Attacks on WLAN Alessandro Redondi

Transcription

1 Attacks on WLAN Alessandro Redondi

2 Disclaimer Under the Criminal Italian Code, articles 340, 617, 617 bis: Up to 1 year of jail for interrupting public service 6 months to 4 years of jail for installing devices used for interrupting or intercepting communications 2

3 Classification of Attacks Passive Eavesdropping, sniffing Active Jamming Packet forgery, Frame Injection Man in the middle Rogue AP, AP Phishing, MAC spoofing Denial of service (AP or STA) Greedy behavior 3

4 Denial-of-service (DOS) attacks DOS attacks target network availability Prevent legitimate users from accessing the network is particularly vulnerable to such attacks due to the lack of a physical infrastructure Attackers exploit enhanced anonimity (difficulty in locating the source of the attack) 4

5 Identity vulnerabilities All frame contain the sender MAC address in the header Encryption methods work only on the payload No mechanisms for verifying the correctness of the self-reported identity exist! Consequently, an attacker may spoof (imitate) other nodes and request MAC-layer services on their behalf 5

6 Deauthentication attack management frames allows to explicit request deauthentication (type 0, subtype 0x0c) The deauthentication message is not authenticated! An attacker may pretend to be the AP or the STA and asking deauthentication to the other party Deauthentication means disassociation! It takes some time before STA associates again 6

7 Deauthentication attack 7

8 Deauthentication attack The deauth attack is very flexible: Deny access to individual clients Rate limit their acces Attacker needs to monitor the channel and send death only when a new authentication has taken place Attacker needs to make sure the target do not switch to another channel 8

9 Disassociation attack Attack is very similar to deauthentication, but less effective Clients may be authenticated with multiple AP but associated just to one. Deauthentication forces the victim to do more work to return to the associated state 9

10 Defense for Deauthentication attacks w MFP (Management Frame Protection) amendment adds WPA2 protection to Deauth and Disassoc frames to make them antispoofing (still not widely supported, but mandatory for ac certification) Simple alternative: Delay deauth request effect by 5-10 seconds If a data packet arrives from the client after the request, discard it (no legitimate client would do that) Problems if STA move to another AP 10

11 Power Saving Power conservation functions of present several vulnerabilities PS-Poll attack: attacker spoof victim AID and polls the access point for any pending traffic while victim is sleeping. AP empties the buffer and victim loses data Alternatively (more difficult to implement), an attacker may convince the victim that there is no pending data by spoofing the TIM 11

12 PS-Poll Attack 12

13 PS attack (2) A different attack tricks the AP into believing that the victim is in sleep mode. Attacker transmit on or more management frames to the AP with a spoofed source MAC address and the PS bit set. AP will start buffering data for STA instead of delivering it. STA will ignore TIM because it never really went to sleep 13

14 PS attack (2) 14

15 MAC Vulnerabilities A series of attacks exploit the CSMA/CA and virtual CS mechanisms No spoofing is required Since every node must wait at least an SIFS interval, an attacker may monopolize the channel by sending a short signal before the end of every SIFS period Method is expensive : with a SIFS of 20 microseconds, this requires the attacker to transmit 50k packets per second 15

16 Virtual Carrier Sensing Attack The RTS/CTS frames carry a Duration field to prevent (hidden) nodes to access the channel An attacker may therefore prevent all stations in RTS/CTS range to access the channel RTS attack is cheap and will be propagated by others. Max duration is 32 ms, so 30 RTS/second will jam access to the channel. 16

17 Mitigating NAV attack Much harder to defend against in practice than deauth attack One approach to mitigate its effects is to place a limit on the duration values accepted Low cap: duration of ACK/CTS frame + backoff. Usable after observing RTS or all management frames High cap: duration of largest data frame + backoff. Usable after ACK or CTS. 17

