802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.

Slides:

Advertisements

Similar presentations

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.

Advertisements

Nick Feamster CS 4251 Computer Networking II Spring 2008

Andrew Taylor. Electronic/Phy layer Overpowering, modulation techniques Management Frame DoS i.e. RTS/CTS Application Specific Application layer vulnerabilities.

Security in Mobile Ad Hoc Networks

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

DENIAL OF SERVICE IN SENSOR NETWORKS Pratik Zirpe Instructor – Dr. T. Andrew Yang.

1 An Approach to Real-Time Support in Ad Hoc Wireless Networks Mark Gleeson Distributed Systems Group Dept.

Comp 361, Spring 20056:Basic Wireless 1 Chapter 6: Basic Wireless (last updated 02/05/05) r A quick intro to CDMA r Basic

Jesús Alonso-Zárate, Elli Kartsakli, Luis Alonso, and Christos Verikoukis May 2010, Cape Town, South Africa, ICC 2010 Coexistence of a Novel MAC Protocol.

Module C- Part 1 WLAN Performance Aspects

An Energy-Efficient MAC Protocol for Wireless Sensor Networks

John Bellardo Stefan Savage Presented by: Hal Lindsey

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

20 – Collision Avoidance, : Wireless and Mobile Networks6-1.

Napoli - 21 February 2004 – Simone Merlin SLIDE 1 Analysis of the hidden terminal effect in multi-rate IEEE b networks Simone Merlin Department of.

Hidden Terminal based Attack, Diagnosis and Detection Yao Zhao, Leo Zhao, Yan Chen Lab for Internet & Security Tech, Northwestern Univ.

© Rabat Anam Mahmood ITTC 1 Resilience To Jamming Attacks Rabat Anam Mahmood Department of Electrical Engineering & Computer Science

Spanning Tree and Wireless EE122 Discussion 10/28/2011.

A Cross Layer Approach for Power Heterogeneous Ad hoc Networks Vasudev Shah and Srikanth Krishnamurthy ICDCS 2005.

Medium Access Control Protocols Using Directional Antennas in Ad Hoc Networks CIS 888 Prof. Anish Arora The Ohio State University.

1 Computer Networks Course: CIS 3003 Fundamental of Information Technology.

Chapter 5 outline 5.1 Introduction and services

Wi-Fi Wireless LANs Dr. Adil Yousif. What is a Wireless LAN  A wireless local area network(LAN) is a flexible data communications system implemented.

RTS/CTS-Induced Congestion in Ad Hoc Wireless LANs Saikat Ray, Jeffrey B. Carruthers, and David Starobinski Department of Electrical and Computer Engineering.

CS640: Introduction to Computer Networks Aditya Akella Lecture 22 - Wireless Networking.

CWNA Guide to Wireless LANs, Second Edition Chapter Five IEEE Media Access Control and Network Layer Standards.

IEEE Project started by IEEE for setting standard for LAN. This project started in (1980, February), Name given to project is year and month.

MAC Protocols and Security in Ad hoc and Sensor Networks

Wireless Medium Access. Multi-transmitter Interference Problem  Similar to multi-path or noise  Two transmitting stations will constructively/destructively.

Secure Cell Relay Routing Protocol for Sensor Networks Xiaojiang Du, Fengiing Lin Department of Computer Science North Dakota State University 24th IEEE.

Multi-Channel MAC for Ad Hoc Networks: Handling Multi-Channel Hidden Terminals Using A Single Transceiver Jungmin So and Nitin Vaidya University of Illinois.

CWNA Guide to Wireless LANs, Second Edition

ECE 256, Spring 2008 Multi-Channel MAC for Ad Hoc Networks: Handling Multi-Channel Hidden Terminals Using A Single Transceiver Jungmin So & Nitin Vaidya.

An Energy-Efficient MAC Protocol for Wireless Sensor Networks (S-MAC) Wei Ye, John Heidemann, Deborah Estrin.

MAANAS GODUGUNUR SHASHANK PARAB SAMPADA KARANDIKAR.

K. Salah 1 Chapter 15 Wireless LANs. K. Salah 2 Figure 15.1 BSSs IEEE Specification for Wireless LAN: IEEE , which covers the physical and data.

