Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions


802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage, Department of Computer Science and Engineering, University of California, San Diego
Presented by Devon Callahan

Outline
- Introduction to 802.11 and Motivation
- Related Work
- Vulnerabilities of 802.11
- Practical Attacks and Defenses
- Experimental Results
- Conclusions
- Final Thoughts

Introduction
- 802.11 networks are everywhere
- Usually network clients are in a star topology with the access point
- 802.11b and 802.11g are the most popular
- With such high dependency on 802.11, are there vulnerabilities?

Related Work
- Most of the work has focused on the confidentiality weaknesses in 802.11 security (WEP and WPA)
- What about availability?
- Lough identified vulnerabilities of the MAC (disassociation, deauthentication, virtual carrier sensing) but did not validate them

Related Work (cont.)
- Faria and Cheriton identified the problems posed by authentication DoS attacks and propose a new authentication framework (not very lightweight)
- AirJack, Omerta, void11, Radiate: all wireless tools from the early 2000s
- Some general 802.11 DoS attacks are based on resource consumption (frame rate control)

Vulnerabilities of 802.11
- Denial of Service: the act of denying a computer user a particular service
- Typically, flood a client with more traffic than it can handle
- 802.11 is more vulnerable than 802.3 because of the shared 2.4 GHz medium

Denial of Service on Wireless
- The attacker wants to disrupt and deny access to services by legitimate users
- Two main types of DoS in 802.11:
- RF attacks, or jamming the wireless spectrum: disruption occurs when the signal-to-noise ratio reaches a certain level
- Protocol-based attacks: target the higher layers of communication, which are easier and cheaper ($$) to attack (identity and media-access control)

Identity Vulnerabilities
- A result of the trust placed in a speaker's source address
- 802.11 nodes are identified at the MAC layer by a unique address, as wired nodes are
- Frames are not authenticated, meaning an attacker can change his MAC address and spoof other nodes (similar to what is done in ARP spoofing)
- Leads to 3 kinds of attacks: disassociation attack, deauthentication attack, power saving mode attack

Disassociation
- A client can authenticate with multiple APs but associates with only one, so that the correct AP forwards its packets
- Association frames are unauthenticated
- 802.11 provides a disassociation message similar to the deauthentication message
- Vulnerability: a spoofed message causes the AP to disassociate the client

Disassociation Attack (sequence diagram): the client and the AP exchange Authentication Request, Authentication Response, Association Request, Association Response and then Data; the Attacker then injects spoofed Disassociation frames

Deauthentication Attack
- Authentication procedure: after selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address
- Part of the authentication framework is a message allowing clients to explicitly deauthenticate from the AP
- Vulnerability: an attacker can spoof the deauthentication message, causing the communication between AP and client to be suspended, causing a DoS
- Result: the client must re-authenticate to resume communication with the AP

Deauthentication Attack (sequence diagram): the client and the AP exchange Authentication Request, Authentication Response, Association Request, Association Response and then Data; the Attacker then injects spoofed Deauthentication frames

Deauthentication Attack (cont.)
- By repeating the attack, a client can be kept from transmitting or receiving data indefinitely
- The attack can be executed against an individual client or against all clients
- Individual clients: the attacker spoofs the client's address, telling the AP to deauthenticate it
- All clients: the attacker spoofs the AP, telling all clients to deauthenticate

Deauthentication or Disassociation?
- Deauthentication requires 2 RTTs in order to resume communication
- Disassociation requires 1 RTT in order to resume communication
- Because recovery costs the victim more, it requires less work for the attacker: deauthentication is the more effective attack

Power Saving in 802.11
- Nodes "sleep" to conserve energy
- The AP buffers a sleeping client's packets until they are requested with a poll message
- The TIM (traffic indication map) is a periodic packet sent by the AP to notify clients of buffered data
- Relies on synchronization so that the client is awake when the TIM is sent

Attacks on Power Saving
- Attacker spoofs the TIM message on behalf of the AP: the client could think there is no data and go back to sleep
- Attacker forges management synchronization packets: causes the client to fall out of sync with the AP
- Attacker spoofs a poll on behalf of the client: the AP sends the data while the client is sleeping

Media Access Vulnerabilities
- "Avoid collisions at all costs!!!" is the attitude
- CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance
- SIFS: the short wait before the continuation of a pre-existing frame exchange can occur (e.g. an ACK)

Media Access Vulnerabilities (cont.)
- DIFS: the longer wait used by nodes initiating new traffic
- Nodes will transmit at a random time after the DIFS
- An attacker can send a signal before every SIFS slot to clog the channel
- Requires 50,000 pps to shut down the channel

More serious is RTS/CTS, which exists in order to avoid the "hidden terminal" problem

Virtual Carrier Sense
- A mechanism needed to prevent collisions between two clients that cannot hear each other (the hidden terminal problem)
- RTS/CTS: a client wanting to transmit a packet first sends an RTS (Request to Send)
- The RTS includes source, destination, and duration
- The destination will respond with a CTS (Clear to Send) packet

NAV Vulnerability
802.11 General Frame Format (field: size in bytes):
Frm Ctl (2) | Duration (2) | Addr1 (6) | Addr2 (6) | Addr3 (6) | Seq Ctl (2) | Addr4 (6) | Data (0-2312) | FCS (4)
- Virtual carrier sense allows a node to reserve the radio channel
- Each frame contains a duration value
- It indicates the number of microseconds the channel is reserved
- Tracked per node as the Network Allocation Vector (NAV)
- Used by RTS/CTS
- Nodes are only allowed to transmit if their NAV has reached 0

Simple NAV Attack: forge packets with a large Duration
(Diagram: the Attacker transmits a frame with Duration=32000; the Access Point and Node 2 hear it and can't transmit, but Node 1 can)

Extending the NAV Attack with RTS
(Diagram: the Attacker sends an RTS with Duration=32000; the CTS sent in reply carries Duration=31000, so the Access Point and both nodes, Node 1 and Node 2, are barred from transmitting)

Practical Attacks and Defenses
- The authors were able to implement these attacks with current software and hardware
- iPAQ running Linux with a D-Link PCMCIA card
- Built an app that monitors wireless channels for APs and clients
- Once identified by MAC, a DNS resolver and dsniff are used to obtain better identifiers (user ids)

How to Generate Arbitrary 802.11 Frames?
- Key idea: the AUX/Debug port allows raw access to the NIC's SRAM
- Download the frame to the NIC
- Find the frame in SRAM
- Request transmission
- Wait until the firmware modifies the frame
- Rewrite the frame via the AUX port
(Diagram: host interface to the NIC, showing the AUX port, transmit queue, SRAM and BAP on the physical-resources side, the transmit process behind the virtualized firmware interface, and the radio/modem interface)

Simulating the NAV Attack
- So how bad would the attack be?
- Simulated the NAV attack using NS2
- 18 users, 1 access point, 1 attacker
- 30 attack frames per second
- 32.767 ms duration per attack frame

NAV Attack Simulation

Practical NAV Defense
- Legitimate duration values are relatively small
- Determine the maximum reasonable NAV values for all frames
- Each node enforces this limit
- < 0.5 ms for all frames except ACK and CTS
- ~3 ms for ACK and CTS
- Reran the simulation after adding the defense to the simulator
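The following is an added example, not code from the presentation or from Bellardo and Savage. It decodes the Frm Ctl and Duration fields of the frame format shown on the NAV Vulnerability slide and applies the per-type caps from the defense above (0.5 ms for most frames, 3 ms for ACK and CTS), so a receiving node honours a clamped NAV and can flag frames that claim more. The function and constant names, the zero FCS placeholder and the sample frames are mine; the sample frames are constructed, reusing the Duration values quoted on the slides.

```python
import struct

# Frame Control field (16 bits, little-endian on the air): bits 0-1 protocol version,
# bits 2-3 type, bits 4-7 subtype, bits 8-15 flags.
TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_CTS, SUBTYPE_ACK = 0xC, 0xD

# Caps taken from the slide's practical NAV defense (microseconds).
NAV_CAP_DEFAULT_US = 500     # "< .5 ms for all frames except ACK and CTS"
NAV_CAP_ACK_CTS_US = 3000    # "~3 ms for ACK and CTS"


def build_frame(ftype, subtype, duration_us, addr1, body=b""):
    """Assemble a minimal frame: Frm Ctl, Duration, Addr1, optional body, 4-byte FCS placeholder.
    Constructed for this example; the FCS is not computed."""
    fc = (subtype << 4) | (ftype << 2)          # protocol version 0, no flags
    return struct.pack("<HH", fc, duration_us) + addr1 + body + b"\x00" * 4


def parse_header(frame):
    """Decode Frm Ctl (2), Duration (2) and Addr1 (6) from the start of an 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("frame shorter than Frm Ctl + Duration + Addr1")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        # Bit 15 set means the field carries an AID (PS-Poll) or is reserved, not a NAV value
        "nav_valid": (duration & 0x8000) == 0,
        "addr1": ":".join(f"{b:02x}" for b in frame[4:10]),
    }


def nav_cap_us(hdr):
    """Largest NAV a node should accept for this frame type under the slide's rule."""
    if hdr["type"] == TYPE_CTRL and hdr["subtype"] in (SUBTYPE_CTS, SUBTYPE_ACK):
        return NAV_CAP_ACK_CTS_US
    return NAV_CAP_DEFAULT_US


def effective_nav_us(frame):
    """NAV (microseconds) a node honours for the frame: the claimed Duration, clamped to the cap."""
    hdr = parse_header(frame)
    if not hdr["nav_valid"]:
        return 0
    return min(hdr["duration"], nav_cap_us(hdr))


def is_suspicious(frame):
    """True when the claimed Duration exceeds what any legitimate frame of its type needs."""
    hdr = parse_header(frame)
    return hdr["nav_valid"] and hdr["duration"] > nav_cap_us(hdr)


# Sample frames constructed for this example; Addr1 reuses the MAC from the Defense in Depth slide.
RA = bytes.fromhex("0014a42dbe1d")
SAMPLE_FRAMES = {
    "cts_attack":  build_frame(TYPE_CTRL, SUBTYPE_CTS, 32767, RA),         # 32.767 ms, as in the trace
    "data_ok":     build_frame(TYPE_DATA, 0, 258, RA, b"\x00" * 20),       # 0.258 ms, as in the trace
    "data_attack": build_frame(TYPE_DATA, 0, 32000, RA, b"\x00" * 20),     # Duration=32000 from the NAV attack slide
    "ack_ok":      build_frame(TYPE_CTRL, SUBTYPE_ACK, 44, RA),            # an ordinary ACK
}


def audit(frames=SAMPLE_FRAMES):
    """Return {name: (claimed_us, honoured_us, suspicious)} for every frame."""
    return {name: (parse_header(f)["duration"], effective_nav_us(f), is_suspicious(f))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (claimed, honoured, bad) in audit().items():
        print(f"{name:12s} claimed={claimed:6d} us honoured={honoured:5d} us {'SUSPICIOUS' if bad else 'ok'}")
```

The clamp keeps the medium usable even when the attack frame is well formed: the CTS claiming 32,767 µs is honoured for at most 3,000 µs, and the 32,000 µs data frame for 500 µs, while the ordinary ACK and the 258 µs data frame pass through unchanged. Logging frames where `is_suspicious` returns True is the natural monitoring hook.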

Simulated NAV Defense

Why the NAV Attack Doesn't Work
- Surprise: many vendors do not implement the 802.11 spec correctly
- The Duration field is not respected by other nodes
Excerpt from a NAV attack trace (Time (s) | Source | Destination | Duration (ms) | Type):
1.294020 |  | :e7:00:15:01 | 32.767 | 802.11 CTS
1.295192 | :93:ea:e7:0f | :93:ea:ab:df | 0.258 | TCP Data
1.296540 |  |  |  | 802.11 Ack
1.297869 |  |  |  |
1.2952 - 1.2940 = 1.2 ms: the TCP data frame follows the CTS after only 1.2 ms, well inside the 32.767 ms reservation the CTS claimed

Deauth Attack Results

Practical Deauth Defense
- Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data
- Delay honoring the deauthentication request for a small interval (5-10 seconds)
- If no other frames are received from the source, then honor the request
- If the source sends other frames, then discard the request
- Requires no protocol changes and is backwards compatible with existing hardware

Deauthentication Defense Results

More Robust Defense

Defense in Depth
(Diagram: frames observed from MAC 00-14-A4-2D-BE-1D, labelled with sequence number and received signal strength. Client data: Num 1 at RSS -35 dBm, Num 2 at RSS -36 dBm, Num 3 at RSS -35 dBm. Attacker's Deauthentication: Num 4 at RSS -18 dBm. Client data continues: Num 4 at RSS -34 dBm, then Num 5.)
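As an added example (not the authors' code), the following combines the delayed-honouring rule from the Practical Deauth Defense slide with the sequence-number and signal-strength cross-check that the Defense in Depth diagram suggests. The 5-second delay comes from the slide; the 10 dB RSS tolerance, the sequence window of 8, the Frame record and all names are assumptions of this example. The three frame sequences are constructed, the first reproducing the diagram's values.

```python
from dataclasses import dataclass

SEQ_MOD = 4096  # the Seq Ctl sequence number is 12 bits wide


@dataclass
class Frame:
    t: float   # arrival time, seconds
    src: str   # transmitter address (Addr2)
    kind: str  # "data" or "deauth"; labels constructed for this example
    seq: int   # 12-bit sequence number
    rss: int   # received signal strength, dBm


class DeauthGuard:
    """Two layers: (1) a deauth from a source is only honoured after a quiet interval with
    no further frames from it; (2) before queuing, the request is compared with the
    source's last data frame for a sequence-number jump or an RSS mismatch."""

    def __init__(self, delay_s=5.0, rss_tol_db=10, seq_window=8):
        self.delay_s = delay_s          # slide: 5-10 seconds
        self.rss_tol_db = rss_tol_db    # tolerance is an assumption of this example
        self.seq_window = seq_window    # how far a genuine counter may advance between frames
        self.last = {}      # src -> (seq, rss) of the last data frame accepted
        self.pending = {}   # src -> time the deauth request arrived
        self.log = []       # (time, src, decision)

    def _anomalies(self, f):
        prev = self.last.get(f.src)
        if prev is None:
            return []
        pseq, prss = prev
        bad = []
        if abs(f.rss - prss) > self.rss_tol_db:
            bad.append("rss")
        step = (f.seq - pseq) % SEQ_MOD
        if step == 0 or step > self.seq_window:
            bad.append("seq")
        return bad

    def observe(self, f):
        """Process one frame and return the decision taken for it."""
        if f.kind == "deauth":
            bad = self._anomalies(f)
            if bad:
                decision = "discard:" + ",".join(bad)
            else:
                self.pending[f.src] = f.t
                decision = "queued"
        else:
            if f.src in self.pending:
                # Still transmitting after "deauthenticating": the request was spoofed
                del self.pending[f.src]
                decision = "discard:active"
            else:
                decision = "data"
            self.last[f.src] = (f.seq, f.rss)
        self.log.append((f.t, f.src, decision))
        return decision

    def tick(self, now):
        """Honour queued requests whose quiet interval has elapsed; return those sources."""
        done = [s for s, t0 in self.pending.items() if now - t0 >= self.delay_s]
        for s in done:
            del self.pending[s]
            self.last.pop(s, None)
            self.log.append((now, s, "honoured"))
        return done


def run(frames, now):
    """Feed a constructed frame sequence through a fresh guard, then advance the clock to `now`."""
    g = DeauthGuard()
    decisions = [g.observe(f) for f in frames]
    return decisions, g.tick(now)


CLIENT = "00:14:a4:2d:be:1d"   # MAC from the Defense in Depth slide

# Scenario 1, the slide's diagram: the spoofed deauth arrives 17 dB louder than the client.
DIAGRAM = [
    Frame(0.00, CLIENT, "data", 1, -35), Frame(0.10, CLIENT, "data", 2, -36),
    Frame(0.20, CLIENT, "data", 3, -35), Frame(0.25, CLIENT, "deauth", 4, -18),
    Frame(0.30, CLIENT, "data", 4, -34), Frame(0.40, CLIENT, "data", 5, -35),
]
# Scenario 2: a spoof that matches sequence number and RSS, but the client keeps talking.
SPOOF_MATCHED = [
    Frame(2.0, CLIENT, "data", 20, -35), Frame(2.1, CLIENT, "deauth", 21, -35),
    Frame(2.2, CLIENT, "data", 21, -35),
]
# Scenario 3: a genuine deauth followed by silence.
GENUINE = [Frame(1.0, CLIENT, "data", 10, -35), Frame(1.1, CLIENT, "deauth", 11, -35)]

if __name__ == "__main__":
    for name, frames in (("diagram", DIAGRAM), ("spoof_matched", SPOOF_MATCHED), ("genuine", GENUINE)):
        print(name, run(frames, now=10.0))
```

Scenario 1 is caught by the signal-strength layer before any delay is needed; scenario 2 slips past that layer (the attacker guessed the next sequence number and matched the client's RSS) and is caught by the delay rule when the client keeps sending; scenario 3 is honoured once the quiet interval has elapsed. The RSS and sequence checks are heuristics and will misfire for a client that is moving or resuming after a long gap, which is why the delay rule stays the backstop.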

Identity Theft (MAC Spoofing)
- Occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges
- Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network

Man-in-the-Middle Attacks
- The attacker entices computers to log into a computer which is set up as a soft AP
- The hacker connects to a real access point through another wireless card
- The hacker can then sniff the traffic

Caffe Latte Attack
- A way to defeat WEP
- By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client
- By sending a flood of encrypted ARP requests, the attacker uses the ARP responses to obtain the WEP key in less than 6 minutes

Conclusion
- The deauthentication attack is the most immediate concern
- Denial of Service attacks in 802.11 are very plausible with existing equipment
- Although this research paper was published in 2003, the threat remains for 802.11 networks

THANK YOU! Questions?