Seminar class presentation Student: Chuming Chen & Xinliang Zheng


1 Seminar class presentation Student: Chuming Chen & Xinliang Zheng
802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage, Dept of UC San Diego
Seminar class presentation
Supervisor: Dr. Huang
Students: Chuming Chen & Xinliang Zheng

2 Outline
- Background information about IEEE 802.11
- Theoretical vulnerability analysis
- Practical attack infrastructure
- Deauthentication attack and defense
- Virtual carrier-sense attack and defense
- Conclusions
- References
11/27/2018

3 Background information about IEEE 802.11
- What is IEEE 802.11
- MAC frame
- Authentication and Association Transitions
- Hidden Terminal Problem
- Solution to Hidden Terminal Problem

4 What is IEEE 802.11
IEEE 802.11 is a series of specifications for the MAC and physical layers of wireless local area networks.

5 MAC frame
By setting the frame fields differently we get different types of frames: RTS, CTS, PS-Poll, ACK, Data, and so on.

6 Type and Subtype Identifier
Management frames (type=00): Association request (0000), Association response (0001), Disassociation (1010), Deauthentication (1100)
Control frames (type=01): Power Save (PS)-Poll (1010), RTS (1011), CTS (1100)
Data frames (type=10): Data (0000), Data+CF-Ack (0001)
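The type and subtype bits in the table above sit in the first byte of the Frame Control field, followed by the Duration/ID field that later slides call the NAV. The decoder below is an added example, not code from the presentation or the paper; the sample header bytes are constructed.

```python
import struct

# (type, subtype) -> name, using the bit patterns listed on the slide.
NAMES = {
    (0b00, 0b0000): "Association request",
    (0b00, 0b0001): "Association response",
    (0b00, 0b1010): "Disassociation",
    (0b00, 0b1100): "Deauthentication",
    (0b01, 0b1010): "PS-Poll",
    (0b01, 0b1011): "RTS",
    (0b01, 0b1100): "CTS",
    (0b10, 0b0000): "Data",
    (0b10, 0b0001): "Data+CF-Ack",
}
TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved"}

def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and Duration/ID from the first 4 bytes of a MAC frame."""
    if len(frame) < 4:
        raise ValueError("truncated frame: need at least 4 header bytes")
    fc, dur = struct.unpack_from("<HH", frame)   # both fields are little-endian
    ftype = (fc >> 2) & 0b11                     # bits 2-3 of Frame Control
    subtype = (fc >> 4) & 0b1111                 # bits 4-7 of Frame Control
    name = NAMES.get((ftype, subtype), "other")
    info = {"version": fc & 0b11, "type": TYPES[ftype],
            "subtype": subtype, "name": name}
    if name == "PS-Poll":
        info["aid"] = dur & 0x3FFF               # PS-Poll carries an association ID here
    elif dur & 0x8000 == 0:
        info["nav_us"] = dur                     # bit 15 clear: NAV duration in microseconds
    return info

# Constructed 4-byte headers (Frame Control + Duration/ID), for illustration only.
SAMPLES = {
    "deauth": bytes.fromhex("c0003a01"),   # management / 1100, duration 314 us
    "rts":    bytes.fromhex("b400ff7f"),   # control / 1011, duration 32767 us
    "pspoll": bytes.fromhex("a40001c0"),   # control / 1010, AID 1
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_header(raw))
```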

7 Authentication and Association Transitions
Deauthentication and disassociation packets can be sent by both the Access Point (AP) and the Wireless Station (WS).

8 Hidden Terminal Problem
In a wireless LAN, stations may not be able to "see" each other (CSMA/CD is not suitable here).

9 Solution to Hidden Terminal Problem (Physical and Virtual Carrier Sensing are used together.)
1. An RTS/CTS sequence is used to clear the wireless medium when a transmission starts.

10 Solution to Hidden Terminal Problem (Physical and Virtual Carrier Sensing are used together.)
2. Different Inter-Frame Spaces (SIFS, DIFS) and the Network Allocation Vector (NAV) are used to reserve the medium.

11 Theoretical vulnerability analysis
- Identity Vulnerabilities
- Picturing of Deauthentication Attack
- Media Access Vulnerabilities
- Picturing of Virtual Carrier-Sense Attack

12 Identity Vulnerabilities
Fundamental reason
- Deauthentication and Disassociation packets (and others) are sent without authentication.
Deauthentication attack
- An adversary (A) can pretend to be the WS/AP and send a Deauthentication packet to the AP/WS.
Disassociation attack
- A can pretend to be the WS/AP and send a Disassociation packet to the AP/WS.
Power Saving Sequence attack
- A pretends to be the WS and sends a PS-Poll to the AP, causing buffered frames to be discarded.
- A pretends to be the AP and sends a spoofed Traffic Indication Map (TIM) to the WS, making it keep sleeping or become desynchronized.

13 Picturing of Deauthentication Attack

14 Media Access Vulnerabilities
Fundamental reason
- Again, packets sent onto the medium are not authenticated in 802.11.
One possible attack
- Sending a packet within each SIFS to compete for the medium; may require sending 50,000 packets/second.
Virtual Carrier-Sense attack
- Sending out packets with a large NAV (30 packets/second).

15 Picturing of Virtual Carrier-Sense Attack

16 Practical 802.11 attack infrastructure
- What does A need to implement the attack?
- General structure of current Network Interface Cards (NIC)
- Practical Problem
- Solution to the Practical Problem

17 What does A need to implement the attack?
It is possible that A could design and build a new NIC that sends whatever packets A wants, but this is improbable. More likely, A will use a currently available NIC to implement the attacks.

18 General structure of current NIC
Generally the firmware can be updated but the hardware cannot be changed.

19 Practical Problem
The wide variety of NICs tested by the authors typically do not allow the generation of any control frames, do not permit other key fields (such as NAV) to be specified by the host, and do not allow reserved or illegal field values to be transmitted.

20 Solution to the Practical Problem
Most current NIC designs originated with Choice Microsystems; in these, the AUX port (originally intended for debugging) can be used to change frame fields. The authors modify the firmware to access the AUX port and then change frame fields to devise attacks.

21 Deauthentication attack and defense
- Experimental settings
- Deauthentication Attack
- Defense to Deauthentication Attacks

22 Experimental Settings
- Small network with 7 machines: 1 attacker, 1 access point, 1 monitoring station and 4 legitimate clients.
- In-kernel software-based access point with the Linux HostAP driver.
- Clients attempted to ftp a large file through the access point machine, a transfer exceeding the testing period.

23 Deauthentication Attack
Using an iPAQ H3600 with a Dlink DWL-650 card, running software with the firmware updated.

24 Defense to Deauthentication Attacks
Method: delay the deauthentication for 5-10 s after the deauthentication request packet is received. WS roaming is not really affected.
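A sketch of the delayed-deauthentication defense on the access point side, as an added example rather than code from the presentation or the paper. The class and station names are hypothetical, timestamps are passed in explicitly, and the rule that a later data frame from the same station cancels the queued request follows the Bellardo and Savage paper; the slide itself only states the delay.

```python
class DelayedTeardownAP:
    """AP-side station table that queues deauthentication requests."""

    def __init__(self, delay_s=5.0):           # the slide gives 5-10 s
        self.delay_s = delay_s
        self.associated = set()
        self.pending = {}                       # station -> arrival time of queued request
        self.discarded = 0                      # requests cancelled by later traffic

    def associate(self, sta):
        self.associated.add(sta)

    def on_deauth(self, sta, now):
        self.tick(now)
        if sta in self.associated:
            # Keep the earliest arrival so repeated requests cannot postpone the decision.
            self.pending.setdefault(sta, now)

    def on_data(self, sta, now):
        self.tick(now)
        if sta not in self.associated:
            return False                        # data from an unassociated station is rejected
        if self.pending.pop(sta, None) is not None:
            self.discarded += 1                 # station is evidently still present: drop the request
        return True

    def tick(self, now):
        """Apply every queued request whose delay has elapsed."""
        for sta, arrived in list(self.pending.items()):
            if now - arrived >= self.delay_s:
                del self.pending[sta]
                self.associated.discard(sta)

def demo():
    # Constructed event sequence; times are in seconds.
    ap = DelayedTeardownAP(delay_s=5.0)
    ap.associate("sta1")
    ap.associate("sta2")
    ap.on_deauth("sta1", 10.0)    # forged request naming sta1
    ap.on_data("sta1", 10.2)      # the real sta1 keeps transmitting
    ap.on_deauth("sta2", 30.0)    # sta2 really leaves and sends nothing further
    ap.tick(36.0)
    return sorted(ap.associated), ap.discarded

if __name__ == "__main__":
    print(demo())
```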

25 Virtual carrier-sense attack and defense
- Virtual Carrier-Sense Attack Using A Real NIC
- Virtual Carrier-Sense Attack Using ns simulator
- Defense to Virtual Carrier-Sense Attack

26 Virtual Carrier-Sense Attack Using A Real NIC
It does not work.
Conclusion: most of the devices available do not properly implement 802.11, i.e. the NAV reservation period is not fully honoured.

27 Virtual Carrier-Sense Attack Using ns simulator
The ns simulator implements 802.11 faithfully. The attack is devised by sending packets with a large NAV.

28 Defense to Virtual Carrier-Sense Attack
One way is to specify a maximal valid NAV = transmission time (max. packet) + medium access backoffs. However, increasing the frequency of Virtual Carrier-Sense Attack packets will still have an effect.

29 Defense to Virtual Carrier-Sense Attack
Another way specified by the authors requires modifying 802.11:
- No fragmentation, since the default fragmentation thresholds in wireless media significantly exceed the Ethernet MTU.
- For the four key frame types that contain a NAV:
  - ACK and Data frames: ignore the NAV, since there is no fragmentation.
  - RTS frame NAV: respected until such time as a data frame should be sent.
  - CTS frame NAV: specify some threshold (30%); if that much time is used by CTS frames, then ignore the NAV.
This way is not tested by the authors of the paper.
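The two NAV defenses above can be compared by measuring how much of a one-second window a station would treat as reserved under each policy. This is an added example, not code from the presentation or the paper: the function names, the cap value and the frame traces are constructed, and only the cap and the ACK/Data rule are modelled (the RTS and CTS rules are left out).

```python
ACK = (1, 0b1101)          # control frame, subtype 1101
CTS = (1, 0b1100)          # control frame, subtype 1100
DATA = (2, 0b0000)
CAP_US = 2568              # constructed cap: max-size frame plus backoff, assumed timing

def honoured_nav_us(ftype, subtype, duration_us, cap_us=None, ignore_ack_data=False):
    """NAV a receiver accepts from one frame under the chosen policy."""
    if ignore_ack_data and (ftype == DATA[0] or (ftype, subtype) == ACK):
        return 0                                   # slide 29: no fragmentation, so ignore
    if cap_us is not None:
        return min(duration_us, cap_us)            # slide 28: maximal valid NAV
    return duration_us

def reserved_fraction(frames, window_us, **policy):
    """Fraction of the window during which the receiver's NAV is non-zero.

    frames: iterable of (arrival_us, ftype, subtype, duration_us).
    """
    busy_until = 0
    reserved = 0
    for t, ftype, subtype, dur in sorted(frames):
        end = min(t + honoured_nav_us(ftype, subtype, dur, **policy), window_us)
        start = max(t, busy_until)                 # do not count overlapping time twice
        if end > start:
            reserved += end - start
            busy_until = end
    return reserved / window_us

WINDOW_US = 1_000_000
# Constructed traces: 30 frames/s with the largest duration value (the rate on slide 14),
# and frames spaced 2500 us apart, which is closer together than the cap.
SLOW_CTS = [(i * 33_333, *CTS, 32_767) for i in range(30)]
FAST_CTS = [(i * 2_500, *CTS, 32_767) for i in range(400)]
SLOW_DATA = [(i * 33_333, *DATA, 32_767) for i in range(30)]

if __name__ == "__main__":
    print("no defense      ", reserved_fraction(SLOW_CTS, WINDOW_US))
    print("cap only        ", reserved_fraction(SLOW_CTS, WINDOW_US, cap_us=CAP_US))
    print("cap, dense trace", reserved_fraction(FAST_CTS, WINDOW_US, cap_us=CAP_US))
    print("ignore ACK/Data ", reserved_fraction(SLOW_DATA, WINDOW_US, ignore_ack_data=True))
```

The dense trace shows the caveat on slide 28: once frames arrive closer together than the cap, the cap alone no longer frees the medium.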

30 Conclusions
- Vulnerabilities in the 802.11 management and media access services are identified.
- Theoretical attacks are analyzed.
- Implementations of the deauthentication and virtual carrier-sense attacks are provided with testing results.
- Low-overhead, non-cryptographic countermeasures are specified; some test results with the suggested improvements are also provided.

31 References
1. 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions, John Bellardo and Stefan Savage, Dept of UC San Diego.
2. 802.11 Wireless Networks – The Definitive Guide, Matthew S. Gast, O'Reilly 2002.
3. Real 802.11 Security – Wi-Fi Protected Access and 802.11i, Jon Edney and William A. Arbaugh, Addison-Wesley 2003.

