Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions

Similar presentations


Presentation on theme: "Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions"— Presentation transcript:

1 802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Presented By Devon Callahan

2 Outline Introduction to 802.11and Motivation Related Work
Vulnerabilities of Practical Attacks and Defenses Experimental Results Conclusions Final Thoughts

3 Introduction 802.11 networks are everywhere
Usually network clients are in a star topology with the Access point b and g are most popular With such high dependency on are there vulnerabilities...

4 Related Work Most of the work has focused on the confidentiality
weakness in security of ( WEP and WPA) What about availability? Lough identified vulnerabilities of MAC(disassociation, deauthentication, virtual carrier sensing) but did not validate

5 Related work (cont) Faria, and Cheriton identified problems posed by Authentication DoS attacks and purpose new authentication framework (not very light weight) AirJack, Omerta, void11, Radiate all wireless tools from early 2000's Some general DoS attacks based on resource consumption(frame rate control)

6 Vulnerabilities of Denial of Service the act of denying a computer user of a particular service Typically flood a client with more traffic than it can handle more vulnerable than because of the shared medium 2.4Ghz

7 Denial of Service on Wireless
The attacker wants to disrupt and deny access to services by legitimate users Two main types of DoS in RF Attacks or Jamming the wireless spectrum- disruption occurs when signal-to-noise ratio reaches certain level Protocol based attacking- the higher layers of communication which are easier $$ (Identity and Media-access control)

8 Identity Vulnerabilities
A result of the trust placed in a speaker’s source address nodes are identified at MAC layer by unique address as wired nodes are. Frames are not authenticated, meaning an attacker can change his MAC address and spoof other nodes (similar to what is done in ARP spoofing) Leads to 3 kinds of attacks: Disassociation attack Deauthentication attack Power saving mode attack

9 Disassociation A client can authenticate with multiple APs but associate with one in order to allow the correct AP to forward packets Association frames are unauthenticated provides a disassociation message similar to the deauth message Vulnerability is spoofed message causing the AP to disassociate the client

10 Disassociation Attack
AP Authentication Request Authentication Response Association Request Association Response Data Data Attacker Disassociation Disassociation

11 Deauthentication Attack
Authentication Procedure After selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address Part of Authentication framework is a message allowing clients to explicitly deauthenticate from the AP Vulnerability An attacker can spoof the deauthentication message causing the communication between AP and client to suspend, causing a DoS Result Client must re-authenticate to resume communication with AP

12 Deauthentication Attack
AP Authentication Request Authentication Response Association Request Association Response Data Data Attacker Deauthentication Deauthentication

13 Deauthentication Attack (Cont.)
By repeating attack, client can be kept from transmitting or receiving data indefinitely Attack can be executed on individual client or all clients Individual Clients Attacker spoofs clients address telling AP to deauthenticate them All Clients Attacker spoofs AP telling all clients to deauthenticate

14 Deauthentication or Disassociation?
Deauthentication requires a RTT of 2 in order to resume communication Disassociation requires a RTT of 1 in order to resume communication Because it requires less work for the attacker Deauthentication is the more effective attack

15 Power Saving in 802.11 Nodes “sleep” to conserve energy
AP will buffer clients packets until requested with a poll message TIM (traffic indication map) is a periodic packet sent by AP to notify client of buffered data Relies on sync of packets so client is awake when the TIM is sent

16 Attacks on Power Saving
Attacker can spoof on behalf of AP the TIM message Client could think there is no data and go back to sleep Attacker forge management sync packets Cause client to fall out of sync with AP Attacker spoof on behalf of the client AP sends data while client is sleeping

17 Media Access Vulnerabilities
Avoid collisions at all costs!!! Is the Attitude CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance SIFS-time before preexisting frame exchange can occur(ACK)

18 Media Access Vulnerabilities(cont)
DIFS-time used for nodes initiating new traffic Nodes will transmit randomly after the DIFS Attacker can send signal before every SIFS slot to clog the channel Requires 50,000 pps to shut down channel

