Natalie Podrazik – CS 491V – natalie2@umbc.edu

Page 1:

“802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”

Natalie Podrazik
April 19, 2006
natalie2@umbc.edu

Page 2: Overview

I. What is 802.11
II. 802.11 Vulnerabilities
    I. Identity
    II. MAC Layer
III. Experiment
    I. Tools and Modifications
    II. Results
IV. Conclusions
V. Relevancy to E-Voting Project

Page 3: What is 802.11?

• IEEE wireless internet standard
• 802.11b, 802.11a, 802.11g flavors
• Popular
• Cheap
• Easy to set up, maintain
• Operates on 2.4 GHz band

Page 4: How does 802.11 work?

[Diagram: messages exchanged between Client (name: ABCDEFGHIJKL) and Access Point (name: AccessPoint00)]

• Authentication Request & Response
• Association Request & Response
• Data Payload
• Acknowledgements
• Deauthentication Request & Response

Page 5: Vulnerabilities

1. Identity
  • Use of MAC frames with sender and receiver
2. MAC Layer
  • Use of MAC frames to avoid collisions

[Diagram: Client (name: MNOPQRSTUVWX) sends a frame "To: AccessPoint00, From: MNOPQRSTUVWX, Duration: 100 µs". Labels: Frame, Spoofing, Stalling. Caption: "Hi, I’m ABCDEFGHIJKL..."]

Page 6: Spoof Attack 1: Deauthentication

[Diagram: Client (name: ABCDEFGHIJKL), Access Point (name: AccessPoint00) and Attacker (name: MNOPQRSTUVWX)]

• Authentication Request & Response
• Association Request & Response
• Data Payload
• Deauthentication Request
• Deauthentication Response (marked with an "x")

Page 7: Approaches to Deauthentication

• Spoof client or Access Point

[Diagram: Attacker (name: MNOPQRSTUVWX) sends two MAC frames, one to Access Point (name: AccessPoint00) and one to Client (name: ABCDEFGHIJKL)]

MAC Frame: To: AccessPoint00, From: ABCDEFGHIJKL, Msg: DEAUTH
MAC Frame: To: ABCDEFGHIJKL, From: AccessPoint00, Msg: DEAUTH

Page 8: Strength of Deauthentication Attack

• Client must re-establish connection
• Prevention of sending or receiving any data
• Possibilities
  • Forbid or limit access to certain clients
  • Block entire access point
• More work for attacker
• Clean attacks – new auths
• No escape for client to other AP’s

Page 9: Spoof Attack 2: Disassociation

[Diagram: Client (name: ABCDEFGHIJKL), Access Point (name: AccessPoint00) and Attacker (name: MNOPQRSTUVWX)]

• Authentication Request & Response
• Association Request & Response
• Data Payload
• Disassociation Request
• Deauthentication Response (marked with an "x")

Page 10: Evaluation of Disassociation Attack

• Similar to deauthentication
• Less efficient
• Deauthentication forces the client to do more work: re-establish authentication + association
• Disassociation only forces client to re-establish association, not authentication.

Page 11: Spoof Attack #3: While you were sleeping...

• Power-saving techniques allow clients to go to sleep

[Diagram: Client (name: ABCDEFGHIJKL) and Access Point (name: AccessPoint00) with buffer slots 0 to 7. Captions, in order: "I’m going to sleep"; "Ok, I’ll take your messages."; "zzzzz"; "I’m awake. Any messages?"]

Page 12: Spoofing the Polling Message

[Diagram: Access Point (name: AccessPoint00) with buffer slots 0 to 7, Client (name: ABCDEFGHIJKL) and Attacker (name: MNOPQRSTUVWX). Captions, in order: "zzzzz"; "I’m awake. Any messages?"; "I’m ABCDEFGHIJK, and I’m awake."; "Nope."; the buffer slots are marked with an "x"]

Page 13: TIM Packets

• Traffic Indication Map
• Spoof broadcast of TIM

[Diagram: Access Point (name: AccessPoint00) with buffer slots 0 to 7 and sleeping Client (name: ABCDEFGHIJKL, "zzzzz"). TIM caption: "No pending messages for ABCDEFGHIJKL"]

Page 14: Timing

• Waking up timing relies on:
  • Period of TIM packets
  • Timestamp broadcast from access point
• Both are sent in the clear
• Attack:
  • Get client out of sync
  • Wake up at the wrong times

Page 15: MAC Vulnerabilities

• Access to MAC divided into windows
• Short InterFrame Space (SIFS)
  • For already connected exchanges
• Distributed Coordination Function InterFrame Space (DIFS)
  • To initiate new frames
• Sender specifies which window
• No immediate ACK = collision
• Random exponential backoff algorithm

MAC Frame: To: AccessPoint00, From: ABCDEFGHIJKL, Window: DIFS

Page 16: MAC Attack #1: Waiting to Transmit

• Every transmitting node has to wait at least 1 SIFS interval
• Attack: send short message before end of each SIFS interval
• Unlikely: SIFS period = 20 µs, many packets per second to send

[Diagram: timeline showing 1 SIFS interval (20 µs) followed by Backoff]

Page 17: MAC Attack #2: Duration

• Every 802.11 frame has a duration field
  • How many µs the channel will be reserved
• Used to set up Network Allocation Vector (NAV)
• Nodes can only transmit when NAV == 0

MAC Frame: To: AccessPoint00, From: MNOPQRSTUVWX, Duration: 32767 µs

Page 18: Duration Attacks

• Possible to use almost any frame to control NAV
  • ACK
  • RTS (Request To Send) / CTS (Clear To Send)
• Attacker uses few resources
  • Transmit ~30 times / second to jam channel
  • Little power used
  • Use of a directional antenna

Page 19: Experiment

• Challenge:
  • Modifying MAC frames to spoof sender address
  • Generating any old control frames
• Solution:
  • Tweak “Buffer Access Path” firmware and Aux-Port
  • Intervenes between NIC’s passing of packets to hardware
• Attacks via OTS hardware

Page 20: Attacker

• iPAQ H3600 with Dlink DWL-650 card
• Linux
• Weighs 375 g (~12 oz)
• Easily fits in a coat pocket
• Listening application
• Clients identified by MAC addresses
• DNS-resolver used

Page 21: Experiments

[Diagram: Access Point (Linux HostAP), Attacker, Monitoring Station, and four clients: Client (Windows XP), Client (Linux Thinkpad), Client (MacOS X), Client (Linux iPaq)]

Page 22: Attack #1: Deauth Against One

[Diagram: Access Point (Linux HostAP), Attacker, Monitoring Station, and three clients: Client (Linux Thinkpad), Client (MacOS X), Client (Linux iPaq)]

Page 23: Single Client Attack

• Transfer immediately halted
• Attack lasted for < 10 sec
• Rate of transfer wasn’t up to par for more than a minute

[Figure label: Recovery]

Page 24: Attack #2: Deauth Against All

[Diagram: Access Point (Linux HostAP), Attacker, Monitoring Station, and three clients: Client (Linux Thinkpad), Client (MacOS X), Client (Linux iPaq)]

Page 25: Attack Against All Clients

• Windows XP can still send a little bit
• Packets not from that session – underlying UDP packets from another XP service

Page 26: MAC Attack

• Plays by timing rules but sets large durations
• Sends packets out 30 times per second
• Ignores all duration values from any other node

[Diagram: Access Point, Monitoring Station and Attacker. Note: 18 client nodes in this experiment]

Page 27: Results of MAC Attack

• Channel is completely blocked for the duration of the attack
• Similar results with ACK and RTS/CTS frames

Page 28: Defenses to MAC Attack

• Cap on duration values
• Sending 90 packets per second brought network down
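The cap on duration values listed above, modelled as an added example (it is not from the slides or the cited paper): a listening node's NAV is tracked over one second of constructed traffic, with and without a cap, and senders that repeatedly exceed the cap are flagged. The 3000 µs cap, the 314 µs client duration and all function names are assumptions.

```python
from collections import Counter

MAX_DURATION_US = 32767   # duration value shown in the slide's MAC frame
CAP_US = 3000             # assumed cap, chosen only for this example

def idle_fraction(frames, window_us, cap_us=None):
    """Fraction of [0, window_us) in which a listening node's NAV == 0.

    frames: (arrival_us, sender, duration_us) tuples sorted by arrival time.
    cap_us: when set, durations above it are clamped before NAV is updated.
    """
    nav_until = 0          # absolute time at which the NAV counts down to 0
    reserved = 0           # microseconds of the window covered by the NAV
    for arrival, _sender, duration in frames:
        if arrival >= window_us:
            break
        if cap_us is not None:
            duration = min(duration, cap_us)
        new_until = min(arrival + duration, window_us)
        if new_until > nav_until:          # NAV only ever moves forward
            reserved += new_until - max(nav_until, arrival)
            nav_until = new_until
    return 1 - reserved / window_us

def over_cap_senders(frames, cap_us, min_hits=5):
    """Source addresses that repeatedly ask for more than cap_us.

    Addresses can be spoofed, so treat the result as an alert, not attribution.
    """
    hits = Counter(s for _, s, d in frames if d > cap_us)
    return {s for s, n in hits.items() if n >= min_hits}

def constructed_traffic():
    """One second of constructed frames: 30 large-duration frames per second
    from one station, plus 10 ordinary frames from a client."""
    large = [(i * 33_333, "MNOPQRSTUVWX", MAX_DURATION_US) for i in range(30)]
    normal = [(i * 100_000 + 50_000, "ABCDEFGHIJKL", 314) for i in range(10)]
    return sorted(large + normal)

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("idle, no cap :", round(idle_fraction(traffic, 1_000_000), 4))
    print("idle, capped :", round(idle_fraction(traffic, 1_000_000, CAP_US), 4))
    print("flagged      :", over_cap_senders(traffic, CAP_US))
```

In this model the uncapped node sees the channel as free for under 2% of the second, while the capped node sees it free for about 91%; the model covers NAV bookkeeping only, not contention or retransmission.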

Page 29: Overall Recommendations

• Authentication of 802.11 control packets
• Limiting the size of ACK frames
• Individual nodes’ duration threshold
• Situational Awareness

Page 30: New and Relevant

• Modifying frames at data link layer through OTS hardware
• Strength of attacks
• Ease of attack
• Scale of attack
• Resources needed
• Capabilities of modern cell phones

Page 31: Mobile Devices

[Pictured devices:]
• iPAQ H6315 Pocket PC
• F1000G
• LinkSys WIP300
• 8215 Smartphone
• T-Mobile M/DA
• Verizon XV6700

Page 32: AVS WINvote

Page 33: Works Cited

1. "Access Point". Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point
2. Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August 2003.
3. Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networking." Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.html
4. "HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htm
5. "Media Access Control". Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control
6. "Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com
7. "UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/
8. "Wi-Fi". Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi