Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review of n A-MPDU DoS Issues – Progress and Status

Published byFrancis Davidson Modified over 4 years ago

Similar presentations

Presentation on theme: "Review of n A-MPDU DoS Issues – Progress and Status"— Presentation transcript:

1 Review of 802.11n A-MPDU DoS Issues – Progress and Status
September 2006 doc.: IEEE /xxxxr0 March 2008 Review of n A-MPDU DoS Issues – Progress and Status Authors: Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

2 September 2006 doc.: IEEE /xxxxr0 March 2008 Objective Provide a brief review of the current status and evolvement of A-MPDU Deny of Service (DoS) Issues for the convenience of further discussion in TGn for an acceptable solution. We also propose an approach to going forward. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

3 Status of A-MPDU DoS Issues
September 2006 doc.: IEEE /xxxxr0 March 2008 Status of A-MPDU DoS Issues New types of DoS identified and acknowledged since LB115 They possess a set of unique characteristics than regular DoS. Can cause performance degradation Will not cause network security problems A number of comments raised by various commenters during LBs. Numerous proposals have been made by various parties. Remain unaddressed as of LB 129. More work is needed for broadly supported solutions to the issues. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

4 September 2006 doc.: IEEE /xxxxr0 March 2008 The A-MPDU DoS Issues 802.11n devices with A-MPDU are exposed to a number of newly identified types of DOS attack associated with the use of Block ACK (BA) and the BA reordering buffer and window. These DOS attacks include: 1) Forged packets with advanced Sequence Numbers (SN) 2) Captured and Replayed packets with modified SN. 3) Captured and Replayed packets with advanced SN without modification. 4) False Block ACK Request (BAR) with advanced SN. 5) False BA to prevent retransmission. For detailed description of these DoS, please see /0703r0 Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

5 Uniqueness of the A-MPDU DoS Issues
September 2006 doc.: IEEE /xxxxr0 March 2008 Uniqueness of the A-MPDU DoS Issues Hit-and-run type of attack as only one packet is needed to cause the DoS. So an attacker does not need to be at the spot to launch attacks persistently, making it hard to identify or catch the attackers. Significantly long period of DoS for a single attack At the order of tens of seconds. Can cause disassociations or dropped sessions, especially problematic for tcp sessions and voice connections A regular DoS, CTS with excessive NAV setting for example, can only cause a DoS for a period of tens of ms, several order of magnitudes less than that of an A-MPDU DoS, and will have to repeatedly launch the attacks. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

6 Proposals for the Issues
September 2006 doc.: IEEE /xxxxr0 March 2008 Proposals for the Issues A number of proposals have been submitted by various parties to address the issues: /2163r0 “A-MPDU Security Issues” /0026r0 “BA Reordering for A-MPDU” /0703r0 “Issues and Solutions to IEEE n A- MPDU Denial of Service Attacks” /0562r0 “A ‘detect and mitigate’ solution to the BA DoS problems” /0665r0 “Block Ack Security“ None of them is well accepted. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

7 Relating Comments and Resolutions in LB 115 (Jan 2008)
September 2006 doc.: IEEE /xxxxr0 March 2008 Relating Comments and Resolutions in LB 115 (Jan 2008) CID for example: There is a potential DoS attack identified on the receiving side of the data plane Proposed solution: “BA Reordering for A-MPDU" /0026r0, Jan, 2008 Resolution MAC: :17:55Z Reject - as follows: It is accepted that a denial of service (DoS) attack exists in which a forger generates Data MPDUs with an arbitrary SN, forcing a STA to consider validly sent MPDUs to be outside its BA window. The proposed change correctly addresses this attack. However, the same DoS attack also exists as a replay attack. In this case the hacker captures a single encrypted Data MPDU addressed to the victim. It then replays this MPDU as much as it wants to, while changing its SN field. Because the SN field is not part of the AAD, this MPDU continues to pass through the integrity check logic, and will still cause the Block Ack receiver buffer to be flushed. Eventually the problematic MPDU reaches the replay logic, where it is discarded - but not before the damage to the BlockAck buffer has been done. Given that the proposed solution does not fully address the attack on the block ack reordering buffer. Request a more complete solution. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

