Attacks on WLAN Alessandro Redondi

Disclaimer
- Under the Italian Criminal Code (articles 340, 617, 617 bis):
  - up to 1 year of jail for interrupting a public service
  - 6 months to 4 years of jail for installing devices used to interrupt or intercept communications

Classification of attacks
- Passive: eavesdropping, sniffing
- Active:
  - jamming
  - packet forgery, frame injection
  - man in the middle
  - rogue AP, AP phishing, MAC spoofing
  - denial of service (against the AP or a STA)
  - greedy behavior

Denial-of-service (DoS) attacks
- DoS attacks target network availability: they prevent legitimate users from accessing the network
- 802.11 is particularly exposed because the medium is shared and open: no physical connection to the wired infrastructure is needed to reach it
- Attackers exploit the resulting anonymity (it is hard to locate the source of the attack)

802.11 identity vulnerabilities
- Every 802.11 frame carries the sender's MAC address in the header
- Encryption (WEP/WPA/WPA2) protects only the frame body; the header travels in the clear
- No mechanism verifies the correctness of this self-reported identity
- Consequently, an attacker can spoof (impersonate) other nodes and request MAC-layer services on their behalf

Deauthentication attack
- 802.11 management frames allow a party to explicitly request deauthentication (type 0, subtype 0x0C)
- The deauthentication frame is not authenticated
- An attacker can pretend to be the AP (or the STA) and ask the other party to deauthenticate
- Deauthentication implies disassociation: the STA must authenticate and associate again, which takes some time

Deauthentication attack (figure slide: message sequence, not transcribed)

Deauthentication attack (cont.)
- The deauth attack is very flexible: it can deny access to individual clients or merely rate-limit their access
- The attacker needs to monitor the channel and send a deauth only after a new authentication has taken place
- The attacker must also make sure the target does not switch to another channel

Disassociation attack
- Very similar to the deauthentication attack, but less effective
- A client may be authenticated with multiple APs but associated with only one; a disassociated client can re-associate without authenticating again
- Deauthentication forces the victim to do more work to return to the associated state

Defense against deauthentication attacks
- The 802.11w Management Frame Protection (MFP/PMF) amendment protects Deauth and Disassoc frames with the WPA2 (RSN) session keys, so they can no longer be spoofed (not widely supported at the time of this lecture, but mandatory for 802.11ac certification; WPA3 requires it as well)
- Simple alternative: delay the effect of a deauth request by 5-10 seconds; if a data frame arrives from the client after the request, discard the request (no legitimate client would send data after deauthenticating)
- Drawback: problems when the STA really moves to another AP
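The frame format and the delayed-deauth mitigation above, as an added example that is not part of the lecture slides: it builds and parses a raw deauthentication frame with the Python standard library only (no Scapy, nothing is transmitted) and models the AP-side grace-period rule, plus the 802.11w case in which an unprotected deauth is simply ignored. The addresses, the 5-second grace value and the class and function names are assumptions made for the demonstration.

```python
import struct

# Frame Control "type" values and the management subtypes used here
MGMT, CTRL, DATA = 0, 1, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C
FLAG_TO_DS, FLAG_PROTECTED = 0x01, 0x40      # bits of Frame Control byte 1


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0, duration=0, seq=0):
    """24-byte MAC header (FC, Duration, Addr1-3, SeqCtl; no FCS) + body."""
    fc = struct.pack("<BB", (subtype << 4) | (ftype << 2), flags)  # protocol version 0
    return (fc + struct.pack("<H", duration) + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + struct.pack("<H", seq << 4) + body)


def build_deauth(dst, src, bssid, reason=7, flags=0):
    """Deauthentication: type 0, subtype 0x0C, body = 2-byte reason code
    (7 = class 3 frame received from a non-associated STA)."""
    return build_frame(MGMT, SUBTYPE_DEAUTH, dst, src, bssid, struct.pack("<H", reason), flags)


def parse_frame(raw):
    fc0, flags, duration = struct.unpack_from("<BBH", raw, 0)
    f = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF, "flags": flags,
         "duration": duration, "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]),
         "addr3": mac_str(raw[16:22]), "protected": bool(flags & FLAG_PROTECTED)}
    if f["type"] == MGMT and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        f["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return f


class DelayedDeauthAP:
    """AP-side mitigation from the slides: a deauth/disassoc is queued for
    `grace` seconds and cancelled if a data frame from the same client
    arrives first (a client that really left would not keep sending data).
    If PMF (802.11w) was negotiated, an unprotected deauth is ignored."""

    def __init__(self, bssid, grace=5.0, pmf=False):
        self.bssid, self.grace, self.pmf = bssid, grace, pmf
        self.associated = set()
        self.pending = {}  # client MAC -> time at which the deauth takes effect

    def on_frame(self, raw, now):
        f = parse_frame(raw)
        if f["addr1"] != self.bssid:      # not addressed to this AP
            return
        src = f["addr2"]
        if f["type"] == MGMT and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            if src in self.associated and (f["protected"] or not self.pmf):
                self.pending.setdefault(src, now + self.grace)
        elif f["type"] == DATA and src in self.pending:
            del self.pending[src]         # client still active: the request was spoofed
        self.tick(now)

    def tick(self, now):
        """Apply the deauths whose grace period has elapsed; return who is still in."""
        for src, deadline in list(self.pending.items()):
            if now >= deadline:
                self.associated.discard(src)
                del self.pending[src]
        return set(self.associated)


def simulate(pmf=False):
    """Constructed scenario (hypothetical addresses): an attacker injects a
    deauth with the victim's MAC as source; the victim keeps sending data.
    Returns (queued?, still associated after the grace period?,
    still associated after a second deauth followed by silence?)."""
    ap_mac, victim = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    ap = DelayedDeauthAP(ap_mac, grace=5.0, pmf=pmf)
    ap.associated.add(victim)
    spoofed = build_deauth(ap_mac, victim, ap_mac)                    # unprotected
    data = build_frame(DATA, 0, ap_mac, victim, ap_mac, b"\xaa\xaa\x03", flags=FLAG_TO_DS)
    ap.on_frame(spoofed, 0.0)
    queued = victim in ap.pending
    ap.on_frame(data, 2.0)                 # victim is obviously still there
    kept = victim in ap.tick(6.0)
    ap.on_frame(spoofed, 10.0)             # this time the victim stays silent
    kept_after_silence = victim in ap.tick(16.0)
    return queued, kept, kept_after_silence


if __name__ == "__main__":
    print(parse_frame(build_deauth("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55")))
    print("without PMF:", simulate())          # (True, True, False)
    print("with PMF:   ", simulate(pmf=True))  # (False, True, True)
```

The second scenario in `simulate` is the drawback the slide mentions: a client that really left is kept on the books for the whole grace period, which is also why the timer is only a stopgap next to 802.11w.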

Power saving
- The power conservation functions of 802.11 present several vulnerabilities
- PS-Poll attack: the attacker spoofs the victim's MAC address and AID and polls the AP for pending traffic while the victim is sleeping; the AP empties its buffer and the victim loses the data
- Alternatively (harder to implement), the attacker can convince the victim that there is no pending data by spoofing beacons with an empty TIM

PS-Poll attack (figure slide: message sequence, not transcribed)

PS attack (2)
- A different attack tricks the AP into believing that the victim is in sleep mode
- The attacker transmits one or more frames to the AP with the victim's MAC address as source and the Power Management bit set
- The AP starts buffering the victim's data instead of delivering it
- The STA ignores the TIM in the beacons because it never really went to sleep
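Both power-save attacks above, replayed against a minimal model of an AP's buffering logic. This is an added example, not code from the lecture; the `PowerSaveAP` and `Victim` classes, the addresses and the payload names are made up for the demonstration, and the model deliberately omits everything (sequence numbers, the More Data bit, beacon timing) that is not needed to show why the attacks work.

```python
from collections import defaultdict


class PowerSaveAP:
    """Minimal model of an AP's power-save logic: a STA's state follows the
    Power Management bit of whatever frame claims to come from it, frames for
    sleeping STAs are buffered and announced in the beacon TIM, and a PS-Poll
    releases one buffered frame. Nothing here checks who really sent a frame."""

    def __init__(self, radio):
        self.radio = radio                    # callback(dst, payload): frame put on the air
        self.aid = {}                         # STA MAC -> association ID
        self.sleeping = set()
        self.buffer = defaultdict(list)       # STA MAC -> frames held for it

    def associate(self, mac):
        self.aid[mac] = len(self.aid) + 1
        return self.aid[mac]

    def on_frame(self, src, pm_bit):
        """Any frame from an associated STA updates its power state."""
        if src in self.aid:
            (self.sleeping.add if pm_bit else self.sleeping.discard)(src)

    def downlink(self, dst, payload):
        if dst in self.sleeping:
            self.buffer[dst].append(payload)
        else:
            self.radio(dst, payload)

    def tim(self):
        """AIDs the beacon's Traffic Indication Map would flag as having data."""
        return {self.aid[m] for m, q in self.buffer.items() if q}

    def on_pspoll(self, src, aid):
        """Release one buffered frame if the (unauthenticated) MAC/AID pair matches."""
        if self.aid.get(src) != aid or not self.buffer[src]:
            return None
        payload = self.buffer[src].pop(0)
        self.radio(src, payload)
        return payload


class Victim:
    """A STA that only hears frames while awake."""

    def __init__(self, mac):
        self.mac, self.awake, self.received = mac, True, []

    def hear(self, dst, payload):
        if dst == self.mac and self.awake:
            self.received.append(payload)


def pspoll_attack():
    """Victim sleeps legitimately; attacker polls with the victim's MAC and AID."""
    victim = Victim("aa:bb:cc:dd:ee:01")           # constructed address
    ap = PowerSaveAP(victim.hear)
    aid = ap.associate(victim.mac)
    ap.on_frame(victim.mac, pm_bit=1)
    victim.awake = False
    for p in ("f1", "f2", "f3"):
        ap.downlink(victim.mac, p)                  # buffered, TIM now lists the victim
    tim_before = ap.tim()
    while ap.on_pspoll(victim.mac, aid) is not None:  # attacker drains the buffer
        pass
    victim.awake = True
    ap.on_frame(victim.mac, pm_bit=0)
    return tim_before, ap.tim(), victim.received     # ({1}, set(), [])


def spoofed_pm_bit_attack():
    """Victim is awake; attacker sends a frame with the victim's MAC and PM=1."""
    victim = Victim("aa:bb:cc:dd:ee:02")
    ap = PowerSaveAP(victim.hear)
    ap.associate(victim.mac)
    ap.on_frame(victim.mac, pm_bit=1)               # attacker, not the victim
    for p in ("f1", "f2", "f3"):
        ap.downlink(victim.mac, p)
    # The victim never went to sleep, so it never looks at the TIM or polls.
    return ap.tim(), list(ap.buffer[victim.mac]), victim.received  # ({1}, ['f1', 'f2', 'f3'], [])


if __name__ == "__main__":
    print("PS-Poll attack:", pspoll_attack())
    print("spoofed PM bit:", spoofed_pm_bit_attack())
```

In the first scenario the TIM is clear again by the time the victim wakes up, so it has no hint that anything was lost; in the second the data sits in the AP's buffer until the victim happens to go to sleep and poll for it, or the AP ages it out.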

PS attack (2) (figure slide: message sequence, not transcribed)

802.11 MAC vulnerabilities
- A series of attacks exploit CSMA/CA and the virtual carrier sensing mechanism; no spoofing is required
- Since every node must observe the channel idle for at least a SIFS before transmitting, an attacker can monopolize the channel by transmitting a short signal before the end of every SIFS period
- The method is expensive: with a SIFS of 20 µs, the attacker must transmit 50,000 packets per second

Virtual carrier sensing attack
- RTS/CTS frames carry a Duration field that tells (possibly hidden) nodes how long to refrain from accessing the channel: they set their NAV accordingly
- An attacker can therefore prevent every station within RTS/CTS range from accessing the channel
- The RTS attack is cheap, and the reservation is propagated by the other stations' CTS responses
- The maximum Duration value is 32,767 µs (about 32 ms), so about 30 RTS frames per second are enough to jam the channel

Mitigating the NAV attack
- Much harder to defend against in practice than the deauth attack
- One approach to mitigate its effects is to cap the duration values that nodes accept:
  - Low cap: airtime of an ACK/CTS frame plus backoff. Applied to an observed RTS or any management frame (only an ACK/CTS can follow it)
  - High cap: airtime of the largest data frame plus backoff. Applied to an observed ACK or CTS (a data frame may follow it)

Mitigating the NAV attack (2)
- Checking the plausibility of the Duration field per frame type:
  - ACK frame: the reservation is valid only if the acknowledged data frame was fragmented (the next fragment follows); if fragmentation is not used, ignore the duration
  - Data frame: similar to the above
  - RTS frame: valid only as part of an RTS-CTS-Data sequence. Respect it until the time the Data frame should be observed; if the Data frame does not appear, ignore it
  - CTS frame: either bogus or the observing node is a hidden terminal that missed the RTS. Not enough information to decide
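The two "Mitigating the NAV attack" slides as an added example (not from the lecture): a NAV tracker that applies the low/high duration caps and the RTS-CTS-Data plausibility rules, compared with plain standard behaviour on a constructed attacker RTS and on a legitimate exchange. SIFS and slot values, frame airtimes and the backoff allowance are assumed 802.11a/g-style numbers; the `NavTracker` class and its frame-kind labels are inventions for the demonstration.

```python
SIFS_US, SLOT_US = 16, 9                 # 802.11a/g-style PHY (assumed)
MAX_DURATION_US = 32767                  # 15-bit Duration field: ~32.8 ms
CTS_ACK_AIRTIME_US = 44                  # assumed airtime of a 14-byte control frame
MAX_DATA_AIRTIME_US = 3200               # assumed airtime of the largest data frame
BACKOFF_US = SLOT_US * 15                # assumed allowance: one CWmin backoff
LOW_CAP_US = SIFS_US + CTS_ACK_AIRTIME_US + BACKOFF_US                   # only CTS/ACK may follow
HIGH_CAP_US = SIFS_US + MAX_DATA_AIRTIME_US + SIFS_US + CTS_ACK_AIRTIME_US + BACKOFF_US


def rts_rate_to_jam():
    """RTS frames per second needed to keep every NAV in range permanently set."""
    return 1e6 / MAX_DURATION_US         # ~30.5


class NavTracker:
    def __init__(self, filtered=True):
        self.filtered = filtered         # False = plain standard behaviour
        self.nav_end = 0                 # medium treated as reserved until this time (us)
        self.prev = None                 # kind of the last frame observed
        self.rts_deadline = None         # time by which Data must start after an RTS/CTS
        self.frag_pending = False        # last Data frame had More Fragments set

    def busy(self, now):
        if self.filtered and self.rts_deadline is not None and now > self.rts_deadline:
            self.nav_end, self.rts_deadline = 0, None   # RTS-CTS-Data never completed
        return now < self.nav_end

    def observe(self, kind, duration, start, airtime, more_frag=False):
        """Record a frame seen on the air: `start`/`airtime` in us, `duration`
        is its Duration field. Returns the NAV end time adopted."""
        end = start + airtime
        if not self.filtered:
            self.nav_end = max(self.nav_end, end + duration)
            self.prev = kind
            return self.nav_end
        if kind == "RTS":                                   # only a CTS can follow
            honored, cap = duration, LOW_CAP_US
            self.rts_deadline = end + SIFS_US + CTS_ACK_AIRTIME_US + SIFS_US + SLOT_US
        elif kind == "CTS":                                 # a Data frame may follow
            honored, cap = duration, HIGH_CAP_US
            if self.prev == "RTS":
                self.rts_deadline = end + SIFS_US + SLOT_US
            else:                                           # bogus, or we are a hidden node
                self.rts_deadline = None
        elif kind == "DATA":                                # only an ACK can follow
            honored = duration if more_frag else 0          # a reservation past the ACK
            cap = LOW_CAP_US                                #   only makes sense for fragments
            self.frag_pending = more_frag
            self.rts_deadline = None                        # sequence completed
        elif kind == "ACK":                                 # next fragment may follow
            honored, cap = (duration if self.frag_pending else 0), HIGH_CAP_US
        else:                                               # management frames
            honored, cap = duration, LOW_CAP_US
        self.nav_end = max(self.nav_end, end + min(honored, cap))
        self.prev = kind
        return self.nav_end


def scenarios():
    """Constructed traces. Returns (naive busy at 20 ms, filtered busy at 100 us,
    filtered busy at 20 ms) for a lone attacker RTS, then (busy mid-transfer,
    busy after the ACK) for a legitimate RTS-CTS-Data-ACK exchange."""
    naive, filt = NavTracker(filtered=False), NavTracker()
    for t in (naive, filt):
        t.observe("RTS", MAX_DURATION_US, start=0, airtime=52)   # attacker, nothing follows
    attack = (naive.busy(20_000), filt.busy(100), filt.busy(20_000))

    legit = NavTracker()
    data_air = 1000
    rts_dur = SIFS_US + CTS_ACK_AIRTIME_US + SIFS_US + data_air + SIFS_US + CTS_ACK_AIRTIME_US
    legit.observe("RTS", rts_dur, start=0, airtime=52)
    legit.observe("CTS", rts_dur - SIFS_US - CTS_ACK_AIRTIME_US, start=68, airtime=44)
    legit.observe("DATA", SIFS_US + CTS_ACK_AIRTIME_US, start=128, airtime=data_air)
    legit.observe("ACK", 0, start=1144, airtime=44)
    normal = (legit.busy(500), legit.busy(1200))
    return attack, normal


if __name__ == "__main__":
    print("RTS/s to jam:", round(rts_rate_to_jam(), 1))
    print("attacker RTS (naive@20ms, filtered@100us, filtered@20ms):", scenarios()[0])
    print("legit exchange (busy@500us, busy@1200us):", scenarios()[1])
```

The point of the caps is that a single forged frame can reserve at most one more frame's worth of airtime: to keep the channel blocked the attacker has to keep transmitting, which costs it airtime and makes it locatable, instead of sending 30 RTS frames per second.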

Other attacks
- Autoimmune disorder: non-conformant frames sent to the AP cause the AP to send broadcast deauth frames, disconnecting all of its clients
- Block ACK attacks in 802.11e: DoS effects lasting 10 seconds from a single frame
- Channel Switch attack: a forged Channel Switch Announcement forces the STA to move to a channel not used by the AP
- ATIM attack (ad-hoc mode): forged ATIM frames force STAs to stay awake and deplete their batteries

Attacks against access points
- In infrastructure mode the AP is a single point of failure: attacking the AP rather than a particular STA takes down the entire network
- Observation: any management frame a STA sends to the AP triggers processing, with consequent consumption of computational and transmission resources

Flooding attacks
- Probe Request Flood (PRF): a burst of probe requests with different (random) source MAC addresses forces the AP to answer each of them
- Authentication Request Flood (ARF): as PRF, but in addition the AP has to allocate memory to keep state for each new (fake) STA
- Association Request Flood (ASRF): even though the fake STAs are not authenticated, some APs reply to each request with a Disassociation or Deauthentication frame
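A detector for the three floods above, added here as an example and not part of the lecture. It runs a sliding window over the management requests an AP (or a monitor interface) sees and alerts on the number of distinct source addresses, the one signal a flood built on randomised MACs cannot hide; the thresholds, the window length, the `FloodDetector` name and the trace are all assumptions.

```python
from collections import Counter, deque

SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_AUTH = 0x0, 0x4, 0xB
REQUEST_NAMES = {SUBTYPE_ASSOC_REQ: "association request",
                 SUBTYPE_PROBE_REQ: "probe request",
                 SUBTYPE_AUTH: "authentication"}


class FloodDetector:
    """Sliding-window counter over management requests. Thresholds are
    assumed values; tune them to the site's normal client population."""

    def __init__(self, window_s=1.0, max_sources=20, max_frames=100):
        self.window, self.max_sources, self.max_frames = window_s, max_sources, max_frames
        self.events = deque()   # (time, subtype, src MAC) within the window

    def observe(self, t, subtype, src):
        """Feed one management frame; return an alert string or None."""
        if subtype not in REQUEST_NAMES:
            return None
        self.events.append((t, subtype, src))
        while self.events and self.events[0][0] < t - self.window:
            self.events.popleft()
        per_type = Counter(e[1] for e in self.events)
        sources = {e[2] for e in self.events}
        if len(sources) > self.max_sources or per_type[subtype] > self.max_frames:
            return (f"{REQUEST_NAMES[subtype]} flood at t={t:.2f}s: "
                    f"{len(sources)} distinct sources, {per_type[subtype]} frames "
                    f"in {self.window}s")
        return None


def make_trace():
    """Constructed trace: three real clients probing occasionally, then an
    authentication-request flood from 200 fabricated addresses in 0.5 s."""
    trace = []
    clients = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"]
    for i in range(30):                                  # t = 0 .. 2.9 s
        trace.append((i * 0.1, SUBTYPE_PROBE_REQ, clients[i % 3]))
    for i in range(200):                                 # t = 5.0 .. 5.5 s
        fake = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"
        trace.append((5.0 + i * 0.0025, SUBTYPE_AUTH, fake))
    return trace


def run(trace):
    """Return [(time, alert)] for every frame that tripped the detector."""
    det, alerts = FloodDetector(), []
    for t, subtype, src in trace:
        alert = det.observe(t, subtype, src)
        if alert:
            alerts.append((t, alert))
    return alerts


if __name__ == "__main__":
    found = run(make_trace())
    print(len(found), "alerts; first:", found[0][1] if found else None)
```

The distinct-source count fires after the 21st fabricated address, long before the per-type frame-rate threshold would; an AP that also tracks how many pending (unauthenticated or unassociated) state entries it holds gets the same signal from the ARF/ASRF variants, since each fake address costs it a table entry.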

Flooding attacks (figure slide: message sequence, not transcribed)

Greedy behavior attacks
- 802.11 assumes that all nodes (STAs and AP) follow the rules of the standard; this should give every user a fair share of resources
- However, a STA can deliberately misuse the MAC protocol to gain bandwidth at the expense of other stations

Uplink attack #1: selective interference
- A station selectively interferes with frames sent by other stations:
  - The attacker observes the victim's RTS and interferes with the CTS; the victim's contention window (CW) doubles
  - The attacker observes the victim's DATA frame and interferes with the ACK; the victim's CW doubles
- In both cases the attacker increases its own chance of accessing the channel

Uplink attack #2: manipulating protocol parameters
- Transmit after SIFS but before DIFS
- Inflate the Duration field
- Shorten the backoff by using a smaller contention window (CWmax)
- In all cases the attacker increases its chance of accessing the channel

Downlink attack
- Based on TCP congestion control between the victim and a remote endpoint S
- TCP is the transport protocol in the large majority of flows carried over 802.11
- Jamming the TCP ACKs sent by the victim to the AP makes S decrease its sending rate, so the bandwidth available to the attacker increases

Detection of greedy attacks
- An AP can detect greedy stations and bar them from the WLAN:
  - In uplink attack #1 the attacker shows fewer retransmitted frames than the other stations (its own frames are never jammed)
  - In uplink attack #2 the AP can monitor the idle period after each ACK and single out stations that transmit before a DIFS has elapsed
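The two AP-side detection rules above, as an added example that is not part of the lecture: the AP measures the idle gap between each of its own ACKs and the next uplink frame, and the per-station retry ratio, on a constructed uplink trace in which one station behaves greedily. DIFS/SIFS values, airtimes, thresholds, addresses and the `detect_greedy` function are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict

SIFS_US, SLOT_US = 16, 9
DIFS_US = SIFS_US + 2 * SLOT_US             # 34 us (802.11a/g values, assumed)
DATA_AIRTIME_US, ACK_AIRTIME_US = 400, 44   # assumed airtimes


def make_trace():
    """Constructed uplink trace as seen by the AP. Each entry is
    (time_us, kind, station, retry): 'DATA' = start of a station's frame,
    'ACK' = end of the AP's ACK (medium goes idle). Station :03 is greedy:
    it never waits a full DIFS and never needs to retransmit."""
    stations = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"]
    idle_gap = {stations[0]: [70, 52, 88, 43, 61, 97],
                stations[1]: [66, 48, 75, 57, 93, 39],
                stations[2]: [18, 20, 16, 22, 19, 17]}    # all below DIFS
    retry = {stations[0]: [0, 1, 0, 1, 0, 0],
             stations[1]: [0, 0, 1, 0, 1, 0],
             stations[2]: [0, 0, 0, 0, 0, 0]}
    trace, t = [], 0
    for i in range(6):
        for s in stations:
            t += idle_gap[s][i]
            trace.append((t, "DATA", s, bool(retry[s][i])))
            t += DATA_AIRTIME_US + SIFS_US + ACK_AIRTIME_US
            trace.append((t, "ACK", s, False))
    return trace


def detect_greedy(trace, min_frames=4, short_fraction=0.5, retry_factor=0.5):
    """Return {station: [reasons]} for the stations that look greedy."""
    idle_since, gaps = None, defaultdict(list)
    sent, retried = Counter(), Counter()
    for t, kind, station, retry in trace:
        if kind == "ACK":
            idle_since = t
            continue
        sent[station] += 1
        retried[station] += int(retry)
        if idle_since is not None:
            gaps[station].append(t - idle_since)
    verdict = defaultdict(list)
    # Uplink attack #2: the station starts transmitting before DIFS has elapsed
    for station, g in gaps.items():
        early = sum(1 for gap in g if gap < DIFS_US)
        if len(g) >= min_frames and early / len(g) > short_fraction:
            verdict[station].append(f"transmits before DIFS in {early}/{len(g)} cases")
    # Uplink attack #1: far fewer retransmissions than its peers, whose
    # CTS/ACK frames it jams while its own go through
    ratios = {s: retried[s] / sent[s] for s in sent if sent[s] >= min_frames}
    for station, ratio in ratios.items():
        others = [r for s, r in ratios.items() if s != station]
        if others and ratio < retry_factor * (sum(others) / len(others)):
            verdict[station].append(
                f"retry ratio {ratio:.2f} vs. peers' {sum(others) / len(others):.2f}")
    return dict(verdict)


if __name__ == "__main__":
    for station, reasons in detect_greedy(make_trace()).items():
        print(station, "->", "; ".join(reasons))
```

Both rules compare a station with its peers rather than with a fixed number, which matters in practice: a poor link also inflates a station's retry count, so a single station with an unusually low retry ratio is suspicious while a station with a high one is not.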

Attacks in 802.11s mesh networks
- 802.11s provides no incentive for stations to cooperate
- It is therefore vulnerable to insider attacks in which a mesh point tries to increase its own QoS at the expense of others; these are known as selfish attacks
- Some of them are similar to greedy attacks (jamming other stations' frames or modifying protocol parameters)

HWMP selfish attacks
- The attacking mesh point tries to influence path selection so that traffic is routed around it (less traffic to forward, more capacity for its own traffic)
- Route Diversion: modify PREQ frames before forwarding them (e.g. greatly increasing the hop count or the metric)
- Route Disruption: drop PREQ/PREP or RANN frames to/from the mesh gateway

Route diversion / disruption (figure slide: Route Diversion, Route Disruption)

Tools
- Aircrack-ng: main goal is to assess security by cracking WEP and WPA; supports frame injection and deauth attacks
- Tools based on Scapy (packet forgery library for Python):
  - https://github.com/veerendra2/wifi-deauth-attack
  - https://github.com/danmcinerney/wifijamme
- Collections of attack tools:
  - https://github.com/wi-fi-analyzer/wifi-arsenal
  - https://github.com/v1s1t0r1sh3r3/airgeddon

Friendly jamming
- A novel field of study
- Main idea: a device (e.g. the AP) monitors traffic and detects attack frames; when it sees one, the friendly jammer emits interference so that the victim cannot decode the attack frame
- Tool available at http://netweb.ing.unibs.it/~openfwwf/friendlyjammer/