
802.11 Denial-of-Service Attacks:
Real Vulnerabilities & Practical Solutions

Luat Vu
Alexander Alexandrov
802.11 Advantages

• Free spectrum
• Efficient channel coding
• Cheap interface hardware
• Easy to extend a network
• Easy to deploy
802.11 Problems

• Attractive targets for potential attacks
• Flexible for an attacker to decide where and when to launch an attack
• Difficult to locate the source of transmissions
• Not easy to detect well-planned attacks
• Vulnerabilities in the 802.11 MAC protocols
WEP

• Wired Equivalent Privacy
• Provides data privacy between 802.11 clients and access points
• Relies on shared secret keys
• Uses a challenge-response authentication protocol
• Data packets are encrypted when transferred
WEP Vulnerabilities

• Recurring weak keys
• Secret key can be recovered
• Under attack, network resources can be fully utilized and an attacker can monitor the traffic of other networks
• WEP-protected frames can be modified, new frames can be injected, and authentication frames can be spoofed, all without knowing the shared secret key
802.11 MAC protocol

• Designed to address problems specific to wireless networks
• Has abilities to discover networks, join and leave networks, and coordinate access
• Attacks on the MAC protocol:
  • Deauthentication/disassociation
  • Virtual carrier-sense attacks
  • Authentication DoS attacks
• Need a new protocol to overcome current security problems
802.11 Frame Types

• Management Frames
  Authentication Frames
  Deauthentication Frames
  Association request Frames
  Association response Frames
  Reassociation request Frames
  Reassociation response Frames
  Disassociation Frames
  Beacon Frames
  Probe Request Frames
  Probe Response Frames
• Data Frames
• Control Frames
  Request to Send (RTS) Frame
  Clear to Send (CTS) Frame
  Acknowledgement (ACK) Frame
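As an added example (not code from the slides or the paper), the following decoder maps the 2-byte Frame Control field and the Duration field of an 802.11 header onto the frame types listed above; the subtype numbers are the IEEE 802.11 values, and the sample headers are constructed.

```python
# Added example: decode Frame Control + Duration of an 802.11 header into
# the type / subtype names used on the slides.  Sample headers are constructed.
import struct

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}

MGMT_SUBTYPES = {
    0: "Association request", 1: "Association response",
    2: "Reassociation request", 3: "Reassociation response",
    4: "Probe request", 5: "Probe response", 8: "Beacon",
    10: "Disassociation", 11: "Authentication", 12: "Deauthentication",
}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}


def decode_header(frame: bytes) -> dict:
    """Return version, type, subtype, name and duration (us) of a frame header."""
    if len(frame) < 4:
        raise ValueError("need at least Frame Control + Duration (4 bytes)")
    # Both fields are little-endian on the air.
    fc, duration = struct.unpack("<HH", frame[:4])
    version = fc & 0x3           # bits 0-1: protocol version
    ftype = (fc >> 2) & 0x3      # bits 2-3: management / control / data
    subtype = (fc >> 4) & 0xF    # bits 4-7: subtype within the type
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, "Unknown management")
    elif ftype == 1:
        name = CTRL_SUBTYPES.get(subtype, "Unknown control")
    elif ftype == 2:
        name = "Data"            # QoS/null variants share the Data type
    else:
        name = "Reserved"
    return {"version": version, "type": TYPE_NAMES.get(ftype, "Reserved"),
            "subtype": subtype, "name": name, "duration": duration}


# Constructed sample headers: Frame Control (2 bytes) + Duration (2 bytes).
SAMPLES = {
    "deauth": bytes.fromhex("c000" "3a01"),   # management, subtype 12
    "rts":    bytes.fromhex("b400" "e803"),   # control, subtype 11, 1000 us
    "cts":    bytes.fromhex("c400" "ffff"),   # control, subtype 12, max duration
    "data":   bytes.fromhex("0800" "2c00"),   # data, subtype 0, 44 us
}
```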
Deauthentication

• A client must first authenticate itself to the AP before further communication
• Clients and AP use messages to explicitly request deauthentication from each other
• This message can be spoofed by an attacker because it is not authenticated by any key material
Deauthentication

• An attacker has great flexibility in attacking
• An attacker can pretend to be the AP or the client
• An attacker may elect to deny access to individual clients, or even rate-limit their access
Disassociation

• A client may be authenticated with multiple APs at once
• The 802.11 standard provides a special association message to allow the client and AP to agree which AP will forward packets
• 802.11 also provides a disassociation message; like authentication frames, association frames are unauthenticated
• An attacker can exploit this vulnerability in the same way as the deauthentication attack
Power Saving

• To conserve energy, clients are allowed to enter a sleep state
• The client has to announce its intention to the AP before going to sleep
• The AP will buffer any inbound traffic for the node
• When the client wakes up, it will poll the AP for any pending traffic
• By spoofing the polling message on behalf of the client, an attacker can cause the AP to discard the client’s packets while it is asleep
Media Access Vulnerabilities

• Short Interframe Space (SIFS)
• Distributed Coordination Function Interframe Space (DIFS)
• Before any frame can be sent, the sending radio must observe a quiet medium for one of the defined window periods
• The SIFS window is used for frames that are part of a preexisting frame exchange
• The DIFS window is used for nodes wishing to initiate a new frame exchange
Media Access Vulnerabilities

• To avoid all nodes transmitting immediately after the DIFS expires, the time after the DIFS is subdivided into slots
• Each node picks a time slot at random, with equal probability, to start transmitting
• If a collision occurs, a sender uses a random exponential backoff algorithm before retransmitting
Media Access Vulnerabilities

• A SIFS period is 20 microseconds
• An attacker can monopolize the channel by sending a short signal before the end of every SIFS period
• This attack is highly effective but requires a lot of effort
Media Access Vulnerabilities

• Duration field – another serious vulnerability
• The Duration field indicates the number of microseconds for which the channel is reserved
• It is used to implement the Network Allocation Vector (NAV)
• The NAV is used in the RTS/CTS handshake
802.11 Attack Infrastructure

• It seems all 802.11 NICs are inherently able to generate arbitrary frames
• In practice, devices implement key MAC functions in firmware to moderate access
• Could use undocumented modes of operation such as HostAP and HostBSS
• Choice Microsystems AUX port used for debugging
802.11 Deauthentication Attack

• Deauthentication attack implementation
• 1 attacker, 1 access point, 1 monitoring station, 4 legitimate clients
Deauthentication Attack Solution

• All 4 clients gave up connecting
• Could be solved by authenticating the frames, but that is expensive
• Practical solution – queue the requests for 5–10 seconds; if there is no subsequent traffic, drop the connection; simply modify the firmware
• Solves the problem, but introduces a new one
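The queued-deauthentication defense, written out as an added example (not the paper's firmware or the slides' code): an AP holds a deauthentication or disassociation request instead of honouring it at once, and cancels it if the client keeps sending traffic, which a spoofed request cannot suppress. HOLD_SECONDS = 5 is an assumed value inside the 5–10 s range quoted above, and timestamps are supplied by the caller.

```python
# Added example: AP-side "queue the deauth request" defense.  A request is
# held for HOLD_SECONDS; traffic from the client in that window cancels it,
# and only a request followed by silence actually drops the client.
# HOLD_SECONDS is an assumed value within the slide's 5-10 s range.
from dataclasses import dataclass, field

HOLD_SECONDS = 5.0


@dataclass
class DeauthQueue:
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # client -> deadline (s)

    def associate(self, client: str) -> None:
        self.associated.add(client)
        self.pending.pop(client, None)

    def on_deauth_request(self, client: str, now: float) -> None:
        """Queue the request instead of dropping the client right away.
        A repeated request does not extend an already running deadline."""
        if client in self.associated and client not in self.pending:
            self.pending[client] = now + HOLD_SECONDS

    def on_client_traffic(self, client: str) -> bool:
        """Traffic from the client while its request is queued cancels it;
        returns True if a queued request was cancelled (i.e. it was spoofed)."""
        return self.pending.pop(client, None) is not None

    def tick(self, now: float) -> list:
        """Expire queued requests whose hold time passed with no traffic;
        returns the clients that were actually dropped."""
        dropped = [c for c, deadline in self.pending.items() if now >= deadline]
        for c in dropped:
            self.pending.pop(c)
            self.associated.discard(c)
        return dropped

    def is_associated(self, client: str) -> bool:
        return client in self.associated
```

The roaming problem raised on the next slide is visible here: a client that keeps sending to its old AP never lets the queued request expire.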
Problems with this solution

• When a mobile client roams, which AP should receive packets destined for the client?
• An adversary can keep a connection open to the old AP by continuously sending packets
• Intelligent and dumb infrastructures
• Easy to solve for intelligent infrastructures, more problematic for dumb ones
802.11 Virtual Carrier-sense Attack

• Virtual carrier-sense attack
• Current 802.11 devices do not properly follow the specification
NS-2 Attack Simulation

• Assuming this bug will be fixed, simulate the attack in ns-2
• 18 static client nodes, 1 static attacker node sending arbitrary duration values 30 times a second
• Channel is completely blocked – much harder to defend against compared to the deauthentication attack
Simulation Results

• Solution – low and high caps on CTS duration time
Still not perfect…

• By increasing the attacker’s frequency to 90 packets per second, the network could still be shut down
Virtual Carrier-sense Attack Solution

• Solution – abandon portions of the standard 802.11 MAC functionality
• Four key frames contain duration values – ACK, data, RTS, CTS
• Stop fragmentation – no need for ACK and data duration values
• Only honour a valid RTS-CTS-data sequence
• Lone CTS – either unsolicited, or the observing node is a hidden terminal – solution: each node independently ignores lone CTS packets
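The stop-gap NAV rules above, combined in one station-side tracker as an added example (not the paper's simulation code): ACK and data durations are ignored because fragmentation is off, an RTS duration is clamped to the high cap, and a CTS is honoured only when it follows an RTS closely enough to be its answer, so a lone CTS never reserves the medium. DURATION_CAP_US and RTS_CTS_WINDOW_US are assumed parameters, not values from the paper.

```python
# Added example: NAV tracker applying the slide's stop-gap rules.  The cap
# and the RTS-to-CTS window are assumed parameters (not from the paper).
DURATION_CAP_US = 3000       # high cap on an accepted RTS/CTS reservation
RTS_CTS_WINDOW_US = 50       # a CTS must follow an overheard RTS within this gap


class NavTracker:
    def __init__(self):
        self.nav_until_us = 0      # time until which the medium counts as reserved
        self.last_rts_us = None    # timestamp of the last RTS overheard

    def on_frame(self, kind: str, duration_us: int, now_us: int) -> bool:
        """Process an overheard frame; return True if the NAV was updated."""
        if kind in ("ACK", "DATA"):
            # Without fragmentation these durations carry no reservation.
            return False
        if kind == "RTS":
            self.last_rts_us = now_us
        elif kind == "CTS":
            solicited = (self.last_rts_us is not None
                         and 0 <= now_us - self.last_rts_us <= RTS_CTS_WINDOW_US)
            if not solicited:
                # Lone CTS: unsolicited, or we are a hidden terminal.  Ignoring it
                # trades hidden-terminal protection for immunity to forged NAVs.
                return False
        else:
            raise ValueError(f"unknown frame kind {kind!r}")
        accepted = min(duration_us, DURATION_CAP_US)
        self.nav_until_us = max(self.nav_until_us, now_us + accepted)
        return True

    def medium_busy(self, now_us: int) -> bool:
        return now_us < self.nav_until_us
```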
Still suboptimal…

• Still not perfect – at a 30% threshold, the attacker can still lower the available bandwidth by 1/3
• Best solution – explicit authentication of 802.11 control packets
• Requires a fresh, cryptographically signed copy of the originating RTS
• Significant alteration to the 802.11 standard; benefit/cost ratio not clear
Related Work – Launching and Detecting Jamming Attacks in 802.11

• Jamming – emitting radio frequencies that do not follow the 802.11 MAC protocol
• Measured by PSR (packet send ratio) and PDR (packet delivery ratio)
• Four attack models – constant, deceptive, random, reactive jammer
Effectiveness of Jamming Attacks

Basic Statistics for Detecting Jamming

• Signal Strength
• Can be either Basic Average or Signal Strength Spectral Discrimination – unreliable
Basic Statistics for Detecting Jamming

• Carrier Sensing Time
• However, one has to differentiate between congestion and jamming
• With a PDR of 75%, 60 ms was determined to be the optimal threshold for 99% confidence
• Still detects only constant and deceptive jammers
• Packet Delivery Ratio – effective for all jammers, but still cannot differentiate between jamming and other network dynamics like the sender running out of battery power
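As an added example (not code from the related-work paper), a small detector runs the two statistics above over constructed measurement windows: a carrier-sensing time above the 60 ms threshold flags a constant or deceptive jammer, while a PDR collapse on its own is reported only as "degraded", since the page notes PDR cannot tell jamming from a sender that simply died. PDR_FLOOR is an assumed value; the 60 ms threshold is the one quoted on the slide.

```python
# Added example: classify a measurement window using carrier-sensing time
# and packet delivery ratio.  SENSING_THRESHOLD_MS is the slide's 60 ms
# figure; PDR_FLOOR is assumed.  All sample windows are constructed.
from statistics import mean

SENSING_THRESHOLD_MS = 60.0   # 99%-confidence threshold quoted for a 75% PDR
PDR_FLOOR = 0.75              # assumed: below this the link is clearly impaired


def packet_delivery_ratio(sent: int, delivered: int) -> float:
    """PDR = delivered / sent; an idle window (nothing sent) counts as healthy."""
    return delivered / sent if sent else 1.0


def classify(sensing_times_ms: list, sent: int, delivered: int) -> str:
    """Return 'normal', 'degraded ...' or 'jammed ...' for one window."""
    avg_sense = mean(sensing_times_ms) if sensing_times_ms else 0.0
    pdr = packet_delivery_ratio(sent, delivered)
    if avg_sense > SENSING_THRESHOLD_MS:
        # The medium never goes idle: constant or deceptive jammer.
        return "jammed (constant/deceptive)"
    if pdr < PDR_FLOOR:
        # Medium looks idle but frames die: reactive/random jammer, or an
        # unrelated cause (dead peer, battery).  PDR alone cannot separate them.
        return "degraded (jamming or peer/link failure)"
    return "normal"


# Constructed windows: (carrier-sensing samples in ms, packets sent, delivered)
WINDOWS = {
    "quiet":    ([2.0, 3.5, 1.2, 4.0], 100, 96),
    "constant": ([140.0, 155.0, 160.0], 100, 3),
    "reactive": ([3.0, 2.5, 4.1], 100, 40),
}
```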
Conclusions

• Wireless networks are popular due to convenience; however, confidentiality and availability are critical
• Arbitrary 802.11 frames can be easily sent using commodity hardware
• Deauthentication attacks are effective; virtual carrier-sense attacks will be
• Simple stop-gap solutions can be applied with low overhead on existing hardware
Thank you!

• Any questions?