8 Relating Comments and Resolutions in LB 124 (May 2008)
September 2006 doc.: IEEE /xxxxr0 March 2008 Relating Comments and Resolutions in LB 124 (May 2008) Comments: CID 6232, 6233, 6070, 6071 etc Proposed solutions: " Issues and Solutions to IEEE n A-MPDU Denial of Service Attacks“, by Cisco, /0703r0, merged with 11-08/0665, 0537 “A detect and mitigate solution to the BA DoS problems“, by Intel, /0562r0 "Block Ack Security", 11-08/0665, 11-08/0537, by Broadcomm and Cisso, proposed as a merged solution and was rejected. Resolution "GEN: :35:58Z Reject - While the described DoS attack is a potential vulnerability, the additional complexity and cost of implementation of the jointly developed solutions in 08/0665r4 was considered to be unacceptable. " Request a less complex solution. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

9 Relating Comments in LB 129 (June 2008)
September 2006 doc.: IEEE /xxxxr0 March 2008 Relating Comments in LB 129 (June 2008) Comments: CID 8075, 8076 Essentially the same comments carried over from the previous LBs. Proposed approach to going forward: the resolution in LB 115 requests a more complete solution than /0026r0 the resolution in LB 124 requests a less complex solution than /0665r0 The TG seems to suggest finding a solution in the middle ground of the above two in terms of complexity. To going forward, we propose: prioritize these DoS attacks on their severity, address only those more severer than regular DoS Limit the fix to reducing the damages by DoS to regular DoS attacks. Will work within TGn for an acceptable solution. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

10 Prioritizing the A-MPDU DoS Attacks
September 2006 doc.: IEEE /xxxxr0 March 2008 Prioritizing the A-MPDU DoS Attacks Sort the A-MPDU DoS Types on their ease of launching: 1) Forged packets with advanced Sequence Numbers (SN) easy to launch, can be addressed, e.g., by reversing the order of BA reordering and decryption. 4) False Block ACK Request (BAR) with advanced SN. easy to launch, can be addressed, e.g., by protecting the BAR by wrapping it in an encrypted management frame, an 11w mechanism. 2) Captured and Replayed packets with modified SN. more difficult, can be addressed by encrypting the SN, ( drop this one ?) 3) Captured and Replayed packets with advanced SN without modification. more difficult, less likely to be successful, can be addressed by, e.g., a replay check before BA reordering, ( drop this one?) 5) False BA to prevent retransmission. less likely be successful, not unique since regular ACK can cause similar DoS., (drop this one?) Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

11 September 2006 doc.: IEEE /xxxxr0 March 2008 Recommendation Focus solutions on addressing only these two most severer DoS: 1) Forged packets with advanced Sequence Numbers (SN) . 4) False Block ACK Request (BAR) with advanced SN. with a simplified version of /0665r0 “Block Ack Security“ or adopt other proposals. Luke Qian etc, Cisco Systems, Inc Matthew Fischer (Broadcom)

Download ppt "Review of n A-MPDU DoS Issues – Progress and Status"

Similar presentations

Doc.: IEEE 802.11-08/0703r0 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Issues and Solutions to IEEE 802.11n A-MPDU Denial of Service.

Doc.: IEEE /0703r0 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Issues and Solutions to IEEE n A-MPDU Denial of Service.
Doc.: IEEE 802.11-08/0755r1 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Review of 802.11n A-MPDU DoS Issues – Progress and Status Authors:

Doc.: IEEE /0755r1 Submission March 2008 Luke Qian etc, Cisco Systems, IncSlide 1 Review of n A-MPDU DoS Issues – Progress and Status Authors:
Doc.: IEEE 802.11-08/1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: 2008-09-04 Authors:

Doc.: IEEE /1021r1 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors:
Doc.: IEEE 802.11-08/0833r2 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.

