
Denial of Service Attacks Against 802.11 Wireless Networks

June 7th, 2004

By: Benjamin Humble, Eric Sundholm

ECE 478: Final Project

Denial of Service Attacks Against 802.11b Wireless Networks. By: Benjamin Humble & Eric Sundholm. June 7th, 2004

Topics:

• Traditional Wireless Jamming
  – Definitions
  – Methods
  – Examples
  – Strengths
  – Weaknesses

• The 802.11b Vulnerability
  – The IEEE 802.11b Standard
  – Clear Channel Assessment (CCA) Algorithm
  – Flaw Uncovered
  – What’s wrong and why?

• Who’s At Risk?

• Solutions

Traditional Wireless Jamming

Definitions:

• Jamming: To interfere with or prevent the clear reception of (broadcast signals) by electronic means¹

• Passive Jamming: such as putting up buildings made of material that block out cell phone signals²

¹ www.dictionary.com
² www.stargeek.com

Methods:

• In almost every case, jamming causes a denial of service type attack to either server or client, sender or receiver.

• In a few isolated cases, the use of jamming equipment can be seen as a man-in-the-middle attack.¹

¹ Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu

Past Methods:

• Some older analog methods (including radar jamming) are:

  – Simply broadcasting noise into the system so that the original message is lost and unintelligible. This usually requires the noise to be at an equal amplitude level to the jammed signal.

  – In the case of radar jamming it is possible to send back to the detector the same signal that was sent out. This would cause the receiver to believe that no target was found.¹

  – Similarly, instead of a no-target situation, more or fewer targets than really exist can be sent back.¹

¹ www.maclean-nj.com

Modern Methods:

• More modern approaches include jamming of wireless computer communication

  – The easiest form is to continually transmit useless data to the point where the servers become overloaded. This would cause a denial of service attack to all other clients.¹

• Inputting noise into the system still works, and has a clever advantage with computer systems

  – The inputted noise signal can be of lower amplitude (and therefore power) which can cause DBR (death by retry). This is when the signal to noise ratio becomes severely compromised and the receiver must constantly re-request that the message be sent. This could form an endless loop, hence DBR.¹

¹ www.maclean-nj.com

Modern Methods: (cont’d)

• In a worst case scenario it is impossible to defend against a radio jamming attack.

  – A clever attacker can simply jam all frequencies so that these listed advanced methods will not work¹

    • Spread spectrum systems
    • Frequency hopping spread spectrum

  – The frequencies used for 802.11b and low bandwidth (< 20 Mbps) 802.11g standard operating ranges are²:

    • Unlicensed 2.4 GHz band
    • Unlicensed 5.2 GHz band

¹ Anthony G Persaud, Anti-Jamming Receiver Designs and Techniques, www.public.iastate.edu
² www.nwfusion.com

Modern Methods: (cont’d)

• It can be noted that many of the older methods can be adopted and tweaked to wreak havoc on modern computer systems. The automation of these systems can be their undoing, just like with the death by retry example.

Examples:

• Radio operators have to listen for and identify common jamming signals so that they can be filtered out. Some of these common signals include¹:

  – Random Noise
  – Random Pulse
  – Stepped Tones
  – Wobbler
  – Random Keyed Modulated Continuous Wave
  – Tone
  – Rotary
  – Pulse
  – Spark
  – Recorded Sounds
  – Gulls
  – Sweep-Through

¹ www.tpub.com

Strengths:

• Locating the Source: Many times, finding the source of the jamming signal must be done physically, so the attacker is hard to locate.

• Detection: Most people have no idea if a jamming signal is in use. It simply appears as if there is no service. Such is the case with cell phones, or wireless networks.¹

• Cost: Equipment cost is relatively cheap when compared to the brute force methods of other computer-oriented security attacks.

² www.stargeek.com

Weaknesses:

• Limited use: Jamming is limited since most attacks can only be used as denial of service attacks

• Power: In most cases the power needed to overcome and jam a signal is too great to be practical. Exceptions to this, however, include:

  – Satellite jamming: Transmitted signal strength degrades as a function of distance squared. Therefore, an attacker that is much closer to the receiver than the satellite does not have to use the same power output to match the original satellite transmission.

  – 802.11 CCA exploitation: To be discussed in later slides

• Range: Range is usually limited by the power of the attacker’s transmitter

The 802.11 Vulnerability

The IEEE 802.11b Standard:

• Established in 1997 by the Institute of Electrical and Electronics Engineers (IEEE)¹

• Quickly became the most commonly used standard for wireless communication

• Only available connection to a wireless network in 99.9% of all cases²

• Remains the most commonly used wireless protocol despite the development of more advanced and more secure standards

¹ www.ieee.com
² maccentral.macworld.com

Clear Channel Assessment (CCA):

• Algorithm used by 802.11 networks to determine if a radio frequency (RF) channel is free for use¹

• Performed by a Direct Sequence Spread Spectrum (DSSS) physical layer²

• Prevents transmission of data by either client or access point (AP) until a channel becomes free

¹ www.kb.cert.org
² www.auscert.org.au

IEEE 802.11b Flaw Uncovered:

• Flaw reported May 13th, 2004 by associate professor Mark Looi at Queensland University of Technology’s (QUT) Information Security Research Centre¹

• Discovered by professor Looi’s graduate students Christian Wullems, Kevin Tham and Jason Smith while investigating mechanisms for protecting wireless devices from hacking

• US-CERT Vulnerability Note² VU#106678

¹ maccentral.macworld.com
² www.kb.cert.org

What’s Wrong and Why?

• A specially crafted RF signal can cause the CCA algorithm to believe there are no free channels

• This type of signal is sometimes called “jabber”

• Attack prevents any wireless communication to or from any client or access point within range of the jamming

• Unlike traditional jamming, exploiting the CCA flaw requires no more power than normal operation for a wireless device

• Attack can be implemented by a modified $35 network card and laptop or even a wireless enabled PDA¹

¹ maccentral.macworld.com

What’s Wrong and Why? (cont’d)

• Due to low-power nature of the attack, locating the attacker is nearly impossible (though locating the access point(s) affected is simple)

• Wireless communication will be disrupted as long as the attack remains underway

• Capable of shutting down all wireless transmissions within a 1km radius in 5 to 8 seconds¹

¹ maccentral.macworld.com
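
A defender-side check for the symptom these two slides describe, added here as an example and not part of the original presentation: the medium is sensed busy almost continuously while nothing decodable arrives, which is what separates this condition from ordinary congestion. The per-second counters (`busy_fraction`, `frames_ok`), the thresholds and the sample data are assumptions constructed for illustration; how a given driver exposes CCA busy time varies.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int                # interval start, in seconds
    busy_fraction: float  # share of the interval CCA reported the medium busy (hypothetical counter)
    frames_ok: int        # frames decoded with a valid checksum in the interval (hypothetical counter)

def classify(s, busy_min=0.95, frames_max=2):
    """Label one interval. Thresholds are illustrative assumptions, not standard values."""
    if s.busy_fraction >= busy_min and s.frames_ok <= frames_max:
        return "busy-no-traffic"   # medium held busy, yet nothing decodable is on air
    if s.busy_fraction >= busy_min:
        return "congested"         # busy because real frames are being exchanged
    return "normal"

def find_cca_starvation(samples, min_run=5, **thresholds):
    """Return (start_t, end_t) for each run of >= min_run consecutive busy-no-traffic intervals."""
    windows, run = [], []
    for s in samples:
        if classify(s, **thresholds) == "busy-no-traffic":
            run.append(s.t)
            continue
        if len(run) >= min_run:
            windows.append((run[0], run[-1]))
        run = []
    if len(run) >= min_run:        # a run may still be open at the end of the data
        windows.append((run[0], run[-1]))
    return windows

# Constructed samples, one per second, as seen by a monitoring station.
SAMPLES = (
    [Sample(t, 0.20, 40) for t in range(0, 5)]       # light load
    + [Sample(t, 0.97, 310) for t in range(5, 10)]   # heavy but legitimate load
    + [Sample(t, 1.00, 0) for t in range(10, 18)]    # medium busy, no frames decoded
    + [Sample(18, 0.30, 55)]                         # service recovers
    + [Sample(t, 0.99, 1) for t in range(19, 22)]    # short burst, below min_run
)

if __name__ == "__main__":
    for start, end in find_cca_starvation(SAMPLES):
        print(f"suspected CCA starvation from t={start}s to t={end}s")
```

Requiring a sustained run keeps brief interference bursts from raising an alert, and the frame count keeps a heavily loaded but healthy channel from being mistaken for one.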

Who’s at Risk?

• All IEEE 802.11, 802.11b, and low bandwidth (< 20 Mbps) 802.11g wireless networks are vulnerable

• This accounts for 99.9% of all wireless computer networks¹

• IEEE 802.11a and high bandwidth only (> 20 Mbps) 802.11g wireless networks do not use the same CCA algorithm and therefore are not vulnerable

• Flaw is not network implementation specific, it is inherent to the IEEE standard²

¹ maccentral.macworld.com
² www.kb.cert.org

Who’s at Risk? (cont’d)

• Attack operates at the hardware level, therefore WEP, WPA, WLAN security measures have no effect

• In some countries, wireless networks are used to control infrastructures such as railways, energy transmission and other utilities¹

• Any network that is not completely physically isolated (middle of the desert, Faraday cage etc…) is vulnerable to this attack

¹ maccentral.macworld.com
² www.kb.cert.org

Solutions:

NONE

Solutions: (cont’d)

• The flaw is inherent to the IEEE 802.11 standard and its use of the Clear Channel Assessment algorithm

• There are no known solutions for preventing this attack on a vulnerable system

• The best option for preventing this type of attack is to use a wireless standard that is not vulnerable (i.e. 802.11a or 802.11g)

• In general, it is impossible to completely protect a wireless network from denial of service attacks based on radio frequency (RF) jamming

Questions?

Questions or Comments?

• Benjamin Humble ([email protected])

• Eric Sundholm ([email protected])