Presentation is loading. Please wait.

Presentation is loading. Please wait.

Natalie Podrazik – CS 491V – “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April.

Published byAnne Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "Natalie Podrazik – CS 491V – “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April."— Presentation transcript:

1 Natalie Podrazik – CS 491V – natalie2@umbc.edu “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April 19, 2006 natalie2@umbc.edu

2 Natalie Podrazik – CS 491V – natalie2@umbc.edu Overview I.What is 802.11 II.802.11 Vulnerabilities I.Identity II.MAC Layer III.Experiment I.Tools and Modifications II.Results IV.Conclusions V.Relevancy to E-Voting Project

3 Natalie Podrazik – CS 491V – natalie2@umbc.edu What is 802.11? IEEE wireless internet standard 802.11b, 802.11a, 802.11g flavors Popular Cheap Easy to set up, maintain Operates on 2.4 GHz band

4 Natalie Podrazik – CS 491V – natalie2@umbc.edu Client, Name: ABCDEFGHIJKL Access Point, Name: AccessPoint00 How does 802.11 work? Authentication Request & Response Association Request & Response Data Payload Acknowledgements Deauthentication Request & Response

5 Natalie Podrazik – CS 491V – natalie2@umbc.edu Vulnerabilities 1. Identity Use of MAC frames with sender and receiver 2. MAC Layer Use of MAC frames to avoid collisions Client, Name: MNOPQRSTUVWX To: AccessPoint00 From: MNOPQRSTUVWX Duration: 100  s Frame Spoofing Stalling Hi, I’m ABCDEFGHIJKL...

6 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point, Name: AccessPoint00 Spoof Attack 1: Deauthentication Authentication Request & Response Association Request & Response Data Payload Deauthentication Request Client, Name: ABCDEFGHIJKL Attacker, Name: MNOPQRSTUVWX x Deauthentication Response

7 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point, Name: AccessPoint00 Approaches to Deauthentication Spoof client or Access Point To: AccessPoint00 From: ABCDEFGHIJKL Msg: DEAUTH MAC Frame Attacker, Name: MNOPQRSTUVWX To: ABCDEFGHIJKL From: AccessPoint00 Msg: DEAUTH MAC Frame Client, Name: ABCDEFGHIJKL

8 Natalie Podrazik – CS 491V – natalie2@umbc.edu Strength of Deauthentication Attack Client must re-establish connection Prevention of sending or receiving any data Possibilities Forbid or limit access to certain clients Block entire access point More work for attacker Clean attacks – new auths No escape for client to other AP’s

9 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point, Name: AccessPoint00 Spoof Attack 2: Disassociation Authentication Request & Response Association Request & Response Data Payload Disassociation Request Client, Name: ABCDEFGHIJKL Attacker, Name: MNOPQRSTUVWX x Deauthentication Response

10 Natalie Podrazik – CS 491V – natalie2@umbc.edu Evaluation of Disassociation Attack Similar to deauthentication Less efficient Deauthentication forces the client do to more work: re-establish authentication + association Disassociation only forces client to reestablish association, not authentication.

11 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point, Name: AccessPoint00 Spoof Attack #3: While you were sleeping... Power-saving techniques allow clients to go to sleep Client, Name: ABCDEFGHIJKL I’m going to sleep Ok, I’ll take your messages. 0 1 2 3 4 5 6 7 zzzz z I’m awake. Any messages? 0 1 2 3 4 5 6 7

12 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point, Name: AccessPoint00 Spoofing the Polling Message Client, Name: ABCDEFGHIJKL 0 1 2 3 4 5 6 7 zzzz z I’m awake. Any messages? I’m ABCDEFGHIJ K, and I’m awake. Nope. 0 1 2 3 4 5 6 7 x Attacker, Name: MNOPQRSTUVWX

13 Natalie Podrazik – CS 491V – natalie2@umbc.edu TIM Packets Traffic Indication Map Spoof broadcast of TIM Access Point, Name: AccessPoint00 Client, Name: ABCDEFGHIJKL 0 1 2 3 4 5 6 7 zzzz z TIM No pending messages for ABCDEFGHIJKL

14 Natalie Podrazik – CS 491V – natalie2@umbc.edu Timing Waking up timing relies on: Period of TIM packets Timestamp broadcast from access point Both are sent in the clear Attack: Get client out of sync Wake up at the wrong times

15 Natalie Podrazik – CS 491V – natalie2@umbc.edu MAC Vulnerabilities Access to MAC divided into windows Short InterFrame Space (SIFS) For already connected exchanges Distributed Coordination Function InterFrame Space (DIFS) To initiate new frames Sender specifies which window No immediate ACK = collision Random exponential backoff algorithm To: AccessPoint00 From: ABCDEFGHIJKL Window: DIFS To: AccessPoint00 From: ABCDEFGHIJKL Window: DIFS MAC Frame

