Natalie Podrazik – CS 491V – “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April.

Presentation transcript:

Natalie Podrazik – CS 491V – “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April 19, 2006

Overview
I. What is 802.11?
II. 802.11 Vulnerabilities
    I. Identity
    II. MAC Layer
III. Experiment
    I. Tools and Modifications
    II. Results
IV. Conclusions
V. Relevancy to E-Voting Project

What is 802.11?
- IEEE wireless internet standard
- b, a, g flavors
- Popular
- Cheap
- Easy to set up, maintain
- Operates on 2.4 GHz band

How does 802.11 work?
Diagram: message exchange between Client (Name: ABCDEFGHIJKL) and Access Point (Name: AccessPoint00):
- Authentication Request & Response
- Association Request & Response
- Data Payload
- Acknowledgements
- Deauthentication Request & Response

802.11 Vulnerabilities
1. Identity: use of MAC frames with sender and receiver
2. MAC Layer: use of MAC frames to avoid collisions
Diagram labels: Frame Spoofing; Stalling. Client (Name: MNOPQRSTUVWX) says "Hi, I’m ABCDEFGHIJKL..." and sends a frame with To: AccessPoint00, From: MNOPQRSTUVWX, Duration: 100 µs.

Spoof Attack 1: Deauthentication
Diagram: Client (Name: ABCDEFGHIJKL), Access Point (Name: AccessPoint00), Attacker (Name: MNOPQRSTUVWX). Messages shown:
- Authentication Request & Response
- Association Request & Response
- Data Payload
- Deauthentication Request
- Deauthentication Response

Approaches to Deauthentication
- Spoof client or Access Point
Diagram: Attacker (Name: MNOPQRSTUVWX), Client (Name: ABCDEFGHIJKL), Access Point (Name: AccessPoint00). Two MAC frames are shown:
- To: AccessPoint00, From: ABCDEFGHIJKL, Msg: DEAUTH
- To: ABCDEFGHIJKL, From: AccessPoint00, Msg: DEAUTH

Strength of Deauthentication Attack
- Client must re-establish connection
- Prevention of sending or receiving any data
- Possibilities
- Forbid or limit access to certain clients
- Block entire access point
- More work for attacker
- Clean attacks – new auths
- No escape for client to other AP’s

Spoof Attack 2: Disassociation
Diagram: Client (Name: ABCDEFGHIJKL), Access Point (Name: AccessPoint00), Attacker (Name: MNOPQRSTUVWX). Messages shown:
- Authentication Request & Response
- Association Request & Response
- Data Payload
- Disassociation Request
- Deauthentication Response

Evaluation of Disassociation Attack
- Similar to deauthentication
- Less efficient
- Deauthentication forces the client to do more work: re-establish authentication + association
- Disassociation only forces client to reestablish association, not authentication.
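A monitoring station can watch for the two spoofed-teardown patterns described in Spoof Attacks 1 and 2. The following is an added example, not code from the slides or the cited paper: the frame records, the station name CLIENT2, and the thresholds flood_n, flood_window and grace are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample capture (not from the slides): (time_s, type, src, dst).
AP, CLIENT, OTHER = "AccessPoint00", "ABCDEFGHIJKL", "CLIENT2"
FRAMES = [
    (0.00, "auth", CLIENT, AP), (0.01, "assoc", CLIENT, AP),
    (1.00, "data", CLIENT, AP),
    (2.00, "deauth", CLIENT, AP),    # claims to come from the client...
    (2.05, "data", CLIENT, AP),      # ...but the client keeps sending data
    (3.00, "deauth", AP, CLIENT), (3.10, "deauth", AP, CLIENT),
    (3.20, "deauth", AP, CLIENT), (3.30, "deauth", AP, CLIENT),
    (9.00, "disassoc", OTHER, AP),   # ordinary departure, no alert
]
TEARDOWN = {"deauth", "disassoc"}

def detect(frames, flood_n=4, flood_window=1.0, grace=0.5):
    """Return sorted alerts as (time_s, rule, claimed_src, dst).

    flood_n, flood_window and grace are hypothetical tuning values.
    """
    alerts = set()
    recent = defaultdict(deque)   # (src, dst) -> recent teardown times
    torn_down = {}                # {src, dst} pair -> time of last teardown
    for t, ftype, src, dst in sorted(frames):
        pair = frozenset((src, dst))
        if ftype in TEARDOWN:
            q = recent[(src, dst)]
            q.append(t)
            while t - q[0] > flood_window:   # drop entries outside the window
                q.popleft()
            if len(q) >= flood_n:
                alerts.add((t, "teardown-flood", src, dst))
            torn_down[pair] = t
        elif ftype in ("auth", "assoc"):
            torn_down.pop(pair, None)        # pair legitimately rejoined
        elif ftype == "data":
            left = torn_down.get(pair)
            # Data flowing right after a teardown, with no re-authentication,
            # suggests the teardown was not sent by the station it names.
            if left is not None and t - left <= grace:
                alerts.add((t, "data-after-teardown", src, dst))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(FRAMES):
        print(alert)
```

Both rules are heuristics: they flag frames for an operator to review and do not prove who transmitted them.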

Spoof Attack #3: While you were sleeping...
- Power-saving techniques allow clients to go to sleep
Diagram dialogue between Client (Name: ABCDEFGHIJKL) and Access Point (Name: AccessPoint00):
- Client: "I’m going to sleep"
- Access Point: "Ok, I’ll take your messages"
- Client: "zzzz"
- Client: "I’m awake. Any messages?"

Spoofing the Polling Message
Diagram dialogue between Client (Name: ABCDEFGHIJKL), Attacker (Name: MNOPQRSTUVWX) and Access Point (Name: AccessPoint00):
- Client: "zzzz"
- Client: "I’m awake. Any messages?"
- Attacker: "I’m ABCDEFGHIJ K, and I’m awake."
- Access Point: "Nope"

TIM Packets
- Traffic Indication Map
- Spoof broadcast of TIM
Diagram: Access Point (Name: AccessPoint00) and sleeping Client (Name: ABCDEFGHIJKL, "zzzz"); TIM: "No pending messages for ABCDEFGHIJKL"

Timing
- Waking up timing relies on:
  - Period of TIM packets
  - Timestamp broadcast from access point
- Both are sent in the clear
- Attack:
  - Get client out of sync
  - Wake up at the wrong times

MAC Vulnerabilities
- Access to MAC divided into windows
  - Short InterFrame Space (SIFS): for already connected exchanges
  - Distributed Coordination Function InterFrame Space (DIFS): to initiate new frames
- Sender specifies which window
- No immediate ACK = collision
- Random exponential backoff algorithm
Diagram: MAC frame with To: AccessPoint00, From: ABCDEFGHIJKL, Window: DIFS

MAC Attack #1: Waiting to Transmit
- Every transmitting node has to wait at least 1 SIFS interval
- Attack: send short message before end of each SIFS interval
- Unlikely: SIFS period = 20 µs, many packets per second to send
Diagram labels: 1 SIFS interval (20 µs); Backoff

MAC Attack #2: Duration
- Every frame has a duration field
- How many µs the channel will be reserved
- Used to setup Network Allocation Vector (NAV)
- Nodes can only transmit when NAV == 0
Diagram: MAC frame with To: AccessPoint00, From: MNOPQRSTUVWX, Duration:  µs

Duration Attacks
- Possible to use almost any frame to control NAV
  - ACK
  - RTS (Request To Send) / CTS (Clear To Send)
- Attacker uses little resources
  - Transmit ~30 times / second to jam channel
  - Little power used
  - Use of a directional antenna

Experiment
- Challenge:
  - Modifying MAC frames to spoof sender address
  - Generating any old control frames
- Solution:
  - Tweak “Buffer Access Path” firmware and Aux-Port
  - Intervenes between NIC’s passing of packets to hardware
- Attacks via OTS hardware

Attacker
- iPAQ H3600 with Dlink DWL-650 card
- Linux
- Weighs 375 g (~12oz)
- Easily fits in a coat pocket
- Listening application
  - Clients identified by MAC addresses
  - DNS-resolver used

Experiments
Diagram labels: Client (Windows XP); Access Point (Linux HostAP); Attacker; Client (Linux Thinkpad); Client (MacOS X); Client (Linux iPaq); Monitoring Station

Attack #1: Deauth Against One
Diagram labels: Access Point (Linux HostAP); Attacker; Client (Linux Thinkpad); Client (MacOS X); Client (Linux iPaq); Monitoring Station

Single Client Attack
- Transfer immediately halted
- Attack lasted for < 10 sec
- Rate of transfer wasn’t up to par for more than a minute
- Recovery

Attack #2: Deauth Against All
Diagram labels: Access Point (Linux HostAP); Client (Linux Thinkpad); Client (MacOS X); Client (Linux iPaq); Monitoring Station; Attacker

Attack Against All Clients
- Windows XP can still send a little bit
- Packets not from that session – underlying UDP packets from another XP service

MAC Attack
- Plays by timing rules but sets large durations
- Sends packets out 30 times per second
- Ignores all duration values from any other node
- 18 client nodes in this experiment
Diagram labels: Access Point; Monitoring Station; Attacker

Results of MAC Attack
- Channel is completely blocked for the duration of the attack
- Similar results with ACK and RTS/CTS frames

Defenses to MAC Attack
- Cap on duration values
- Sending 90 packets per second brought network down
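The effect of a receiver-side cap on duration values can be seen in a small model of one listening node's NAV. This is an added example, not code from the slides or the cited paper: the traffic is constructed, and the per-frame-type thresholds in CAPS are hypothetical values chosen only for illustration.

```python
MAX_DURATION_US = 32767   # largest duration value the 802.11 field can carry
HORIZON_US = 1_000_000    # observe one second

# Constructed traffic (not from the slides): (arrival_us, frame_type, duration_us).
# 30 frames per second, each asking for the maximum reservation.
FLOOD = [(i * 33_333, "cts", MAX_DURATION_US) for i in range(30)]
NORMAL = [(500, "data", 300), (400_000, "data", 300)]

# Hypothetical per-type thresholds a node enforces on durations it overhears.
CAPS = {"ack": 500, "rts": 2_500, "cts": 2_500, "default": 2_500}

def reserved_fraction(frames, horizon_us=HORIZON_US, caps=None):
    """Fraction of [0, horizon_us) during which a listening node's NAV > 0.

    Models only the NAV; frame airtime, contention and backoff are ignored.
    caps=None means the node obeys every duration value as received.
    """
    nav_end = 0   # absolute time at which the NAV reaches zero
    busy = 0
    for arrival, ftype, duration in sorted(frames):
        if arrival >= horizon_us:
            break
        if caps is not None:
            duration = min(duration, caps.get(ftype, caps["default"]))
        new_end = min(arrival + duration, horizon_us)
        start = max(arrival, nav_end)     # do not double-count overlap
        if new_end > start:
            busy += new_end - start
        nav_end = max(nav_end, new_end)   # a frame can extend the NAV, not shorten it
    return busy / horizon_us

if __name__ == "__main__":
    print("flood, no cap :", reserved_fraction(FLOOD))
    print("flood, capped :", reserved_fraction(FLOOD, caps=CAPS))
    print("normal, capped:", reserved_fraction(NORMAL, caps=CAPS))
```

Ordinary frames whose durations sit below the thresholds are unaffected by the cap, while the oversized reservations shrink to the threshold.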

Overall Recommendations
- Authentication of control packets
- Limiting the size of ACK frames
- Individual nodes’ duration threshold
- Situational Awareness

New and Relevant
- Modifying frames at data link layer through OTS hardware
- Strength of attacks
- Ease of attack
- Scale of attack
- Resources needed
- Capabilities of modern cell phones

Mobile Devices: iPAQ H6315 Pocket PC F1000G LinkSys WIP Smartphone T-Mobile M/DA Verizon XV6700

AVS WINvote

Works Cited
1. "Access Point". Wikipedia. Last updated: 13 April. Date of Access: 18 April 2006.
2. Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August.
3. Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networking." Unixwiz.net. Date of Access: 18 April 2006.
4. "HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006.
5. "Media Access Control". Wikipedia. Last updated: 12 April. Date of Access: 18 April 2006.
6. "Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006.
7. "UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006.
8. "Wi-Fi". Wikipedia. Last updated: 18 April. Date of Access: 18 April 2006.