Doc.: IEEE /0833r2 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.
Doc.: IEEE 802.11-08/1021r3 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: 2008-09-09 Authors:

Doc.: IEEE /1021r3 Submission September 2008 Luke Qian etc.Slide 1 A Simplified Solution For Critical A-MPDU DoS Issues Date: Authors:
Doc.: IEEE 802.11-08/0833r3 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.

Doc.: IEEE /0833r3 Submission July 2008 Luke Qian etc, CiscoSlide 1 A Proposed Scaled-down Solution to A- MPDU DoS Related Comments in LB 129.
Doc.: IEEE 802.11-08/0026r0 Submission Dec. 2007 Luke Qian, Doug Smith Cisco Systems, IncSlide 1 BA Reordering for A-MPDU Notice: This document has been.

Doc.: IEEE /0026r0 Submission Dec Luke Qian, Doug Smith Cisco Systems, IncSlide 1 BA Reordering for A-MPDU Notice: This document has been.
Submission doc.: IEEE 11-10/0745r2 May 2010 Matthew Fischer, BroadcomSlide 1 MFQ MMPDU MAC Sequence Numbering Date: 2010-06-01 Authors:

Submission doc.: IEEE 11-10/0745r2 May 2010 Matthew Fischer, BroadcomSlide 1 MFQ MMPDU MAC Sequence Numbering Date: Authors:
Doc.: IEEE 802.11-13/1434r0 Submission November 2013 Slide 1 CID 1376: NDP BlockAck Bitmap Protection Date: 2013-11-11 Authors: Alfred Asterjadhi, et.

Doc.: IEEE /1434r0 Submission November 2013 Slide 1 CID 1376: NDP BlockAck Bitmap Protection Date: Authors: Alfred Asterjadhi, et.
Doc.: IEEE 802.11-08/0633r0 Submission May 2008 Andrew Myles (Cisco)Slide 1 Discussion of 40Mhz coexistence with 20MHz BSS in secondary channel Date: 2008-05-14.

Doc.: IEEE /0633r0 Submission May 2008 Andrew Myles (Cisco)Slide 1 Discussion of 40Mhz coexistence with 20MHz BSS in secondary channel Date:
A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.
Doc.: IEEE 802.11-15/0150r11 Submission July 2015 Ganesh Venkatesan (Intel Corporation)Slide 1 GCR using SYNRA for GLK Date: 2015-07-09 Authors:

Doc.: IEEE /0150r11 Submission July 2015 Ganesh Venkatesan (Intel Corporation)Slide 1 GCR using SYNRA for GLK Date: Authors:
Doc.: IEEE /0372r1 Submission March 2007 Matthew Fischer (Broadcom)Slide 1 TGn-LB97-mac-adhoc-report Notice: This document has been prepared to.

Doc.: IEEE /0372r1 Submission March 2007 Matthew Fischer (Broadcom)Slide 1 TGn-LB97-mac-adhoc-report Notice: This document has been prepared to.
doc.: IEEE <doc#>

doc.: IEEE <doc#>
Undetected Duplicate Frame Reception

Undetected Duplicate Frame Reception
RPSEC WG Issues with Routing Protocols security mechanisms

RPSEC WG Issues with Routing Protocols security mechanisms
Securing the WUR Date: Authors: July 2016 March 2014

Securing the WUR Date: Authors: July 2016 March 2014
P802.11aq Waiver request regarding IEEE RAC comments

P802.11aq Waiver request regarding IEEE RAC comments
P802.11aq Waiver request regarding IEEE RAC comments

P802.11aq Waiver request regarding IEEE RAC comments
Introduction to Networking

Introduction to Networking

Similar presentations

Ads by Google