TRANSCRIPT
Natalie Podrazik – CS 491V – [email protected]
"802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions"
Natalie Podrazik, April 19, 2006
Overview
I. What is 802.11
II. 802.11 Vulnerabilities
   I. Identity
   II. MAC Layer
III. Experiment
   I. Tools and Modifications
   II. Results
IV. Conclusions
V. Relevancy to E-Voting Project
What is 802.11?
• IEEE wireless internet standard
• 802.11b, 802.11a, 802.11g flavors
• Popular
• Cheap
• Easy to set up, maintain
• Operates on 2.4 GHz band
How does 802.11 work?
[Diagram: Client (name ABCDEFGHIJKL) and Access Point (name AccessPoint00) exchange the following:]
Authentication Request & Response
Association Request & Response
Data Payload
Acknowledgements
Deauthentication Request & Response
Vulnerabilities
1. Identity
   • Use of MAC frames with sender and receiver
2. MAC Layer
   • Use of MAC frames to avoid collisions
[Diagram: a second client (name MNOPQRSTUVWX) sends a MAC frame "To: AccessPoint00 / From: MNOPQRSTUVWX / Duration: 100 µs" to the access point; labels: Frame Spoofing, Stalling; the client also claims "Hi, I'm ABCDEFGHIJKL..."]
Spoof Attack 1: Deauthentication
[Diagram: Client ABCDEFGHIJKL, Access Point AccessPoint00, Attacker MNOPQRSTUVWX]
Authentication Request & Response
Association Request & Response
Data Payload
Deauthentication Request
x Deauthentication Response
Approaches to Deauthentication
• Spoof client or Access Point
[Diagram: Attacker MNOPQRSTUVWX emits two spoofed MAC frames:
   To: AccessPoint00 / From: ABCDEFGHIJKL / Msg: DEAUTH
   To: ABCDEFGHIJKL / From: AccessPoint00 / Msg: DEAUTH]
Strength of Deauthentication Attack
• Client must re-establish connection
• Prevention of sending or receiving any data
• Possibilities
   • Forbid or limit access to certain clients
   • Block entire access point
      • More work for attacker
      • Clean attacks – new auths
      • No escape for client to other AP's
Spoof Attack 2: Disassociation
[Diagram: Client ABCDEFGHIJKL, Access Point AccessPoint00, Attacker MNOPQRSTUVWX]
Authentication Request & Response
Association Request & Response
Data Payload
Disassociation Request
x Deauthentication Response
Evaluation of Disassociation Attack
• Similar to deauthentication
• Less efficient
   • Deauthentication forces the client to do more work: re-establish authentication + association
   • Disassociation only forces the client to re-establish association, not authentication.
Spoof Attack #3: While you were sleeping...
• Power-saving techniques allow clients to go to sleep
[Diagram: Client ABCDEFGHIJKL tells Access Point AccessPoint00 "I'm going to sleep"; the AP replies "Ok, I'll take your messages." and buffers them in slots 0–7; the client sleeps (zzzzz), then asks "I'm awake. Any messages?" and receives the buffered slots 0–7]
Spoofing the Polling Message
[Diagram: while Client ABCDEFGHIJKL sleeps (zzzzz), Attacker MNOPQRSTUVWX polls Access Point AccessPoint00 with "I'm ABCDEFGHIJK, and I'm awake. Any messages?"; the AP releases the buffered slots 0–7 (x); when the real client wakes and asks "I'm awake. Any messages?", the AP answers "Nope."]
TIM Packets
• Traffic Indication Map
• Spoof broadcast of TIM
[Diagram: Client ABCDEFGHIJKL sleeps (zzzzz) after receiving a TIM reading "No pending messages for ABCDEFGHIJKL", while Access Point AccessPoint00 still holds buffered slots 0–7]
Timing
• Waking up timing relies on:
   • Period of TIM packets
   • Timestamp broadcast from access point
• Both are sent in the clear
• Attack:
   • Get client out of sync
   • Wake up at the wrong times
MAC Vulnerabilities
• Access to MAC divided into windows
   • Short InterFrame Space (SIFS)
      • For already connected exchanges
   • Distributed Coordination Function InterFrame Space (DIFS)
      • To initiate new frames
• Sender specifies which window
• No immediate ACK = collision
   • Random exponential backoff algorithm
[Diagram: MAC Frame "To: AccessPoint00 / From: ABCDEFGHIJKL / Window: DIFS"]
MAC Attack #1: Waiting to Transmit
• Every transmitting node has to wait at least 1 SIFS interval
• Attack: send short message before end of each SIFS interval
• Unlikely: SIFS period = 20 µs, many packets per second to send
[Diagram: timeline of 1 SIFS interval (20 µs) followed by Backoff]
MAC Attack #2: Duration
• Every 802.11 frame has a duration field
   • How many µs the channel will be reserved
• Used to set up the Network Allocation Vector (NAV)
• Nodes can only transmit when NAV == 0
[Diagram: MAC Frame "To: AccessPoint00 / From: MNOPQRSTUVWX / Duration: 32767 µs"]
Duration Attacks
• Possible to use almost any frame to control NAV
   • ACK
   • RTS (Request To Send) / CTS (Clear To Send)
• Attacker uses little resources
   • Transmit ~30 times / second to jam channel
   • Little power used
   • Use of a directional antenna
Experiment
• Challenge:
   • Modifying MAC frames to spoof sender address
   • Generating any old control frames
• Solution:
   • Tweak "Buffer Access Path" firmware and Aux-Port
   • Intervenes between NIC's passing of packets to hardware
   • Attacks via OTS hardware
Attacker
• iPAQ H3600 with Dlink DWL-650 card
• Linux
• Weighs 375 g (~12 oz)
• Easily fits in a coat pocket
• Listening application
   • Clients identified by MAC addresses
   • DNS-resolver used
Experiments
[Diagram of the test bed: Access Point (Linux HostAP); Clients: Windows XP, Linux Thinkpad, MacOS X, Linux iPaq; Attacker; Monitoring Station]
Attack #1: Deauth Against One
[Diagram: Access Point (Linux HostAP); Attacker; Clients: Linux Thinkpad, MacOS X, Linux iPaq; Monitoring Station]
Single Client Attack
• Transfer immediately halted
• Attack lasted for < 10 sec
• Rate of transfer wasn't up to par for more than a minute
[Graph annotation: Recovery]
Attack #2: Deauth Against All
[Diagram: Access Point (Linux HostAP); Clients: Linux Thinkpad, MacOS X, Linux iPaq; Monitoring Station; Attacker]
Attack Against All Clients
• Windows XP can still send a little bit
   • Packets not from that session – underlying UDP packets from another XP service
MAC Attack
[Diagram: Access Point; Monitoring Station; Attacker; 18 client nodes in this experiment]
• Plays by timing rules but sets large durations
• Sends packets out 30 times per second
• Ignores all duration values from any other node
Results of MAC Attack
• Channel is completely blocked for the duration of the attack
• Similar results with ACK and RTS/CTS frames
Defenses to MAC Attack
• Cap on duration values
• Sending 90 packets per second brought network down
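To show why a cap on accepted duration values works, here is an added example (not from the slides or the Bellardo/Savage paper) that models a listening node's NAV: it replays the slide's scenario of one station repeating the maximum 32767 µs duration 30 times a second, once with no cap and once with an assumed 2 ms cap. The Frame record, the constructed trace and the cap value are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    t_us: int          # time the frame is overheard, in microseconds
    src: str           # claimed sender (802.11 does not authenticate it)
    duration_us: int   # value of the 802.11 duration field


def nav_blocked_time(frames, cap_us=None):
    """Simulate a listening node's NAV and return (blocked_us, flagged_frames).

    blocked_us is the total time the NAV is non-zero, i.e. the node may not
    transmit. With cap_us set, the node honours at most cap_us per frame and
    reports every frame that asked for more: the duration-cap defense.
    """
    nav_end = 0       # absolute time at which the current reservation expires
    blocked = 0
    flagged = []
    for f in sorted(frames, key=lambda fr: fr.t_us):
        d = f.duration_us
        if cap_us is not None and d > cap_us:
            flagged.append(f)
            d = cap_us
        new_end = f.t_us + d
        # NAV update rule: a received duration only ever extends the NAV
        if new_end > nav_end:
            blocked += new_end - max(f.t_us, nav_end)
            nav_end = new_end
    return blocked, flagged


def max_duration_trace(frames_per_second=30, duration_us=32767, seconds=1):
    """Constructed trace: one station repeating the maximum duration value."""
    gap = 1_000_000 // frames_per_second
    return [Frame(t_us=i * gap, src="station-x", duration_us=duration_us)
            for i in range(frames_per_second * seconds)]


if __name__ == "__main__":
    trace = max_duration_trace()
    no_cap, _ = nav_blocked_time(trace)
    capped, flagged = nav_blocked_time(trace, cap_us=2000)
    print(f"no cap:   NAV busy {no_cap / 10_000:.1f}% of the second")
    print(f"2 ms cap: NAV busy {capped / 10_000:.1f}%, {len(flagged)} frames flagged")
```

With no cap the 30 frames reserve 983010 µs of every second (98.3%), which is the "completely blocked" channel of the previous slide; the 2 ms cap reduces that to 6% while flagging all 30 frames for the monitoring station.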
Overall Recommendations
• Authentication of 802.11 control packets
• Limiting the size of ACK frames
• Individual nodes' duration threshold
• Situational Awareness
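As an added example of the situational-awareness recommendation (not code from the slides or the paper), the following detector, meant to run on a monitoring station like the one in the experiments, flags the two signatures of spoofed deauthentication described earlier: a burst of deauth/disassoc frames from one claimed sender, and a client that re-authenticates immediately after being told to leave. The frame records, MAC addresses and thresholds are constructed assumptions; the management subtype values are the standard 802.11 ones.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame control field)
AUTH, DISASSOC, DEAUTH = 0xB, 0xA, 0xC


def detect_deauth_flood(frames, ap, window_ms=1000, max_per_window=5, reauth_gap_ms=500):
    """Scan overheard management frames and return a list of (kind, station, t_ms).

    'flood': one claimed source sent more than max_per_window deauth/disassoc
    frames within window_ms (the source is usually the spoofed AP or client).
    'reauth_after_deauth': a client told to leave authenticates again at once,
    which a client that really wanted to leave would not do.
    """
    recent = defaultdict(deque)   # claimed source -> timestamps of its deauth/disassoc
    last_kick = {}                # client -> time it was last deauthenticated/disassociated
    alerts = []
    for f in sorted(frames, key=lambda fr: fr["t_ms"]):
        t, src = f["t_ms"], f["src"]
        if f["subtype"] in (DEAUTH, DISASSOC):
            q = recent[src]
            q.append(t)
            while t - q[0] > window_ms:
                q.popleft()
            if len(q) > max_per_window:
                alerts.append(("flood", src, t))
            # the station being kicked is whichever end of the frame is not the AP
            last_kick[f["dst"] if src == ap else src] = t
        elif f["subtype"] == AUTH and src in last_kick and t - last_kick[src] <= reauth_gap_ms:
            alerts.append(("reauth_after_deauth", src, t))
    return alerts


def sample_capture():
    """Constructed trace: ten deauths claiming to come from the AP, 100 ms apart, each
    answered by the victim re-authenticating 20 ms later, plus one genuine disassociation."""
    ap, victim, other = "02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = []
    for i in range(10):
        frames.append({"t_ms": i * 100, "subtype": DEAUTH, "src": ap, "dst": victim})
        frames.append({"t_ms": i * 100 + 20, "subtype": AUTH, "src": victim, "dst": ap})
    frames.append({"t_ms": 5000, "subtype": DISASSOC, "src": other, "dst": ap})
    return ap, frames


if __name__ == "__main__":
    ap, frames = sample_capture()
    for alert in detect_deauth_flood(frames, ap):
        print(alert)
```

Because the sender address is unauthenticated, the flood alerts name the AP's own address; the detector can say that someone is impersonating it, not who, which is exactly why the first recommendation above is authentication of control packets.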
New and Relevant
• Modifying frames at data link layer through OTS hardware
• Strength of attacks
   • Ease of attack
   • Scale of attack
   • Resources needed
   • Capabilities of modern cell phones
Mobile Devices
• iPAQ H6315 Pocket PC
• F1000G
• LinkSys WIP300
• 8215 Smartphone
• T-Mobile M/DA
• Verizon XV6700
AVS WINvote
Works Cited
1. "Access Point". Wikipedia. Last updated: 13 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Access_Point
2. Bellardo, John, and Stefan Savage. "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions" in the Proceedings of the USENIX Security Symposium, August 2003.
3. Friedl, Steve. "Network Guru's Guide to 802.11b Wireless Networking". Unixwiz.net. Date of Access: 18 April 2006: http://mvp.unixwiz.net/techtips/wireless-guide.html
4. "HP iPAQ Pocket PC Information Center System Specifications". Pocket PC Central. Date of Access: 18 April 2006: http://pocketpccentral.net/ipaq6300.htm
5. "Media Access Control". Wikipedia. Last updated: 12 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Media_Access_Control
6. "Mobile Device Reviews". BrightHand. Date of Access: 18 April 2006: http://www.brighthand.com
7. "UT-STARCOM F1000G System Specifications". UTstarcom. Date of Access: 18 April 2006: http://www.utstar.com/Solutions/Handsets/WiFi/
8. "Wi-Fi". Wikipedia. Last updated: 18 April 2006. Date of Access: 18 April 2006: http://en.wikipedia.org/wiki/Wi-Fi