Presentation is loading. Please wait.

Presentation is loading. Please wait.

802.11 Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC

Published byMorgan Stockdale Modified over 10 years ago

Similar presentations

Presentation on theme: "802.11 Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC"— Presentation transcript:

1 802.11 Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC ndthuc@fit.hcmus.edu.vn

2 Introduction wireless LAN01010101 10010101 Wired LAN Wireless LAN Laptop Laptop Access Point Mobile Pocket PC Palm Internet

3 01010101 10010101 Introduction wireless securityAuthentication Privacy Integrity Availability

4 Availability 4 Defending against Dising attacks Determining hot-IPs

5 Dising attacks on 802.11 networks: Introduction In the current IEEE 802.11 standards, whenever a wireless station wants to leave the network, it sends a deauthentication or disassociation frame to the access point. These two frames, however, are sent unencrypted and are not authenticated by the access point. Therefore, an attacker can launch a DoS attack by spoofing these messages and thus disabling the communication between these wireless devices and their access point.

6 Dising attacks on 802.11 networks: Farewell attacks To break the communication between STAs and their AP, an attacker can simply send out a spoofed deauthentication or disassociation frame. There are a number of tool that enable an attacker to spoof the source MAC address of any device, such as: Spoof-MAC, Airsnarf, Mac Changer. Note that attacker spoofs a deauthentication or a disassociation frame of AP with broadcast destination MAC address, the effectively all STAs associated to the AP will be disconnected. The Farewell attack is simple but can cause serious damage, because the attacker can stop the communication using only limited resources without requiring any special technical skill. Bellardo et al. implement the attacks and show that this attack is simple and effective. J. Bellardo and S. Savage. 802.11 Denial-of-Service attacks: real vulnerabilities and pratical solutions. In Proceedings of the 12 th conference on USENIX Security Symposium, pages 18-25, Washington, DC, 2003.

7 Dising attacks on 802.11 networks: Some of Defending Solutions Approach: eliminating the deauthentication and disassociation frames, or enqueueing them for a fix interval of time (for instance, 10 seconds) Issues: there may be a period of time where a STA associates with multiple APs concurrently, which may cause routing/handoff problems Approach: using Reverse Address Resolution Protocol (RARP) to detect spoofed frames Issues: the attackers may spoof the IP address of the client to break the RARP. Approach: detecting spoofed frames based on frame sequence number Issues: the attacker may sniff the frames sent by the client to predict the sequence number of the next frame. Approach: developing a lightweight authentication protocol for management frames, such as using 1 bit for authentication. Issues: errors in wireless medium may break the authentication, and the probability of an attacker to guess the authentication bit correctly is high (50%)

8 Dising attacks on 802.11 networks: letter-envelop protocol The protocol works based on a one-way function f(.): given y = f(x), it is computationally infeasible to compute x; However, given x, it is easy to compute N. The Letter-envelop protocol is as follows: 1. Initially, STA randomly generates x 1, then computes y 1 = f(x 1 ). Similarly, AP generates x 2 and computes y 2 = f(x 2 ). 2. During the authentication process between STA and AP, STA sends y 1 to the AP, and AP sends y 2 to the STA. 3.When the STA wants to disconnect from the AP, it sends either the deauthentication or the disassociation frame to the AP, together x 1 to the AP. If f(x 1 ) = y 1 then the frame is authenticated and will be procceed accordingly. Otherwise, the frame is rejected. 4.Similarly, if the AP wants to disconnect from the STA, it sends the disassociation/deauthentication frame together x 2. The STA disconnects itself from the AP if f(x 2 )=y 2.

9 Dising attacks on 802.11 networks: letter-envelop protocol STA AP Connection process STA AP Connection process STA AP Connection process Authentication Association Generate x 1 y 1 = f(x 1 ) y 1 y 2 y 2 =f(x 2 ) is already computed Ass. request Generate x 1 Compute y 1 =f(x 1 ) y 1 Data exchange Generate x i Compute y i =f(x i ) y 2 (a) Original Association (b) Modified Association (c) Modified Association (special case) Thuc D. Nguyen, Duc H. M. Nguyen, Bao N. Tran,Hai Vu, Neeraj Mittal, A lightweight solution for defending against de- authentication/disassociation attacks on 802.11 networks, In IEEE 17th International Conference on Computer Communication and Networks (ICCCN), St. Thomas, US Virgin Islands, August 2008

