Title: 802.11 Denial of Service Attacks: Real Vulnerabilities and Practical Solutions
Slide 1: 802.11 Denial of Service Attacks: Real Vulnerabilities and Practical Solutions
- Written by John Bellardo and Stefan Savage, University of California at San Diego
- Presented by Michael Kroll and Jian Shi, University of South Carolina

Slide 2: Wireless Background - Wireless Establishment
- Communication over the air in close proximity
- Workstations, handhelds, access points
- Access points/routers link to others or into wired LANs/WANs
- No single standard like Ethernet for radio networks
- Proprietary products, incompatible hardware
- September 1997: IEEE 802.11 Wireless (WiFi)

Slide 3: Wireless Background - Wireless Establishment
- Slow implementation: complexity and mandatory features
- Loss of backwards compatibility
- Frequency Hopping (1 Mb/s), then Direct Sequence (1-2 Mb/s)
- Spring 1999: 802.11a (5 GHz) at 2-12 Mb/s
- Still not very popular
- Shortly afterward 802.11b (2.4 GHz) at 5-11 Mb/s

Slide 4: Wireless Background - Wireless Establishment
- Higher standardization/volumes on 802.11b
- Low prices, became highly popular
- June 2003: 802.11g at 54 Mb/s
- Popularity makes this the current standard
- Projected for July 2007: 802.11n at 540 Mb/s
- Possible upgrades in features and security

Slide 5: Wireless Background - Topology
- Basic Service Set (BSS): basic building block of a WLAN, a group of any number of stations
- Independent BSS (IBSS or Ad-Hoc): peer-to-peer between individual stations
- Infrastructure BSS: stations in the group talk to an Access Point (AP) that relays their frames elsewhere
- Extended Service Set (ESS): APs relay to other BSSs through other APs
- Makes use of a Distribution System of connected APs/wired LANs

Slide 6: Wireless Background - Topology (figure only)

Slide 7: Wireless Background - Structure
- 802.11 similar in most respects to 802.3 Ethernet
- BUT mobility of devices and overlapping radio
- PHY layer for several different signaling methods
- Media Access Control (MAC) and data delivery
- Upper layers MUST see a standard 802.3 LAN
- MAC abstracts all WiFi for the upper layers

Slide 8: Wireless Background - Structure (figure only)

Slide 9: Wireless Background - Connecting to a Wireless LAN
- Dilemma 1: WiFi devices move dynamically (roaming), with limited range and unreliable connections
- Step 1: Authentication to the WLAN
- Step 2: Association (if connecting to an Access Point)
- Proceed with transmissions
- End Step 1: Disassociate (if on an Access Point)
- End Step 2: Deauthenticate from the WLAN

Slide 10: Wireless Background - Connecting to a Wireless LAN (figure only)

Slide 11: Wireless Background - CSMA/CA
- Dilemma 2: radio creates a noisy medium, requiring sensing different from Ethernet
- CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance
- Prevents device radios from overlapping and losing transmissions
- 4 packets in 2 pairs: RTS with CTS, Data with ACK

Slide 12: Wireless Background - CSMA/CA, RTS with CTS
- RTS (Request to Send) passed to the receiver
- CTS (Clear to Send) from the receiver if ready and the medium is free
- RTS/CTS contain Duration fields
- Since it is radio, all nodes will see any packets on the medium
- All other nodes update their NAVs to match the Durations
- Nodes count down their NAVs; no one but sender/receiver talks until the countdown reaches 0

Slide 13: Wireless Background - CSMA/CA, Data with ACK
- Data: packets containing the sender's transmissions
- ACK: receiver confirmation of each Data packet
- Durations also here, constantly raising other nodes' NAVs if more Data is still to go
- Possibility of radio noise and an unclear channel
- Sender/receiver wait SIFS (a short time period) between all transmissions for safe packets

Slide 14: Wireless Background - CSMA/CA, Nodes Released
- Sender/receiver finish, others reach 0 on their NAVs
- All nodes wait DIFS (longer than SIFS) after 0 is hit
- Following DIFS, each node randomly chooses a time slot to start
- Both DIFS and the slot prevent all nodes starting immediately after NAVs hit 0 and colliding
- If two nodes still collide, both wait a random exponential backoff (like Ethernet)

Slide 15: Wireless Background - Security and Growth
- Optional authentication/encryption in the MAC with WEP
- WEP easy to break and flawed
- Protocol extensions like WPA, 802.11i, 802.1x
- 802.11 wireless hit 1 billion in 2001
- Wide use and continued security improvements
- However, the focus is on access control/confidentiality, NOT on availability

Slide 16: Introduction of Threat - DoS on 802.11
- Paper focuses on Denial-of-Service attacks
- DoS particularly threatening on 802.11
- No physical infrastructure gives the attacker flexibility in where and when
- Anonymity due to the difficulty of locating the transmission
- Immature 802.11 network tools for diagnosis
- Attacker can cause selective or complete disruption

Slide 17: Introduction of Threat - Overview
- Four principal contributions
- Demonstrate that the normal operation of firmware in commodity 802.11 devices can be circumvented
- Description of vulnerabilities in 802.11
- Implement and test DoS attacks on the vulnerabilities
- Implement and evaluate non-cryptographic countermeasures
- Solutions should only need firmware upgrades in existing hardware

Slide 18: Attack Infrastructure - Firmware Limits
- 802.11 NIC firmware provides moderate access to the radio through a constrained interface
- Some experts say Virtual Carrier-Sense attacks are impossible due to the limited interfaces
- Most NICs do allow management frames using semi-documented or undocumented modes of operation
- Firmware, however, often overwrites invalid frames or attacks with proper values

Slide 19: Attack Infrastructure - Firmware Bypass
- Specially configure host/NIC
- Write frame to BAP
- Find in SRAM
- Request transmit
- Modify packet by AUX port
- Changes the packet after the firmware processes it but before it is sent

Slide 20: Attack Infrastructure - Device
- H3600 Pocket PC with D-Link PCMCIA 802.11 interface
- Familiar Linux using modified dsniff
- MAC address and DNS resolver to find clients
- Select individuals or en masse attacks

Slide 21: Identity Vulnerabilities - Deauthentication
- Clients must authenticate to APs before further communication
- Deauthentication
- Contained in an unauthenticated message
- Attackers spoof the deauthentication message to stop the communication
- This attack has great flexibility
- Attackers can control their damage
- Attackers need to scan channels

Slide 22: Identity Vulnerabilities - Deauthentication (figure only)

Slide 23: Deauthentication Attack - Attack Simulation
- In a small simulated network
- 1 AP, 4 good clients, 1 attacker, 1 monitoring station
- Spoof a deauthentication request from a client to an AP
- Rate limited to 10 frames per second
- Attacks have an obvious impact
- 2 attacks: 1 against a certain client, 1 against all of them
- One computer even crashed in a small attack

Slide 24: Deauthentication Attack - Attack Simulation (figure only)

Slide 25: Deauthentication Attack - Attack Solution
- Explicitly authenticate management frames and drop invalid requests
- High overhead
- Low-overhead system-level solution
- Buffer deauthentication requests and delay deauthentication for 5-10 sec
- Check the subsequent arrival sequence of management frames and data packets
- If the sequence is reasonable, accept the management requests; otherwise, drop them
- Proved to be of significant value
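A small simulation of the delayed-deauthentication check described on this slide, added here as an illustration and not code from the paper or the presenters. The frame trace, the MAC addresses and the 5-second hold are constructed or assumed values; the check itself is the slide's rule: hold the request, and drop it if the client keeps sending data.

```python
from collections import namedtuple

# Constructed frame trace entries: (timestamp in seconds, source MAC, frame kind)
Frame = namedtuple("Frame", "ts src kind")

HOLD_SECONDS = 5.0  # slides suggest delaying 5-10 s; 5 s is assumed here


def process_trace(frames, hold=HOLD_SECONDS):
    """Return [(deauth_ts, mac, decision)] for every deauthentication request.

    A request is held for `hold` seconds instead of being acted on at once.
    If data frames from the same MAC keep arriving inside the hold window,
    the request is inconsistent with the client's behaviour and is dropped;
    if the client goes quiet, the deauthentication is honoured.
    """
    pending = {}  # mac -> [deauth_ts, data_seen_after_request]
    decisions = []

    def settle(mac, entry):
        decisions.append((entry[0], mac, "dropped" if entry[1] else "deauth"))

    for f in sorted(frames, key=lambda x: x.ts):
        # Resolve any held request whose window has elapsed before this frame
        for mac in list(pending):
            if f.ts - pending[mac][0] >= hold:
                settle(mac, pending.pop(mac))
        if f.kind == "deauth" and f.src not in pending:
            pending[f.src] = [f.ts, False]
        elif f.kind == "data" and f.src in pending:
            pending[f.src][1] = True  # client still talking after its "deauth"
    # End of trace: settle what remains on the evidence collected so far
    for mac, entry in pending.items():
        settle(mac, entry)
    return sorted(decisions)


# Constructed sample trace: client ...01 keeps sending data right after a
# deauth carrying its address (spoofed); client ...02 goes silent (genuine).
SAMPLE_TRACE = [
    Frame(0.0, "02:00:00:00:00:01", "data"),
    Frame(1.0, "02:00:00:00:00:01", "deauth"),
    Frame(1.5, "02:00:00:00:00:01", "data"),
    Frame(2.0, "02:00:00:00:00:02", "deauth"),
    Frame(7.0, "02:00:00:00:00:03", "data"),
]

if __name__ == "__main__":
    for ts, mac, decision in process_trace(SAMPLE_TRACE):
        print("%.1fs %s -> %s" % (ts, mac, decision))
```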
Slide 26: Deauthentication Attack - Attack Solution (figure only)

Slide 27: Deauthentication Attack - New Possible Vulnerability of the Solution
- Mobile clients roaming between APs
- The intelligent frame
- APs have an explicit means of coordination that can be used to update route information
- The dumb frame
- Deauthentication timeout can't do much
- These vulnerabilities are not likely to cause a practical threat

Slide 28: Identity Vulnerabilities - Disassociation
- Association request follows authentication
- Disassociation
- Very similar to deauthentication
- Attacked in a similar way to the deauthentication attack
- This attack is less efficient
- Victims can recover from a disassociation attack faster

Slide 29: Identity Vulnerabilities - Power Saving
- Polling message can be spoofed
- Causes the loss of buffered data
- Sync management message can be spoofed
- Causes clients to fall out of sync with their AP and fail to wake up at the right time
- All these vulnerabilities can be resolved with appropriate authentication of all messages

Slide 30: Identity Vulnerabilities - In 802.11i
- Depends on the implementation of mutual authentication
- EAP-TLS, for example, has a strong mutual authentication mechanism: the adversary cannot authenticate itself to either of the two communicating sides. Under this mechanism, it can only perform an eavesdropping attack.
- Any 802.11i implementation needs to consider mutual authentication

Slide 31: Media Access Vulnerabilities - Collision Avoidance
- Hidden terminals prevent perfect collision detection
- Both Physical Carrier-Sense and Virtual Carrier-Sense are used for access to the channel
- Physical: DIFS and SIFS time delays
- Virtual: 4-packet Duration values on the NAVs
- But both are exploitable by an attacker

Slide 32: Media Access Vulnerabilities - Physical Carrier-Sense
- Nodes wait either DIFS or SIFS
- Since SIFS is shorter than DIFS, all nodes are guaranteed to wait at least a SIFS delay
- An attacker sending a short signal every SIFS period forces all nodes to keep waiting
- SIFS is only 20 microseconds
- Attacker must send 50,000 packets per second
- Attacker expends considerable energy to disable network access

Slide 33: Media Access Vulnerabilities - Virtual Carrier-Sense (figure: Attack, Repeated Attacks)

Slide 34: Media Access Vulnerabilities - Virtual Carrier-Sense
- Well-behaved nodes always obey Durations from RTS, CTS, Data, and ACKs
- Attacker sends a large Duration field, constantly forcing NAV countdowns
- Max Duration 32767, or about 32 milliseconds
- Attacker transmits only 30 packets per second
- Attacker expends very little energy
- RTS/CTS/ACK are not authenticated; no non-repudiation
- Low power or a directional antenna reduces the chance of being located

Slide 35: Virtual Carrier-Sense Attack - Attack Simulation
- Physical attack inefficient, Virtual much better
- Initial physical test of nodes and Access Point failed
- Both APs and nodes emitted packets 1 millisecond after a CTS with Duration 32767
- Various devices repeated the problem, which is impossible under the 802.11 standard
- Assume most devices do not implement the 802.11 specification properly when setting NAVs

Slide 36: Virtual Carrier-Sense Attack - Attack Simulation
- Utilize the NS simulator, which uses proper 802.11
- 1 static attacker sending 30 times a second
- 18 static client nodes running FTP sessions
- Attacker ignores Duration values sent by others
- Tests using high Durations in both RTS/CTS and ACK
- Result was a complete block of the entire channel while the attacker was sending

Slide 37: Virtual Carrier-Sense Attack - Attack Simulation (figure: Other Nodes vs Attacker)

Slide 38: Virtual Carrier-Sense Attack - Attack Solution
- Virtual Carrier-Sense is much harder to defend than Deauthentication
- Set limits on the size of the Duration allowed
- If RTS or management, force a small Duration
- If ACK or CTS, force the Duration to a maximum of 1500 bytes
- Ethernet MTU is roughly 1500 bytes, and most 802.11 APs bridge to Ethernet
- With the same attack simulation, individual node sessions were able to proceed

Slide 39: Virtual Carrier-Sense Attack - Attack Solution (figure: Other Nodes vs Attacker)

Slide 40: Virtual Carrier-Sense Attack - Attack Expansion
- Increase attacks from 30 to 90 packets per second using ACK
- ACK forces the 1500-byte Duration
- Excessive Durations above that stop traffic again
- 802.11 puts inherent trust in Duration values set by nodes
- Defending requires abandoning some of the 802.11 standard by defining Durations for the 4 frame types

Slide 41: Virtual Carrier-Sense Attack - Solution for ACK/Data
- Both ACK and Data frames should only carry large Durations if reserving the medium for the next fragment
- Fragmentation almost never used
- Fragmentation thresholds exceed Ethernet MTUs
- Drop fragmentation and disregard Durations in ACK and Data frames

Slide 42: Virtual Carrier-Sense Attack - Solution for RTS
- RTS only exists in an RTS-CTS-Data transmission sequence
- Duration is set for the time of the following CTS and Data
- Treat the RTS Duration speculatively
- Allow the RTS Duration
- Wait until the usual expected time for the Data to arrive
- If no Data arrives in the correct time, abandon the Duration

Slide 43: Virtual Carrier-Sense Attack - Solution for CTS
- CTS frame arrives at the receiver, addressed to it
- If the node/AP sent no RTS, order a 0 Duration
- CTS frame arrives but is not addressed to the receiver
- Could belong to a node/AP out of range, so it might be good
- Chosen approach: ignore lone CTSs for a fraction of the time they would stall the node; attackers then gain only 30% of the bandwidth
- Alternatively, cryptographically sign the CTS with the originating RTS, but that significantly alters the 802.11 standard and is costly
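The Duration-limiting rules from the Attack Solution slide and the ACK/Data, RTS and CTS solution slides, collected into one receiver-side policy function; this is an added example, not the paper's or the presenters' code. Assumed, not from the slides: the 11 Mb/s rate and the simple airtime formula behind the 1500-byte cap, the fixed small cap for management frames, and applying the same cap to a speculative RTS.

```python
MAX_DURATION_US = 32767    # largest Duration field value (about 32 ms)
ETHERNET_MTU_BYTES = 1500  # most APs bridge to Ethernet, so one MTU bounds a real frame
MGMT_CAP_US = 200          # assumed "small" cap for management-frame Durations


def mtu_airtime_us(rate_mbps):
    """Microseconds to send one MTU-sized frame at rate_mbps (assumed model, no PHY overhead)."""
    return int(ETHERNET_MTU_BYTES * 8 / rate_mbps)  # 11 Mb/s -> 1090 us


def nav_for_frame(kind, duration_us, addressed_to_me=False, sent_rts=False, rate_mbps=11):
    """Return (nav_us, speculative) for a received frame instead of trusting its Duration.

    kind is one of 'rts', 'cts', 'ack', 'data', 'mgmt'. speculative is True only
    for an RTS: the NAV is honoured provisionally and settled by settle_rts().
    """
    duration_us = max(0, min(int(duration_us), MAX_DURATION_US))
    cap = mtu_airtime_us(rate_mbps)
    if kind in ("ack", "data"):
        # Only fragment bursts justify a large ACK/Data Duration, and fragmentation
        # is almost never used, so the field is disregarded entirely.
        return 0, False
    if kind == "mgmt":
        return min(duration_us, MGMT_CAP_US), False
    if kind == "rts":
        # Allow it (bounded by one MTU of airtime) until the promised Data is due.
        return min(duration_us, cap), True
    if kind == "cts":
        if addressed_to_me and not sent_rts:
            return 0, False  # CTS answering an RTS we never sent: nothing to protect
        # A lone CTS may belong to a hidden node we cannot hear: honour it, capped.
        return min(duration_us, cap), False
    raise ValueError("unknown frame kind: %r" % kind)


def settle_rts(nav_us, data_arrived_in_time):
    """Keep a speculative RTS NAV only if the Data it promised actually followed."""
    return nav_us if data_arrived_in_time else 0
```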
Slide 44: Related Work
- Research focused on weaknesses of WEP
- Fluhrer et al. use weak keys to recover the secret key
- Stubblefield et al. recover keys via monitoring
- Borisov et al.: vulnerabilities of the WEP frame
- Security vulnerabilities in the 802.11 MAC protocol
- Lough, but he doesn't validate them empirically
- Problems posed by authentication DoS attacks
- Faria and Cheriton; their solution has high overhead

Slide 45: Related Work
- Implementation of the deauthentication attack
- Black-hat community
- Schiffman's toolkit can inject raw 802.11 frames into the channel
- Congestion-based MAC layer DoS attacks
- Gupta et al.; Kyasanur and Vaidya. They don't focus on attacks on the 802.11 MAC protocol itself
- 802.11 TGi working group
- They are aware of the threats but don't propose protection against them

Slide 46: Conclusion
- 802.11 WiFi standard set complexity/design
- Standard created widespread usage
- Still security issues; fixes focus on Access Control and Confidentiality
- This paper presents the issue of Availability (DoS)
- Vulnerabilities to DoS
- Deauthentication: tests showed it practically effective
- Virtual Carrier-Sense: tests show it only theoretical due to deficiencies in commodity 802.11

Slide 47: Conclusion
- Countermeasures developed for the attacks
- Low overhead on both hardware and traffic
- Require just firmware upgrades to existing NICs and APs
- Only a stopgap solution
- Mobile deauthentication, power-saving attacks, and limitations on CTS frames still vulnerable
- Long term needs appropriate per-packet authentication
- High overhead, but it is the ultimately safe solution