
802.11 denial-of-service attacks: real vulnerabilities and practical solutions

USENIX Security Symposium, 2003


Abstract

The convenience of 802.11-based wireless access networks has led to widespread deployment in the consumer, industrial and military sectors. However, this use is predicated on an implicit assumption of confidentiality and availability. While the security flaws in 802.11's basic confidentiality mechanisms have been widely publicized, the thr...

Introduction
  • The combination of free spectrum, efficient channel coding and cheap interface hardware have made 802.11-based access networks extremely popular.
  • As the authors will show, vulnerabilities in the 802.11 MAC protocol allow an attacker to selectively or completely disrupt service to the network using relatively few packets and low power consumption.
  • By forging the beacon and power-save management frames that govern when a dozing client must listen, an attacker can cause a client node to fall out of sync with the access point and fail to wake up at the appropriate times.
Highlights
  • This paper focuses on validating the impact of the attacks and developing light-weight solutions that do not require significant changes to existing standards or extensive use of cryptography.
  • In testing a wide variety of 802.11 network interface cards, the authors found that most allow generation of the management frames needed to mount the identity attacks described above, typically through semi-documented or undocumented modes of operation such as HostAP.
Results
  • The Duration field that sets the NAV holds 15 bits of microseconds, so its maximum value is 32767 µs (roughly 32.8 milliseconds); in principle an attacker therefore need only transmit approximately 30 times a second to jam all access to the channel.
  • All low-level functions – including frame transmission, scheduling, acknowledgement, and fragmentation – are implemented in firmware while the host is responsible for managing data transfer to and from the device.
  • If a data or association response frame is received from a target, the authors issue a spoofed deauthentication frame to the access point on behalf of the client.
  • The authors tested this implementation in a small 802.11 network composed of 7 machines: 1 attacker, 1 access point, 1 monitoring station, and 4 legitimate clients.
  • In contrast “dumb” access points have no explicit means of coordination and instead rely on the underlying layer-two distribution network to reroute packets as a mobile client’s MAC address appears at a new AP.
  • The mobile node may not receive data packets until it has sent one – allowing the switch to learn its new port – but that limitation applies regardless of the deauthentication timeout.
  • This does not represent a significant new vulnerability: even without the delay on deauthentication/disassociation, an attacker can spoof a packet from a mobile client in order to create this conflict.
  • The authors generated a variety of packet streams with a range of large duration values – including continuous runs of RTS frames, CTS frames, and ACK frames destined for APs, hosts and unallocated addresses.
  • The authors implemented the virtual carrier-sense attack by modifying the ns [NS] 802.11 MAC layer implementation to allow arbitrary duration values to be sent periodically, 30 times a second, by the attacker.
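The deauthentication attack in the Results above (spoof a deauthentication frame to the AP on the client's behalf whenever the client is seen to associate or to send data) and the defense discussed there (an AP that delays honouring a deauthentication or disassociation request and discards it if the client keeps transmitting) can be compared in a small discrete-event simulation. This is an added example, not the authors' software: the access-point model, the attacker's 1 ms reaction time, the 10 ms reassociation time and the 5 s delay are all assumptions of the example, and 802.11 authentication plus association are collapsed into a single `assoc_req` step.

```python
"""Deauthentication attack against an AP, with and without a delayed-deauthentication defense.
Added example (not the paper's code): a small discrete-event simulation with assumed timings."""
import heapq

CLIENT = "66:77:88:99:aa:bb"   # assumed client MAC; the attacker spoofs frames from this address


class AccessPoint:
    """deauth_delay_ms=0 is standard behaviour (honour at once); a positive value queues the
    request and lets any frame from the client cancel it before the timer expires."""

    def __init__(self, deauth_delay_ms=0):
        self.delay_ms = deauth_delay_ms
        self.associated = set()
        self.pending = {}   # client -> time at which a queued deauthentication takes effect
        self.delivered = self.dropped = self.disconnects = 0

    def associate(self, client):
        self.associated.add(client)
        self.pending.pop(client, None)

    def data_from(self, client):
        if client not in self.associated:
            self.dropped += 1            # class-3 frame from a station that is not associated
            return False
        self.pending.pop(client, None)   # the client is evidently still here: discard queued deauth
        self.delivered += 1
        return True

    def deauth_from(self, now, client):
        """Deauthentication frame whose source address is `client`. Returns the deadline if queued."""
        if client not in self.associated:
            return None
        if self.delay_ms == 0:           # standard 802.11: unauthenticated request honoured immediately
            self._disconnect(client)
            return None
        if client in self.pending:       # a timer is already running for this client
            return None
        self.pending[client] = now + self.delay_ms
        return self.pending[client]

    def deadline(self, now, client):
        """Timer expiry: honour the queued request only if nothing cancelled or replaced it."""
        if self.pending.get(client) == now:
            del self.pending[client]
            self._disconnect(client)

    def _disconnect(self, client):
        self.associated.discard(client)
        self.disconnects += 1

    def stats(self):
        return {"delivered": self.delivered, "dropped": self.dropped,
                "disconnects": self.disconnects, "associated": CLIENT in self.associated}


def simulate(deauth_delay_ms, attacker_on=True, duration_ms=2000, data_period_ms=100,
             client_leaves_at_ms=None, horizon_ms=None, reaction_ms=1, reassoc_ms=10):
    """Client associates at t=0 and sends a data frame every data_period_ms up to duration_ms,
    unless it legitimately deauthenticates at client_leaves_at_ms. Events after horizon_ms
    (default duration_ms) are not processed."""
    ap = AccessPoint(deauth_delay_ms)
    horizon = duration_ms if horizon_ms is None else horizon_ms
    queue, seq = [], 0

    def push(t, kind):
        nonlocal seq
        seq += 1
        heapq.heappush(queue, (t, seq, kind))

    push(0, "assoc_req")
    for t in range(data_period_ms, duration_ms + 1, data_period_ms):
        if client_leaves_at_ms is None or t < client_leaves_at_ms:
            push(t, "data")
    if client_leaves_at_ms is not None:
        push(client_leaves_at_ms, "client_deauth")

    while queue and queue[0][0] <= horizon:
        t, _, kind = heapq.heappop(queue)
        if kind == "assoc_req":
            ap.associate(CLIENT)
            if attacker_on:                        # attacker saw the association response
                push(t + reaction_ms, "spoofed_deauth")
        elif kind == "data":
            if ap.data_from(CLIENT):
                if attacker_on:                    # attacker saw a data frame from its target
                    push(t + reaction_ms, "spoofed_deauth")
            else:
                push(t + reassoc_ms, "assoc_req")  # AP rejected the frame; client reassociates
        elif kind in ("spoofed_deauth", "client_deauth"):
            deadline = ap.deauth_from(t, CLIENT)
            if deadline is not None:
                push(deadline, "deadline")
        elif kind == "deadline":
            ap.deadline(t, CLIENT)
    return ap.stats()


if __name__ == "__main__":
    print("standard AP under attack:   ", simulate(deauth_delay_ms=0))
    print("delayed-deauth AP (5 s):    ", simulate(deauth_delay_ms=5000))
    print("client really leaves (5 s): ", simulate(5000, attacker_on=False,
                                                   client_leaves_at_ms=500, horizon_ms=6000))
```

With the standard AP every data frame from the client is dropped and it is thrown off twenty times in two seconds; with the delay no spoofed request ever takes effect because the client's own traffic keeps cancelling it. The third run shows the cost of the defense that the Results bullets discuss: a client that genuinely leaves and goes silent is only removed from the association table after the full delay.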
Conclusion
  • The authors simulated attacks using ACK frames with large duration values, as well as the RTS/CTS sequence described earlier.
  • Each client-generated CTS packet contains an implicit claim that it was sent in response to a legitimate RTS generated by an access point.
  • The authors described software infrastructure for generating arbitrary 802.11 frames using commodity hardware and used this platform to implement versions of the deauthentication and virtual carrier-sense attacks.
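Two checks implied above (a cap on the Duration value, and rejecting a CTS that no RTS solicited, since every CTS implicitly claims such an RTS) and the arithmetic behind the 30-frames-per-second figure in the Results can be exercised on a constructed capture. The following is an added example, not the authors' monitoring or simulation code: the frame builders, the 20 ms cap, the 1 ms RTS-to-CTS window and the addresses are assumptions of the example, and frames are handled without FCS, as a monitor-mode capture would deliver them.

```python
"""NAV abuse detector for the virtual carrier-sense attack (added example, not the paper's code).
Parses the 802.11 MAC header, reads the 15-bit NAV from the Duration/ID field, flags NAVs above
a cap and CTS frames that answer no RTS, and measures how much of the window the NAVs cover."""
import struct

TYPE_CTRL, TYPE_DATA = 1, 2
SUB_PSPOLL, SUB_RTS, SUB_CTS, SUB_ACK = 0xA, 0xB, 0xC, 0xD
CTRL_NAMES = {SUB_PSPOLL: "PS-Poll", SUB_RTS: "RTS", SUB_CTS: "CTS", SUB_ACK: "ACK"}

NAV_MAX_US = 32767         # largest value the 15-bit NAV field can carry (microseconds)
NAV_CAP_US = 20_000        # assumed cap: about what an RTS needs to guard a 2346-byte MPDU at 1 Mbit/s
RTS_CTS_WINDOW_US = 1_000  # assumed: a CTS arriving later than this cannot be answering the RTS


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt(addr):
    return ":".join(f"{b:02x}" for b in addr)


def parse_header(raw):
    """Decode frame control, Duration/ID and the first two addresses of a raw 802.11 frame."""
    fc0, _fc1, dur_id = struct.unpack_from("<BBH", raw, 0)
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    # Bit 15 set: the field carries an AID (PS-Poll) or the CFP marker, not a NAV reservation
    nav = None if dur_id & 0x8000 else dur_id
    # CTS and ACK carry only a receiver address, so their sender cannot be identified
    ta = None if (ftype == TYPE_CTRL and subtype in (SUB_CTS, SUB_ACK)) else raw[10:16]
    return {"type": ftype, "subtype": subtype, "nav": nav, "ra": raw[4:10], "ta": ta}


def build_ctrl(subtype, dur_id, ra, ta=None):
    """Control frame without FCS, as a monitor-mode capture typically delivers it."""
    hdr = bytes([(TYPE_CTRL << 2) | (subtype << 4), 0]) + struct.pack("<H", dur_id) + ra
    return hdr if ta is None else hdr + ta


def build_data(nav, ra, ta, bssid):
    """Minimal data frame header (To DS set), no payload."""
    return bytes([TYPE_DATA << 2, 0x01]) + struct.pack("<H", nav) + ra + ta + bssid + b"\x00\x00"


def merged_coverage_us(intervals):
    """Length of the union of [start, end) intervals, so overlapping NAVs are counted once."""
    total, cur = 0, None
    for start, end in sorted(intervals):
        if cur is None or start > cur[1]:
            if cur is not None:
                total += cur[1] - cur[0]
            cur = [start, end]
        else:
            cur[1] = max(cur[1], end)
    return total + (cur[1] - cur[0] if cur else 0)


def analyze(trace, window_us):
    """trace: list of (timestamp_us, raw_frame) in capture order. Returns alerts and NAV coverage."""
    alerts, pending_rts, intervals = [], [], []
    for ts, raw in trace:
        f = parse_header(raw)
        if f["nav"] is None:
            continue                                   # PS-Poll AID or CFP marker, not a NAV
        name = CTRL_NAMES.get(f["subtype"], "control") if f["type"] == TYPE_CTRL else "data/mgmt"
        src = fmt(f["ta"]) if f["ta"] else "unknown"
        if f["nav"] > NAV_CAP_US:
            alerts.append(f"{ts} us: {name} from {src} claims NAV {f['nav']} us > cap {NAV_CAP_US} us")
        if f["type"] == TYPE_CTRL and f["subtype"] == SUB_RTS:
            pending_rts.append((ts, f["ta"]))          # expect a CTS addressed to this sender
        elif f["type"] == TYPE_CTRL and f["subtype"] == SUB_CTS:
            pending_rts = [(t, ta) for t, ta in pending_rts if ts - t <= RTS_CTS_WINDOW_US]
            if not any(ta == f["ra"] for _, ta in pending_rts):
                alerts.append(f"{ts} us: CTS to {fmt(f['ra'])} answers no RTS from that station")
        intervals.append((ts, ts + f["nav"]))
    covered = merged_coverage_us(intervals)
    return {"alerts": alerts, "nav_covered_us": covered, "nav_fraction": covered / window_us}


AP, CLIENT, VICTIM = mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb"), mac("cc:dd:ee:ff:00:11")


def sample_trace():
    """Constructed one-second capture: a legitimate RTS/CTS/data exchange and a PS-Poll, then an
    attacker's unsolicited CTS frames with the maximum NAV about 30 times a second and one ACK
    with an oversized NAV."""
    trace = [
        (0, build_ctrl(SUB_RTS, 2500, ra=AP, ta=CLIENT)),
        (20, build_ctrl(SUB_CTS, 2300, ra=CLIENT)),
        (40, build_data(300, ra=AP, ta=CLIENT, bssid=AP)),
        (500, build_ctrl(SUB_PSPOLL, 0xC001, ra=AP, ta=CLIENT)),   # AID 1 with bits 14-15 set
    ]
    trace += [(2_000 + 32_000 * i, build_ctrl(SUB_CTS, NAV_MAX_US, ra=VICTIM)) for i in range(30)]
    trace.append((960_000, build_ctrl(SUB_ACK, 30_000, ra=VICTIM)))
    return trace


if __name__ == "__main__":
    result = analyze(sample_trace(), window_us=1_000_000)
    for line in result["alerts"][:5]:
        print(line)
    print(f"{len(result['alerts'])} alerts; claimed NAVs cover {result['nav_fraction']:.0%} of the second")
```

On the constructed capture thirty maximum-NAV CTS frames spaced 32 ms apart, plus one oversized ACK, reserve 99% of the second even though the attacker transmitted only 31 short frames; the legitimate RTS/CTS pair produces no alert because the CTS is addressed to the station that sent the RTS within the window. A CTS has no transmitter address, which is why the alert can only name the claimed recipient.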
Related work
  • A great deal of research has already been focused on 802.11 network security. Most of this work has focused on weaknesses in Wired Equivalent Privacy (WEP), the mechanism intended to provide data privacy between 802.11 clients and access points. WEP relies on shared secret keys both for a challenge-response authentication protocol and for encrypting data packets. In 2001, Fluhrer et al. identified recurring weak keys in WEP's use of RC4 and showed how to use them to recover the secret key [FMS01]. Once the key is known, an attacker can both fully utilize network resources and monitor the traffic of other network nodes. Stubblefield et al. demonstrated an implementation of this attack that recovered a 128-bit WEP key purely through passive monitoring [SIR02]. In addition, Borisov et al. identified vulnerabilities that allow WEP-protected frames to be modified, new frames to be injected, authentication frames to be spoofed and plaintext to be recovered from encrypted frames, all without knowing the shared secret key [BGW01].
Funding
  • This work was funded by DARPA Grant N66001-011-8933 and NIST Grant 60NANB1D0118
References
  • [Abo02] Bernard Aboba. IEEE 802.1X Pre-Authentication. Presentation to 802.11 WGi, July 2002.
  • [ASJZ01] W. A. Arbaugh, N. Shankar, J. Wang, and K. Zhang. Your 802.11 Network Has No Clothes. In First IEEE International Conference on Wireless LANs and Home Networks, Suntec City, Singapore, December 2001.
  • [BDSZ94] Vaduvur Bharghavan, Alan J. Demers, Scott Shenker, and Lixia Zhang. MACAW: A Media Access Protocol for Wireless LANs. In Proceedings of the ACM SIGCOMM Conference, London, UK, September 1994.
  • [BGW01] Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. In Seventh Annual International Conference on Mobile Computing and Networking, Rome, Italy, July 2001.
  • Daniel B. Faria and David R. Cheriton. DoS and Authentication in Wireless Public Access Networks. In Proceedings of the First ACM Workshop on Wireless Security (WiSe'02), September 2002.
  • Reyk Floeter. Wireless LAN Security Framework: void11. http://www.wlsec.net/void11/, 2002.
  • [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Lecture Notes in Computer Science, 2259, 2001.
  • Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos. Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks. In Proceedings of the 2002 MILCOM Conference, Anaheim, CA, October 2002.
  • [IEEE8021X] IEEE Std 802.1X, 2001 Edition. Port-Based Network Access Control. IEEE Standard, June 2001.
  • Pradeep Kyasanur and Nitin Vaidya. Detection and Handling of MAC Layer Misbehavior in Wireless Networks. To appear in Proceedings of the International Conference on Dependable Systems and Networks, San Francisco, CA, June 2003.
  • Mike Lynn and Robert Baird. Advanced 802.11 Attack. Black Hat Briefings, July 2002.
  • Michael Lowry Lough. A Taxonomy of Computer Attacks with Applications to Wireless. PhD thesis, Virginia Polytechnic Institute, April 2001.
  • [Moo02] Tim Moore. Validating Disassociate/Deauth Messages. Presentation to 802.11 WGi, September 2002.
  • [NS] The ns network simulator. www.isi.edu/nsnam/ns/.
  • Mike Schiffman. The Need for an 802.11 Wireless Toolkit. Black Hat Briefings, July 2002.
  • [SIR02] Adam Stubblefield, John Ioannidis, and Aviel Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. In Proceedings of the 2002 Network and Distributed System Security Symposium, San Diego, CA, February 2002.
  • http://naughty.monkey.org/