10 Dising attacks on 802.11 networks: implementation of letter-envelop protocol Thuc D. Nguyen, Duc H. M. Nguyen, Bao N. Tran,Hai Vu, Neeraj Mittal, A lightweight solution for defending against de-authentication/disassociation attacks on 802.11 networks, In IEEE 17th International Conference on Computer Communication and Networks (ICCCN), St. Thomas, US Virgin Islands, August 2008

11 Dising attacks on 802.11 networks: implementation of letter-envelop protocol The configuration of our system is as follows: One PC (CPU: Intel Celeron 3GHz, RAM: 1GB, HDD: 80GB) functioning as an AP. One PC (CPU: Intel Celeron 1.73GHz, RAM: 512MB, HDD: 80GB) functioning as a legitimate STA. this STA continuously sends ICMP ping packets to the AP to check the connection with the AP. One PC (CPU: Intel Core Duo 1.6GHz, RAM: 512MB, HDD: 80GB) running CommView for Wifi to launch the Farewell attack. We continuously send deauthentication and disassociation frames with spoof MAC address of the STA (to the AP) and of the AP (to the STA) at rate 10 frames/second. If AP can detect the frame to be a spoofed frame, they will ignore the frame and will not disconnect the STA. otherwise it will disconnect the STA and clear information related to that STA in the memory. The result of the experiments show that our solution is completely effective against the Farewell attack, none of the attacks is successful.

12 Availability 12 Defending against Dising attacks Determining hot-IPs

13 Computing heavy hittes Cormode and Muthukrishnan consider the following problem of determining hot items" or "heavy- hitters. in a given sequence of items from [n], an item is considered hot" if it occurs > m=(d + 1) times; where d is a given constant. Note that there can be at most d hot items. G. Cormode and S. Muthukrishnan. What's hot and what's not: tracking most frequent items dynamically. ACM Trans. Database Syst., 30(1):249{278, 2005.

14 Algorithm of Cormode-Muthukrishnan Cormode and Muthukrishnan proposed an algorithm based on Non-Adaptive Group Test (NAGT) that computes all the hot items as long as the input satises the following small tail property: all of the non-hot items occur at most m=(d + 1) times. Let M be a d- disjunct t n matrix. For each test i [t], maintain a counter c i. When an item j [n] arrives (leaves respectively), increment (decrement respectively) all the counters c i such that M ij = 1. The algorithm also maintains the total number of items m seen so far.

15 Disjunct-matrix A binary t N matrix is said to be d- disjunct if the union (or Boolean sum) of any d columns does not contain any other column.

16 Determining hot-IPs Let n be number of IP address and d be maximum number of IPs which can been attacked. Given a sequence of IPs, the problem is to find those IPs which occur most frequently. This is formalized as finding all IPs whose frequency exceeds a specified fraction of the total number of IPs. This problem can been solved by using group test method

17 Algorithm Let M be d-disjunct t n matrix C := (c 1,…,c t ) N t R:=(r 1,…,r t ) {-,+} t IP [n]*: sequence of IPs. For j=1 to t do c j =0 For each i IP, for j=1 to t do if m ij =1 then c j ++ For j=1 to t do If c j >d then r j =+ Else r j =-

18 Example

19 Determining hot-IPs Given R {-,+}t Find hot-IPs With each r i =- do for i=1 to n do if (m ij )=1 Then IP:=IP\{j} Return IP

20 Example

Download ppt "802.11 Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC"

Similar presentations

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.
Security Issues In Mobile IP

Security Issues In Mobile IP
Computer Networking Components Chad DuBose ~ Assignment #3 ~ LTEC 4550.020.

Computer Networking Components Chad DuBose ~ Assignment #3 ~ LTEC
ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.

ARP AND RARP ROUTED AND ROUTING Tyler Bish. ARP There are a variety of ways that devices can determine the MAC addresses they need to add to the encapsulated.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Data Link Layer B. Konkoth. PDU  Protocol Data Unit  A unit of data which is specified in a protocol of a given layer  Layer 5, 6, 7 – Data  Layer.

Data Link Layer B. Konkoth. PDU  Protocol Data Unit  A unit of data which is specified in a protocol of a given layer  Layer 5, 6, 7 – Data  Layer.
Doc.: IEEE 802.11-07/2441r2 Submission SA Teardown Protection for 802.11w Date: 2007-11-05.

Doc.: IEEE /2441r2 Submission SA Teardown Protection for w Date:
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
IP Routing: an Introduction. Quiz 0-31 32-63 64-95 96-127 128-159 160-191 192-223 224-255.

IP Routing: an Introduction. Quiz
IEEE Wireless LAN Standard

IEEE Wireless LAN Standard

Similar presentations

Ads by Google