Date post: 16-Mar-2016
Page 1: 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions

802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions
John Bellardo and Stefan Savage
Department of Computer Science and Engineering, University of California, San Diego
Presented by Devon Callahan

Page 2: Outline

- Introduction to 802.11 and Motivation
- Related Work
- Vulnerabilities of 802.11
- Practical Attacks and Defenses
- Experimental Results
- Conclusions
- Final Thoughts

Page 3: Introduction

- 802.11 networks are everywhere
- Usually network clients are in a star topology with the access point
- 802.11b and g are the most popular
- With such high dependency on 802.11, are there vulnerabilities?

Page 4: Related Work

- Most of the work has focused on the confidentiality weaknesses in 802.11 security (WEP and WPA)
- What about availability?
- Lough identified vulnerabilities of the MAC (disassociation, deauthentication, virtual carrier sensing) but did not validate them

Page 5: Related Work (cont.)

- Faria and Cheriton identified problems posed by authentication DoS attacks and propose a new authentication framework (not very lightweight)
- AirJack, Omerta, void11, Radiate: all wireless tools from the early 2000s
- Some general 802.11 DoS attacks based on resource consumption (frame rate control)

Page 6: Vulnerabilities of 802.11

- Denial of service: the act of denying a computer user a particular service
- Typically floods a client with more traffic than it can handle
- 802.11 is more vulnerable than 802.3 because of the shared 2.4 GHz medium

Page 7: Denial of Service on Wireless

- The attacker wants to disrupt and deny access to services by legitimate users
- Two main types of DoS in 802.11:
  - RF attacks, or jamming the wireless spectrum: disruption occurs when the signal-to-noise ratio reaches a certain level
  - Protocol-based attacks on the higher layers of communication, which are easier and cheaper (identity and media-access control)

Page 8: Identity Vulnerabilities

- A result of the trust placed in a speaker's source address
- 802.11 nodes are identified at the MAC layer by a unique address, as wired nodes are
- Frames are not authenticated, meaning an attacker can change his MAC address and spoof other nodes (similar to what is done in ARP spoofing)
- Leads to three kinds of attacks:
  - Disassociation attack
  - Deauthentication attack
  - Power saving mode attack

Page 9: Disassociation

- A client can authenticate with multiple APs but associates with only one, so that the correct AP forwards its packets
- Association frames are unauthenticated
- 802.11 provides a disassociation message similar to the deauthentication message
- Vulnerability: a spoofed disassociation message causes the AP to disassociate the client

Page 10: Disassociation Attack

(Sequence diagram between the client, the attacker and the AP; frames in order:)
1. Authentication Request
2. Authentication Response
3. Association Request
4. Association Response
5. Data
6. Data
7. Attacker: Disassociation (spoofed)
8. Disassociation

Page 11: Deauthentication Attack

Authentication procedure
- After selecting an AP for communication, clients must authenticate themselves to the AP with their MAC address
- Part of the authentication framework is a message allowing clients to explicitly deauthenticate from the AP

Vulnerability
- An attacker can spoof the deauthentication message, suspending communication between the AP and the client and causing a DoS

Result
- The client must re-authenticate to resume communication with the AP

Page 12: Deauthentication Attack

(Sequence diagram between the client, the attacker and the AP; frames in order:)
1. Authentication Request
2. Authentication Response
3. Association Request
4. Association Response
5. Data
6. Data
7. Attacker: Deauthentication (spoofed)
8. Deauthentication

Page 13: Deauthentication Attack (cont.)

- By repeating the attack, a client can be kept from transmitting or receiving data indefinitely
- The attack can be executed on an individual client or on all clients
  - Individual clients: the attacker spoofs the client's address, telling the AP to deauthenticate it
  - All clients: the attacker spoofs the AP, telling all clients to deauthenticate

Page 14: Deauthentication or Disassociation?

- Deauthentication requires 2 RTTs in order to resume communication
- Disassociation requires 1 RTT in order to resume communication
- Because it requires less work for the attacker, deauthentication is the more effective attack

Page 15: Power Saving in 802.11

- Nodes "sleep" to conserve energy
- The AP will buffer a client's packets until they are requested with a poll message
- The TIM (traffic indication map) is a periodic packet sent by the AP to notify the client of buffered data
- Relies on packet synchronization so that the client is awake when the TIM is sent

Page 16: Attacks on Power Saving

- Attacker spoofs the TIM message on behalf of the AP: the client could think there is no data and go back to sleep
- Attacker forges management sync packets: causes the client to fall out of sync with the AP
- Attacker spoofs on behalf of the client: the AP sends data while the client is sleeping

Page 17: Media Access Vulnerabilities

- "Avoid collisions at all costs!!!" is the attitude
- CSMA/CA stands for Carrier Sense Multiple Access with Collision Avoidance
- SIFS: the time a node waits before continuing a pre-existing frame exchange (e.g. sending an ACK)

Page 18: Media Access Vulnerabilities (cont.)

- DIFS: the time nodes wait before initiating new traffic
- Nodes transmit at a random time after the DIFS
- An attacker can send a signal before every SIFS slot to clog the channel
- Requires 50,000 pps to shut down the channel

Page 19: RTS/CTS

- More serious is RTS/CTS, used in order to avoid a "hidden terminal"

Page 20: Virtual Carrier Sense

- Mechanism needed to prevent collisions between two clients that cannot hear each other (hidden terminal problem)
- RTS/CTS:
  - A client wanting to transmit a packet first sends an RTS (Request to Send)
  - The RTS includes source, destination and duration
  - A client will respond with a CTS (Clear to Send) packet

Page 21: NAV Vulnerability

802.11 general frame format (field sizes in bytes; the Duration field is the one at issue):

Field | Frm Ctl | Duration | Addr1 | Addr2 | Addr3 | Seq Ctl | Addr4 | Data   | FCS
Bytes | 2       | 2        | 6     | 6     | 6     | 2       | 6     | 0-2312 | 4

- Virtual carrier sense allows a node to reserve the radio channel
- Each frame contains a duration value
  - Indicates the number of microseconds the channel is reserved
  - Tracked per node in the Network Allocation Vector (NAV)
  - Used by RTS/CTS
- Nodes are only allowed to transmit when their NAV reaches 0

Page 22: Simple NAV Attack: forge packets with a large Duration

(Diagram: access point, Node 1, Node 2 and the attacker. The attacker's forged frames, carrying Duration=32000, reach the access point and Node 2.)

Result: the access point and Node 2 can't transmit (but Node 1 can).

Page 23: Extending the NAV Attack with RTS

(Diagram: access point, Node 1, Node 2 and the attacker. The attacker sends an RTS with Duration=32000; the resulting CTS, carrying Duration=31000, is heard by the access point, Node 1 and Node 2.)

Result: the AP and both nodes are barred from transmitting.

Page 24: Practical Attacks and Defenses

- The authors were able to implement these attacks with current software and hardware
- iPAQ running Linux with a D-Link PCMCIA card
- Built an app that monitors wireless channels for APs and clients
- Once identified by MAC, a DNS resolver and dsniff are used to obtain better identifiers (user IDs)

Page 25: How to Generate Arbitrary 802.11 Frames?

Key idea: the AUX/debug port allows raw access to the NIC's SRAM

1. Download frame to NIC
2. Find frame in SRAM
3. Request transmission
4. Wait until firmware modifies frame
5. Rewrite frame via AUX port

(Diagram: the host interface to the NIC reaches SRAM through the BAP and the AUX port; SRAM feeds the transmit queue and transmit process. The virtualized firmware interface sits above the physical resources and the radio modem interface.)

Page 26: Simulating the NAV Attack

- So how bad would the attack be? The NAV attack was simulated using NS2
- 18 users, 1 access point, 1 attacker
- 30 attack frames per second, 32.767 ms duration per attack frame

Page 27: NAV Attack Simulation

(Chart: packets versus simulated seconds, 10 to 94 s; series: Attacker, Users.)

Page 28: Practical NAV Defense

- Legitimate duration values are relatively small
- Determine the maximum reasonable NAV value for all frames; each node enforces this limit
  - < 0.5 ms for all frames except ACK and CTS
  - ~3 ms for ACK and CTS
- Reran the simulation after adding the defense to the simulator

Page 29: Simulated NAV Defense

(Chart: packets versus simulated seconds, 10 to 94 s; series: Attacker, Users.)

Page 30: Why the NAV Attack Doesn't Work

- Surprise: many vendors do not implement the 802.11 spec correctly
- The Duration field is not respected by other nodes

Excerpt from a NAV attack trace (addresses are truncated as on the slide):

Time (s)   Source         Destination    Duration (ms)  Type
1.294020                  :e7:00:15:01   32.767         802.11 CTS
1.295192   :93:ea:e7:0f   :93:ea:ab:df   0.258          TCP Data
1.296540                  :93:ea:e7:0f   0              802.11 Ack
1.297869   :93:ea:ab:df   :93:ea:e7:0f   0.258          TCP Data

1.2952 - 1.2940 = 1.2 ms: the next data frame was sent only 1.2 ms after a CTS that reserved the channel for 32.767 ms.
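The page-28 NAV cap applied to the trace excerpt above, as an added example (not code from the paper or the presentation). The rows are transcribed from the slide with its truncated addresses, the per-type caps are the page-28 values, and the second function checks, for each frame, whether other stations transmitted inside the window its Duration claimed, which is how the slide's 1.2 ms observation is obtained (the slide rounds; the code keeps three decimals).

```python
"""NAV cap defense (page 28) and NAV-honoring check over the page-30 trace.

Added example; not the paper's or presenter's code. Durations are in
milliseconds, times in seconds, as on the slide.
"""
# Upper bound a defending node enforces on the Duration field, from page 28.
NAV_CAP_MS = {"802.11 CTS": 3.0, "802.11 Ack": 3.0}
DEFAULT_CAP_MS = 0.5

# Transcribed from the slide: (time_s, source, destination, duration_ms, type).
# CTS and Ack frames carry only a receiver address, so their source is empty.
TRACE = [
    (1.294020, "", ":e7:00:15:01", 32.767, "802.11 CTS"),
    (1.295192, ":93:ea:e7:0f", ":93:ea:ab:df", 0.258, "TCP Data"),
    (1.296540, "", ":93:ea:e7:0f", 0.0, "802.11 Ack"),
    (1.297869, ":93:ea:ab:df", ":93:ea:e7:0f", 0.258, "TCP Data"),
]


def nav_cap_ms(frame_type):
    return NAV_CAP_MS.get(frame_type, DEFAULT_CAP_MS)


def clamp_duration(frame):
    """Page-28 rule: never let the NAV exceed the per-type cap."""
    _, _, _, dur, ftype = frame
    return min(dur, nav_cap_ms(ftype))


def oversized_frames(trace):
    """Frames a defending node would clamp: (type, claimed_ms, enforced_ms)."""
    return [(f[4], f[3], clamp_duration(f)) for f in trace if f[3] > nav_cap_ms(f[4])]


def nav_violations(trace):
    """For each frame, list later transmissions by *other* stations that start
    inside the window its Duration reserved. Any hit means the Duration was
    ignored, which is what the slide observes for the forged CTS."""
    hits = []
    for i, (t, _src, dst, dur, ftype) in enumerate(trace):
        reserved_until = t + dur / 1000.0
        for t2, src2, _dst2, _dur2, ftype2 in trace[i + 1:]:
            if t2 >= reserved_until:
                break
            # The addressed station may answer; anyone else should stay silent.
            if src2 not in ("", dst):
                hits.append((ftype, round((t2 - t) * 1000.0, 3), ftype2, src2))
    return hits
```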

Page 31: Deauth Attack Results

(Chart: packets versus time, 1 to 151 s; series: Attacker, Win XP, Linux Thinkpad, Linux iPaq, MacOS.)

Page 32: Practical Deauth Defense

- Based on the observed behavior that legitimate nodes do not deauthenticate themselves and then send data
- Delay honoring the deauthentication request for a small interval (5-10 seconds)
  - If no other frames are received from the source, honor the request
  - If the source sends other frames, discard the request
- Requires no protocol changes and is backwards compatible with existing hardware
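The delayed-honoring rule from this slide as an event-driven check an AP could run, written as an added example (not the paper's or presenter's code). The event list is constructed here: client A is the spoofing victim, client B really leaves; the 5 s delay is the low end of the slide's 5-10 s range.

```python
"""Delayed deauthentication honoring (page 32). Added example, not the paper's code.

Events are (time_s, source_mac, frame_type) in the order the AP sees them. A
deauth from S starts a timer; any other frame from S before it expires shows
the deauth was forged (a real client would not keep talking), so the request
is discarded. If S stays silent for the whole window, the request is honored.
"""
DELAY_S = 5.0   # the slide suggests a 5-10 second interval


def process_deauths(events, delay_s=DELAY_S):
    """Return (honored, discarded): lists of (deauth_time, source) decisions."""
    pending = {}            # source -> time its deauth request was received
    honored, discarded = [], []
    for t, src, ftype in sorted(events):
        # Fire every timer whose window elapsed before this event.
        for s, t0 in list(pending.items()):
            if t - t0 >= delay_s:
                honored.append((t0, s))
                del pending[s]
        if ftype == "deauth":
            pending.setdefault(src, t)          # keep the earliest request
        elif src in pending:
            discarded.append((pending.pop(src), src))
    # End of trace: remaining timers fire.
    for s, t0 in sorted(pending.items(), key=lambda kv: kv[1]):
        honored.append((t0, s))
    return honored, discarded


# Constructed sample: the attacker spoofs client A's MAC; client B really leaves.
SAMPLE = [
    (0.0, "A", "data"),
    (1.0, "A", "deauth"),    # forged with A's address
    (2.5, "A", "data"),      # the real A keeps sending -> request discarded
    (3.0, "B", "deauth"),    # B really leaves and stays silent -> honored at 8.0
    (4.0, "A", "data"),
    (9.0, "A", "deauth"),    # forged again, but A is idle for the whole window
    (20.0, "A", "data"),     # too late: the 9.0 request was already honored
]
```

The last two events show the limit the slide's rule has: a forged request against a client that stays idle for the interval is still honored, so the defense protects active clients, which is where the attack does its damage.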

Page 33: Deauthentication Defense Results

(Chart: packets versus time, 1 to 45 s; series: Attacker, Win XP, Linux Thinkpad, Linux iPaq, MacOS.)

Page 34: More Robust Defense

Page 35: Defense in Depth

(Diagram: the AP records, for each frame from MAC 00-14-A4-2D-BE-1D, its sequence number and received signal strength. The client's own data frames arrive as Num 1 at RSS -35 dBm, Num 2 at -36 dBm, Num 3 at -35 dBm, Num 4 at -34 dBm, then Num 5. The attacker's Deauthentication frame, sent with the same MAC and sequence number Num 4, arrives at RSS -18 dBm. The AP's table therefore reads: Num 1 -35 dBm, Num 2 -36 dBm, Num 3 -35 dBm, Num 4 -18 dBm, Num 4 -34 dBm, with the attacker's frame being the outlier.)
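A sequence-number and signal-strength check of the kind the diagram above suggests, as an added example (not the paper's or presenter's code). My reading of the diagram is an assumption: the AP keeps, per client MAC, the sequence numbers and RSS of recent frames, and treats a frame that reuses a sequence number already seen or arrives far from the client's usual RSS as suspect; the 10 dB tolerance is also assumed.

```python
"""Per-client sequence-number and RSS anomaly check (page 35 diagram).

Added example, not the paper's code. Frames are (mac, seq, rss_dbm, type),
constructed from the numbers on the slide.
"""
RSS_TOLERANCE_DB = 10.0   # assumed threshold; the slide shows -18 vs about -35 dBm


class ClientProfile:
    def __init__(self):
        self.seen_seq = set()
        self.rss_history = []

    def observe(self, seq, rss_dbm):
        self.seen_seq.add(seq)
        self.rss_history.append(rss_dbm)

    def mean_rss(self):
        return sum(self.rss_history) / len(self.rss_history) if self.rss_history else None


def check_frame(profiles, mac, seq, rss_dbm):
    """Return anomaly reasons for this frame (empty list = looks legitimate).
    Only legitimate-looking frames update the profile, so a spoofed frame
    cannot drag the RSS baseline towards the attacker."""
    prof = profiles.setdefault(mac, ClientProfile())
    reasons = []
    if seq in prof.seen_seq:
        reasons.append("duplicate sequence number %d" % seq)
    mean = prof.mean_rss()
    if mean is not None and abs(rss_dbm - mean) > RSS_TOLERANCE_DB:
        reasons.append("RSS %.0f dBm far from profile %.1f dBm" % (rss_dbm, mean))
    if not reasons:
        prof.observe(seq, rss_dbm)
    return reasons


CLIENT_MAC = "00-14-A4-2D-BE-1D"
FRAMES = [
    (CLIENT_MAC, 1, -35, "data"),
    (CLIENT_MAC, 2, -36, "data"),
    (CLIENT_MAC, 3, -35, "data"),
    (CLIENT_MAC, 4, -34, "data"),
    (CLIENT_MAC, 4, -18, "deauth"),   # spoofed: reused seq 4 and a much stronger signal
    (CLIENT_MAC, 5, -35, "data"),
]


def run(frames):
    """Evaluate frames in arrival order; returns (seq, type, reasons) per frame."""
    profiles = {}
    return [(seq, ftype, check_frame(profiles, mac, seq, rss)) for mac, seq, rss, ftype in frames]
```

A retransmitted frame also repeats its sequence number, so a deployment would exempt frames with the retry flag set; the slide does not go into that.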

Page 36: Identity Theft (MAC Spoofing)

- Occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges
- Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and use the network

Page 37: Man-in-the-Middle Attacks

- The attacker entices computers to log into a computer which is set up as a soft AP
- The hacker connects to a real access point through another wireless card
- The hacker can then sniff the traffic

Page 38: Caffe Latte Attack

- A way to defeat WEP
- By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client
- By sending a flood of encrypted ARP requests, the attacker uses the ARP responses to obtain the WEP key in less than 6 minutes

Page 39: Conclusion

- The deauthentication attack is the most immediate concern
- Denial-of-service attacks in 802.11 are very plausible with existing equipment
- Although this research paper was published in 2003, the threat remains for 802.11 networks

Page 40: Thank You!

Questions?