IEEE Wireless LAN Standard. Medium Access Control-CSMA/CA IEEE defines two MAC sublayers Distributed coordination function (DCF) Point coordination.

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John BellardoStefan Savage Presented by: Hal Lindsey.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions

Effects of Multi-Rate in Ad Hoc Wireless Networks

Demand Based Bandwidth Assignment MAC Protocol for Wireless LANs K.Murugan, B.Dushyanth, E.Gunasekaran S.Arivuthokai, RS.Bhuvaneswaran, S.Shanmugavel.

DoS Attacks On Wireless Voice Over IP Systems By Brendon Wesley Supervisor- Noria Foukia.

The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.

Full auto rate MAC protocol for wireless ad hoc networks Z. Li, A. Das, A.K. Gupta and S. Nandi School of Computer Engineering Nanyang Technological University.

Fundamentals of Computer Networks ECE 478/578

Wireless. 2 A talks to B C senses the channel – C does not hear A’s transmission C talks to B Signals from A and B collide Carrier Sense will be ineffective.

Denial-of-Service Attacks: Real Vulnerabilities & Practical Solutions Luat Vu Alexander Alexandrov.

WLAN. Networks: Wireless LANs2 Distribute Coordination Function (DCF) Distributed access protocol Contention-Based Uses CSMA/ CA – Uses both physical.

Natalie Podrazik – CS 491V – “ Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April.

A Multi-Channel CSMA MAC Protocol with Receiver Based Channel Selection for Multihop Wireless Networks Nitin Jain, Samir R. Das Department of Electrical.

A+MAC: A Streamlined Variable Duty-Cycle MAC Protocol for Wireless Sensor Networks 1 Sang Hoon Lee, 2 Byung Joon Park and 1 Lynn Choi 1 School of Electrical.

KAIS T Medium Access Control with Coordinated Adaptive Sleeping for Wireless Sensor Network Wei Ye, John Heidemann, Deborah Estrin 2003 IEEE/ACM TRANSACTIONS.

An Energy-Efficient MAC Protocol for Wireless Sensor Networks Speaker: hsiwei Wei Ye, John Heidemann and Deborah Estrin. IEEE INFOCOM 2002 Page

MAC Sublayer MAC layer tasks: – Control medium access – Roaming, authentication, power conservation Traffic services – DCF (Distributed Coordination.

Security in Wireless Networks Mike Swift CSE b Summer 2003.

Medium Access Control in Wireless networks

CS541 Advanced Networking 1 Contention-based MAC Protocol for Wireless Sensor Networks Neil Tang 4/20/2009.

MAC Layer Protocols for Wireless Networks. What is MAC? MAC stands for Media Access Control. A MAC layer protocol is the protocol that controls access.

S-MAC Taekyoung Kwon. MAC in sensor network Energy-efficient Scalable –Size, density, topology change Fairness Latency Throughput/utilization.

Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.

1 Chapter 4 MAC Layer – Wireless LAN Jonathan C.L. Liu, Ph.D. Department of Computer, Information Science and Engineering (CISE), University of Florida.

Distributed-Queue Access for Wireless Ad Hoc Networks Authors: V. Baiamonte, C. Casetti, C.-F. Chiasserini Dipartimento di Elettronica, Politecnico di.

CS440 Computer Networks 1 Wireless LAN (IEEE ) Neil Tang 10/01/2008.

EA C451 (Internetworking Technologies)

Outline Basics of network security Definitions Sample attacks

Lecture 27 WLAN Part II Dr. Ghalib A. Shah

Seminar class presentation Student: Chuming Chen & Xinliang Zheng

Outline Basics of network security Definitions Sample attacks

Presentation transcript:

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego

Motivation based networks have flourished Home, business, health care, military, etc. Security is an obvious concern Threats to confidentiality well understood and being addressed [WPA, i] Threats to availability (denial-of-service) not widely appreciated & not being addressed

Live DoS Demonstration Demonstration Not Available In this version of the Presentation

RF Jamming Real threat, highly vulnerable; not our focus Bandwidth consumption (flooding) has same vulnerability as wired nets; not our focus Attacks on protocol itself Easy to mount, low overhead, selective, hard to debug Media access vulnerabilities Management vulnerabilities This talk focuses on these DoS attacks, their practicality, their effectiveness and how to defend against them DoS Attacks

