This paper focuses on validating the impact of the attacks and developing light-weight solutions that do not require significant changes to existing standards or extensive use of cryptography
802.11 denial-of-service attacks: real vulnerabilities and practical solutions
USENIX Security, pp.2-2, (2003)
The convenience of 802.11-based wireless access networks has led to widespread deployment in the consumer, industrial and military sectors. However, this use is predicated on an implicit assumption of confidentiality and availability. While the security flaws in 802.11's basic confidentiality mechanisms have been widely publicized, the thr...
- The combination of free spectrum, efficient channel coding and cheap interface hardware have made 802.11-based access networks extremely popular.
- As the authors will show, vulnerabilities in the 802.11 MAC protocol allow an attacker to selectively or completely disrupt service to the network using relatively few packets and low power consumption.
- By forging these management packets, an attacker can cause a client node to fall out of sync with the access point and fail to wake up at the appropriate times.
- In testing a wide variety of 802.11 Network Interface Cards we have found that most allow the generation of management frames necessary to exploit the identity attacks described earlier – typically using semi-documented or undocumented modes of operation, such as HostAP
- In the adversarial case the attacking node could generate spoofed traffic designed to confuse the switch. This does not represent a significant new vulnerability – even without the delay on deauthentication/disassociation an attacker can spoof a packet from a mobile client in order to create this conflict
- We generated a variety of packet streams with a range of large duration values – including continuous runs of request to send frames, clear to send frames, and ACK frames destined for APs, hosts and unallocated addresses
- Each client-generated clear to send packet contains an implicit claim that it was sent in response to a legitimate request to send generated by an access point
- The maximum value for the NAV is 32767, or roughly 32 milliseconds on 802.11b networks, so in principle an attacker need only transmit approximately 30 times a second to jam all access to the channel.
- All low-level functions – including frame transmission, scheduling, acknowledgement, and fragmentation – are implemented in firmware while the host is responsible for managing data transfer to and from the device.
- If a data or association response frame is received from a target, the authors issue a spoofed deauthentication frame to the access point on behalf of the client.
- The authors tested this implementation in a small 802.11 network composed of 7 machines: 1 attacker, 1 access point, 1 monitoring station, and 4 legitimate clients.
- In contrast “dumb” access points have no explicit means of coordination and instead rely on the underlying layer-two distribution network to reroute packets as a mobile client’s MAC address appears at a new AP.
- The mobile node may not receive data packets until it has sent one – allowing the switch to learn its new port – but that limitation applies regardless of the deauthentication timeout.
- The authors implemented the virtual carrier-sense attack by modifying the ns [NS] 802.11 MAC layer implementation to allow arbitrary duration values to be sent periodically, 30 times a second, by the attacker.
- The authors simulated attacks using ACK frames with large duration values, as well as the RTS/CTS sequence described earlier.
- The authors described software infrastructure for generating arbitrary 802.11 frames using commodity hardware and used this platform to implement versions of the deauthentication and virtual carrier-sense attacks.
- A great deal of research has already been focused on 802.11 network security. Most of this work has focused on weaknesses in the wired equivalency protocol (WEP) intended to provide data privacy between 802.11 clients and access points. WEP relies on shared secret keys to support a challenge-response authentication protocol and for encrypting data packets. In 2001, Fluhrer et al. identified recurring weak keys in WEP, and showed how to use them to recover the secret key [FMS01]. Once the key is known, an attacker can both fully utilize network resources and monitor the traffic of other network nodes. In a recent paper, Stubblefield et al. demonstrate an implementation of this attack that was able to recover a 128-bit WEP key purely through passive monitoring [SIR02]. In addition, Borisov et al. have identified vulnerabilities that allow WEP-protected frames to be modified, new frames to be injected, authentication frames to be spoofed and plain text to be recovered from encrypted frames – all without knowing the shared secret key [BGW01].
- This work was funded by DARPA Grant N66001-011-8933 and NIST Grant 60NANB1D0118
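The monitor-side checks the key points above describe, written here as an added illustration rather than code from the paper: a per-frame-type ceiling on NAV values, a CTS accepted only as the reply to an RTS from the station it names, and a deauthentication held until a later data frame from its purported sender contradicts it. The header layout is the standard 802.11 MAC header; the NAV ceilings, the grace window and the sample trace are assumptions made for the example.

```python
import struct
from typing import Dict, List, Set, Tuple

# Frame Control byte 0 for RTS (type 1/subtype 11), CTS (1/12), ACK (1/13), Deauth (0/12).
RTS, CTS, ACK, DEAUTH = 0xB4, 0xC4, 0xD4, 0xC0
# Assumed NAV ceiling per frame type (us); the attack's 32767 us is far above any real exchange.
NAV_CAP_US = {RTS: 3000, CTS: 3000, ACK: 0}   # ACK carries no NAV outside a fragment burst
DEAUTH_GRACE_US = 5_000_000   # the paper proposes holding a deauth 5-10 s before honouring it

def mk(fc0: int, dur: int, ra: bytes, ta: bytes = b"") -> bytes:
    """Build a minimal 802.11 header: Frame Control, Duration/ID, RA, optional TA."""
    return struct.pack("<BBH", fc0, 0, dur) + ra + ta

def parse_header(frame: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (fc0, nav_us, RA, TA); CTS and ACK frames carry only an RA."""
    fc0, _fc1, dur = struct.unpack_from("<BBH", frame, 0)
    nav = 0 if dur & 0x8000 else dur           # bit 15 set: AID field, not a NAV value
    return fc0, nav, frame[4:10], b"" if fc0 in (CTS, ACK) else frame[10:16]

def audit(trace: List[Tuple[int, bytes]]) -> List[str]:
    """Apply the sanity checks to (timestamp_us, frame) pairs; return alert strings."""
    alerts: List[str] = []
    awaiting_cts: Set[bytes] = set()       # TAs of RTS frames without a CTS reply yet
    pending_deauth: Dict[bytes, int] = {}  # purported deauth sender -> time it was seen
    for ts, frame in trace:
        fc0, nav, ra, ta = parse_header(frame)
        if fc0 in NAV_CAP_US and nav > NAV_CAP_US[fc0]:
            alerts.append(f"{ts}: oversized NAV {nav}us in frame type 0x{fc0:02x}")
        if fc0 == RTS:
            awaiting_cts.add(ta)
        elif fc0 == CTS:                   # only meaningful as a reply to an RTS from RA
            if ra in awaiting_cts:
                awaiting_cts.discard(ra)
            else:
                alerts.append(f"{ts}: unsolicited CTS naming {ra.hex(':')}")
        elif fc0 == DEAUTH:                # hold it instead of honouring it immediately
            pending_deauth[ta] = ts
        elif (fc0 >> 2) & 3 == 2 and ta in pending_deauth:   # data frame from that sender
            if ts - pending_deauth.pop(ta) <= DEAUTH_GRACE_US:
                alerts.append(f"{ts}: data from {ta.hex(':')} contradicts earlier deauth")
    return alerts

# Constructed sample trace (not from the paper): a normal RTS/CTS pair, an unsolicited CTS
# carrying the maximum NAV, then a deauth spoofed on the client's behalf followed by its data.
AP, CL1, EVIL = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\xee"
SAMPLE = [(1_000, mk(RTS, 500, CL1, AP)), (1_100, mk(CTS, 400, AP)),          # normal exchange
          (2_000, mk(CTS, 32767, EVIL)),                                       # NAV attack frame
          (3_000, mk(DEAUTH, 314, AP, CL1)), (4_000, mk(0x08, 0, AP, CL1))]    # deauth, then data
```

Running `audit(SAMPLE)` yields four alerts: the oversized NAV and the unsolicited CTS at 2000 us, and the contradicted deauthentication at 4000 us; the legitimate RTS/CTS pair produces none.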
- [Abo02] Bernard Aboba. IEEE 802.1X PreAuthentication. Presentation to 802.11 WGi, July 2002.
- [ASJZ01] W.A. Arbaugh, N. Shankar, J.Wang, and K. Zhang. Your 802.11 Network has No Clothes. In First IEEE International Conference on Wireless LANs and Home Networks, Suntec City, Singapore, December 2001.
- [BDSZ94] Vaduvur Bharghavan, Alan J. Demers, Scott Shenker, and Lixia Zhang. MACAW: A Media Access Protocol for Wireless LAN’s. In Proceedings of the ACM SIGCOMM Conference, London, UK, September 1994.
- [BGW01] Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. In Seventh Annual International Conference on Mobile Computing And Networking, Rome, Italy, July 2001.
- Daniel B. Faria and David R. Cheriton. DoS and Authentication in Wireless Public Access Networks. In Proceedings of the First ACM Workshop on Wireless Security (WiSe’02), September 2002.
- Reyk Floeter. Wireless LAN Security Framework: void11. http://www.wlsec.net/void11/, 2002.
- [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Lecture Notes in Computer Science, 2259, 2001.
- Vikram Gupta, Srikanth Krishnamurthy, and Michalis Faloutsos. Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks. In Proceedings of 2002 MILCOM Conference, Anaheim, CA, October 2002.
- IEEE8021X. Port-based Network Access Control. IEEE Std 802.1x, 2001 Edition. IEEE Standard, June 2001.
- Pradeep Kyasanur and Nitin Vaidya. Detection and Handling of MAC Layer Misbehavior in Wireless Networks. To appear in Proceedings of the International Conference on Dependable Systems and Networks, San Francisco, CA, June 2003.
- Mike Lynn and Robert Baird. Advanced 802.11 Attack. Black Hat Briefings, July 2002.
- Michael Lowry Lough. A Taxonomy of Computer Attacks with Applications to Wireless. PhD thesis, Virginia Polytechnic Institute, April 2001.
- [Moo02] Tim Moore. Validating Disassociate Deauth Messages. Presentation to 802.11 WGi, September 2002.
- Mike Schiffman. The Need for an 802.11 Wireless Toolkit. Black Hat Briefings, July 2002.
- [SIR02] Adam Stubblefield, John Ioannidis, and Aviel Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. In Proceedings of the 2002 Network and Distributed Systems Symposium, San Diego, CA, February 2002.