802.11 Denial of Service Attacks: Real Vulnerabilities and Practical Solutions - PowerPoint PPT Presentation

About This Presentation

Title: 802.11 Denial of Service Attacks: Real Vulnerabilities and Practical Solutions

Description: Written by: John Bellardo and Stefan Savage, University of California at San Diego. Presented by: Michael Kroll and Jian Shi, University of South Carolina. 9/26 ...

Slides: 48
Provided by: huan75

Transcript and Presenter's Notes

1
802.11 Denial of Service Attacks: Real Vulnerabilities and Practical Solutions
  • Written by: John Bellardo and Stefan Savage
  • University of California at San Diego
  • Presented by: Michael Kroll and Jian Shi
  • University of South Carolina

2
Wireless Background: Wireless Establishment
  • Communication over the air in close proximity
  • Workstations, handhelds, Access Points
  • Access Points/Routers link to others or into
    wired LANs/WANs
  • No single standard like Ethernet for radio
    networks
  • Proprietary products, incompatible hardware
  • September 1997: IEEE 802.11 Wireless (WiFi)

3
Wireless Background: Wireless Establishment
  • Slow implementation: complexity and mandatory
    features
  • Loss of backwards compatibility
  • Frequency Hopping (1 Mb/s), then Direct Sequence
    (1-2 Mb/s)
  • Spring 1999: 802.11a (5 GHz) at 2-12 Mb/s
  • Still not very popular
  • Shortly afterward: 802.11b (2.4 GHz) at 5-11 Mb/s

4
Wireless Background: Wireless Establishment
  • Higher standardization/volumes on 802.11b
  • Low prices, became highly popular
  • June 2003: 802.11g at 54 Mb/s
  • Popularity makes this the current standard
  • Projected for July 2007: 802.11n at 540 Mb/s
  • Possible upgrades in features and security

5
Wireless Background: Topology
  • Basic Service Set (BSS): basic building block of
    a WLAN, a group of any number of stations
  • Independent BSS (IBSS or Ad-Hoc): peer-to-peer
    between individual stations
  • Infrastructure BSS: stations in the group talk to an
    Access Point (AP) that relays their frames
    elsewhere
  • Extended Service Set (ESS): APs relay to other
    BSSs through other APs
  • Makes use of a Distribution System (connected
    APs/wired LANs)

6
Wireless Background: Topology
7
Wireless Background: Structure
  • 802.11 similar in most respects to 802.3 Ethernet
  • BUT mobility of devices and overlapping radio
  • PHY layer for several different signaling methods
  • Media Access Control (MAC) and data delivery
  • Upper layers MUST see a standard 802.3 LAN
  • MAC abstracts all WiFi for the upper layers

8
Wireless Background: Structure
9
Wireless Background: Connecting to a Wireless LAN
  • Dilemma 1: WiFi devices dynamically moving
    (roaming), limited ranges, unreliable connections
  • Step 1: Authentication to WLAN
  • Step 2: Association (if connecting to an Access Point)
  • Proceed with transmissions
  • End Step 1: Disassociate (if on an Access Point)
  • End Step 2: Deauthenticate from WLAN

10
Wireless Background: Connecting to a Wireless LAN
11
Wireless Background: CSMA/CA
  • Dilemma 2: radio creates a noisy medium, requires
    sensing different from Ethernet
  • CSMA/CA: Carrier Sense Multiple Access with
    Collision Avoidance
  • Prevents device radios from overlapping and loss
    of transmissions
  • 4 packets in 2 pairs: RTS with CTS, Data with ACK

12
Wireless Background: CSMA/CA, RTS with CTS
  • RTS: Request to Send, passed to the receiver
  • CTS: Clear to Send from the receiver if ready and
    the medium is free
  • RTS/CTS contain Duration fields
  • Since it is radio, all nodes will see any packets on
    the medium
  • All other nodes update their NAVs to match the
    Durations
  • Nodes count down on their NAVs; no one but the
    sender/receiver talks until the countdown reaches 0

13
Wireless Background: CSMA/CA, Data with ACK
  • Data: packets containing the sender's transmissions
  • ACK: receiver confirmation of each Data packet
  • Durations also here, constantly raising other
    nodes' NAVs if more Data is still to go
  • Possibility of radio noise and an unclear channel
  • Sender/receiver wait SIFS (a short time period)
    between all transmissions for safe packets

14
Wireless Background: CSMA/CA, Nodes Released
  • Sender/receiver finish, others reach 0 on their NAVs
  • All nodes wait DIFS (longer than SIFS) after 0 is
    hit
  • Following DIFS, each node randomly chooses a time
    slot to start
  • Both DIFS and the slot prevent all nodes starting
    immediately after NAVs reach 0 and colliding
  • If two nodes still collide, both wait a random
    exponential backoff (like Ethernet)

15
Wireless Background: Security and Growth
  • Optional authentication/encryption in the MAC with
    WEP
  • WEP easy to break and flawed
  • Protocol extensions like WPA, 802.11i, 802.1x
  • 802.11 Wireless hit 1 Billion in 2001
  • Wide use and continued security improvements
  • However, focus on access control/confidentiality,
    NOT on availability

16
Introduction of Threat: DoS on 802.11
  • Paper focuses on Denial-of-Service attacks
  • DoS particularly threatening on 802.11
  • No physical infrastructure gives the attacker
    flexibility in where and when
  • Anonymity due to the difficulty of locating the
    transmission
  • Immature 802.11 network tools for diagnosis
  • Attacker can choose selective or complete disruption

17
Introduction of Threat: Overview
  • Four principal contributions
  • Demonstrate that the normal operation of firmware
    in commodity 802.11 devices can be circumvented
  • Description of vulnerabilities in 802.11
  • Implement and test DoS attacks on the vulnerabilities
  • Implement and evaluate non-cryptographic
    countermeasures
  • Solutions should only need firmware upgrades in
    existing hardware

18
Attack Infrastructure: Firmware Limits
  • 802.11 NIC firmware provides moderate access to the
    radio through a constrained interface
  • Some experts say Virtual Carrier-Sense attacks are
    impossible due to the limited interfaces
  • Most NICs do allow management frames using
    semi-documented or undocumented modes of operation
  • Firmware, however, often overwrites invalid
    frames (and thus attacks) with proper values

19
Attack Infrastructure: Firmware Bypass
  • Specially configure host/NIC
  • Write frame to BAP
  • Find in SRAM
  • Request transmit
  • Modify packet by AUX Port
  • Changes the packet after the firmware processes it
    but before it sends

20
Attack Infrastructure: Device
  • H3600 Pocket PC with D-Link PCMCIA 802.11
    interface
  • Familiar Linux using modified dsniff
  • MAC address and DNS resolver to find clients
  • Select individuals or en masse attacks

21
Identity Vulnerabilities: Deauthentication
  • Clients must authenticate to APs before further
    communication
  • Deauthentication
  • Contained in an unauthenticated message
  • Attackers spoof the deauthentication message to stop
    the communication
  • This attack has great flexibility
  • Attackers can control their damage
  • Attackers need to scan channels

22
Identity Vulnerabilities: Deauthentication
23
Deauthentication Attack: Attack Simulation
  • In a small simulated network
  • 1 AP, 4 good clients, 1 attacker, 1 monitoring
    station
  • Spoof a deauthentication request from a client to
    an AP
  • Rate limited to 10 frames per second
  • Attacks have an obvious impact
  • 2 attacks: 1 to a certain client, 1 to all of
    them
  • A computer even crashed in a small attack

24
Deauthentication Attack: Attack Simulation
25
Deauthentication Attack: Attack Solution
  • Explicitly authenticate management frames and
    drop invalid requests
  • High overhead
  • Low-overhead system-level solution
  • Buffer deauthentication requests and delay
    deauthentication for 5-10 sec
  • Check the subsequent arrival sequence of management
    frames and data packets
  • If the sequence is reasonable, accept the management
    request. Otherwise, drop it
  • Proved to be of significant value
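The delayed-deauthentication defence on this slide, modelled as a small access-point state machine. This is an added example written for this page, not the paper's firmware: the AP queues each deauthentication request for a hold-down window and drops it if the supposedly departing client keeps sending data during that window (a station that really left goes quiet). The 5 s window, the client addresses and the frame trace are constructed values.

```python
"""Added example (not the paper's firmware): the low-overhead deauthentication
defence from slide 25, modelled as a small AP state machine.

An AP that receives a deauthentication request does not act on it at once.
It holds the request for a few seconds and watches what the client does
next: a station that really wants to leave goes quiet, whereas a station
whose deauthentication was forged by a third party keeps sending data.
Data frames arriving during the hold-down therefore cause the queued
request to be discarded.  Addresses, timestamps and the 5 s window are
constructed values for illustration.
"""
from dataclasses import dataclass, field

HOLD_DOWN_SECONDS = 5.0   # slide 25 suggests 5-10 s; the low end is assumed here


@dataclass
class Frame:
    kind: str    # "deauth" or "data"; other frame types are not modelled
    src: str     # transmitter address as carried in the frame (unauthenticated)
    t: float     # receive time in seconds


@dataclass
class AccessPoint:
    authenticated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)      # src -> hold-down deadline
    spoofed: list = field(default_factory=list)      # (src, t) of dropped requests

    def expire(self, now: float) -> None:
        """Honour queued deauthentications whose hold-down has elapsed."""
        for src, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[src]
                self.authenticated.discard(src)

    def receive(self, frame: Frame) -> None:
        self.expire(frame.t)
        if frame.kind == "deauth":
            # Queue instead of acting; a repeated request for the same client
            # keeps the original deadline.
            if frame.src in self.authenticated and frame.src not in self.pending:
                self.pending[frame.src] = frame.t + HOLD_DOWN_SECONDS
        elif frame.kind == "data" and frame.src in self.pending:
            # The "departed" station is still transmitting: the sequence is not
            # reasonable, so the queued request is treated as spoofed and dropped.
            del self.pending[frame.src]
            self.spoofed.append((frame.src, frame.t))


def run(frames, clients):
    """Replay a constructed frame trace against an AP with the given clients."""
    ap = AccessPoint(authenticated=set(clients))
    for f in sorted(frames, key=lambda x: x.t):
        ap.receive(f)
    return ap


if __name__ == "__main__":
    # Constructed trace: a forged deauth arrives for c1, but c1 keeps
    # talking; c2 genuinely leaves and stays silent.
    trace = [Frame("deauth", "c1", 0.0), Frame("data", "c1", 0.4),
             Frame("deauth", "c2", 1.0), Frame("data", "c1", 7.0)]
    ap = run(trace, ["c1", "c2"])
    ap.expire(10.0)
    print("still authenticated:", sorted(ap.authenticated))   # ['c1']
    print("dropped as spoofed:", ap.spoofed)                   # [('c1', 0.4)]
```

The check is deliberately cheap (one timer per client and no cryptography), which is why the slide calls it low overhead; the price is that a genuine deauthentication takes effect only after the window, the trade-off the roaming slide that follows discusses.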

26
Deauthentication Attack: Attack Solution
27
Deauthentication Attack: New Possible Vulnerability of the Solution
  • Mobile clients roaming between APs
  • The intelligent frame
  • APs have an explicit means of coordination that
    can be used to update route information
  • The dumb frame
  • Deauthentication timeout can't do much
  • These vulnerabilities are not likely to cause a
    practical threat

28
Identity Vulnerabilities: Disassociation
  • Association request follows authentication
  • Disassociation
  • Very similar to deauthentication
  • Attacked in a similar way to the deauthentication attack
  • This attack is less efficient
  • Victims can recover from a disassociation attack
    faster

29
Identity Vulnerabilities: Power Saving
  • Polling message can be spoofed
  • Causes the loss of buffered data
  • Sync management message can be spoofed
  • Causes clients to fall out of sync with their AP
    and fail to wake up at the right time
  • All these vulnerabilities can be resolved with
    appropriate authentication of all messages

30
Identity Vulnerabilities: In 802.11i
  • Depends on the implementation of mutual
    authentication
  • EAP-TLS, for example, has a strong mutual authentication
    mechanism. The adversary cannot authenticate
    itself to either of the two communicating sides.
    Under this mechanism, it can only perform an
    eavesdropping attack.
  • Any 802.11i implementation needs to consider
    mutual authentication

31
Media Access Vulnerabilities: Collision Avoidance
  • Hidden terminals prevent perfect collision
    detection
  • Both Physical Carrier-Sense and Virtual
    Carrier-Sense used for access to the channel
  • Physical: DIFS and SIFS time delays
  • Virtual: 4-packet Duration values on the NAVs
  • But both exploitable by an attacker

32
Media Access Vulnerabilities: Physical Carrier-Sense
  • Nodes wait either DIFS or SIFS
  • Since SIFS is shorter than DIFS, all nodes are
    guaranteed to wait at least a SIFS delay
  • Attacker sends a short signal every SIFS period,
    so all nodes are forced to keep waiting
  • SIFS is only 20 microseconds
  • Attacker must send 50,000 packets per second
  • Attacker expends considerable energy to disable
    network access

33
Media Access Vulnerabilities: Virtual Carrier-Sense Attack
(figure: Repeated Attacks)
34
Media Access Vulnerabilities: Virtual Carrier-Sense
  • Well-behaved nodes always obey Durations from
    RTS, CTS, Data, and ACKs
  • Attacker sends a large Duration field, constantly
    forcing NAV countdowns
  • Max Duration 32767, or 32 milliseconds
  • Attacker transmits only 30 packets per second
  • Attacker expends very little energy
  • RTS/CTS/ACK not authenticated, no non-repudiation
  • Low power or a directional antenna reduces the
    chance of being located

35
Virtual Carrier-Sense Attack: Attack Simulation
  • Physical attack inefficient, Virtual much better
  • Initial physical test of nodes and Access Point
    failed
  • Both APs and nodes emitted packets 1 millisecond
    after a CTS with Duration 32767
  • Various devices repeated the problem, which is
    impossible under the 802.11 standard
  • Assume most devices are not implementing the
    802.11 specification properly when setting NAVs

36
Virtual Carrier-Sense Attack: Attack Simulation
  • Utilize the NS simulator, which uses proper 802.11
  • 1 static attacker sending 30 times a second
  • 18 static client nodes running FTP sessions
  • Attacker ignores Duration values sent by others
  • Tests using high Durations in both RTS/CTS and
    ACK
  • Result was a complete block of the entire channel
    while the attacker was sending

37
Virtual Carrier-Sense Attack: Attack Simulation
(figure labels: Other Nodes, Attacker)
38
Virtual Carrier-Sense Attack: Attack Solution
  • Virtual Carrier-Sense much harder to defend than
    Deauthentication
  • Set limits on the size of the Duration allowed
  • If RTS or management, force a small Duration
  • If ACK or CTS, force Duration to the maximum for 1500
    bytes
  • Ethernet MTU is roughly 1500 bytes, and most 802.11 APs
    bridge to Ethernet
  • With the same attack simulation, individual node
    sessions were able to proceed

39
Virtual Carrier-Sense Attack: Attack Solution
(figure labels: Other Nodes, Attacker)
40
Virtual Carrier-Sense Attack: Attack Expansion
  • Increase attacks from 30 to 90 packets per second
    using ACK
  • ACK forces the 1500-byte Duration
  • Excessive Durations above stop traffic again
  • 802.11 puts inherent trust in Duration values set
    by nodes
  • Defending requires abandoning some of the 802.11
    standard by defining Durations for the 4 frame types

41
Virtual Carrier-Sense Attack: Solution for ACK/Data
  • Both ACK and Data frames should only carry large
    Durations if reserving the medium for the next fragment
  • Fragmentation almost never used
  • Fragmentation thresholds exceed Ethernet MTUs
  • Drop fragmentation and disregard Durations in ACK
    and Data frames

42
Virtual Carrier-Sense Attack: Solution for RTS
  • RTS only exists in an RTS-CTS-Data transmission
    sequence
  • Duration is set for the time of the following CTS and
    Data
  • Treat the RTS Duration speculatively
  • Allow the RTS Duration
  • Wait until the usual expected time for the Data to arrive
  • If no Data in the correct time, abandon the Duration

43
Virtual Carrier-Sense Attack: Solution for CTS
  • CTS frame arrives at the receiver, addressed to it
  • If the node/AP sent no RTS, order a 0 Duration
  • CTS frame arrives but is not addressed to the receiver
  • Could belong to a node/AP out of range, so might be
    good
  • Choose to ignore lone CTSs for a fraction of the
    time stalled on a CTS request; attackers only gain
    30% of the bandwidth
  • Cryptographically sign the CTS with the originating RTS,
    but this significantly alters the 802.11 standard and is
    costly
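The NAV mechanism from the CSMA/CA slides (12-14) together with the per-frame-type Duration rules from slides 38 and 41-43, as one added example written for this page (not the paper's code or any vendor firmware). A standard station sets its NAV to whatever Duration it overhears, which is exactly the trust the virtual carrier-sense attack abuses; with `hardened=True` the model instead caps ACK/Data Durations to one MTU-sized frame, reserves nothing for management frames, treats RTS reservations speculatively until the Data appears, and zeroes a CTS addressed to a station that sent no RTS. Times are in microseconds; the 11 Mb/s rate, the RTS grace period, the handling of a lone CTS for another station (treated like a speculative RTS, a simplification of the slide's fractional rule) and the addresses are constructed assumptions.

```python
"""Added example (not the paper's code or any vendor firmware): a NAV model
that applies the Duration-handling rules summarised on slides 38 and 41-43
to the RTS/CTS/Data/ACK exchange described on slides 12-14.

Every station overhears every frame and, per the standard, sets its NAV to
the frame's Duration field; the virtual carrier-sense attack abuses that
trust.  With hardened=True the model caps or discounts Duration by frame
type instead.  Times are microseconds; the 11 Mb/s rate, the RTS grace
period and the station addresses are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

MAX_DURATION_US = 32767     # largest value the 15-bit Duration field can carry (slide 34)
ETHERNET_MTU_BYTES = 1500   # APs bridge to Ethernet, so one frame never needs more airtime (slide 38)
RTS_GRACE_US = 400          # assumed: how long an RTS reservation is trusted before its Data must appear


def frame_airtime_us(nbytes: int, rate_mbps: float) -> int:
    """Airtime of an nbytes frame at rate_mbps, preamble and headers ignored."""
    return int(round(nbytes * 8 / rate_mbps))


@dataclass
class Frame:
    kind: str          # "rts", "cts", "data", "ack" or "mgmt"
    duration_us: int   # Duration field exactly as received (unauthenticated)
    dst: str           # receiver address


@dataclass
class Nav:
    own_addr: str
    rate_mbps: float = 11.0
    hardened: bool = True
    confirmed_until_us: int = 0   # reservations taken at face value (after capping)
    spec_until_us: int = 0        # RTS / lone-CTS reservation still awaiting its Data
    spec_deadline_us: int = 0     # time by which that Data must have been seen
    awaiting_cts_for: Optional[str] = None   # set while an RTS of ours is unanswered

    def sent_rts(self, dst: str) -> None:
        self.awaiting_cts_for = dst

    def tick(self, now_us: int) -> None:
        """Slide 42: abandon a speculative reservation whose Data never came."""
        if self.spec_until_us and now_us >= self.spec_deadline_us:
            self.spec_until_us = self.spec_deadline_us = 0

    def busy(self, now_us: int) -> bool:
        self.tick(now_us)
        return now_us < max(self.confirmed_until_us, self.spec_until_us)

    def observe(self, frame: Frame, now_us: int) -> int:
        """Update the NAV from an overheard frame; return the Duration actually honoured."""
        self.tick(now_us)
        dur = min(max(frame.duration_us, 0), MAX_DURATION_US)
        if not self.hardened:                   # standard behaviour: trust the field
            self.confirmed_until_us = max(self.confirmed_until_us, now_us + dur)
            return dur
        if frame.kind in ("data", "ack"):
            # slides 38/41: at most one more MTU-sized frame's worth of airtime
            dur = min(dur, frame_airtime_us(ETHERNET_MTU_BYTES, self.rate_mbps))
            # the Data frame now governs the medium; any pending RTS reservation is
            # dropped (this model does not match the Data frame to the RTS's addresses)
            self.spec_until_us = self.spec_deadline_us = 0
            self.confirmed_until_us = max(self.confirmed_until_us, now_us + dur)
        elif frame.kind == "mgmt":
            dur = 0                              # slide 38: management frames reserve nothing
        elif frame.kind == "rts":
            # slide 42: honour the RTS only until the Data should have appeared
            dur = self._speculate(now_us, dur)
        elif frame.kind == "cts":
            if frame.dst == self.own_addr:
                if self.awaiting_cts_for is None:
                    dur = 0                      # slide 43: CTS answering no RTS of ours
                self.awaiting_cts_for = None
                self.confirmed_until_us = max(self.confirmed_until_us, now_us + dur)
            else:
                # slide 43: a lone CTS for someone else may be a hidden-terminal exchange;
                # treating it like a speculative RTS is this model's simplification
                dur = self._speculate(now_us, dur)
        return dur

    def _speculate(self, now_us: int, dur: int) -> int:
        self.spec_until_us = max(self.spec_until_us, now_us + dur)
        self.spec_deadline_us = now_us + RTS_GRACE_US
        return dur


if __name__ == "__main__":
    victim = Nav("aa:bb:cc:00:00:01")
    # constructed: a forged CTS carrying the maximum Duration, with no RTS from us
    print(victim.observe(Frame("cts", MAX_DURATION_US, victim.own_addr), 0))  # 0
    print(victim.busy(10))                                                    # False
    legacy = Nav(victim.own_addr, hardened=False)
    legacy.observe(Frame("cts", MAX_DURATION_US, victim.own_addr), 0)
    print(legacy.busy(30000))                                                 # True
```

Running the same forged-CTS frame through a legacy and a hardened `Nav` shows the difference the slides describe: the legacy station stalls for the full 32767 µs, the hardened one for 0 µs, and an ACK carrying the maximum Duration is clamped to roughly one 1500-byte frame of airtime (1091 µs at 11 Mb/s). The RTS rule is the subtle one: the reservation is honoured immediately, which keeps legitimate hidden-terminal exchanges working, but it evaporates if no Data follows within the grace period.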

44
Related Work
  • Research focused on weaknesses of WEP
  • Fluhrer et al.: use weak keys to recover the secret
    key
  • Stubblefield et al.: recover keys via monitoring
  • Borisov et al.: vulnerabilities of the WEP frame
  • Security vulnerabilities in the 802.11 MAC protocol:
    Lough, but he doesn't validate them empirically
  • Problems posed by authentication DoS attacks:
    Faria and Cheriton. Their solution has high
    overhead

45
Related Work
  • Implementation of the deauthentication attack:
    black-hat community
  • Schiffman's toolkit can inject raw 802.11 frames
    into the channel
  • Congestion-based MAC layer DoS attacks:
    Gupta et al., Kyasanur and Vaidya. They don't
    focus on attacks on the 802.11 MAC protocol itself
  • 802.11 TGi working group: they are aware of the
    threats but don't propose protection against them.

46
Conclusion
  • 802.11 WiFi standard: complexity/design
  • Standard created widespread usage
  • Still security issues; fixes focus on Access
    Control and Confidentiality
  • This paper presents the issue of Availability (DoS)
  • Vulnerabilities to DoS
  • Deauthentication: tests showed it practically
    effective
  • Virtual Carrier-Sense: tests show it only
    theoretical due to deficiencies in commodity
    802.11

47
Conclusion
  • Countermeasures developed for the attacks
  • Low overhead on both hardware and traffic
  • Require just firmware upgrades to existing NICs
    and APs
  • Only a stopgap solution
  • Mobile deauthentication, Power Saving attacks,
    limitations on CTS frames: still vulnerable
  • Long term needs appropriate per-packet
    authentication
  • High overhead, but it is the ultimate safe solution