
DoS Attacks On Wireless Voice Over IP Systems By Brendon Wesley Supervisor- Noria Foukia.

Date post: 03-Jan-2016
DoS Attacks On Wireless Voice Over IP Systems

By Brendon Wesley

Supervisor- Noria Foukia

Abstract

• As converged wireless networks become increasingly widespread, there is an assumption that such systems now have strong confidentiality and reliability.

• While the flaws in WiFi confidentiality mechanisms, namely ‘WEP’, have been highly documented, the concern of reliability has gone reasonably unnoticed.

• The reliability flaws in WiFi are still evident in the majority of today's WiFi devices.

• An IEEE standard resolving this weakness will not be released until 2008.

• This paper outlines various DoS attacks used on 802.11 networks and demonstrates a proof of concept implementation showing how effective they are against a VoIP call.

Quality of Service (QoS)

• Quality of service (QoS) is a general term that is used to describe a number of metrics that themselves describe a specific measure of performance in a network or service. The QoS of a system is determined by four main factors:

• Latency – 150ms one way delay

• Jitter – time varying wireless channel

• Packet loss – 3% maximum for VoIP

• Bandwidth – Depends on security, codecs etc.

N.B. - The paper addresses other QoS considerations in the 802.11 specification (MAC layer of 802.11).

Denial of service attacks

• A denial of service (DoS) attack is used to overload the victim's resources to an extent that it can no longer provide a service to authentic clients.

• wVoIP is extremely vulnerable to DoS attacks because access to the transmission medium is open to anybody with 802.11 hardware.

• Because real-time traffic such as VoIP and video conferencing media is intolerant of even small delays, it is relatively easy to disrupt the service long enough to make it unacceptable for the users.

802.11 management frames

• 802.11a/b/g management frames are used to initiate, manage or discontinue communication between two clients (in ad-hoc mode) or between clients and Access Points (infrastructure mode).

• They are not confidential! and not authenticated!

• Security mechanisms such as WEP, WPA and WPA2 currently provide security services only for data frames, leaving management frames in a readable and forgeable state. This is a major flaw!

State of Connection

• As specified by the Medium Access Control (MAC) and Physical Layer (PHY) Specifications in IEEE 802.11, a client within an 802.11 infrastructure network may be in 1 of 3 states at a time.

1-Unauthenticated and Unassociated.

2-Authenticated and unassociated.

3-Authenticated and associated.

Types of 802.11 management frames

Authentication Frame

• Authentication provides a way for stations to identify themselves to an AP. It is then the AP’s job to decide if authentication will be granted to the client or not.

• Open system or shared key.

Authentication Attack.

• During the authentication process there are a number of packets that need to be exchanged between a client and the AP. A buffer is used to temporarily hold this information while authentication is taking place. Because the size of the buffer limits the number of authentication requests that the AP can process at any one time, it is possible to flood authentication frames to the AP with a pool of random MAC source addresses.

Deauthentication Frame

• If a client or AP wishes to exit the authenticated state, either party may transmit a deauthentication frame. This causes the device(s) to exit the authenticated-associated state and terminate all further communications. This frame is a notification of the client's or access point's intention, as opposed to a request.

Deauthentication attack

A deauthentication frame will also disassociate the station. This is because a client cannot be associated without being authenticated, as specified by one of the three rules above. An attacker masquerading as either the client or the AP can send one of these frames by spoofing the Source Address of that device. The client or AP will immediately discontinue communication with the other.

Association request Frame

• After a client has successfully authenticated with one or more access points, it needs to associate with it in order to utilize its services. An association frame is sent to the AP specifying parameters such as supported data rates and more importantly the SSID of the AP.

Disassociation frame

• A disassociation frame is used by a client or AP to effectively stop communication. This frees up the resources used to maintain the communication. It gives the client the capacity to migrate to a neighboring AP in the same BSS with minimal delay.

Disassociation flooding attack

• The disassociation attack operates on a very similar principle to the deauthentication attack. In this case a disassociation frame is sent to the AP or client by an attacker (by spoofing the client and AP MAC addresses). This will make an AP believe that the client has sent a disassociation frame and wishes to disassociate. The client will attempt to maintain communication, so it will re-associate. The attacker will continuously send disassociation frames to the AP to keep it in the disassociated state.
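Seen from a monitoring sensor, the three attacks above leave a recognisable pattern in unprotected management frames: many distinct source addresses sending authentication frames to one BSSID, or a burst of deauthentication/disassociation frames for one address pair. The following detector is an added example and is not part of the original presentation; the class name, window and thresholds are illustrative assumptions, and the sample frame is constructed.

```python
import struct
from collections import defaultdict, deque

SUBTYPES = {10: "disassoc", 11: "auth", 12: "deauth"}  # management subtypes

def parse_mgmt(frame: bytes):
    """Return (kind, dst, src, bssid) for auth/deauth/disassoc frames, else None."""
    if len(frame) < 24:                        # fixed 802.11 MAC header is 24 bytes
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:  # type 0 = management
        return None
    mac = lambda off: frame[off:off + 6].hex(":")
    return SUBTYPES[subtype], mac(4), mac(10), mac(16)

class FloodDetector:
    """Sliding-window counters; the limits are illustrative assumptions."""
    def __init__(self, window=1.0, teardown_limit=5, auth_src_limit=20):
        self.window = window
        self.teardown_limit = teardown_limit
        self.auth_src_limit = auth_src_limit
        self.teardowns = defaultdict(deque)    # (src, dst) -> (timestamp, src)
        self.auths = defaultdict(deque)        # bssid -> (timestamp, src)

    def observe(self, ts, frame):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        kind, dst, src, bssid = parsed
        key = bssid if kind == "auth" else (src, dst)
        q = (self.auths if kind == "auth" else self.teardowns)[key]
        q.append((ts, src))
        while ts - q[0][0] > self.window:      # drop entries older than the window
            q.popleft()
        if kind == "auth":                     # many distinct sources fill the AP buffer
            if len({s for _, s in q}) > self.auth_src_limit:
                return f"auth flood against {bssid}"
        elif len(q) > self.teardown_limit:     # repeated teardown for one address pair
            return f"{kind} flood {src} -> {dst}"
        return None

# Constructed sample: deauth, source aa:bb:cc:dd:ee:ff, destination 00:11:22:33:44:55, reason 7
SAMPLE_DEAUTH = bytes.fromhex("c0003a01" "001122334455" "aabbccddeeff" "aabbccddeeff" "0000" "0700")

def run_sample():
    """Feed ten copies of the sample frame 10 ms apart and return the alerts raised."""
    det = FloodDetector()
    alerts = [det.observe(i * 0.01, SAMPLE_DEAUTH) for i in range(10)]
    return [a for a in alerts if a]
```

Frames taken from a capture usually carry a radiotap or similar header that must be stripped before `parse_mgmt` sees them.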

My Implementation

• Access Point: D-Link Airplus Xtreme G wireless router.

• Client 1: Compaq Laptop (Windows XP) with Enterasys 802.11g wireless network adapter.

• Client 2: Compaq Laptop (Windows XP) with Linksys 802.11g USB wireless network adapter

• Attacker: Insite PC (Linux Kernel 2.6.16 Fedora Core 5)

• Sniffer: HP Laptop (Windows XP) running Ethereal and airodump-ng

Aireplay-ng

Ethereal Packet Capture

DoS attack

[Figure: Deauthentication Flood effect on VoIP latency. Y axis: Latency (ms), 0 to 800; X axis: Seconds, 1 to 19; two plotted series (Series1, Series2).]

Protection For sensitive 802.11 management frames

• 802.11w (task group w) is an IEEE standard that is due for release in April 2008 to provide a degree of protection for 802.11 management frames.

• It extends the functionality of 802.11i (WPA2) to provide encryption and integrity not only for data frames but for some types of management frames as well.

802.11 Management Frame

Recommendations

• Utilise a timer when a station sends a deauthentication frame to the access point. If the station sends data frames to the AP within a certain time period, the AP will not deauthenticate the station and will assume an attack has occurred.

• Weak form of protection which is not practical to implement. Hard to modify firmware of devices!

• Contacted RoamAD (converged voice/data networks) to ask how their commercial WiFi networks were protected. Very surprised to find that not many companies do much outside of the 802.11 spec.

• as lack of interoperability between systems and platforms, incompatible hardware, difficult upgrades of software and hardware.

• Wait until 802.11w!
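The timer recommendation above, modelled as a small simulation of an AP's per-station state. This is an added example, not code from the presentation or from any access point firmware; the class name, the 0.5 s hold time and the station address are assumptions.

```python
from enum import Enum

class State(Enum):                 # the three connection states listed on the slides
    UNAUTH_UNASSOC = 1
    AUTH_UNASSOC = 2
    AUTH_ASSOC = 3

class DeferredDeauthAP:
    """Toy AP model: a deauthentication only takes effect after `hold` seconds of silence."""
    def __init__(self, hold=0.5):  # hold time is an illustrative assumption
        self.hold = hold
        self.state = {}            # station MAC -> State
        self.pending = {}          # station MAC -> time the first deauth arrived
        self.suspected = []        # (station, time) where data contradicted a deauth

    def associate(self, sta):
        self.state[sta] = State.AUTH_ASSOC

    def tick(self, now):
        """Commit deauthentications whose hold timer has run out."""
        for sta, t in list(self.pending.items()):
            if now - t >= self.hold:
                del self.pending[sta]
                self.state[sta] = State.UNAUTH_UNASSOC

    def on_deauth(self, sta, now):
        self.tick(now)
        if self.state.get(sta) is State.AUTH_ASSOC:
            self.pending.setdefault(sta, now)   # repeats do not restart the timer

    def on_data(self, sta, now):
        self.tick(now)
        if sta in self.pending:                 # station is still talking: ignore the deauth
            del self.pending[sta]
            self.suspected.append((sta, now))
        return self.state.get(sta) is State.AUTH_ASSOC

def simulate():
    ap, sta = DeferredDeauthAP(), "00:11:22:33:44:55"   # constructed station address
    ap.associate(sta)
    for ms in range(0, 1000, 10):               # 1 s of traffic
        if ms % 50 == 0:
            ap.on_deauth(sta, ms / 1000)        # deauth claiming to come from sta
        if ms % 20 == 0:
            ap.on_data(sta, ms / 1000)          # the station's VoIP frames keep arriving
    during = ap.state[sta]
    ap.on_deauth(sta, 2.0)                      # station really leaves and goes silent
    ap.tick(2.6)
    return during, len(ap.suspected), ap.state[sta]
```

In the simulated flood the station stays associated and each contradicted deauthentication is recorded, while a deauthentication followed by silence still completes once the hold time expires.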

What else is in the report?

• Security in VoIP

• Frequency jamming

• WiMax Management frames

• WiFi VoIP networks in New Zealand. A threat to 3G??

• What do commercial wLAN providers do to mitigate the effects of DoS attacks on VoIP in NZ?

• Bottleneck at crypto engine (IPsec)

Acknowledgments

• Noria Foukia (Supervisor)

• Cameron Kerr (Linux Guru)

• Da Deng (Acting H.O.D)

