Walker and Emily Qi Intel.
Doc.:IEEE 802.11-10/0313r1 Submission Robert Stacey (Intel) March 12, 2010 Slide 1 Rekeying Protocol Fix Authors: Date: 2010-03-12.

Doc.:IEEE /0313r1 Submission Robert Stacey (Intel) March 12, 2010 Slide 1 Rekeying Protocol Fix Authors: Date:
Doc.: IEEE 802.15-01/250r0 Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: IEEE802.15.3:

Doc.: IEEE /250r0 Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: IEEE :
Doc.: IEEE 802.11-15/0150r11 Submission July 2015 Ganesh Venkatesan (Intel Corporation)Slide 1 GCR using SYNRA for GLK Date: 2015-07-09 Authors:

Doc.: IEEE /0150r11 Submission July 2015 Ganesh Venkatesan (Intel Corporation)Slide 1 GCR using SYNRA for GLK Date: Authors:
Doc.: IEEE 802.11-08/0615r0 Submission May 2008 Naveen K. Kakani, Nokia IncSlide 1 Multicast Transmission in WLAN Date: 2008-05-13 Authors:

Doc.: IEEE /0615r0 Submission May 2008 Naveen K. Kakani, Nokia IncSlide 1 Multicast Transmission in WLAN Date: Authors:
Flow control for EDMG devices

Flow control for EDMG devices
Location Measurement Protocol for Unassociated STAs

Location Measurement Protocol for Unassociated STAs
Flow control for EDMG devices

Flow control for EDMG devices
Implementation for Intra-AC Differentiated Services

Implementation for Intra-AC Differentiated Services

Similar presentations

Ads by Google