Seminar class presentation Student: Chuming Chen & Xinliang Zheng

Presentation transcript:

802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage, Dept of CSE @ UC San Diego
Seminar class presentation
Supervisor: Dr. Huang
Student: Chuming Chen & Xinliang Zheng

Outline
- Background information about IEEE 802.11
- Theoretical vulnerability analysis
- Practical 802.11 attack infrastructure
- Deauthentication attack and defense
- Virtual carrier-sense attack and defense
- Conclusions
- References
11/27/2018 CSE@USC

Background information about IEEE 802.11
- What is IEEE 802.11
- 802.11 MAC frame
- Authentication and Association Transitions
- Hidden Terminal Problem
- Solution to Hidden Terminal Problem

What is IEEE 802.11
IEEE 802.11 is a series of specifications for the MAC and physical layers of wireless local area networks.

802.11 MAC frame
By setting the fields differently we get different types of frames: RTS, CTS, PS-Poll, ACK, Data, and so on.

Type and Subtype Identifier
- Management frames (type=00)
  - Association request (0000)
  - Association response (0001)
  - Disassociation (1010)
  - Deauthentication (1100)
- Control frames (type=01)
  - Power Save (PS)-Poll (1010)
  - RTS (1011)
  - CTS (1100)
- Data frame (type=10)
  - Data (0000)
  - Data+CF-Ack (0001)

Authentication and Association Transitions
Deauthentication and disassociation packets can be sent by both the Access Point (AP) and the Wireless Station (WS).

Hidden Terminal Problem
In a wireless LAN, stations may not be able to "see" each other (CSMA/CD is not suitable here).

Solution to Hidden Terminal Problem (Physical and Virtual Carrier Sensing are used together.)
1. An RTS/CTS sequence is used to clear the wireless medium when a transmission has just started.

Solution to Hidden Terminal Problem (Physical and Virtual Carrier Sensing are used together.)
2. Different Inter-Frame Spaces (SIFS, DIFS) and the Network Allocation Vector (NAV) are used to reserve the medium.

Theoretical vulnerability analysis
- Identity Vulnerabilities
- Picturing of Deauthentication Attack
- Media Access Vulnerabilities
- Picturing of Virtual Carrier-Sense Attack

Identity Vulnerabilities
- Fundamental reason
  - Deauthentication and Disassociation packets (and others) are sent without authentication.
- Deauthentication attack
  - Adversary (A) can send a Deauthentication packet to the AP/WS that appears to come from the WS/AP.
- Disassociation attack
  - Adversary (A) can send a Disassociation packet to the AP/WS that appears to come from the WS/AP.
- Power Saving Sequence attack
  - A pretends to be the WS and sends a PS-Poll to the AP, causing buffered frames to be discarded.
  - A pretends to be the AP and sends a spoofed Traffic Indication Map (TIM) to the WS, making it keep sleeping or become desynchronized.

Picturing of Deauthentication Attack (slide figure)

Media Access Vulnerabilities
- Fundamental reason
  - Again, because sending packets onto the medium is not authenticated in 802.11.
- One possible attack
  - Sending a packet within each SIFS to compete for the medium; may require sending 50,000 packets/second.
- Virtual Carrier-Sense attack
  - Sending out packets with a large NAV. (30 p/s)

Picturing of Virtual Carrier-Sense Attack (slide figure)

Practical 802.11 attack infrastructure
- What does A need to implement the attack?
- General structure of current Network Interface Cards (NIC)
- Practical Problem
- Solution to the Practical Problem

What does A need to implement the attack?
It is possible that A could design and build a new NIC that sends whatever packets A wants, but this is improbable. A would hope to use a currently available NIC to implement the attacks.

General structure of current NIC
Generally the firmware can be updated but the hardware cannot be changed.

Practical Problem
A wide variety of 802.11 NICs tested by the authors do not typically allow the generation of any control frames, permit other key fields (such as NAV) to be specified by the host, or allow reserved or illegal field values to be transmitted.

Solution to the Practical Problem
Most current NIC designs originated with Choice Microsystems; in these, the AUX port (originally intended for debugging) can be used to change frame fields. The authors modify the firmware to access the AUX port and then change frame fields to devise attacks.

Deauthentication attack and defense
- Experimental settings
- Deauthentication Attack
- Defense to Deauthentication Attacks

Experimental Settings
- Small 802.11 network with 7 machines: 1 attacker, 1 access point, 1 monitoring station and 4 legitimate clients.
- In-kernel software-based access point with the Linux HostAP driver.
- Clients attempted to ftp a large file through the access point machine (a transfer exceeding the testing period).

Deauthentication Attack
Using an iPAQ H3600 with a D-Link DWL-650 card running software with the firmware updated.

Defense to Deauthentication Attacks
Method: delay deauthentication (5-10 s) after receiving the deauthentication request packet. WS roaming is not really affected.
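The delayed-deauthentication defense above, as an added Python sketch that is not code from the slides or from the paper. The class and function names, the 5 s delay and the event trace are constructed for illustration; the rule that a data frame arriving during the delay discards the queued request comes from the Bellardo and Savage paper and is not stated on the slide.

```python
from dataclasses import dataclass, field

@dataclass
class DeferredDeauth:
    """Receiver-side queue: hold each deauthentication request for `delay` seconds."""
    delay: float = 5.0                             # slide gives 5-10 s; 5 s is an assumption
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # station -> arrival time of request
    discarded: list = field(default_factory=list)  # requests cancelled by later data

    def expire(self, now):
        """Honour every request whose delay has elapsed; return those stations."""
        due = sorted(s for s, t in self.pending.items() if now - t >= self.delay)
        for sta in due:
            del self.pending[sta]
            self.associated.discard(sta)
        return due

    def handle(self, now, kind, sta):
        """Process one received frame; return stations deauthenticated at `now`."""
        done = self.expire(now)
        if kind == "deauth" and sta in self.associated:
            self.pending.setdefault(sta, now)      # queue the request, do not act yet
        elif kind == "data" and sta in self.pending:
            del self.pending[sta]                  # station is still active: drop request
            self.discarded.append(sta)
        return done

def replay(events, stations, delay=5.0, end=None):
    """Run a trace; return (deauthenticated, discarded requests, still associated)."""
    ap = DeferredDeauth(delay=delay, associated=set(stations))
    removed = []
    for now, kind, sta in events:
        removed += ap.handle(now, kind, sta)
    if end is not None:
        removed += ap.expire(end)
    return removed, ap.discarded, sorted(ap.associated)

# Constructed trace: (time in seconds, frame kind, claimed source station)
TRACE = [
    (0.0, "data", "sta-a"),
    (1.0, "deauth", "sta-a"),   # forged request: sta-a keeps sending afterwards
    (1.2, "data", "sta-a"),
    (2.0, "deauth", "sta-b"),   # genuine request: sta-b goes quiet
    (3.0, "data", "sta-a"),
]

if __name__ == "__main__":
    print(replay(TRACE, ["sta-a", "sta-b"], end=8.0))
```
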

Virtual carrier-sense attack and defense
- Virtual Carrier-Sense Attack Using A Real NIC
- Virtual Carrier-Sense Attack Using ns simulator
- Defense to Virtual Carrier-Sense Attack

Virtual Carrier-Sense Attack Using A Real NIC
It does not work.
Conclusion: most of the devices available do not properly implement 802.11, i.e. the NAV reserve period is not fully executed.

Virtual Carrier-Sense Attack Using ns simulator
The ns simulator implements 802.11 faithfully. The attack is devised by sending packets with a large NAV.

Defense to Virtual Carrier-Sense Attack
One way is to specify a maximal valid NAV = transmission time (max. packet) + medium access backoffs. However, sending virtual carrier-sense attack packets more frequently will still have an effect.

Defense to Virtual Carrier-Sense Attack
Another way specified by the authors requires modifying 802.11:
- No fragmentation, since the default fragmentation thresholds in wireless media significantly exceed the Ethernet MTU.
- For the four key frame types that contain a NAV:
  - ACK and Data frame: ignore the NAV, since there is no fragmentation.
  - RTS frame NAV: respected until such time as a data frame should be sent.
  - CTS frame NAV: specify some threshold (30%); if such time is used by the CTS frame, then ignore the NAV.
- This way is not tested by the authors of the paper.
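A receiver-side NAV check combining the two defenses above (the maximal valid NAV, and ignoring the NAV on ACK and Data frames), as an added Python sketch that is not code from the slides or the paper. The function names, the 2346-byte/1 Mbps/620 µs inputs to the cap and the sample headers are constructed assumptions; the timing rules for RTS and CTS are not modelled, those frames are only clamped to the cap.

```python
import math
import struct

CONTROL, DATA = 1, 2   # frame types 01 and 10
ACK = 13               # control subtype 1101

def max_valid_nav_us(max_frame_bytes, rate_mbps, backoff_us):
    """Cap = transmission time of the largest packet + medium access backoff."""
    return math.ceil(max_frame_bytes * 8 / rate_mbps) + backoff_us

def parse_header(frame):
    """Return (type, subtype, Duration/ID) from the first four header bytes."""
    fc0, dur = struct.unpack_from("<BxH", frame)   # Duration/ID is little-endian
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, dur

def effective_nav_us(frame, cap_us):
    """NAV in microseconds that the receiver agrees to honour for this frame."""
    ftype, subtype, dur = parse_header(frame)
    if dur & 0x8000:       # bit 15 set: not a duration (e.g. the AID in a PS-Poll)
        return 0
    if ftype == DATA or (ftype == CONTROL and subtype == ACK):
        return 0           # no fragmentation, so these frames never need to reserve
    return min(dur, cap_us)   # RTS, CTS and others: clamp to the maximal valid NAV

def hdr(fc0, duration):
    """Build a constructed 4-byte header: frame control (2 bytes) + Duration/ID."""
    return struct.pack("<BBH", fc0, 0, duration)

# Constructed inputs: 2346-byte frame at 1 Mbps plus 620 us of backoff.
CAP_US = max_valid_nav_us(2346, 1, 620)

# Constructed sample headers, keyed by a descriptive label.
SAMPLES = {
    "rts_oversized": hdr(0xB4, 32767),   # RTS claiming the largest duration value
    "cts_normal":    hdr(0xC4, 300),
    "ack_oversized": hdr(0xD4, 32767),
    "data_with_nav": hdr(0x08, 1000),
    "ps_poll_aid":   hdr(0xA4, 0xC001),  # Duration/ID carries an AID here
}

def evaluate(samples=SAMPLES, cap_us=CAP_US):
    """Map each sample label to the NAV the receiver would actually set."""
    return {name: effective_nav_us(f, cap_us) for name, f in samples.items()}

if __name__ == "__main__":
    for name, nav in evaluate().items():
        print(f"{name:14s} -> {nav} us")
```
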

Conclusions
- Vulnerabilities in the 802.11 management and media access services are identified.
- Theoretical attacks are analyzed.
- Implementations of the deauthentication and virtual carrier-sense attacks are provided with testing results.
- Low-overhead, non-cryptographic countermeasures are specified; some test results with the suggested improvements are also provided.

References
1. 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, John Bellardo and Stefan Savage, Dept of CSE @ UC San Diego.
2. 802.11 Wireless Networks: The Definitive Guide, Matthew S. Gast, O'Reilly 2002.
3. Real 802.11 Security: Wi-Fi Protected Access and 802.11i, Jon Edney and William A. Arbaugh, Addison-Wesley 2003.