1127 wlan denial_wp_0811_v4
Transcript

  • 1. White paper: PREVENTING WIRELESS LAN DENIAL OF SERVICE ATTACKS. A guide to combating WLAN DoS vulnerabilities.
  • 2. Executive Summary

Wireless communications that use a shared Radio Frequency (RF) medium are often vulnerable to Denial of Service (DoS) attacks. Wireless Local Area Networks (WLANs) based on the IEEE 802.11 standard are no exception. In addition to brute-force Physical (PHY) layer jamming attacks, WLANs are susceptible to various Media Access Control (MAC) layer vulnerabilities that can lead to DoS. This paper provides an overview of WLAN DoS scenarios and of the available countermeasures to detect and mitigate them.
  • 3. WLAN Denial of Service Overview

WLANs communicate in the license-free 2.4 and 5 GHz bands. This spectrum is shared with other wireless devices and protocols such as cordless phones, microwave ovens and Bluetooth devices. These devices and protocols often do not coexist well and can create mutual interference when co-located and operating concurrently. WLANs use the IEEE 802.11 protocol to avoid collisions between devices and to allow fair sharing of the medium. WLAN Denial of Service can be intentional (an attacker in the vicinity) or unintentional (neighboring devices interfering with each other), as illustrated in Figure 1.

Figure 1: Denial of Service scenarios for WLANs
  Physical layer: unintentional (e.g. microwave ovens); intentional (e.g. RF jammers)
  MAC layer: unintentional (e.g. neighboring Wi-Fi); intentional (e.g. WLAN-Jack, void11)

Physical Layer Vulnerabilities

WLAN devices sense the RF medium to determine whether the channel is free before transmitting their own packets. The protocol is referred to as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). In CSMA, a device wishing to transmit must first listen to the channel for a predetermined amount of time to check for any activity. If the channel is idle, the device is allowed to transmit; if the channel is busy, the device must defer its transmission. Collision avoidance schemes are deliberately not "greedy" about grabbing the channel: a device that senses activity backs off for a random interval before trying again. In essence, WLANs are designed to "play nice" on the shared medium.

By contrast, devices such as microwave ovens simply spew energy into the 2.4 GHz band whenever they are powered up. Other devices such as wireless video cameras may use a continuous-wave modulation scheme in which they radiate energy on a given RF channel all the time. If such devices operate in the vicinity of a WLAN, they can effectively shut down all WLAN communication, because the WLAN devices defer their transmissions until they sense an idle medium, which a continuous emitter never provides.

Malicious RF jammers are also freely available on the internet. These devices are illegal to operate in most jurisdictions and are specifically designed to disrupt wireless communications. Figure 2 shows a handheld, quad-band cellular and 2.4 GHz jammer that runs on a 6.0 V NiMH battery pack with an approximate battery life of one hour. The device has a total output power of 1200 mW (a typical WLAN access point operates at about 100 mW) and can effectively block WLAN communication within a 30 meter radius. Very high power jammers radiating 200 W, effective over a 1 km radius, are also available on the black market.

Figure 2: A wireless jammer for the 2.4 GHz and cell phone bands (source: Global Gadget UK Ltd.)
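To make the deferral behaviour concrete, here is a small slotted CSMA/CA simulation written for this page; it is not code from the white paper or from Motorola. It models compliant stations drawing random backoffs, a continuous emitter that keeps the medium busy (the microwave-oven or CW-jammer case above) and, going one step beyond this section, a greedy station that never backs off (the contention-window abuse discussed later under Media Access Control Vulnerabilities). The slot and frame lengths and the contention window bounds are assumed values chosen for illustration, not 802.11 timing constants.

```python
import random
from dataclasses import dataclass

FRAME_SLOTS = 20            # slots that one data frame plus its ACK occupies (assumed)
CW_MIN, CW_MAX = 16, 1024   # contention window bounds in slots (assumed)


@dataclass
class Station:
    name: str
    greedy: bool = False    # attacker: never backs off, transmits the moment the medium is idle
    cw: int = CW_MIN
    backoff: int = 0
    sent: int = 0           # slots during which this station held the channel

    def draw_backoff(self, rng):
        self.backoff = 0 if self.greedy else rng.randrange(self.cw)


def simulate(stations, slots=200_000, continuous_emitter=False, seed=1):
    """Return {station name: fraction of the run during which it held the channel}."""
    rng = random.Random(seed)
    for s in stations:
        s.draw_backoff(rng)
    t = 0
    while t < slots:
        if continuous_emitter:         # a microwave oven or CW jammer: carrier sense never says idle,
            t += 1                     # so nobody counts down and nobody transmits
            continue
        ready = [s for s in stations if s.backoff == 0]
        if not ready:                  # idle slot: every station counts its backoff down by one
            for s in stations:
                s.backoff -= 1
            t += 1
            continue
        if len(ready) == 1:            # exactly one station finished its backoff: clean transmission
            ready[0].sent += FRAME_SLOTS
            ready[0].cw = CW_MIN
        else:                          # collision: frame time is wasted, colliders back off harder
            for s in ready:
                s.cw = min(s.cw * 2, CW_MAX)
        for s in ready:                # stations that did not transmit keep their residual backoff
            s.draw_backoff(rng)
        t += FRAME_SLOTS
    return {s.name: s.sent / slots for s in stations}


def scenario(n_compliant=3, attacker=False, continuous_emitter=False):
    """Three ready-made cases: fair sharing, a continuous emitter, a greedy attacker."""
    stations = [Station(f"sta{i}") for i in range(n_compliant)]
    if attacker:
        stations.append(Station("attacker", greedy=True))
    return simulate(stations, continuous_emitter=continuous_emitter)


if __name__ == "__main__":
    print("fair sharing:      ", scenario())
    print("continuous emitter:", scenario(continuous_emitter=True))
    print("greedy attacker:   ", scenario(attacker=True))
```

Run as a script it prints the three channel shares. With three compliant stations each gets roughly a third of the time the medium is in use (collisions cost the rest); with a continuous emitter every share is zero, because carrier sense never reports an idle medium; with a greedy station the compliant stations never transmit at all, since any slot in which one of them finishes its backoff is also a slot in which the attacker is transmitting.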
  • 4. MAC Layer Vulnerabilities

The 802.11 MAC is particularly vulnerable to DoS. Until the 802.11w amendment discussed later in this paper, the standard protected only data frames and left control and management frames open to manipulation by an attacker. Since the ratification of the IEEE 802.11i standard in 2004, WLANs have been able to provide strong authentication of wireless devices and encryption of data traffic. 802.11i uses IEEE 802.1X port-based access control, carrying the Extensible Authentication Protocol (EAP), to ensure that only authorized devices gain access to the wireless network, and the Advanced Encryption Standard (AES, in the CCMP mode of operation) to provide confidentiality and integrity for the data exchanged between authenticated devices. IEEE 802.11i is the basis for the WPA2 (Wi-Fi Protected Access 2) industry certification. A major limitation of 802.11i is that it offers no protection for the management and control frames that establish connections and, in general, govern the behavior of a WLAN. Tools such as wlan-jack, hunter-killer and void11 exploit the lack of management and control frame protection to mount DoS attacks on WLANs.

Management Frame Exploits

One of the most popular WLAN DoS attacks is based on spoofed deauthentication and disassociation frames, as depicted in Figure 3. These management frames, like other 802.11 management frames, are not authenticated. An attacker can therefore spoof the MAC address of an AP and send a deauthentication frame to a client, or vice versa. The attacker can periodically scan all channels and transmit spoofed deauthentication messages to valid clients, terminating their connections. Deauthentication is not a request, it is a notification: when a station hears a deauthentication frame it has no cryptographic means of determining whether the frame actually came from the AP. It terminates its wireless session and may attempt to reauthenticate. By continuously transmitting deauthentication frames, the attacker prevents any data communication between the AP and the station, despite the authentication and encryption that protect data traffic, and the DoS succeeds. A spoofed disassociation frame produces the same end result, disassociating the client from the AP. A deauthentication attack is slightly more effective than a disassociation attack because the client must first re-authenticate and then re-associate, i.e. do more work to re-establish the connection. Using the same basic principle, an attacker can spoof the source of other management or control frames to cause DoS.

Figure 3: DoS attack using spoofed deauthentication and/or disassociation messages (the attacker sends spoofed deauthentication and disassociation frames to the client, apparently from the AP)

Power Save Exploits

Another WLAN DoS attack exploits the power saving mechanism in the standard. Mobile WLAN clients are allowed to enter a sleep state in which their WLAN radio is disabled to conserve battery life. While an associated client is asleep, the AP buffers any traffic destined for it. The client wakes up periodically and polls the AP for buffered traffic, which the AP delivers and then discards. An attacker can send a spoofed power save poll (PS-Poll) message while the client is still sleeping, causing the AP to transmit and discard the buffered traffic before the client can receive it. It is also possible to trick the client into thinking that there are no buffered frames. Frames buffered at the AP are advertised in a Traffic Indication Map (TIM). An attacker can spoof a TIM that shows no buffered traffic, causing the client to go straight back to sleep, so that its frames at the AP are eventually dropped.
  • 5. Media Access Control Vulnerabilities

The 802.11 MAC is designed for collision avoidance and fair sharing of the RF medium. The fundamental assumption behind fair sharing, of course, is that devices follow the protocol. The basic protocol requires 802.11 devices to contend for the channel during a contention window, as illustrated in Figure 4. Devices wait for a random backoff period before sensing the medium and initiating a transmission. Once a device has started transmitting, other devices wait for the channel to be free before transmitting. A typical MAC frame includes a duration field that tells other devices how long (including the acknowledgement, ACK) the medium will be busy. This provides virtual carrier sensing in addition to physical carrier sensing: APs and stations keep track of the transmission durations of the other devices they hear in order to determine when the next transmit opportunity will arise.

An attacker can easily circumvent the protocol and monopolize the channel. By initiating transmissions without waiting out the mandated contention window, the attacker gains repeated access to the channel before any legitimate device does. Further, by spoofing the duration field with very large values, the attacker can convince legitimate stations that the medium is busy and prevent them from gaining access. Control frames such as Clear to Send (CTS) are not authenticated, so an attacker with a single radio can send them with spoofed duration values to block the channel completely, and hop between frequencies to block several channels in turn.

Figure 4: 802.11 MAC protocol (contention window, then data frame and ACK with the channel reserved legitimately, versus the channel monopolized by the attacker)

Unintentional DoS

There are several instances in which WLANs experience DoS or degraded performance because of neighboring WLAN traffic. Similar to unintentional interference from non-WLAN sources, this type of interference happens when co-located WLANs operate on the same channel. For example, a client might hear transmissions from a neighboring AP and back off its own transmissions to avoid collisions. This leads to reduced throughput and increased transmission latency.
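The following detector, written for this page rather than taken from the white paper or from AirDefense, shows what the anomaly checks named above look like over raw 802.11 frames: it parses the frame control, duration and address fields, counts deauthentication/disassociation frames per claimed sender in a sliding window (the Management Frame Exploits of the previous section), and watches the duration field of CTS/RTS frames both for values that cannot be a valid NAV and for a per-address reservation total that would keep the channel mostly idle (the virtual carrier-sense exploit described in this section). The MAC addresses, frames, timestamps and thresholds are all constructed for the example, and the frames are assumed to arrive with radiotap header and FCS already removed.

```python
import struct
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

MGMT, CTRL = 0, 1                             # frame types
DISASSOC, DEAUTH = 0xA, 0xC                   # management subtypes
RTS, CTS, ACK = 0xB, 0xC, 0xD                 # control subtypes
NAV_MAX_US = 32767                            # largest Duration value that is a NAV (bit 15 clear)
NO_TRANSMITTER = {(CTRL, CTS), (CTRL, ACK)}   # control frames that carry only a receiver address


@dataclass
class Frame:
    ftype: int
    subtype: int
    duration: int             # Duration/ID field
    addr1: str                # receiver address
    addr2: Optional[str]      # transmitter address, None for CTS/ACK
    reason: Optional[int]     # reason code for deauth/disassoc, else None


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse(raw):
    """Decode the generic 802.11 header; None for anything shorter than a CTS."""
    if len(raw) < 10:
        return None
    fc, duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr2 = mac(raw[10:16]) if len(raw) >= 16 and (ftype, subtype) not in NO_TRANSMITTER else None
    reason = None
    if ftype == MGMT and subtype in (DISASSOC, DEAUTH) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # frame body follows the 24-byte header
    return Frame(ftype, subtype, duration, mac(raw[4:10]), addr2, reason)


class DosDetector:
    """Sliding-window checks over (timestamp_us, Frame) pairs; thresholds are assumed tuning values."""

    def __init__(self, window_us=1_000_000, deauth_limit=10, nav_busy_fraction=0.5):
        self.window_us, self.deauth_limit, self.nav_busy_fraction = window_us, deauth_limit, nav_busy_fraction
        self.deauths = defaultdict(deque)   # claimed sender -> timestamps of deauth/disassoc
        self.nav = defaultdict(deque)       # reserving address -> (timestamp, microseconds reserved)
        self.nav_flagged = set()

    def _expire(self, dq, now, stamp=lambda e: e):
        while dq and now - stamp(dq[0]) > self.window_us:
            dq.popleft()

    def feed(self, ts, f):
        """Return the alerts (usually none) raised by one frame."""
        alerts = []
        if f.ftype == MGMT and f.subtype in (DEAUTH, DISASSOC):
            dq = self.deauths[f.addr2]
            dq.append(ts)
            self._expire(dq, ts)
            if len(dq) == self.deauth_limit:           # fire once, as the limit is crossed
                kind = "deauth" if f.subtype == DEAUTH else "disassoc"
                alerts.append(f"{kind} flood: {len(dq)} frames claiming sender {f.addr2} "
                              f"in {self.window_us / 1e6:g}s, reason {f.reason}")
        if f.ftype == CTRL and f.subtype in (RTS, CTS):
            if f.duration > NAV_MAX_US:
                alerts.append(f"invalid NAV {f.duration} > {NAV_MAX_US} us in CTS/RTS to {f.addr1}")
            who = f.addr2 or f.addr1                   # a CTS names only the receiver
            dq = self.nav[who]
            dq.append((ts, min(f.duration, NAV_MAX_US)))
            self._expire(dq, ts, stamp=lambda e: e[0])
            reserved = sum(d for _, d in dq)
            over = reserved > self.nav_busy_fraction * self.window_us
            if over and who not in self.nav_flagged:
                alerts.append(f"virtual carrier-sense abuse: {reserved} us reserved for {who} "
                              f"within {self.window_us / 1e6:g}s")
            (self.nav_flagged.add if over else self.nav_flagged.discard)(who)
        return alerts


def build(fc0, duration, addr1, addr2=None, addr3=None, body=b""):
    """Constructed frame with FCS stripped: FC low byte, duration, one to three addresses, body."""
    raw = struct.pack("<HH", fc0, duration) + bytes.fromhex(addr1.replace(":", ""))
    for a in (addr2, addr3):
        if a is not None:
            raw += bytes.fromhex(a.replace(":", ""))
    if addr3 is not None:
        raw += b"\x00\x00"                              # sequence control
    return raw + body


AP, STA, BOGUS = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"   # constructed addresses


def demo():
    det, alerts = DosDetector(), []
    # twelve deauths 10 ms apart, addressed to the client and claiming the AP as sender
    # (reason code 7: class 3 frame received from a nonassociated station)
    for i in range(12):
        alerts += det.feed(i * 10_000, parse(build(0xC0, 314, STA, AP, AP, struct.pack("<H", 7))))
    # thirty CTS frames to a non-existent receiver, each reserving the maximum NAV, every 20 ms
    for i in range(30):
        alerts += det.feed(200_000 + i * 20_000, parse(build(0xC4, NAV_MAX_US, BOGUS)))
    # one CTS whose duration field cannot be a NAV at all
    alerts += det.feed(900_000, parse(build(0xC4, 40_000, BOGUS)))
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The deauth check keys on the claimed transmitter address because that is all a spoofed frame offers; correlating it with the real AP's signal strength or sequence numbers is the usual next step. The NAV check deliberately caps each reservation at 32767 µs so that an out-of-range value cannot inflate the total, and reports it separately, since a duration above that limit is never legitimate in a CTS or RTS.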
  • 6. WLAN Denial of Service Countermeasures

A 24x7 Wireless Intrusion Prevention System (WIPS) can be used to detect a DoS attack effectively. Mitigating DoS attacks, however, particularly intentional ones initiated by a sophisticated attacker, can be very difficult and in most cases may not be possible. An effective overall WLAN DoS mitigation strategy depends on being able to:
  (i) detect an attack accurately in real time;
  (ii) determine the physical location of the attacker and notify the appropriate personnel;
  (iii) attempt WIPS mitigation and/or physically neutralize the attacker; and
  (iv) provide forensic analysis capabilities.

DoS Detection

A WIPS should be capable of detecting both PHY and MAC layer DoS attacks. Motorola AirDefense Services Platform provides the most comprehensive Layer 1 and Layer 2 WLAN DoS detection capabilities available in the industry. It is capable of detecting 17 different DoS attacks using attack signatures (e.g. wlan-jack, fata-jack, hunter-killer) as well as protocol anomaly analysis (e.g. EAP floods, CTS floods, deauthentication/disassociation floods, virtual carrier-sense exploits). Further, unlike competitive solutions, AirDefense Services Platform can detect non-WLAN sources of interference that may be causing intentional or accidental DoS. Figure 5 depicts the spectrum analysis capability of AirDefense Services Platform, which can be used to detect Layer 1 DoS attacks and classify the type of source.

Figure 5: AirDefense Services Platform detecting physical layer DoS attacks

Location Tracking

Once a DoS attack is detected, it is paramount to determine the physical location of the source or attacker. For example, the attacker could be in the parking lot of an office. By generating an alarm in real time and pinpointing the attacker's location, security guards can be dispatched to neutralize the perpetrator. AirDefense Services Platform can not only detect an attack but also determine the location of the source using signal strength triangulation. Using its highly flexible and configurable notification mechanisms, the appropriate personnel present at the site of the attack can be notified in real time.

DoS Mitigation

Most DoS attacks cannot be mitigated. Unintentional ones, such as interference from neighboring WLANs or from co-located devices such as microwave ovens, can be mitigated by changing the WLAN's channel plan. The Motorola WLAN includes SmartRF algorithms that automatically determine the optimum channels based on changing real-time conditions, and Motorola AirDefense Services Platform DoS alarms can be used by WLAN management systems to trigger a reconfiguration of the operating channels to minimize interference.

A determined attacker, however, can always disrupt a WLAN. Some WIPS vendors misleadingly assert that they can "prevent" DoS attacks. One vendor in particular claims that its sensors can prevent the attacker from gaining access to the channel while allowing authorized devices to communicate, using a mechanism similar to the one described in Figure 4: the sensors spoof duration fields in their own transmissions to reserve the channel for authorized devices while denying it to the attacker. This rests on the flawed assumption that the attacker plays by the 802.11 rules and will honor the reservation. The attacker can simply ignore the channel reservation attempted by the spoofed frames from the WIPS sensor and continue to transmit deauthentication frames; the authorized devices need to hear just one to end their wireless session. Further, the attacker can always mount a physical layer attack that is totally immune to the proposed technique. By attempting to orchestrate transmit opportunities for valid devices in a proprietary manner, the vendor's system will cause significant performance degradation as traffic load increases, with virtually no real DoS mitigation benefit.

  • 7. The IEEE 802.11 working group has recently ratified the 802.11w amendment, which provides integrity protection (and, for unicast frames, encryption) for a subset of management frames known as robust management frames, including deauthentication, disassociation and robust action frames. Motorola WLAN infrastructure supports 802.11w. The primary advantage of 802.11w is that it defeats DoS attacks that rely on spoofing those management frames. An 802.11w-capable station can distinguish whether the deauthentication frame in Figure 3 came from the AP it is connected to (if the AP also supports 802.11w and protection was negotiated) or was spoofed by an attacker masquerading as the AP; it ignores the spoofed deauthentication frame and the DoS attack fails. Similarly, 802.11w provides authenticity and integrity for the other commonly spoofed management frames. The fundamental mechanism that Layer 2 DoS attacks exploit in WLANs is the lack of authentication of management and control frames. Unfortunately, while 802.11w protects against DoS attacks that exploit spoofed robust management frames (such as deauthentication or disassociation), it offers no protection against attacks that use spoofed control frames (such as the CTS exploit above), the management frames exchanged before keys are established (beacons, probe, authentication and association frames), media access blocking or RF jamming. The only guaranteed way to neutralize an intentional DoS attack is to find and eliminate the attacker. For that, the WIPS must accurately detect both Layer 1 and Layer 2 DoS, locate the source, and provide flexible notification mechanisms that integrate with the enterprise's physical security infrastructure to capture and neutralize the attacker.

Forensic Analysis

Real-time DoS attack detection is important. However, the ability to analyze minute-by-minute wireless behavior with a historical perspective is indispensable for detecting sophisticated and persistent WLAN attacks. AirDefense Services Platform allows organizations to trace any suspicious device by rewinding and reviewing minute-by-minute records of its connectivity and communication with the WLAN, thereby facilitating forensic investigations. Wireless activity is logged and the data is stored in a tamper-proof way to ensure that a full audit trail is maintained. AirDefense Enterprise maintains 325 different statistics for every wireless device, every minute, and can store this data for months. By analyzing patterns over a period of time, even subtle DoS scenarios can be unearthed. Capabilities such as historical location tracking can be used to determine the attacker's physical whereabouts over time and can be vital in apprehending the culprit.

Figure 6: Advanced Forensics for investigating WLAN DoS attacks
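Whether an AP offers the 802.11w protection described above is visible to any station before it associates, in the RSN information element of the AP's beacons and probe responses, which carries two capability bits: MFPC (management frame protection capable) and MFPR (protection required). The audit script below was written for this page (it is not Motorola's code) to decode that element and report whether protection is absent, optional or required; the beacon contents it checks are constructed samples, and the field layout follows the RSN element definition in IEEE 802.11.

```python
import struct

RSN_IE, SSID_IE = 48, 0
OUI_IEEE = b"\x00\x0f\xac"
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
MFPR, MFPC = 1 << 6, 1 << 7          # RSN Capabilities bits


def iter_ies(tagged):
    """Yield (element id, payload); stop at the first truncated element rather than guess."""
    off = 0
    while off + 2 <= len(tagged):
        eid, ln = tagged[off], tagged[off + 1]
        if off + 2 + ln > len(tagged):
            break
        yield eid, tagged[off + 2: off + 2 + ln]
        off += 2 + ln


def selector(b, table):
    """Decode a 4-byte suite selector: 3-byte OUI followed by a 1-byte suite type."""
    if len(b) < 4:
        raise ValueError("truncated suite selector")
    return table.get(b[3], f"type-{b[3]}") if b[:3] == OUI_IEEE else f"vendor-{b[:3].hex()}-{b[3]}"


def parse_rsn(p):
    """Decode the RSN IE body; every field after the version is optional, in this fixed order."""
    if len(p) < 2:
        raise ValueError("RSN IE too short")
    out = {"version": struct.unpack_from("<H", p, 0)[0], "group": None,
           "pairwise": [], "akm": [], "caps": 0}
    off = 2
    if off + 4 <= len(p):
        out["group"] = selector(p[off:off + 4], CIPHERS)
        off += 4
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        if off + 2 > len(p):
            return out
        n = struct.unpack_from("<H", p, off)[0]
        off += 2
        if off + 4 * n > len(p):
            raise ValueError(f"{key} list overruns the element")
        out[key] = [selector(p[off + 4 * i: off + 4 * i + 4], table) for i in range(n)]
        off += 4 * n
    if off + 2 <= len(p):
        out["caps"] = struct.unpack_from("<H", p, off)[0]
    return out


def pmf_status(tagged):
    """'none', 'optional' (MFPC only), 'required' (MFPC and MFPR) or 'invalid' (MFPR without MFPC)."""
    for eid, payload in iter_ies(tagged):
        if eid == RSN_IE:
            caps = parse_rsn(payload)["caps"]
            if caps & MFPR:
                return "required" if caps & MFPC else "invalid"
            return "optional" if caps & MFPC else "none"
    return "none"          # no RSN IE at all: open, WEP or WPA1-only network


def rsn_ie(pairwise=(4,), akms=(2,), caps=0, group=4):
    """Build a constructed RSN IE for the samples below."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_IE, len(body)]) + body


SSID = bytes([SSID_IE, 4]) + b"corp"                     # constructed SSID element
SAMPLES = {                                              # constructed beacon tagged parameters
    "wpa2-psk, no pmf": SSID + rsn_ie(),
    "wpa2-psk, pmf optional": SSID + rsn_ie(akms=(2, 6), caps=MFPC),
    "wpa3-sae, pmf required": SSID + rsn_ie(akms=(8,), caps=MFPC | MFPR),
    "open network": SSID,
}

if __name__ == "__main__":
    for name, tagged in SAMPLES.items():
        print(f"{name:24s} -> PMF {pmf_status(tagged)}")
```

On real traffic, pass the bytes that follow the 12-byte fixed fields (timestamp, beacon interval, capability) of a captured beacon body. Two caveats follow from the text above: "optional" (MFPC set, MFPR clear) means a client that does not negotiate protection still associates unprotected and can still be deauthenticated by a spoofed frame, and even "required" covers only the robust management frames after the key handshake, never control frames such as CTS or the beacons and probe responses this script parses.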
  • 8. Conclusions

Wireless DoS attacks can be initiated at the physical or MAC layer and can cripple a WLAN. While intentional DoS attacks cause the most damage, unintentional interference can also be deleterious. Physical layer DoS attacks are caused by RF jammers that prevent WLAN devices from communicating. MAC layer DoS attacks exploit the lack of management and control frame protection, along with media access vulnerabilities in the 802.11 protocol. Management frame protection has recently been incorporated into the standard through the 802.11w-2009 amendment; however, control frame protection and RF jamming attacks are not addressed by that revision. Some vendors inaccurately claim to be able to "prevent" DoS attacks. These claims are dubious, since neither RF jamming attacks nor MAC-based DoS attacks initiated by a determined attacker can truly be prevented. A successful mitigation strategy involves being able to accurately detect, locate and physically neutralize the attacker. Granular historical forensic data is extremely useful in detecting and locating sophisticated attacks. AirDefense Enterprise provides the most comprehensive DoS detection and mitigation capabilities for WLAN deployments.

Motorola AirDefense Enterprise capabilities against WLAN DoS attacks

  WLAN DoS attack                 Detect   Locate   Mitigate   Forensics
  Physical layer, intentional     yes      yes      limited    yes
  Physical layer, unintentional   yes      yes      yes        yes
  MAC layer, intentional          yes      yes      limited    yes
  MAC layer, unintentional        yes      yes      yes        yes
  • 9. MOTOROLA WIRELESS NETWORK SOLUTIONS

Motorola delivers seamless connectivity that puts real-time information in the hands of users, giving customers the agility they need to grow their business or better protect and serve the public. Working seamlessly together with its world-class devices, Motorola's unrivaled wireless network solutions include indoor WLAN, outdoor wireless mesh, point-to-multipoint networks and voice over WLAN solutions. Combined with powerful software for wireless network design, security, management and troubleshooting, Motorola's solutions deliver trusted networking and anywhere access to organizations across the globe. To learn more about our solutions, visit our Web page at www.motorola.com/wms. For news and comments on the industry, join the conversation at wirelessnetworkpulse.com
  • 10. Motorola Solutions, Inc., East Algonquin Road, Schaumburg, Illinois 60196, U.S.A. 800-367-2346 motorolasolutions.com

MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. © 2011 Motorola Solutions, Inc. All rights reserved. RO-00-00000