16 Natalie Podrazik – CS 491V – natalie2@umbc.edu MAC Attack #1: Waiting to Transmit Every transmitting node has to wait at least 1 SIFS interval Attack: send short message before end of each SIFS interval Unlikely: SIFS period = 20  s, many packets per second to send 1 SIFS interval (20  s) Backoff

17 Natalie Podrazik – CS 491V – natalie2@umbc.edu MAC Attack #2: Duration Every 802.11 frame has a duration field How many  s the channel will be reserved Used to setup Network Allocation Vector (NAV) Nodes can only transmit when NAV == 0 To: AccessPoint00 From: MNOPQRSTUVWX Duration: 32767  s MAC Frame

18 Natalie Podrazik – CS 491V – natalie2@umbc.edu Duration Attacks Possible to use almost any frame to control NAV ACK RTS (Request To Send) / CTS (Clear To Send) Attacker uses little resources Transmit ~30 times / second to jam channel Little power used Use of a directional antennae

19 Natalie Podrazik – CS 491V – natalie2@umbc.edu Experiment Challenge: Modifying MAC frames to spoof sender address Generating any old control frames Solution: Tweak “Buffer Access Path” firmware and Aux-Port Intervenes between NIC’s passing of packets to hardware Attacks via OTS hardware

20 Natalie Podrazik – CS 491V – natalie2@umbc.edu Attacker iPAQ H3600 with Dlink DWL-650 card Linux Weighs 375 g (~12oz) Easily fits in a coat pocket Listening application Clients identified by MAC addresses DNS-resolver used

21 Natalie Podrazik – CS 491V – natalie2@umbc.edu Experiments Client (Windows XP) Access Point (Linux HostAP) Attacker Client (Linux Thinkpad) Client (MacOS X) Client (Linux iPaq) Monitoring Station

22 Natalie Podrazik – CS 491V – natalie2@umbc.edu Attack #1: Deauth Against One Access Point (Linux HostAP) Attacker Client (Linux Thinkpad) Client (MacOS X) Client (Linux iPaq) Monitoring Station

23 Natalie Podrazik – CS 491V – natalie2@umbc.edu Single Client Attack Transfer immediately halted Attack lasted for < 10 sec Rate of transfer wasn’t up to par for more than a minute Recovery

24 Natalie Podrazik – CS 491V – natalie2@umbc.edu Attack #2: Deauth Against All Access Point (Linux HostAP) Client (Linux Thinkpad) Client (MacOS X) Client (Linux iPaq) Monitoring Station Attacker

25 Natalie Podrazik – CS 491V – natalie2@umbc.edu Attack Against All Clients Windows XP can still send a little bit Packets not from that session – underlying UDP packets from another XP service

26 Natalie Podrazik – CS 491V – natalie2@umbc.edu Access Point Monitoring Station Attacker MAC Attack Plays by timing rules but sets large durations Sends packets out 30 times per second Ignores all duration values from any other node 18 client nodes in this experiment

27 Natalie Podrazik – CS 491V – natalie2@umbc.edu Results of MAC Attack Channel is completely blocked for the duration of the attack Similar results with ACK and RTS/CTS frames

28 Natalie Podrazik – CS 491V – natalie2@umbc.edu Defenses to MAC Attack Cap on duration values Sending 90 packets per second brought network down

29 Natalie Podrazik – CS 491V – natalie2@umbc.edu Overall Recommendations Authentication of 802.11 control packets Limiting the size of ACK frames Individual nodes’ duration threshold Situational Awareness

30 Natalie Podrazik – CS 491V – natalie2@umbc.edu New and Relevant Modifying frames at data link layer through OTS hardware Strength of attacks Ease of attack Scale of attack Resources needed Capabilities of modern cell phones

31 Natalie Podrazik – CS 491V – natalie2@umbc.edu Mobile Devices iPAQ H6315 Pocket PC F1000G LinkSys WIP300 8215 Smartphone T-Mobile M/DA Verizon XV6700

32 Natalie Podrazik – CS 491V – natalie2@umbc.edu AVS WINvote

33 Natalie Podrazik – CS 491V – natalie2@umbc.edu Works Cited 1.“Access Point". Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point http://en.wikipedia.org/wiki/Access_Point 2.Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August 2003. 3.Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networing." U Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.htmlhttp://mvp.unixwiz.net/techtips/wireless-guide.html 4."HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htmhttp://pocketpccentral.net/ipaq6300.htm 5."Media Access Control". Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control http://en.wikipedia.org/wiki/Media_Access_Control 6."Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com \http://www.brighthand.com 7."UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/ http://www.utstar.com/Solutions/Handsets/WiFi/ 8."Wi-Fi". Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi

Download ppt "Natalie Podrazik – CS 491V – “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions” Natalie Podrazik April."

