An improved authentication model for IEEE 802.11 to prevent Probe Request DoS Attacks.
Deepthi Ratnayake
LMU PG Student Conference
12th Nov 2010
Topics
Introduction
Aim
Design Flaws
Experiment Test Bed
Results
Existing Countermeasures
Future Research
Introduction
What is IEEE 802.11?
What is Probe Request & Response ?
Figure: Authentication Phase of IEEE 802.11 (Security Policy Agreement)
Supplicant (STA), initial state: Unauthenticated, Unassociated, 802.1X Blocked
Authenticator (AP), initial state: Unauthenticated, Unassociated, 802.1X Blocked
1 - Beacon
1 - Probe Request
2 - Probe Response
3 - Authentication Request
4 - Authentication Response
5 - Association Request
6 - Association Response
Supplicant (STA), final state: Authenticated, Associated, 802.1X Blocked, Security Parameters
Authenticator (AP), final state: Authenticated, Associated, 802.1X Blocked, Security Parameters
Introduction
What is a PRF (Probe Request Flooding) Attack?
Designed to manipulate 802.11 design flaws.
Sends a flood of PR frames using MAC spoofing to represent a large number of nodes scanning the wireless network.
So what happens?
Serious performance degradation, or legitimate users are prevented from accessing network resources (DoS). DoS attacks are the most common
Aim
To find an effective method to:
recognise rogue Probe Request frames, and
prevent an AP from triggering a Probe Response.
Length (bytes): 2 | 2 | 6 | 6 | 6 | 2 | 6 | Variable | Variable | 4
Field: Frame Control | Duration ID | DA | SA | BSSID | Sequence Control | SSID | Supported Rates | Extended Supported Rates | FCS
Sections: MAC HEADER | FRAME BODY | CRC

FRAME CONTROL
Length (bits): 2 | 2 | 4 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1
Field: Protocol Version | Type | Sub Type | To DS | From DS | More Frag | Retry | Power Management | More Data | WEP | Reserved
Design Flaws
Each request message sent by a STA must be answered with a response message sent by the AP.
Probe Request/Response frames are unprotected.
Test Bed
BSS
Test1-PC (User), Windows XP
Intel(R) PRO/Wireless LAN 2100 3B MiniPCI Adapter
MAC: Intel_5b:dd:b3
Test3-PC (Attacker), BackTrack4 (Linux)
MAC: Intel_a5:23:37
Test-AP (Access Point)
MAC: Netgear_42:cf:c0
Test2-PC (User), Windows Vista
Intel® PRO/Wireless 2200BG Wireless Connection
MAC: Intel_39:c9:33
Sniffing & Injecting work!
Existing Countermeasures
Cryptography: Encryption
long-term secret key
Client Puzzle
MAC Frame Fields: Analysis of Sequence Number field.
Change Re-try limit
Response Delay
NIC Profiling & Signal Fingerprinting
AI Models
The future research
Keep a “Safe List” of known attributes and give priority to “Safe List”.
Pattern Recognition of “Transactions” and filter peculiar Probe Requests.
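The safe-list idea above, sketched as an added example that is not part of the original presentation: it decodes the MAC header using the field sizes from the frame-format slide and stops answering Probe Requests from unknown stations once too many distinct source addresses appear in a short window. The names ProbeFloodGate, should_respond and build_probe, the window and threshold values, the MAC-only safe list and all addresses are assumptions made for illustration.

```python
import struct
from collections import deque

HDR = "<HH6s6s6sH"  # Frame Control, Duration/ID, DA, SA, BSSID, Sequence Control

def parse_header(frame: bytes) -> dict:
    """Decode the 24-byte MAC header using the field sizes from the slide."""
    fc, _dur, _da, sa, _bssid, seq_ctl = struct.unpack(HDR, frame[:24])
    return {
        "type": (fc >> 2) & 0x3,      # 2 bits after Protocol Version
        "subtype": (fc >> 4) & 0xF,   # 4 bits; 4 = Probe Request
        "retry": bool(fc & 0x0800),
        "sa": sa.hex(":"),
        "seq": seq_ctl >> 4,          # upper 12 bits are the sequence number
    }

class ProbeFloodGate:
    """Decide whether a Probe Request should trigger a Probe Response."""
    def __init__(self, safe_list, window=1.0, max_unknown=20):
        self.safe = set(safe_list)    # assumption: safe list keyed by MAC only
        self.window = window          # seconds of history to keep
        self.max_unknown = max_unknown
        self.recent = deque()         # (timestamp, sa) for non-safe-list probes

    def should_respond(self, ts: float, frame: bytes) -> bool:
        h = parse_header(frame)
        if (h["type"], h["subtype"]) != (0, 4):
            return True               # not a Probe Request, not handled here
        if h["sa"] in self.safe:
            return True               # safe-list stations get priority
        self.recent.append((ts, h["sa"]))
        while ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        distinct = {sa for _, sa in self.recent}
        # Many never-seen source addresses in one window is the flood pattern.
        return len(distinct) <= self.max_unknown

def build_probe(sa: str, seq: int) -> bytes:
    """Constructed sample: broadcast Probe Request with a wildcard SSID element."""
    mac, bcast = bytes.fromhex(sa.replace(":", "")), b"\xff" * 6
    return struct.pack(HDR, 0x0040, 0, bcast, mac, bcast, seq << 4) + b"\x00\x00"

def demo():
    gate = ProbeFloodGate({"00:11:22:33:44:55"})          # constructed address
    flood = [gate.should_respond(i * 0.01, build_probe(f"02:00:00:00:00:{i:02x}", i))
             for i in range(50)]                            # 50 sources in 0.5 s
    known = gate.should_respond(0.5, build_probe("00:11:22:33:44:55", 7))
    return flood, known

if __name__ == "__main__":
    flood, known = demo()
    print(flood.count(True), "unknown probes answered;", "safe-list answered:", known)
```

Because the flood relies on MAC spoofing, a safe list keyed on the source address alone is a simplification; the "known attributes" named on the slide would need to cover more than the address.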
Summary
What is IEEE 802.11?
What is Probe Request & Response ?
What is a Probe Request Flooding Attack ?
So what happens?
Aim
Design Flaws
Experiment
Existing Countermeasures
Future Research