Media Access Vulnerabilities includes collision avoidance mechanisms Typically require universal cooperation between all nodes in the network Media access vulnerabilities arise from the assumption of universal cooperation Virtual carrier sense is an example of a media access mechanism that is vulnerable to DoS attacks

Frm Ctl NAV Vulnerability DurationAddr1Addr2Addr3Seq CtlAddr4DataFCS General Frame Format Virtual carrier sense allows a node to reserve the radio channel Each frame contains a duration value Indicates # of microseconds channel is reserved Tracked per-node; Network Allocation Vector (NAV) Used by RTS/CTS Nodes only allowed to xmit if NAV reaches 0

Simple NAV Attack: Forge packets with large Duration Access Point Node 1 Node 2 Attacker Duration=32000 Access Point and Node 2 can’t xmit (but Node 1 can)

Extending NAV Attack w/RTS Access Point Node 1 Node 2 Attacker Duration=32000 RTS Duration=31000 CTS Duration=31000 CTS Duration=31000 CTS AP and both nodes barred from transmitting

Both wrong… Conventional Wisdom NAV attack not a practical threat Commodity hardware doesn’t allow Duration field to be set But would be highly effective if implemented Shut down all access to network

Commodity hardware Firmware-driven microcontroller Same code/architecture shared by most popular vendors (Choice Microsystems) Transmit path Host provides frame to NIC and requests xmit NIC firmware validates frame and overwrites key fields (e.g. duration) in real-time Frame then sent to baseband radio interface Not possible to send arbitrary frames via firmware interface

How to Generate Arbitrary Frames? Key idea: AUX/Debug Port allows Raw access to NIC SRAM 1.Download frame to NIC 2.Find frame in SRAM 3.Request transmission 4.Wait until firmware modifies frame 5.Rewrite frame via AUX port Host Interface to NIC BAP AUX Port SRAM Xmit Q Xmit process Virtualized firmware interface Physical resources Radio Modem Interface

Why the NAV attack doesn’t work Surprise: many vendors do not implement the spec correctly Duration field not respected by other nodes Excerpt from a NAV Attack Trace Time (s)SourceDestinationDuration (ms)Type :e7:00:15: CTS :93:ea:e7:0f:93:ea:ab:df0.258TCP Data :93:ea:e7:0f Ack :93:ea:ab:df:93:ea:e7:0f0.258TCP Data = 1.2 ms

Simulating the NAV attack This bug will likely get fixed Valuable for based telephony, video, etc. So how bad would the attack be? Simulated NAV attack using NS2 18 Users 1 Access Point 1 Attacker 30 attack frames per second ms duration per attack frame

NAV Attack Simulation

Practical NAV Defense Legitimate duration values are relatively small Determine maximum reasonable NAV values for all frames Each node enforces this limit <.5 ms for all frames except ACK and CTS ~3 ms for ACK and CTS Reran the simulation after adding defense to the simulator

Simulated NAV Defense

Management Vulnerabilities Management functions Authentication (validate identity) Association (picking access point) Most management operations unprotected Easy to spoof with false identity Source of vulnerabilities This problem is not being fixed Most management frames unencrypted 802.1x ports allocated after management functions take place i has deferred addressing this problem

Deauth Attack Authenticated Associated management requires nodes associate before sending data Attacker Victim Authentication Request Association Request Association Response Authentication Response Access Point

Deauth Attack Authenticated Associated Before node can transmit data, attacker send a spoofed deauthentication frame Attacker Victim Access Point Deauthentication

Deauth Attack Authenticated Associated Node attempts to transmit data, but it can not Attacker Victim Data Deauthentication Access Point

Deauth Attack Results

Practical Deauth Defense Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data Delay honoring deauthentication request Small interval (5-10 seconds) If no other frames received from source then honor request If source sends other frames then discard request Requires no protocol changes and is backwards compatible with existing hardware

Deauth Defense Results

Conclusion DoS attacks require more attention Easy to mount and not addressed by existing standards Should not depend on restricted firmware interfaces (can send arbitrary pkts) Deauthentication attack is most immediate concern Simple, practical defense shown to be effective

Hands-on Demonstration Attack implemented on an iPaq See me for a hands- on demonstration during the break