18 Mitigating NAV attack (2) Observing duration field: In ACK Frame, reservation valid only if the data frame is fragmented. In case fragmentation is not used, ignore the duration. Data Frame, similar to above RTS frame, valid in a RTS-CTS-Data sequence. Respect until Data should be observed. If not observed, ignore it. CTS frame: either bogus or the observing node is hidden terminal. Not enough information. 18

19 Other Attacks Autoimmune disorder: non conform messages sent to AP cause the AP to send broadcast deauth messages BlockACK attacks in e, DoS effects of 10 seconds with a single message Channel Switch attack: force STA to move to a channel not used by AP ATIM attack: for ad-hoc mode, forge ATIM to force STA to wake up and deplete their battery 19

20 Attack against Access Points In infrastructure mode, the AP is a single point of failure Attacking the AP rather than a particular STA causes the entire network to crash Observation: any management frame sent by STA to the AP triggers an elaboration with consequent consumption of computational/transmission resources 20

21 Flooding attacks Probe Request Flood (PRF): sending a burst of probe request with different MAC addresses force the AP to answer to all of them. Authentication Request Flood (ARF): similarly to PRF, plus the AP has to allocate memory to keep information about each new (fake) STA Association Request Flood (ASRF): even if the STA is not authenticated, some AP will reply with a Disassociation or Deauthentication frame 21

22 Flooding attacks 22

23 Greedy behavior attacks works under the assumption that all nodes (STA and AP) follow the standard guidelines This should provide fair resources to all users However, a STA can deliberately misuses the MAC protocol to gain bandwidth at the expense of other stations 23

24 Uplink attack #1 A station selectively interferes with frames sent by other stations Attacker observes the RTS frame of the victim and interferes with the CTS frame. The CW of the victim doubles Attacker observes the DATA frame of the victim and interferes with the ACK frame. The CW of the victim doubles In both cases, the attacker increases its chance to access the channel. 24

25 Uplink attack #2 Manipulating protocol parameters Transmit after SIFS but before DIFS Increase the duration field Reduce the backoff time by setting a smaller CWmax In both cases, the attacker increases its chance to access the channel. 25

26 Downlink attack Actually based on TCP congestion control between the victim and an endpoint S Observe that TCP is used in the majority of the cases as transport protocol over Jamming a TCP-ACK from the victim to the AP makes S decreases the sending rate so that the attacker bandwidth increases. 26

27 Detection of greedy attacks An AP can detect greedy stations and prevent them to use the WLAN: In uplink attack #1 the attacker will have a number of retransmitted frames lower than other stations In uplink attack #2 the AP may monitor idle periods after each ACK and distinguish stations that transit before a DIFS 27

28 Attacks in s Mesh Networks s does not provide any incentives for stations to cooperate Therefore, it is vulnerable to insider attacks in which a mesh point hopes to increase its QoS at the expense of others This attacks are known as selfish attacks Some of the attacks are similar to greedy attacks (jamming other stations frames or modifying protocol parameters) 28

29 HWMP Selfish attacks The attacker mesh point tries to modify path selection and reroute traffic beyond itself (less traffic to forward, more capacity for own traffic) This can be achieved by modifying PREQ before forwarding (e.g. highly increasing the hop count or metric) or by dropping PREQ or RANN frames to/from the mesh gateway 29

30 HWMP Selfish attacks The attacker mesh point tries to modify path selection and reroute traffic beyond itself (less traffic to forward, more capacity for own traffic) This can be achieved with Route Diversion, by modifying PREQ before forwarding (e.g. highly increasing the hop count or metric) Alternatively, Route Disruption osbtained by dropping PREP or RANN frames to/from the mesh gateway 30

31 Route diversion / disruption Route Diversion Route Disruption 31

32 Tools Aircrack-ng: main goal is to check security by cracking WEP and WPA. Supports frame injection and Deauth attacks Tools based on Python Scapy (packet forgery tool for Python) Bad guys repositories

33 Friendly Jamming Novel field of study Main idea: a device (the AP) monitor traffic and detect attack frames. When detecting such frames, the friendly jammer emits interference so that the victim cannot decode the attack frame Tool available here: 33