Similar presentations

Medium Access Control Onno W. Purbo

Medium Access Control Onno W. Purbo
Lecture 5: IEEE 802. 11 Wireless LANs (Cont.). Mobile Communication Technology according to IEEE (examples) Local wireless networks WLAN 802.11 802.11a.

Lecture 5: IEEE Wireless LANs (Cont.). Mobile Communication Technology according to IEEE (examples) Local wireless networks WLAN a.
802.11 – Wireless PHY and MAC Stallings 502-507. Types of 802.11 802.11 Infrared 802.11 FHSS (frequency hopping spread spectrum) 802.11 DSSS (direct sequence.

– Wireless PHY and MAC Stallings Types of Infrared FHSS (frequency hopping spread spectrum) DSSS (direct sequence.
© Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS591 – Wireless & Network Security.

© Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS591 – Wireless & Network Security.
Comp 361, Spring 20056:Basic Wireless 1 Chapter 6: Basic Wireless (last updated 02/05/05) r A quick intro to CDMA r Basic 802.11.

Comp 361, Spring 20056:Basic Wireless 1 Chapter 6: Basic Wireless (last updated 02/05/05) r A quick intro to CDMA r Basic
Module C- Part 1 WLAN Performance Aspects

Module C- Part 1 WLAN Performance Aspects
IEEE 802.11b Wireless LANs Carey Williamson Department of Computer Science University of Calgary.

IEEE b Wireless LANs Carey Williamson Department of Computer Science University of Calgary.
1 Power Management in IEEE 802.11 Yu-Chee 1. Possible Access Sequences for a STA in PS Mode 2. PS in Infrastructure Network 3. PS in Ad.

1 Power Management in IEEE Yu-Chee 1. Possible Access Sequences for a STA in PS Mode 2. PS in Infrastructure Network 3. PS in Ad.
John Bellardo Stefan Savage Presented by: Hal Lindsey

John Bellardo Stefan Savage Presented by: Hal Lindsey
1 CSE401n:Computer Networks Lecture 16 Wireless Link & LANs WS: ch-14 KR: 5.7.

1 CSE401n:Computer Networks Lecture 16 Wireless Link & LANs WS: ch-14 KR: 5.7.
CWNA Guide to Wireless LANs, Second Edition Chapter Five IEEE 802.11 Media Access Control and Network Layer Standards 1.

CWNA Guide to Wireless LANs, Second Edition Chapter Five IEEE Media Access Control and Network Layer Standards 1.
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.
20 – Collision Avoidance, 802.11 6: Wireless and Mobile Networks6-1.

20 – Collision Avoidance, : Wireless and Mobile Networks6-1.
1 Introduction to Wireless Networks Michalis Faloutsos.

1 Introduction to Wireless Networks Michalis Faloutsos.
1 Elements of a wireless network network infrastructure wireless hosts r laptop, PDA, IP phone r run applications r may be stationary (non- mobile) or.

1 Elements of a wireless network network infrastructure wireless hosts r laptop, PDA, IP phone r run applications r may be stationary (non- mobile) or.
Rensselaer Polytechnic Institute © Shivkumar Kalvanaraman & © Biplab Sikdar1 ECSE-4730: Computer Communication Networks (CCN) Chapter 5: The Data Link.

Rensselaer Polytechnic Institute © Shivkumar Kalvanaraman & © Biplab Sikdar1 ECSE-4730: Computer Communication Networks (CCN) Chapter 5: The Data Link.
5-1 Data Link Layer r Wireless Networks m Wi-Fi (Wireless LAN) Example Problems m RTS/CTS.

5-1 Data Link Layer r Wireless Networks m Wi-Fi (Wireless LAN) Example Problems m RTS/CTS.
5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.

5-1 Data Link Layer r What is Data Link Layer? r Wireless Networks m Wi-Fi (Wireless LAN) r Comparison with Ethernet.
Semester 1 2011-2012 EEE449 Computer Networks The Data Link Layer Part 2: Media Access Control En. Mohd Nazri Mahmud MPhil (Cambridge, UK) BEng (Essex,

Semester EEE449 Computer Networks The Data Link Layer Part 2: Media Access Control En. Mohd Nazri Mahmud MPhil (Cambridge, UK) BEng (Essex,
8/7/20151 Mobile Computing COE 446 Wireless Multiple Access Tarek Sheltami KFUPM CCSE COE hthttp://faculty.kfupm.edu.sa/coe/tarek/coe446.htm Principles.

8/7/20151 Mobile Computing COE 446 Wireless Multiple Access Tarek Sheltami KFUPM CCSE COE hthttp://faculty.kfupm.edu.sa/coe/tarek/coe446.htm Principles.

Similar presentations

Ads by Google