
802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions Luat Vu Alexander Alexandrov.


1 802.11 Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions
Luat Vu, Alexander Alexandrov

2 802.11 Advantages
- Free spectrum
- Efficient channel coding
- Cheap interface hardware
- Easy to extend a network
- Easy to deploy

3 802.11 Problems
- Attractive target for potential attacks
- An attacker has the flexibility to decide where and when to launch an attack
- Difficult to locate the source of transmissions
- Not easy to detect well-planned attacks
- Vulnerabilities in the 802.11 MAC protocol

4 WEP
- Wired Equivalent Privacy
- Provides data privacy between 802.11 clients and access points
- Relies on shared secret keys
- Uses a challenge-response authentication protocol
- Data packets are encrypted in transit

5 WEP Vulnerabilities
- Recurring weak keys
- The secret key can be recovered
- Under attack, network resources can be fully used up, and an attacker can monitor the traffic of other networks
- WEP-protected frames can be modified, new frames can be injected, and authentication frames can be spoofed, all without knowing the shared secret key

6 802.11 MAC protocol
- Designed to address problems specific to wireless networks
- Provides the ability to discover networks, join and leave networks, and coordinate access
- Deauthentication/disassociation attacks
- Virtual carrier-sense attacks
- Authentication DoS attacks
- A new protocol is needed to overcome the current security problems

7 802.11 Frame Types
- Management Frames
  - Authentication Frames
  - Deauthentication Frames
  - Association Request Frames
  - Association Response Frames
  - Reassociation Request Frames
  - Reassociation Response Frames
  - Disassociation Frames
  - Beacon Frames
  - Probe Request Frames
  - Probe Response Frames

8 802.11 Frame Types
- Data Frames
- Control Frames
  - Request to Send (RTS) Frame
  - Clear to Send (CTS) Frame
  - Acknowledgement (ACK) Frame

9 Deauthentication
- A client must first authenticate itself to the AP before any further communication
- Clients and APs use explicit messages to request deauthentication from each other
- This message can be spoofed by an attacker because it is not authenticated by any key material

10 Deauthentication

11
- An attacker has great flexibility in mounting the attack
- An attacker can pretend to be the AP or the client
- An attacker may elect to deny access to individual clients, or even rate-limit their access

12 Disassociation
- A client may be authenticated with multiple APs at once
- The 802.11 standard provides a special association message that lets the client and AP agree on which AP will forward packets
- 802.11 also provides a disassociation message; like the association frames, it is unauthenticated
- An attacker can exploit this in the same way as the deauthentication attack

13 Power Saving
- To conserve energy, clients are allowed to enter a sleep state
- The client has to announce its intention to the AP before going to sleep
- The AP will buffer any inbound traffic for the node
- When the client wakes up, it polls the AP for any pending traffic
- By spoofing the polling message on behalf of the client, an attacker can cause the AP to discard the client's packets while it is asleep

14 Media Access Vulnerabilities
- Short Interframe Space (SIFS)
- Distributed Coordination Function Interframe Space (DIFS)
- Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods
- The SIFS window is used for frames that are part of a preexisting frame exchange
- The DIFS window is used by nodes wishing to initiate a new frame exchange

15 Media Access Vulnerabilities
- To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots
- Each node picks a slot at random, with equal probability, in which to start transmitting
- If a collision occurs, the sender uses a random exponential backoff before retransmitting

16 Media Access Vulnerabilities

17
- A SIFS period is 20 microseconds
- An attacker can monopolize the channel by sending a short signal before the end of every SIFS period
- This attack is highly effective but requires considerable effort

18 Media Access Vulnerabilities
- Duration field: another serious vulnerability
- The duration field indicates the number of microseconds for which the channel is reserved
- It is used to implement the Network Allocation Vector (NAV)
- The NAV is used in the RTS/CTS handshake

19 802.11 Attack Infrastructure
- It seems all 802.11 NICs are inherently able to generate arbitrary frames
- In practice, devices implement key MAC functions in firmware to moderate access
- Undocumented modes of operation such as HostAP and HostBSS could be used
- The Choice Microsystems AUX port is used for debugging

20 802.11 Attack Infrastructure

21 802.11 Deauthentication Attack
- Deauthentication attack implementation
- 1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients

22 Deauthentication Attack Solution
- All 4 clients gave up connecting
- Could be solved by authentication, but that is expensive
- Practical solution: queue deauthentication requests for 5-10 seconds; if no subsequent traffic arrives from the client, drop the connection; this only requires a firmware modification
- Solves the problem, but introduces a new one
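The queue-and-wait policy on this slide, written out as an access-point state machine. This is an added example, not code from the slides or from the Bellardo/Savage paper: a deauthentication request is not honoured immediately but held for a grace period, and continued traffic from the client during that period is taken as evidence that the request was spoofed. A naive AP that follows the standard literally is included for contrast. The event format, the client addresses and the 5-second grace period (the slide gives a 5-10 second range) are assumptions of this example.

```python
"""Delayed deauthentication handling at the AP (the slide's practical solution).

Added example, not code from the slides or from the Bellardo/Savage paper.
The event format, addresses and the 5-second grace period are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRACE_PERIOD_S = 5.0   # assumption: lower end of the slide's 5-10 second range


@dataclass
class Client:
    pending_deauth_at: Optional[float] = None   # when an unhonoured deauth arrived


@dataclass
class DelayedDeauthAP:
    """AP that applies the queue-and-wait policy."""
    grace: float = GRACE_PERIOD_S
    clients: Dict[str, Client] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def associate(self, mac: str) -> None:
        self.clients[mac] = Client()

    def _expire(self, now: float) -> None:
        """Drop associations whose grace timer ran out with no traffic seen."""
        for mac, st in list(self.clients.items()):
            if st.pending_deauth_at is not None and now - st.pending_deauth_at >= self.grace:
                del self.clients[mac]
                self.log.append(f"{now:.1f}s {mac}: deauth honoured, no traffic for {self.grace:.0f}s")

    def handle(self, now: float, src: str, kind: str) -> None:
        """Process one received frame; kind is 'deauth' or 'data'."""
        self._expire(now)
        st = self.clients.get(src)
        if st is None:
            return                      # not associated: nothing to tear down
        if kind == "deauth" and st.pending_deauth_at is None:
            st.pending_deauth_at = now  # queue instead of acting immediately
            self.log.append(f"{now:.1f}s {src}: deauth queued")
        elif kind == "data" and st.pending_deauth_at is not None:
            # The client is still talking, so the queued request was not its own.
            st.pending_deauth_at = None
            self.log.append(f"{now:.1f}s {src}: queued deauth discarded as spoofed")

    def is_associated(self, mac: str, now: float) -> bool:
        self._expire(now)
        return mac in self.clients


@dataclass
class NaiveAP:
    """AP that follows the standard and acts on every deauth at once."""
    clients: Dict[str, bool] = field(default_factory=dict)

    def associate(self, mac: str) -> None:
        self.clients[mac] = True

    def handle(self, now: float, src: str, kind: str) -> None:
        if kind == "deauth":
            self.clients.pop(src, None)

    def is_associated(self, mac: str, now: float) -> bool:
        return mac in self.clients


# Constructed trace: a forged deauth naming 'aa' while 'aa' keeps sending data,
# and a genuine deauth from 'bb' after which 'bb' goes quiet.
TRACE = [
    (1.0, "aa", "deauth"),
    (2.0, "aa", "data"),
    (3.0, "bb", "deauth"),
    (4.0, "aa", "data"),
]


def run_scenario(check_at: float = 9.0) -> Dict[str, Dict[str, bool]]:
    """Replay TRACE against both AP policies and report who is still associated."""
    result = {}
    for name, ap in (("delayed", DelayedDeauthAP()), ("naive", NaiveAP())):
        for mac in ("aa", "bb"):
            ap.associate(mac)
        for now, src, kind in TRACE:
            ap.handle(now, src, kind)
        result[name] = {mac: ap.is_associated(mac, check_at) for mac in ("aa", "bb")}
    return result


if __name__ == "__main__":
    print(run_scenario())
```

With the trace above the delayed AP keeps `aa` associated and drops `bb` once the grace period has elapsed, while the naive AP drops both on the spot. The length of the grace period is the trade-off: a longer window resists forged requests better but delays a genuine disconnect, and, as the next slide points out, a party that keeps sending frames under the client's address can hold the old association open.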

23 Problems with this solution
- When a mobile client roams, which AP should receive the packets destined for the client?
- An adversary can keep a connection open to the old AP by continuously sending packets
- Intelligent and dumb infrastructures
- Easy to solve for intelligent infrastructures, more problematic for dumb ones

24 802.11 Virtual Carrier-sense Attack
- Virtual carrier-sense attack
- Current 802.11 devices do not properly follow the specification

25 NS-2 Attack Simulation
- Assuming this bug will be fixed, simulate the attack in ns-2
- 18 static client nodes, 1 static attacker node sending arbitrary duration values 30 times a second
- The channel is completely blocked; much harder to defend against than the deauthentication attack

26 Simulation Results
- Solution: low and high caps on the CTS duration value

27 Still not perfect…
- By increasing the attacker's frequency to 90 packets per second, the network could still be shut down

28 Virtual Carrier-sense Attack Solution
- Solution: abandon portions of the standard 802.11 MAC functionality
- Four key frames carry duration values: ACK, data, RTS, CTS
- Stop fragmentation: then there is no need for ACK and data duration values
- Enforce a valid RTS-CTS-data sequence
- A lone CTS is either unsolicited or the observing node is a hidden terminal; solution: each node independently ignores lone CTS packets
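The duration-field mechanics of slide 18 and the mitigations of slides 26-28, replayed from a single observing node's point of view. This is an added example, not code from the slides or from the paper: one second of constructed frames (a few well-formed RTS/CTS/DATA/ACK exchanges plus unsolicited CTS frames with a maximal duration field at the 30 and 90 per-second rates of slides 25 and 27) is fed to three NAV policies: the plain specification that honours every duration field, the capped policy (clamp to a high cap, ignore implausibly short values), and the stricter policy that additionally ignores DATA/ACK durations and any CTS not preceded by a matching RTS. The cap values, the RTS-to-CTS window, the addresses and the traffic mix are assumptions of this example; the slides name caps only for CTS, and applying them to every duration-bearing frame is this example's choice.

```python
"""NAV policies against spoofed duration values (virtual carrier-sense attack).

Added example, not code from the slides or the paper. Cap values, the
RTS-to-CTS window, addresses and the traffic mix are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_US = 1_000_000        # one second of channel time, in microseconds
MAX_DURATION_US = 32_767     # largest value the 15-bit duration field can carry
HIGH_CAP_US = 11_000         # assumption: about one maximum-size frame at 1 Mb/s
LOW_CAP_US = 100             # assumption: reservations shorter than this are ignored
RTS_CTS_WINDOW_US = 100      # assumption: a CTS must follow its RTS within this gap


@dataclass(frozen=True)
class Frame:
    t: int          # time the frame was observed, microseconds
    kind: str       # "RTS", "CTS", "DATA" or "ACK"
    src: str        # transmitter address (for CTS: the responding node)
    dst: str        # receiver address (for CTS: the node that sent the RTS)
    duration: int   # duration field as carried in the frame, microseconds


def legitimate_exchanges(count: int = 5) -> List[Frame]:
    """Constructed sample: `count` well-formed RTS/CTS/DATA/ACK exchanges."""
    frames = []
    for k in range(count):
        t0 = 50_000 + 100_000 * k
        c = f"C{k}"
        frames += [
            Frame(t0, "RTS", c, "AP", 2_000),        # reserves CTS + DATA + ACK
            Frame(t0 + 50, "CTS", "AP", c, 1_950),   # the remaining reservation
            Frame(t0 + 100, "DATA", c, "AP", 300),   # reserves the ACK
            Frame(t0 + 1_900, "ACK", "AP", c, 0),
        ]
    return frames


def unsolicited_cts(rate_per_s: int) -> List[Frame]:
    """Constructed sample: the traffic of slide 25, CTS frames with a maximal
    duration field `rate_per_s` times per second and no preceding RTS."""
    spacing = WINDOW_US // rate_per_s
    return [Frame(i * spacing, "CTS", "X", "Y", MAX_DURATION_US) for i in range(rate_per_s)]


def effective_duration(frame: Frame, policy: str, last_rts: Dict[Tuple[str, str], int]) -> int:
    """How long this frame may hold the NAV under `policy` (0 = ignored)."""
    d = frame.duration
    if policy == "naive":
        return d
    # Capped and strict policies: clamp high, drop implausibly short values.
    d = min(d, HIGH_CAP_US)
    if d < LOW_CAP_US:
        return 0
    if policy == "capped":
        return d
    # Strict policy (slide 28): without fragmentation, DATA and ACK carry no
    # useful duration, and a CTS is honoured only as part of an RTS/CTS pair.
    if frame.kind in ("DATA", "ACK"):
        return 0
    if frame.kind == "CTS":
        rts_t = last_rts.get((frame.dst, frame.src))
        if rts_t is None or frame.t - rts_t > RTS_CTS_WINDOW_US:
            return 0   # lone CTS: unsolicited, or we are a hidden terminal
    return d


def nav_busy_us(frames: List[Frame], policy: str) -> int:
    """Microseconds of the window during which the NAV marks the channel busy."""
    busy, nav_end = 0, 0
    last_rts: Dict[Tuple[str, str], int] = {}
    for f in sorted(frames, key=lambda fr: fr.t):
        if f.kind == "RTS":
            last_rts[(f.src, f.dst)] = f.t
        until = min(f.t + effective_duration(f, policy, last_rts), WINDOW_US)
        if until > nav_end:                      # the reservation extends the NAV
            busy += until - max(f.t, nav_end)
            nav_end = until
    return busy


def compare(rate_per_s: int) -> Dict[str, int]:
    """Busy time under each policy for legitimate traffic plus unsolicited CTS."""
    frames = legitimate_exchanges() + unsolicited_cts(rate_per_s)
    return {p: nav_busy_us(frames, p) for p in ("naive", "capped", "strict")}


if __name__ == "__main__":
    for rate in (30, 90):
        print(rate, "frames/s:", compare(rate))
```

Under the plain specification 30 maximal CTS frames per second keep the NAV busy for about 98% of the window; the cap brings that down to roughly a third, but at 90 frames per second the capped reservations again cover almost the whole second, which is the behaviour slide 27 reports. Only the lone-CTS rule removes the unsolicited frames entirely, at the cost of a genuine hidden terminal losing its CTS protection. RTS frames are still honoured here, which is why slide 29 still sees a residual loss of bandwidth.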

29 Still suboptimal…
- Still not perfect: at a 30% threshold, the attacker can still lower the available bandwidth by 1/3
- Best solution: explicit authentication of 802.11 control packets
- Requires a fresh, cryptographically signed copy of the originating RTS
- A significant alteration to the 802.11 standard; the benefit/cost ratio is not clear

30 Related Work: Launching and Detecting Jamming Attacks in 802.11
- Jamming: emitting radio signals that do not follow the 802.11 MAC protocol
- Measured by packet send ratio (PSR) and packet delivery ratio (PDR)
- Four attack models: constant, deceptive, random, and reactive jammer

31 Effectiveness of Jamming Attacks

32 Basic Statistics for Detecting Jamming
- Signal strength
- Can use either a basic average or spectral discrimination of the signal strength
- Unreliable

33 Basic Statistics for Detecting Jamming
- Carrier sensing time
- However, one has to differentiate between congestion and jamming
- With a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence
- Still detects only constant and deceptive jammers
- Packet delivery ratio: effective for all jammers, but still cannot differentiate jamming from other network dynamics, such as the sender running out of battery power

34 Conclusions
- Wireless networks are popular due to convenience, but confidentiality and availability are critical
- Arbitrary 802.11 frames can easily be sent using commodity hardware
- Deauthentication attacks are effective today; virtual carrier-sense attacks will be once devices follow the specification
- Simple stop-gap solutions can be applied with low overhead on existing hardware

35 Thank you! Any questions?
