Attack & Defense in Wireless Networks


Attack & Defense in Wireless Networks John M. Shea April 22, 2008

Overview
- Wireless networks
  - fundamentals
  - vulnerabilities
- WING testbed
- Demonstration of Denial-of-Service Attack and Defense

Classification: Topology
- Infrastructure: communication controlled by base station (cellular), access point (WiFi), master (Bluetooth)
- Ad hoc: nodes communicate directly with peers (currently used for tactical radio networks)
- Mesh: hybrid of above (option for WiMax wireless municipal area network)

Classification: Frequency Band
- Licensed: cellular phone, TV, radio, satellite
- Unlicensed: wireless LAN, Bluetooth, cordless phones
  - unlicensed wireless networks use the Industrial, Scientific and Medical (ISM) bands
    - 902-928 MHz (centre frequency 915 MHz)
    - 2.400-2.500 GHz (centre frequency 2.450 GHz)
    - 5.725-5.875 GHz (centre frequency 5.800 GHz)
    - ...
  - low spectral mask (limit on power spectral density) to reduce interference

IEEE 802.11 a/b/g/n
- The IEEE 802.11 a/b/g/n standards are for wireless local area networks (WLANs)
- Commonly referred to as WiFi
- 802.11 b/g operates in 2.4 GHz ISM band
- 802.11 a operates in 5.8 GHz ISM band
- 802.11 n (draft) operates in either 2.4 GHz or 5.8 GHz bands

Classification: Medium Access
- Medium access is how the system resources are allocated to the users
  - Frequency Division (analog cellular for users, cellular and WLAN for base stations/access points)
  - Time Division (GSM digital cellular)
  - Code Division (CDMA digital cellular, cdma2000, WCDMA)
  - Space Division: reuse frequencies over space (cellular), use directional antennas (cellular)

Medium Access
- In cellular networks, mobile stations synchronize their clocks closely with the base stations
- In wireless LANs, this is not the case
- Frequency division is used to allocate channel among access points

WiFi Channels at 2.4 GHz
- US 2.4 GHz ISM band divided into 11 overlapping channels
[Figure from http://www.moonblinkwifi.com/2point4freq.cfm]

Medium Access
- Distributed protocol (DCF) to allocate time among users
- Protocol based on carrier-sense multiple access with collision avoidance (CSMA/CA)
  - carrier sense => check if channel is busy before accessing it (same as Ethernet)
  - collision avoidance => use control packets to reserve channel for duration of transmission
- Ethernet is CSMA/CD, where CD = collision detection. CD is not possible for wireless because radios cannot simultaneously transmit and receive on same channel

CSMA/CA
- Sending a packet requires up to 4 different types of transmissions
- Each transmission unit is called a frame
- Full CSMA/CA looks like this:
  - RTS = Request to Send
  - CTS = Clear To Send
  - ACK = acknowledgment
[Figure: excerpt from the IEEE 802.11 standard, 9.2.5.4 Setting and resetting the NAV]

CSMA/CA
- If CTS is not received or ACK is not received, transmitter assumes loss due to collision with other transmissions
- Backoff timer is started to try to prevent future collisions
[Figure: RTS/CTS/data/ACK and NAV setting]

WiFi Vulnerabilities
- Interference
  - ISM bands are unlicensed, many users:
    - microwave ovens
    - cordless phones
    - Bluetooth headsets
  - Nearby access points need to be on different non-overlapping channels
  - Only 3 non-overlapping channels available: 1, 6, 11

WiFi Vulnerabilities
- Avoiding interference can be hard:
  - Not all base stations advertise their presence (broadcast their SSID); these won't show up on the list your computer displays
  - Use channel monitors (kismet, kismac, netstumbler, istumbler) to detect traffic on all channels
  - Interference from cordless phones can be very intermittent (some phones use frequency hopping)

WiFi Vulnerabilities
- Controlling access
  - Password-based methods
    - WEP = Wired Equivalent Privacy
      - badly broken, easily hackable even when configured correctly
      - made worse by manufacturers not implementing properly
      - do not use unless you have legacy devices that do not support newer techniques

WiFi Vulnerabilities
- Controlling access
  - Password-based methods
    - WPA/WPA2 = Wireless Protected Access
      - based on IEEE 802.11i standard
      - much, much harder to hack

WiFi Vulnerabilities
- Controlling access
  - Hardware access lists
    - Allow only devices with certain hardware (MAC) IDs to access network
    - Most wireless cards allow the MAC address to be changed in software
    - So, this is easy to defeat by an attacker with a little knowledge

WiFi Vulnerabilities
- Denial-of-Service (DoS) attacks
  - Jamming (intentional interference) can be used to shut down wireless communications
  - A smart jammer can shut down communications with minimum energy expenditure
  - Consider the basic protocol
[Figure: excerpt from IEEE Std 802.11-2007, 9.2.5.4 Setting and resetting the NAV]

WiFi Vulnerabilities
- Denial-of-service attacks
  - Smart jammer attacks the ACK to fool transmitter into thinking packet was not successful
  - Full transmission time & energy is wasted
  - Transmitter will think collision occurred and increase backoff window
[Figure: excerpt from IEEE Std 802.11-2007, 9.2.5.4 Setting and resetting the NAV]
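To make the cost of a missing ACK concrete, the following added example (not part of the original slides) models how a sender's contention window and wasted airtime grow when every ACK fails to arrive. The slot time and CWmin/CWmax are the 802.11b DSSS values; the retry count and frame duration passed in are assumptions chosen by the caller.

```python
# Added illustration: DCF binary exponential backoff when ACKs never arrive.
# SLOT_US, CW_MIN and CW_MAX are the 802.11b (DSSS) values; the number of
# retries and the frame duration are assumptions supplied by the caller.
SLOT_US = 20
CW_MIN = 31
CW_MAX = 1023


def contention_windows(retries, cw_min=CW_MIN, cw_max=CW_MAX):
    """Contention window used for the first attempt and for each retry.

    After every unacknowledged attempt the window doubles,
    CW -> 2*(CW+1)-1, until it is capped at cw_max.
    """
    windows, cw = [], cw_min
    for _ in range(retries + 1):
        windows.append(cw)
        cw = min(2 * (cw + 1) - 1, cw_max)
    return windows


def expected_backoff_us(retries):
    """Mean total backoff time: each draw is uniform on [0, CW] slots."""
    return sum(cw / 2 * SLOT_US for cw in contention_windows(retries))


def wasted_airtime_us(retries, frame_us):
    """Airtime spent sending DATA frames that were never acknowledged."""
    return (retries + 1) * frame_us


if __name__ == "__main__":
    for r in (0, 3, 6):
        print(r, contention_windows(r)[-1], expected_backoff_us(r),
              wasted_airtime_us(r, frame_us=1500))
```

A sender whose retry counters and contention window climb while the receiver reports good signal on the DATA frames is seeing the pattern this slide describes, which is one reason to monitor retries per channel.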

WING Testbed
- Linux/WiFi Machines
  - 10 Fujitsu Lifebook Laptops
  - 20 NETGEAR WGT634U 108 Mbps Wireless Media Routers

WING Testbed
- Linux/WiFi Machines
  - 15 ZipIt Wireless Instant Messengers
[Images from http://www.schrankmonster.de/content/binary/zipit-wireless-im-silver.jpg and http://karosium.com/index.php?/categories/2-my-hardware-projects]

WING Testbed
- Laptops and routers use Atheros chipsets
  - allow good control of hardware
- Software development based on open source drivers
  - MadWiFi/Ath5k
- Perl/TK for user interaction and graphical display

Demo: Capture Current Signal Levels
- Kernel module that allows access to hardware physical-layer received signal strength indicator (RSSI)
- Monitor.pl program allows complete control and inspection of capture

Example: Full Protocol in Operation
- Reduced RTS threshold on my home router
- Captured during email download
[Plot: Received Signal Strength, Channel 7; RSSI data versus time (ms); annotated with RTS, CTS, DATA, ACK, COLLISION and BACKOFF]

Defenses Against DoS Attacks
- Can use the same degrees of freedom that are available for multiple access to defend against DoS attacks:
  - Frequency: change channels to avoid jammer
  - Time: change protocol to prevent jammer from being able to attack so selectively (for instance, attach ACKs to Data packets)
  - Space: use directional antennas to communicate around jammer
  - Coding: spread signal over wider frequency band or add additional error protection

Demo: Defense Against DoS Attacks in Wireless Networks
- Use cordless phone as jammer (transmits in Channel 1)
- 2 Linux laptops set to switch channels if they lose too many packets
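A sketch of the "switch channels if they lose too many packets" rule from this demo, added here as an illustration and not the WING testbed's code. The window size, loss threshold and fixed 1 -> 6 -> 11 rotation (so both peers land on the same channel without coordinating) are assumptions, and the packet trace is constructed.

```python
from collections import deque

NON_OVERLAPPING = (1, 6, 11)   # the three non-overlapping 2.4 GHz channels


class ChannelHopper:
    """Leave the current channel when too many recent packets are lost.

    window and max_losses are assumed tuning values, not testbed settings.
    """

    def __init__(self, start=1, window=20, max_losses=10):
        self.channel = start
        self.max_losses = max_losses
        self.history = deque(maxlen=window)   # True = delivered, False = lost
        self.total = 0
        self.switches = []                    # (packet count, old, new)

    def next_channel(self):
        # Fixed rotation: both peers compute the same next channel.
        i = NON_OVERLAPPING.index(self.channel)
        return NON_OVERLAPPING[(i + 1) % len(NON_OVERLAPPING)]

    def record(self, delivered):
        """Record one packet outcome and return the channel to use next."""
        self.total += 1
        self.history.append(delivered)
        if self.history.count(False) >= self.max_losses:
            old, self.channel = self.channel, self.next_channel()
            self.switches.append((self.total, old, self.channel))
            # Start with a clean window so one bad burst cannot cause
            # repeated hops on the new channel.
            self.history.clear()
        return self.channel


def run_trace(jammed_channel, n_packets, loss_period=0):
    """Constructed trace: every packet on the jammed channel is lost; on
    clear channels one packet in loss_period is lost (0 means none)."""
    hopper = ChannelHopper()
    for i in range(n_packets):
        if hopper.channel == jammed_channel:
            delivered = False
        else:
            delivered = not (loss_period and i % loss_period == 0)
        hopper.record(delivered)
    return hopper


if __name__ == "__main__":
    h = run_trace(jammed_channel=1, n_packets=100, loss_period=5)
    print(h.channel, h.switches)
```

Clearing the loss window after each hop keeps ordinary background loss on the new channel (here 1 packet in 5) from triggering another switch.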

One More Demo: Multi-path Fading
- Wireless channels can vary rapidly with small changes in position because of multi-path fading
  - multiple copies of transmitted signal bounce off objects and add together in channel
  - copies can add constructively or destructively

Current & Future Work
- Implementing smart DoS jammer
- Implementing better channel-switching techniques
- Add directional antennas and implement spatial jamming avoidance
- Develop and implement new protocols to avoid jamming