Title: 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Dept of CSE @ UC San Diego
802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage, Dept of CSE @ UC San Diego
- Seminar class presentation
- Supervisor: Dr. Huang
- Students: Chuming Chen, Xinliang Zheng
Outline
- Background information about IEEE802.11
- Theoretical vulnerability analysis
- Practical 802.11 attack infrastructure
- Deauthentication attack and defense
- Virtual carrier-sense attack and defense
- Conclusions
- References
Background information about IEEE 802.11
- What is IEEE802.11
- 802.11 MAC frame
- Authentication and Association Transitions
- Hidden Terminal Problem
- Solution to Hidden Terminal Problem
What is IEEE 802.11
- IEEE 802.11 is a series of specifications for the MAC and physical layers of wireless local area networks.
802.11 MAC frame
- By setting different fields of the frame header we obtain the different frame types: RTS, CTS, PS-Poll, ACK, Data, and so on.
Type and Subtype Identifier
- Management frames (type 00)
  - Association request (0000)
  - Association response (0001)
  - Disassociation (1010)
  - Deauthentication (1100)
- Control frames (type 01)
  - Power Save (PS)-Poll (1010)
  - RTS (1011)
  - CTS (1100)
- Data frames (type 10)
  - Data (0000)
  - Data + CF-Ack (0001)
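To make the identifier table concrete, here is an added Python example (not code from the slides or from the Bellardo and Savage paper) that decodes the Frame Control and Duration fields of a raw 802.11 header, names the frame type and subtype using the values above, and, from the monitoring station's point of view, counts deauthentication frames per claimed transmitter so that the burst a spoofing attack produces stands out. The sample frames are constructed bare headers with locally administered MAC addresses; the ACK subtype (1101) is not on the slide but is the standard value.

```python
import struct
from collections import Counter

# Frame types and the subtypes listed on slide 6 (ACK added; it is the standard value 1101).
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0b0000): "association request",
    (0, 0b0001): "association response",
    (0, 0b1010): "disassociation",
    (0, 0b1100): "deauthentication",
    (1, 0b1010): "PS-Poll",
    (1, 0b1011): "RTS",
    (1, 0b1100): "CTS",
    (1, 0b1101): "ACK",
    (2, 0b0000): "data",
    (2, 0b0001): "data + CF-Ack",
}


def parse_header(frame: bytes) -> dict:
    """Decode the fields every 802.11 MAC frame starts with.

    Frame Control is a little-endian 16-bit field whose low byte holds
    version (bits 0-1), type (bits 2-3) and subtype (bits 4-7).  Duration/ID
    follows; with bit 15 clear it is the NAV reservation in microseconds.
    Address 1 is the receiver; Address 2 (the transmitter) is absent on ACK and CTS.
    """
    if len(frame) < 10:
        raise ValueError("shorter than the minimal 802.11 MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0b11
    subtype = (fc >> 4) & 0b1111
    has_addr2 = not (ftype == 1 and subtype in (0b1100, 0b1101)) and len(frame) >= 16
    return {
        "version": fc & 0b11,
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"unknown {ftype:02b}/{subtype:04b}"),
        "nav_us": None if duration & 0x8000 else duration,
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":") if has_addr2 else None,
    }


def build_header(ftype: int, subtype: int, duration_us: int, addr1: bytes, addr2: bytes = b"") -> bytes:
    """Constructed bare header (no body, no FCS) used only to feed the parser."""
    fc = (subtype << 4) | (ftype << 2)
    return struct.pack("<HH", fc, duration_us) + addr1 + addr2


def deauth_senders(frames, threshold: int = 3) -> dict:
    """Monitoring-station view: count deauthentication/disassociation frames per claimed
    transmitter and return those at or above the threshold, the burst a spoofing attack produces."""
    counts = Counter(
        h["addr2"] for h in map(parse_header, frames)
        if h["subtype"] in ("deauthentication", "disassociation") and h["addr2"]
    )
    return {addr: n for addr, n in counts.items() if n >= threshold}


# Constructed sample capture: locally administered MACs, not real devices.
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("02000000000a")
SAMPLE_FRAMES = [
    build_header(2, 0b0000, 314, AP, CLIENT),        # data, client -> AP
    build_header(1, 0b1101, 0, CLIENT),              # ACK (no transmitter address)
    build_header(1, 0b1011, 32767, AP, CLIENT),      # RTS carrying the largest possible NAV
    build_header(1, 0b1100, 32000, CLIENT),          # CTS
] + [build_header(0, 0b1100, 314, CLIENT, AP) for _ in range(3)]  # three deauths "from" the AP


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_header(f))
    print("bursty deauth senders:", deauth_senders(SAMPLE_FRAMES))
```

Run it directly to print the decoded headers; `deauth_senders` returns the addresses that sent three or more deauthentication or disassociation frames, here the spoofed AP address.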
Authentication and Association Transitions
- Deauthentication and disassociation packets can be sent by both the Access Point (AP) and the Wireless Station (WS).
Hidden Terminal Problem
- In a wireless LAN, stations may not be able to hear each other, so CSMA/CD does not fit here.
Solution to the Hidden Terminal Problem (physical and virtual carrier sensing are used together)
- 1. An RTS/CTS exchange is used to clear the wireless medium when a transmission is about to start.
- 2. Different inter-frame spaces (SIFS, DIFS) and the Network Allocation Vector (NAV) are used to reserve the medium.
Theoretical vulnerability analysis
- Identity vulnerabilities
- Picture of the deauthentication attack
- Media access vulnerabilities
- Picture of the virtual carrier-sense attack
Identity Vulnerabilities
- Fundamental reason
  - Deauthentication and disassociation packets (and others) are sent without authentication.
- Deauthentication attack
  - The adversary (A) can pretend that the WS/AP sent a deauthentication packet to the AP/WS.
- Disassociation attack
  - A can pretend that the WS/AP sent a disassociation packet to the AP/WS.
- Power-saving sequence attack
  - A pretends that the WS sent a PS-Poll to the AP, causing the buffered frames to be discarded.
  - A pretends that the AP sent a spoofed Traffic Indication Map (TIM) to the WS, making it keep sleeping or become desynchronized.
Picture of the Deauthentication Attack
Media Access Vulnerabilities
- Fundamental reason
  - Again, packets sent to the medium are not authenticated in 802.11.
- One possible attack
  - Transmitting within every SIFS to contend for the medium may require sending 50,000 packets/second.
- Virtual carrier-sense attack
  - Send out packets with a large NAV (about 30 packets/s).
Picture of the Virtual Carrier-Sense Attack
Practical 802.11 attack infrastructure
- What does A need to implement the attack?
- General structure of current Network Interface Cards (NIC)
- Practical problem
- Solution to the practical problem
What does A need to implement the attack?
- It is possible for A to design and build a new NIC that can send out whatever packets A wants, but this is rather improbable.
- Hopefully A can use currently available NICs to implement the attacks.
General structure of current NICs
- Generally the firmware can be updated, but the hardware cannot be changed.
Practical Problem
- The wide variety of 802.11 NICs tested by the authors typically do not allow the generation of any control frames, do not permit other key fields (such as the NAV) to be specified by the host, and do not allow reserved or illegal field values to be transmitted.
Solution to the Practical Problem
- Most current NIC designs originated with Choice Microsystems, whose AUX port (originally intended for debugging) can be used to change frame fields.
- The authors modified the firmware to access the AUX port and then changed frame fields to devise the attacks.
Deauthentication attack and defense
- Experimental settings
- Deauthentication attack
- Defense against deauthentication attacks
Experimental Settings
- Small 802.11 network with 7 machines: 1 attacker, 1 access point, 1 monitoring station and 4 legitimate clients.
- In-kernel software-based access point using the Linux HostAP driver.
- Clients attempted to FTP a large file through the access point machine, a transfer that outlasted the testing period.
Deauthentication Attack
- Carried out with an iPAQ H3600 and a D-Link DWL-650 card running software with the updated firmware.
Defense against Deauthentication Attacks
- Method: delay the deauthentication (by 5-10 s) after receiving the deauthentication request packet.
- WS roaming is not really affected.
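As an added example (mine, not the authors' code) of the countermeasure on this slide, the following Python model replays a constructed event timeline against an AP that holds each deauthentication request for DEAUTH_DELAY_S seconds instead of acting on it at once. What makes the delay useful is the check applied during the hold: if the station keeps transmitting, the held request is discarded as spoofed. That check is my reading of how the delay is meant to be used; the slide states only the delay. Station addresses, timings and the 5 s value are assumptions, and running with a delay of zero reproduces the unmodified, immediate behaviour for comparison.

```python
from dataclasses import dataclass, field

DEAUTH_DELAY_S = 5.0   # slide 24 gives 5-10 s; 5 s is assumed here


@dataclass
class AccessPoint:
    """Minimal model of an AP's association table with delayed deauthentication."""
    delay_s: float
    associated: set
    pending: dict = field(default_factory=dict)   # station -> time its deauth request arrived
    log: list = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Honour held requests whose delay elapsed with no further traffic from the station."""
        for sta, t0 in list(self.pending.items()):
            if now - t0 >= self.delay_s:
                self.associated.discard(sta)
                del self.pending[sta]
                self.log.append((now, sta, "deauth honoured"))

    def on_deauth(self, sta: str, now: float) -> None:
        if sta in self.associated and sta not in self.pending:
            self.pending[sta] = now
            self.log.append((now, sta, "deauth held"))
        self.expire(now)   # with delay_s == 0 this is the unmodified, immediate behaviour

    def on_data(self, sta: str, now: float) -> None:
        if sta in self.pending:
            # The station is still transmitting, so it never asked to leave: drop the held request
            # (assumed use of the delay; the slide states only the delay itself).
            del self.pending[sta]
            self.log.append((now, sta, "deauth discarded, station still active"))
        if sta in self.associated:
            self.log.append((now, sta, "data forwarded"))
        else:
            self.log.append((now, sta, "data dropped, station not associated"))


def run(stations, events, delay_s: float, end_s: float):
    """Replay (time_s, kind, station) events in order; return the final association table and the log."""
    ap = AccessPoint(delay_s=delay_s, associated=set(stations))
    for now, kind, sta in sorted(events):
        ap.expire(now)
        if kind == "deauth":
            ap.on_deauth(sta, now)
        elif kind == "data":
            ap.on_data(sta, now)
    ap.expire(end_s)   # let any remaining hold periods run out
    return ap.associated, ap.log


# Constructed scenario (addresses and times are made up for the example).
STA_A = "02:00:00:00:00:0a"
STA_B = "02:00:00:00:00:0b"
EVENTS = [
    (0.0, "deauth", STA_A),   # forged by the attacker with A's address as the sender
    (1.2, "data", STA_A),     # A is still moving its file
    (2.0, "deauth", STA_B),   # B genuinely leaves and stays silent afterwards
    (3.0, "data", STA_A),
]


def unmodified():
    return run({STA_A, STA_B}, EVENTS, delay_s=0.0, end_s=10.0)


def defended():
    return run({STA_A, STA_B}, EVENTS, delay_s=DEAUTH_DELAY_S, end_s=10.0)


if __name__ == "__main__":
    for name, fn in (("unmodified", unmodified), ("delayed", defended)):
        associated, log = fn()
        print(name, "still associated:", sorted(associated))
        for entry in log:
            print("  ", entry)
```

In the unmodified run the forged request drops A immediately and A's later data is discarded; with the hold in place A's traffic during the delay cancels the request while B, which really went silent, is deauthenticated once its delay elapses. The station stays associated and its data is forwarded throughout the hold, which is why roaming is barely affected.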
Virtual carrier-sense attack and defense
- Virtual carrier-sense attack using a real NIC
- Virtual carrier-sense attack using the ns simulator
- Defense against the virtual carrier-sense attack
Virtual Carrier-Sense Attack Using a Real NIC
- It does not work.
- Conclusion: most of the devices available do not properly implement 802.11, i.e. the NAV reservation period is not fully honoured.
Virtual Carrier-Sense Attack Using the ns Simulator
- The ns simulator implements 802.11 faithfully.
- The attack is devised by sending packets with a large NAV.
Defense against the Virtual Carrier-Sense Attack
- One way is to specify a maximal valid NAV: the transmission time of the largest packet plus the medium-access backoffs.
- However, increasing the frequency of the virtual carrier-sense attack packets will still show an effect.
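The following Python example (added here; not from the slides or the paper) works the numbers for this cap. It derives a maximal valid NAV from the largest 802.11 frame at the slowest 802.11b rate plus SIFS, its ACK, DIFS and a minimum-window backoff, then measures how much of one second an overhearing station's NAV stays set under a constructed attack stream of 30 packets/s (the rate slide 14 gives) with and without the cap, and the attacker rate at which capped reservations still cover the whole medium. All PHY constants are 802.11b DSSS values assumed for the example; the attack stream is constructed, not a capture.

```python
import math

# 802.11b DSSS PHY timing, assumed for this example.
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us
PLCP_US = 192                        # long preamble plus PLCP header
LOWEST_RATE_MBPS = 1.0
MAX_MPDU_BYTES = 2346                # largest 802.11 MAC frame including FCS
ACK_BYTES = 14
CW_MIN_SLOTS = 31
NAV_FIELD_MAX_US = 32767             # largest reservation the 15-bit Duration field can express
US_PER_S = 1_000_000


def airtime_us(nbytes: int, rate_mbps: float = LOWEST_RATE_MBPS) -> int:
    """Time on air for one frame: PLCP overhead plus the bytes at the given rate."""
    return PLCP_US + int(nbytes * 8 / rate_mbps)


def max_valid_nav_us(backoff_slots: int = CW_MIN_SLOTS) -> int:
    """Longest reservation a legitimate exchange needs: the largest frame at the
    slowest rate, SIFS and its ACK, then DIFS plus a contention backoff."""
    return (airtime_us(MAX_MPDU_BYTES) + SIFS_US + airtime_us(ACK_BYTES)
            + DIFS_US + backoff_slots * SLOT_US)


def clamp_nav(nav_us: int, cap_us: int) -> int:
    """Receiver-side rule from slide 28: never set the NAV beyond the cap."""
    return min(nav_us, cap_us)


def busy_fraction(reservations, window_us: int, cap_us=None) -> float:
    """Share of the window during which an overhearing station's NAV is set.
    reservations: (arrival_us, nav_us) pairs; overlapping reservations are merged."""
    busy = 0
    busy_until = 0
    for t, nav in sorted(reservations):
        if cap_us is not None:
            nav = clamp_nav(nav, cap_us)
        start = max(t, busy_until)
        end = min(t + nav, window_us)
        if end > start:
            busy += end - start
            busy_until = end
    return busy / window_us


def attack_stream(rate_pps: int, nav_us: int, window_us: int):
    """Constructed attacker pattern: evenly spaced frames, each claiming nav_us."""
    n = rate_pps * window_us // US_PER_S
    return [(i * US_PER_S // rate_pps, nav_us) for i in range(n)]


def rate_to_saturate(cap_us: int) -> int:
    """Lowest frame rate at which capped reservations still cover the whole medium,
    which is why slide 28 notes that a faster attacker still has an effect."""
    return math.ceil(US_PER_S / cap_us)


if __name__ == "__main__":
    cap = max_valid_nav_us()
    one_second = US_PER_S
    stream = attack_stream(30, NAV_FIELD_MAX_US, one_second)   # slide 14: about 30 packets/s
    print(f"cap on NAV: {cap} us")
    print(f"30 pkt/s, NAV 32767, no cap : {busy_fraction(stream, one_second):.3f} of the medium")
    print(f"30 pkt/s, NAV 32767, capped : {busy_fraction(stream, one_second, cap):.3f}")
    print(f"rate needed to saturate under the cap: {rate_to_saturate(cap)} pkt/s")
```

Under these assumptions the cap comes to 19944 µs; 30 uncapped maximal NAVs per second keep the medium reserved about 98% of the time, the cap brings that down to about 60%, and roughly 51 packets/s suffice to reach 100% even with the cap, which is the residual effect the second bullet refers to.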
Defense against the Virtual Carrier-Sense Attack (continued)
- Another way, specified by the authors, requires modifying 802.11:
  - No fragmentation, since the default fragmentation threshold in wireless media significantly exceeds the Ethernet MTU.
  - For the four key frame types that carry a NAV:
    - ACK and Data frames: ignore the NAV, since there is no fragmentation.
    - RTS frame: the NAV is respected until such time as a data frame should be sent.
    - CTS frame: specify some threshold (30); if such time is used by the CTS frame, ignore the NAV.
- This way was not tested by the authors of the paper.
Conclusions
- Vulnerabilities in the 802.11 management and media-access services are identified.
- Theoretical attacks are analyzed.
- Implementations of the deauthentication and virtual carrier-sense attacks are provided with testing results.
- Low-overhead, non-cryptographic countermeasures are specified, and some test results with the suggested improvements are also provided.
References
- 1. 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, John Bellardo and Stefan Savage, Dept of CSE @ UC San Diego.
- 2. 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast, O'Reilly 2002.
- 3. Real 802.11 Security: Wi-Fi Protected Access and 802.11i, Jon Edney and William A. Arbaugh, Addison-Wesley 2003.