19 More serious is RTS/CTS
In order to avoid a “hidden terminal”

20 Virtual Carrier Sense Mechanism needed in preventing collision from two clients not hearing each other (hidden terminal problem) RTS/CTS A client wanting to transmit a packet first sends a RTS (Request to Send) RTS includes source, destination, and duration A client will respond with a CTS (Clear to Send) packet

21 NAV Vulnerability 2 2 6 6 6 6 6 0-2312 2 Frm Ctl Duration Addr1 Addr2 Addr3 Seq Ctl Addr4 Data FCS General Frame Format Virtual carrier sense allows a node to reserve the radio channel Each frame contains a duration value Indicates # of microseconds channel is reserved Tracked per-node; Network Allocation Vector (NAV) Used by RTS/CTS Nodes only allowed to xmit if NAV reaches 0

22 Simple NAV Attack: Forge packets with large Duration
Attacker Access Point and Node 2 can’t xmit (but Node 1 can) Duration=32000 Access Point Node 1 Node 2

23 Extending NAV Attack w/RTS
AP and both nodes barred from transmitting Attacker Duration=32000 RTS Duration=31000 CTS Access Point Node 1 Node 2

24 Practical Attacks and Defenses
Authors were able to implement these attacks with current software and hardware IPAQ running Linux with DLINK PCMCIA card Built app that monitors wireless channels for AP and clients Once identified by MAC a DNS resolver and dsnif are used to obtain better identifiers(userids)

25 How to Generate Arbitrary 802.11 Frames?
Host Interface to NIC Key idea: AUX/Debug Port allows Raw access to NIC SRAM Download frame to NIC Find frame in SRAM Request transmission Wait until firmware modifies frame Rewrite frame via AUX port AUX Port Xmit Q SRAM BAP Xmit process Physical resources Virtualized firmware interface Radio Modem Interface

26 Simulating the NAV attack
So how bad would the attack be? Simulated NAV attack using NS2 18 Users 1 Access Point 1 Attacker 30 attack frames per second ms duration per attack frame

27 NAV Attack Simulation

28 Practical NAV Defense Legitimate duration values are relatively small
Determine maximum reasonable NAV values for all frames Each node enforces this limit < .5 ms for all frames except ACK and CTS ~3 ms for ACK and CTS Reran the simulation after adding defense to the simulator

29 Simulated NAV Defense

30 Why the NAV attack doesn’t work
Surprise: many vendors do not implement the spec correctly Duration field not respected by other nodes Time (s) Source Destination Duration (ms) Type :e7:00:15:01 32.767 CTS :93:ea:e7:0f :93:ea:ab:df 0.258 TCP Data Ack = 1.2 ms Excerpt from a NAV Attack Trace

31 Deauth Attack Results

32 Practical Deauth Defense
Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data Delay honoring Deauthentication request Small interval (5-10 seconds) If no other frames received from source then honor request If source sends other frames then discard request Requires no protocol changes and is backwards compatible with existing hardware

33 Deauthentication Defense Results

34 More Robust Defense

35 Defense in Depth MAC 00-14-A4-2D-BE-1D Num 1 -35 dBm MAC
AP Data Num 3 -35 dBm Num 4 -18 dBm Num 4 -34 dBm Num 1 RSS -35 dBm Num 2 RSS -36 dBm Num 3 RSS -35 dBm Attacker Deauthentication Num 4 RSS -18 dBm Data Num 4 RSS -34 dBm Num 5

36 Identity theft (MAC spoofing)
occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network.

37 Man-in-the-middle attacks
attacker entices computers to log into a computer which is set up as a soft AP hacker connects to a real access point through another wireless card The hacker can then sniff the traffic

38 Caffe Latte attack Way to defeat WEP
By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client By sending a flood of encrypted ARP requests Attacker uses the ARP responses to obtain the WEP key in less than 6 minutes

39 Conclusion Deauthentication attack is most immediate concern
Denial of Service Attacks in are very plausible with existing equipment Although this research paper was published in 2003 the threat remains for networks

40 THANK YOU! Questions?


Download ppt "Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions"

Similar presentations


Ads by Google