802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage
Department of Computer Science and Engineering, University of California, San Diego
Presented by Devon Callahan
Mar 16, 2016

Outline
Introduction to 802.11 and Motivation
Related Work
Vulnerabilities of 802.11
Practical Attacks and Defenses
Experimental Results
Conclusions
Final Thoughts

Introduction
802.11 networks are everywhere.
Network clients are usually in a star topology around the access point.
802.11b and 802.11g are the most popular variants.
With such high dependency on 802.11, are there vulnerabilities?

Related Work
Most prior work has focused on the confidentiality weaknesses of 802.11 security (WEP and WPA).
What about availability?
Lough identified vulnerabilities in the MAC (disassociation, deauthentication, virtual carrier sensing) but did not validate them.

Related Work (cont.)
Faria and Cheriton identified the problems posed by authentication DoS attacks and proposed a new authentication framework (not very lightweight).
AirJack, Omerta, void11, Radiate: wireless attack tools from the early 2000s.
Some general 802.11 DoS attacks are based on resource consumption (frame rate control).

Vulnerabilities of 802.11
Denial of service: the act of denying a computer user a particular service.
Typically floods a client with more traffic than it can handle.
802.11 is more vulnerable than 802.3 because the 2.4 GHz medium is shared.

Denial of Service on Wireless
The attacker wants to disrupt and deny access to services by legitimate users.
Two main types of DoS in 802.11:
RF attacks (jamming the wireless spectrum): disruption occurs when the signal-to-noise ratio reaches a certain level.
Protocol-based attacks on the higher layers of communication, which are easier and cheaper (identity and media-access control).

Identity Vulnerabilities
A result of the trust placed in a speaker's source address.
802.11 nodes are identified at the MAC layer by a unique address, as wired nodes are.
Frames are not authenticated, so an attacker can change his MAC address and spoof other nodes (similar to ARP spoofing).
Leads to three kinds of attacks: disassociation attack, deauthentication attack, power-saving-mode attack.

Disassociation
A client can authenticate with multiple APs but associates with only one, so that the correct AP forwards its packets.
Association frames are unauthenticated.
802.11 provides a disassociation message similar to the deauthentication message.
Vulnerability: a spoofed message causes the AP to disassociate the client.

Disassociation Attack
(Figure: the client and AP exchange Authentication Request/Response and Association Request/Response, then Data flows in both directions; the attacker then injects a spoofed Disassociation frame.)

Deauthentication Attack
Authentication procedure: after selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address.
Part of the authentication framework is a message that lets clients explicitly deauthenticate from the AP.
Vulnerability: an attacker can spoof the deauthentication message, suspending communication between the AP and the client and causing a DoS.
Result: the client must re-authenticate to resume communication with the AP.

Deauthentication Attack
(Figure: the client and AP exchange Authentication Request/Response and Association Request/Response, then Data flows in both directions; the attacker then injects a spoofed Deauthentication frame.)

Deauthentication Attack (cont.)
By repeating the attack, a client can be kept from transmitting or receiving data indefinitely.
The attack can be executed against an individual client or against all clients.
Individual clients: the attacker spoofs the client's address, telling the AP to deauthenticate it.
All clients: the attacker spoofs the AP, telling all clients to deauthenticate.

Deauthentication or Disassociation?
Deauthentication requires 2 RTTs in order to resume communication.
Disassociation requires 1 RTT in order to resume communication.
Because it requires less work from the attacker, deauthentication is the more effective attack.

Power Saving in 802.11
Nodes "sleep" to conserve energy.
The AP buffers a client's packets until they are requested with a poll message.
The TIM (traffic indication map) is a periodic packet sent by the AP to notify clients of buffered data.
Relies on synchronization so that the client is awake when the TIM is sent.

Attacks on Power Saving
Attacker spoofs the TIM message on behalf of the AP: the client thinks there is no data and goes back to sleep.
Attacker forges management sync packets: the client falls out of sync with the AP.
Attacker spoofs on behalf of the client: the AP sends data while the client is sleeping.

Media Access Vulnerabilities
"Avoid collisions at all costs!" is the attitude.
CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance.
SIFS: the time before a preexisting frame exchange can continue (e.g., ACK).

Media Access Vulnerabilities (cont.)
DIFS: the time used by nodes initiating new traffic.
Nodes transmit randomly after the DIFS.
An attacker can send a signal before every SIFS slot to clog the channel.
Requires 50,000 pps to shut down the channel.

More serious is RTS/CTS
Used to avoid the "hidden terminal" problem.
Virtual carrier sense is the mechanism needed to prevent collisions between two clients that cannot hear each other (the hidden terminal problem).

RTS/CTS
A client wanting to transmit a packet first sends an RTS (Request to Send).
The RTS includes source, destination, and duration.
The receiving client responds with a CTS (Clear to Send) packet.

802.11 General Frame Format
Frm Ctl (2) | Duration (2) | Addr1 (6) | Addr2 (6) | Addr3 (6) | Seq Ctl (2) | Addr4 (6) | Data (0-2312) | FCS (4)
Field sizes in bytes. The Duration field is where the NAV vulnerability lies.

Virtual Carrier Sense
Virtual carrier sense allows a node to reserve the radio channel.
Each frame contains a duration value indicating the number of microseconds the channel is reserved.
Tracked per node as the Network Allocation Vector (NAV); used by RTS/CTS.
Nodes are only allowed to transmit once their NAV reaches 0.

Simple NAV Attack: forge packets with a large Duration
(Figure: Access Point, Node 1, Node 2 and the Attacker. The attacker sends a frame with Duration=32000; the Access Point and Node 2 can't transmit, but Node 1, which does not hear the attacker, can.)

Extending the NAV Attack with RTS
(Figure: the attacker sends an RTS with Duration=32000; the Access Point answers with a CTS carrying Duration=31000, which both Node 1 and Node 2 hear. The AP and both nodes are barred from transmitting.)

Practical Attacks and Defenses
The authors were able to implement these attacks with current software and hardware:
an iPAQ running Linux with a D-Link PCMCIA card.
Built an app that monitors wireless channels for APs and clients.
Once a node is identified by MAC address, a DNS resolver and dsniff are used to obtain better identifiers (user IDs).

How to Generate Arbitrary 802.11 Frames?
Key idea: the AUX/debug port allows raw access to NIC SRAM.
1. Download the frame to the NIC.
2. Find the frame in SRAM.
3. Request transmission.
4. Wait until the firmware modifies the frame.
5. Rewrite the frame via the AUX port.
(Figure: host interface to the NIC. The BAP and the AUX port both reach SRAM; SRAM feeds the transmit queue and transmit process. These sit behind a virtualized firmware interface over the physical resources and the radio modem interface.)

Simulating the NAV Attack
So how bad would the attack be? The NAV attack was simulated using NS2.
18 users, 1 access point, 1 attacker.
30 attack frames per second, 32.767 ms duration per attack frame.
(Plot: NAV Attack Simulation, packets delivered versus simulated seconds, attacker versus users.)

Practical NAV Defense
Legitimate duration values are relatively small.
Determine the maximum reasonable NAV values for all frames, and have each node enforce this limit:
< 0.5 ms for all frames except ACK and CTS;
~3 ms for ACK and CTS.
Reran the simulation after adding the defense to the simulator.
(Plot: Simulated NAV Defense, packets delivered versus simulated seconds, attacker versus users.)
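As an added example (not from the paper or these slides), the Python below applies the slide's NAV caps to constructed frames and reproduces the simulation's arithmetic: 30 forged CTS frames per second, each claiming 32.767 ms. The `Frame` class, the function names and the DATA/RTS/CTS/ACK type labels are my own.

```python
from dataclasses import dataclass

# Caps in microseconds, as stated on the slide: under 0.5 ms for most
# frames, about 3 ms for ACK and CTS. These are the slide's numbers.
NAV_CAP_US = {"ACK": 3000, "CTS": 3000}
DEFAULT_CAP_US = 500
MAX_DURATION_US = 32767  # largest value the 15-bit Duration field carries

@dataclass
class Frame:
    ftype: str        # "RTS", "CTS", "ACK" or "DATA" (labels assumed here)
    duration_us: int  # Duration field as received, in microseconds

def nav_cap(ftype: str) -> int:
    """Maximum NAV reservation a receiver should accept for this frame type."""
    return NAV_CAP_US.get(ftype, DEFAULT_CAP_US)

def clamp_nav(frame: Frame) -> int:
    """Reservation actually honoured: the frame's Duration, capped."""
    return min(frame.duration_us, nav_cap(frame.ftype))

def oversized_frames(frames):
    """Frames whose Duration exceeds the cap: worth logging as possible forgeries."""
    return [f for f in frames if f.duration_us > nav_cap(f.ftype)]

def reserved_fraction(frames, window_us: int, enforce_cap: bool) -> float:
    """Fraction of a window kept idle by the NAV values in `frames`.
    Reservations are summed, which assumes they do not overlap; at 30 frames/s
    each 32.767 ms reservation has just expired before the next frame."""
    total = 0
    for f in frames:
        total += clamp_nav(f) if enforce_cap else f.duration_us
    return min(total, window_us) / window_us

def nav_attack_scenario(frames_per_second=30, duration_us=MAX_DURATION_US):
    """The slide's scenario over one second: returns (no cap, with cap)."""
    frames = [Frame("CTS", duration_us) for _ in range(frames_per_second)]
    return (reserved_fraction(frames, 1_000_000, False),
            reserved_fraction(frames, 1_000_000, True))

if __name__ == "__main__":
    no_cap, capped = nav_attack_scenario()
    print(f"channel reserved: {no_cap:.1%} without cap, {capped:.1%} with cap")
```

Without the cap the forged CTS frames reserve about 98% of every second; with the 3 ms CTS cap the same frames reserve 9%. The cap only matters on nodes that honour the Duration field at all, which the trace on the following slide shows many do not.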

Why the NAV Attack Doesn't Work
Surprise: many vendors do not implement the 802.11 spec correctly.
The Duration field is not respected by other nodes.

Excerpt from a NAV Attack Trace
Time (s)    Source        Destination   Duration (ms)  Type
1.294020                  :e7:00:15:01  32.767         802.11 CTS
1.295192    :93:ea:e7:0f  :93:ea:ab:df  0.258          TCP Data
1.296540                  :93:ea:e7:0f  0              802.11 Ack
1.297869    :93:ea:ab:df  :93:ea:e7:0f  0.258          TCP Data
1.2952 - 1.2940 = 1.2 ms: the next data frame follows the CTS after only 1.2 ms, although the CTS reserved the channel for 32.767 ms.

Deauth Attack Results
(Plot: packets versus time (s) for the attacker and the Win XP, Linux ThinkPad, Linux iPaq and MacOS clients.)

Practical Deauth Defense
Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data.
Delay honoring the deauthentication request for a small interval (5-10 seconds).
If no other frames are received from the source, honor the request.
If the source sends other frames, discard the request.
Requires no protocol changes and is backward compatible with existing hardware.

Deauthentication Defense Results
(Plot: packets versus time (s) for the attacker and the Win XP, Linux ThinkPad, Linux iPaq and MacOS clients.)

More Robust Defense: Defense in Depth
(Figure: the AP records each client's frame sequence numbers and received signal strength (RSS). Frames from MAC 00-14-A4-2D-BE-1D arrive as Num 1 at -35 dBm, Num 2 at -36 dBm and Num 3 at -35 dBm. The attacker's spoofed Deauthentication arrives as Num 4 at -18 dBm, while the client's own Num 4 arrives at -34 dBm, followed by Num 5. The duplicated sequence number and the RSS jump distinguish the spoofed frame from the client's own.)
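Added example, not the paper's or the presenter's code: the delayed-honouring rule from the Practical Deauth Defense slide combined with the sequence-number and RSS signals from the Defense in Depth figure. The trace is constructed to mirror the figure; the `Frame` class, the function name, and the RSS tolerance are my assumptions, and the 5 s hold is the low end of the slide's 5-10 s range.

```python
from dataclasses import dataclass
from typing import List, Tuple

HOLD_SECONDS = 5.0      # slide: delay honouring a deauth by 5-10 seconds
RSS_TOLERANCE_DBM = 6   # assumed: larger drift from the client's average is suspicious

@dataclass
class Frame:
    t: float      # arrival time in seconds
    src: str      # source MAC address
    ftype: str    # "DATA" or "DEAUTH"
    seq: int      # sequence number from Seq Ctl (12-bit; wraparound ignored here)
    rss_dbm: int  # received signal strength

def evaluate_deauth(frames: List[Frame], i: int) -> Tuple[bool, List[str]]:
    """Decide, after the hold interval, whether to honour the deauth frames[i].
    Returns (honour, reasons); any reason is enough to discard the request."""
    d = frames[i]
    reasons = []
    before = [f for f in frames[:i] if f.src == d.src]
    if before:  # defense in depth: does the deauth look like the same radio?
        avg_rss = sum(f.rss_dbm for f in before) / len(before)
        if abs(d.rss_dbm - avg_rss) > RSS_TOLERANCE_DBM:
            reasons.append(f"RSS {d.rss_dbm} dBm far from average {avg_rss:.1f} dBm")
    for f in frames[i + 1:]:
        if f.t - d.t > HOLD_SECONDS:
            break
        if f.src != d.src or f.ftype == "DEAUTH":
            continue
        # slide's rule: a real client does not deauthenticate and then keep sending
        reasons.append(f"source sent {f.ftype} seq {f.seq} {f.t - d.t:.1f}s after deauth")
        if f.seq == d.seq:  # the real radio used the number the forger guessed
            reasons.append(f"sequence number {d.seq} duplicated")
        break
    return (not reasons, reasons)

CLIENT = "00-14-A4-2D-BE-1D"  # MAC shown on the slide
TRACE = [  # constructed to match the figure
    Frame(0.0, CLIENT, "DATA", 1, -35),
    Frame(0.1, CLIENT, "DATA", 2, -36),
    Frame(0.2, CLIENT, "DATA", 3, -35),
    Frame(0.3, CLIENT, "DEAUTH", 4, -18),  # forged: wrong RSS, guessed seq
    Frame(0.4, CLIENT, "DATA", 4, -34),    # the real client carries on
    Frame(0.5, CLIENT, "DATA", 5, -35),
]

if __name__ == "__main__":
    print(evaluate_deauth(TRACE, 3))
```

For the constructed trace the deauth is discarded with three reasons (RSS jump, continued traffic, duplicated sequence number); a deauth followed by silence from a source whose RSS matches its history is honoured after the hold.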

Identity Theft (MAC Spoofing)
Occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges.
Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can gain access to and use the network.

Man-in-the-Middle Attacks
The attacker entices computers to log into a computer set up as a soft AP.
The hacker connects to a real access point through another wireless card.
The hacker can then sniff the traffic.

Caffe Latte Attack
A way to defeat WEP.
By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client.
By sending a flood of encrypted ARP requests, the attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.

Conclusion
The deauthentication attack is the most immediate concern.
Denial-of-service attacks on 802.11 are very plausible with existing equipment.
Although this research paper was published in 2003, the threat remains for 802.11 networks.

THANK YOU!
Questions?