Page 1: Xiuzhen Cheng cheng@gwu

Xiuzhen Cheng [email protected]

Csci 388 Wireless and Mobile Security – MAC Layer Misbehavior, DoS

Page 2: Xiuzhen Cheng cheng@gwu

Outline

802.11 MAC Management

802.11 DoS Attacks: Discussion and More

Break (5 minutes)

802.11 MAC Layer Misbehavior Detection and Handling

Discussion on DOMINO

Page 3: Xiuzhen Cheng cheng@gwu

IEEE 802.11 MAC Packet Structure

Packet Type: Management (00), Control (01), and Data (10)

Subtype: in Control frames – RTS, CTS, ACK, etc.

MAC frames can be transmitted between mobile stations, between mobile stations and an AP, and between APs over a DS

Frame format (field lengths in bytes):

Frame Control (2) | Duration ID (2) | Address 1 (6) | Address 2 (6) | Address 3 (6) | Sequence Control (2) | Address 4 (6) | Data (0-2312) | CRC (4)

Frame Control subfields:

Protocol Version | Type | Subtype | To DS | From DS | More Frag | Retry | Power Mgmt | More Data | WEP | Order

Address Interpretation:

To DS | From DS | Addr 1 | Addr 2 | Addr 3 | Addr 4
  0   |    0    |   DA   |   SA   | BSSID  |   –
  0   |    1    |   DA   | BSSID  |   SA   |   –
  1   |    0    | BSSID  |   SA   |   DA   |   –
  1   |    1    |   RA   |   TA   |   DA   |   SA
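As an added example (not code from the lecture), the following Python parses the Frame Control bits and maps Address 1-4 to DA/SA/BSSID/RA/TA according to the table above; the sample frame bytes are constructed.

```python
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
# Control subtypes the slide names (values from the 802.11 standard)
CONTROL_SUBTYPES = {0xB: "RTS", 0xC: "CTS", 0xD: "ACK"}


def parse_frame_control(fc: int) -> dict:
    """Split the 16-bit Frame Control field (little-endian on the wire).

    Bit order from bit 0: Protocol Version(2) Type(2) Subtype(4) To DS,
    From DS, More Frag, Retry, Power Mgmt, More Data, WEP, Order (1 each).
    """
    info = {
        "version": fc & 0x3,
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "more_frag": (fc >> 10) & 1,
        "retry": (fc >> 11) & 1,
        "power_mgmt": (fc >> 12) & 1,
        "more_data": (fc >> 13) & 1,
        "wep": (fc >> 14) & 1,
        "order": (fc >> 15) & 1,
    }
    info["type_name"] = FRAME_TYPES.get(info["type"], "Reserved")
    info["subtype_name"] = CONTROL_SUBTYPES.get(info["subtype"]) if info["type"] == 1 else None
    return info


def address_roles(to_ds: int, from_ds: int) -> tuple:
    """Meaning of Address 1..4 for the four To DS / From DS combinations."""
    table = {
        (0, 0): ("DA", "SA", "BSSID", None),
        (0, 1): ("DA", "BSSID", "SA", None),
        (1, 0): ("BSSID", "SA", "DA", None),
        (1, 1): ("RA", "TA", "DA", "SA"),
    }
    return table[(to_ds, from_ds)]


def parse_header(frame: bytes) -> dict:
    """Parse the general (data-frame) header layout from the slide.

    Control frames such as RTS/CTS/ACK carry fewer fields and are not
    handled here; the CRC at the end of the frame is not checked.
    """
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = parse_frame_control(fc)
    info["duration"] = duration
    roles = address_roles(info["to_ds"], info["from_ds"])
    for i, role in enumerate(roles[:3]):            # Address 1..3 at offsets 4, 10, 16
        info[role] = frame[4 + 6 * i: 10 + 6 * i].hex(":")
    info["seq_ctrl"] = struct.unpack_from("<H", frame, 22)[0]
    if roles[3] is not None:                         # Address 4 only when To DS = From DS = 1
        info[roles[3]] = frame[24:30].hex(":")
    return info


# Constructed sample: a Data frame (type 10, subtype 0000) sent by a station
# towards the AP (To DS = 1, From DS = 0), Duration 44 and sequence number 1.
SAMPLE_FRAME = (
    struct.pack("<HH", 0x0108, 44)
    + bytes.fromhex("001122334455" "66778899aabb" "ccddeeff0011")
    + struct.pack("<H", 1 << 4)                      # fragment 0, sequence number 1
)
```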

Page 4: Xiuzhen Cheng cheng@gwu

MAC Synchronization

In an infrastructure network:

The AP is responsible for generating beacons, which contain a valid time stamp

If the channel is in use, defer beacon transmission until it is free

Page 5: Xiuzhen Cheng cheng@gwu

MAC Synchronization – (cont.)

Ad hoc network:

Every station is responsible for generating its beacon

All stations compete for transmission of the beacon using the standard backoff algorithm

All others adjust their time according to the winning station

Page 6: Xiuzhen Cheng cheng@gwu

Power Management

Power states for a STA:

awake – fully powered

doze – low power, cannot transmit/receive

PM in infrastructure networks:

When entering doze mode, STAs inform the AP

The AP buffers frames for STAs in doze mode

The AP sends beacons periodically; a beacon contains a time stamp + Traffic Indication Map (TIM)

A STA wakes up to get the beacon (and checks the TIM); if traffic is pending, it stays awake until the transmission is complete

Page 7: Xiuzhen Cheng cheng@gwu

Power Management – (cont.)

PM in ad hoc networks:

ATIM window: traffic for stations in doze mode is announced during the ATIM window

All stations are awake during the ATIM window

Both ATIMs and DATA are acknowledged and use the standard backoff algorithm

Page 8: Xiuzhen Cheng cheng@gwu

What is a DoS Attack ?

Denying genuine users a particular service

In our context, preventing transmission of data to/from stations

Page 9: Xiuzhen Cheng cheng@gwu

Vulnerabilities in 802.11

Page 10: Xiuzhen Cheng cheng@gwu

Vulnerabilities in 802.11

Two kinds of vulnerabilities:

Identity vulnerabilities

MAC vulnerabilities

Page 11: Xiuzhen Cheng cheng@gwu

Identity Vulnerabilities

Arise because of the implicit trust placed in the source address

No verification of the source's identity

Causes two kinds of attacks:

Deauthentication and disassociation attacks

Power saving mode attack

Page 12: Xiuzhen Cheng cheng@gwu

Deauthentication and Disassociation Attack

Authentication mechanism:

Client sends an authentication request to the AP

AP sends back a response

Client then sends an association request

AP responds accordingly

Problem: the explicit deauthentication message is sent in the clear, without being authenticated by keying material. This message can be spoofed.

Page 13: Xiuzhen Cheng cheng@gwu

Deauthentication and Disassociation Attack

The spoofed deauthentication message causes the communication between client and AP to be suspended. Hence, the attacker has achieved DoS.

The client must reauthenticate to resume communication

The attacker should be careful to spoof the deauthentication message only when a successful authentication has taken place

A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear

From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack

Page 14: Xiuzhen Cheng cheng@gwu

Power Saving Mode Attack (1)

Power conservation mechanism:

Client enters sleep mode intermittently

AP buffers data during that time

Either the client awakens and sends a poll message to the AP for pending data, or the AP broadcasts a periodic Traffic Indication Map (TIM) message conveying the availability of pending data

AP delivers the data and clears its buffer

Problem: an attacker can spoof either the poll message or the TIM message, as these are sent unauthenticated

For the same reason, attackers can spoof the TSF packet to cause nodes to fall out of synchronization

Page 15: Xiuzhen Cheng cheng@gwu

Power Saving Mode Attack (2)

Big problem: other management messages can also be spoofed, thereby making these attacks more effective

Solution: simply encrypt these messages like the data messages, using WEP. Does it work?

Page 16: Xiuzhen Cheng cheng@gwu

MAC Vulnerabilities

Arise because of the collision avoidance mechanism of the 802.11 MAC layer

Carrier sense is done in two layers (physical and virtual)

Cause two kinds of attacks:

Time window attack

Virtual carrier sense attack

Page 17: Xiuzhen Cheng cheng@gwu

Time Window Attack

802.11 MAC defines time windows to prioritize access to the channel

Two time windows: Short interframe space (SIFS) for an existing frame exchange and Distributed interframe space (DIFS) for a new frame exchange, with SIFS < DIFS

Every STA has to wait at least SIFS before transmitting

Therefore, the attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval

However, there is a problem with the attack: it is resource intensive. Since SIFS is 28 µs (802.11b), the attacker will have to send a signal approx. 37,000 times per second

Page 18: Xiuzhen Cheng cheng@gwu

Virtual Carrier Sense Attack

Carrier sensing mechanism:

To prevent collisions, a station sends a short Request-to-Send (RTS) message

RTS contains a Duration field specifying the time for which the sender requires the channel

The receiver responds with Clear-to-Send (CTS) if it is ready to receive data

CTS contains the updated Duration field

Other stations within range set their Network Allocation Vector (NAV) such that they do not transmit for the time specified in the Duration field

The Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack

Page 19: Xiuzhen Cheng cheng@gwu

Virtual Carrier Sense Attack

Problems:

The attacker can set the Duration field to high values (maximum 32767), preventing channel access to others

Assuming the attacker sets the maximum value, he has to transmit only 30 times per second; therefore, easy for the attacker

Attacking with RTS is more efficient, since it will always be replied to by a well-behaved receiver!

Page 20: Xiuzhen Cheng cheng@gwu

Practical Perspective

Page 21: Xiuzhen Cheng cheng@gwu

Practical Perspective

DoS attacks are theoretically possible, but what about actual practice?

Bad news! It is feasible to carry out these attacks with commodity hardware with little tweaking

Management frames necessary to exploit the identity attacks can be generated

Exploit the AUX port for carrier sense attacks

Page 22: Xiuzhen Cheng cheng@gwu

Deauthentication attack - Empirical Results

Page 23: Xiuzhen Cheng cheng@gwu

Deauthentication attack – Proposed Solutions

Solution 1: Authenticate management frames. But there are two problems with this solution:

Not feasible using a software upgrade: a standardized authentication framework is required, which can take time

Not feasible to upgrade all STAs across all networks

Solution 2: Defer deauthentication. Manipulate the firmware to delay deauthentication after receiving the message. If the AP receives a data message after this, then the deauth request was spoofed

Advantages of solution 2: Low overhead; modification limited to the APs, which is feasible

More potential attacks introduced?
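An AP-side sketch of Solution 2, added here as an example (not the lecture's or any firmware's code): a deauthentication is held for an assumed defer window and discarded as spoofed if the client keeps sending data; the event trace is constructed.

```python
from dataclasses import dataclass, field

DEFER_SECONDS = 10.0    # assumed defer window; the slide does not give a value


@dataclass
class DeferredDeauthAP:
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # client MAC -> time its deauth arrived
    log: list = field(default_factory=list)

    def on_frame(self, t: float, kind: str, src: str) -> None:
        """Feed one received frame; kind is 'assoc', 'deauth' or 'data'."""
        self.apply_expired(t)
        if kind == "assoc":
            self.associated.add(src)
            self.pending.pop(src, None)
        elif kind == "deauth":
            # Do not drop the association yet: hold the request for DEFER_SECONDS
            if src in self.associated and src not in self.pending:
                self.pending[src] = t
        elif kind == "data" and src in self.pending:
            # A client that really left would not keep sending data, so the
            # deauth was spoofed: discard it and keep the association.
            del self.pending[src]
            self.log.append((t, src, "spoofed deauth detected"))

    def apply_expired(self, now: float) -> None:
        """Apply deauths whose defer window passed with no data from the client."""
        for src, t0 in list(self.pending.items()):
            if now - t0 >= DEFER_SECONDS:
                del self.pending[src]
                self.associated.discard(src)
                self.log.append((t0 + DEFER_SECONDS, src, "deauth applied"))


def run_trace(events, end_time: float) -> DeferredDeauthAP:
    """Replay (time, kind, src) events and settle pending deauths at end_time."""
    ap = DeferredDeauthAP()
    for t, kind, src in events:
        ap.on_frame(t, kind, src)
    ap.apply_expired(end_time)
    return ap


# Constructed trace: a forged deauth for client A, which keeps sending data,
# and a genuine deauth from client B, which then goes silent.
TRACE = [
    (0.0, "assoc", "aa:aa:aa:aa:aa:01"),
    (0.0, "assoc", "aa:aa:aa:aa:aa:02"),
    (5.0, "deauth", "aa:aa:aa:aa:aa:01"),
    (5.2, "data", "aa:aa:aa:aa:aa:01"),
    (8.0, "deauth", "aa:aa:aa:aa:aa:02"),
    (30.0, "data", "aa:aa:aa:aa:aa:01"),
]
```

The cost is that a genuine deauthentication now takes effect only after the defer window, which is the trade-off the slide's last question points at.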

Page 24: Xiuzhen Cheng cheng@gwu

Solution 2 – Empirical Results

Page 25: Xiuzhen Cheng cheng@gwu

Virtual carrier sense attack – Empirical Results

Page 26: Xiuzhen Cheng cheng@gwu

Virtual carrier sense attack – Proposed Solution

Put a cap on the maximum duration value accepted on received frames

If a station receives a frame with a duration larger than the cap value, truncate the duration to the cap value

Page 27: Xiuzhen Cheng cheng@gwu

Solution to Virtual CS attack – Empirical Results

Page 28: Xiuzhen Cheng cheng@gwu

Virtual carrier sense attack – Proposed Solution

Put a cap on the maximum duration value accepted on received frames

If a station receives a frame with a duration larger than the cap value, truncate the duration to the cap value

Can be further improved by selectively adhering to the specified duration value in:

Data and ACK frames – These frames will have a high duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the duration specified in these frames can be ignored

RTS frame – A station that receives an RTS frame will also receive the data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames. So the duration value of the RTS is respected until the following data frame is received (or not received)

CTS frame – Either the observed CTS is unsolicited or the observing node is a hidden terminal. If this CTS is addressed to a valid in-range station, the valid station can nullify it by sending a zero-duration null function frame. If this CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames containing a cryptographically signed copy of the preceding RTS. But there are overhead and feasibility issues with this
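Added example (not code from the lecture or the paper) implementing the receiver-side NAV policy of this and the previous slide: capping the Duration value, ignoring it in non-fragmented DATA/ACK, and honouring an RTS only until the DATA it announces is due; the cap, the timing constants and the frames are assumed values.

```python
from dataclasses import dataclass, field

NAV_CAP_US = 3000      # assumed cap on accepted Duration values (field maximum is 32767)
SIFS_US = 10           # assumed 802.11b SIFS; timing constants are illustrative
CTS_AIRTIME_US = 120   # assumed airtime of a CTS at the basic rate
SLACK_US = 20          # tolerance before an RTS reservation is considered abandoned


@dataclass
class NavState:
    """Virtual carrier sense of one observing station; times in microseconds."""
    nav_end: float = 0.0           # medium considered busy until this time
    rts_deadline: float = None     # time by which the DATA announced by an RTS must have started
    events: list = field(default_factory=list)

    def busy(self, now: float) -> bool:
        self._release_stale_rts(now)
        return now < self.nav_end

    def observe(self, now: float, frame: dict) -> None:
        """Update the NAV from a frame heard at time `now` (its end-of-frame time).

        frame: {'type': 'RTS'|'CTS'|'DATA'|'ACK', 'duration': int, 'more_frag': bool}
        """
        self._release_stale_rts(now)
        duration = min(frame["duration"], NAV_CAP_US)            # 1. cap oversized values
        if duration < frame["duration"]:
            self.events.append((now, "duration truncated to cap"))
        kind = frame["type"]
        if kind in ("DATA", "ACK"):
            self.rts_deadline = None                              # the announced exchange happened
            if not frame.get("more_frag", False):
                return                                            # 2. ignore NAV unless fragmented
        elif kind == "RTS":
            # 3. honour the RTS only until the DATA it announces should have started
            self.rts_deadline = now + 2 * SIFS_US + CTS_AIRTIME_US + SLACK_US
        # CTS: the capped duration is honoured; the slide's null-function and
        # authenticated-CTS defenses for lone CTS frames are not modelled here
        self.nav_end = max(self.nav_end, now + duration)

    def _release_stale_rts(self, now: float) -> None:
        if self.rts_deadline is not None and now > self.rts_deadline:
            self.nav_end = min(self.nav_end, self.rts_deadline)   # no DATA followed: free the medium
            self.events.append((self.rts_deadline, "RTS reservation released"))
            self.rts_deadline = None
```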

Page 29: Xiuzhen Cheng cheng@gwu

Conclusions

802.11 WLANs suffer from many vulnerabilities threatening the availability of service

Secure and extended authentication mechanisms can help

Changes to the MAC layer protocol are also required; they may track and punish malicious nodes

Page 30: Xiuzhen Cheng cheng@gwu

Take a Break

We will study the detection and handling of MAC layer misbehavior by P. Kyasanur and N.H. Vaidya:

P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.

We will discuss the detection of greedy behavior in 802.11 hotspots after the break:

1. M. Raya, J. P. Hubaux, and I. Aad, DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004

Page 31: Xiuzhen Cheng cheng@gwu

Paper 1

P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.

Page 32: Xiuzhen Cheng cheng@gwu

Problem Definition

Figure: a wireless channel with an Access Point and nodes A, B (infrastructure-based network), and nodes C, D (ad hoc network)

Nodes may violate Medium Access Control rules

Page 33: Xiuzhen Cheng cheng@gwu

IEEE 802.11 overview

Distributed Coordination Function (DCF) – mandatory, widely used for channel access

DCF is a Carrier Sense Multiple Access/ Collision Avoidance (CSMA/CA) protocol

Page 34: Xiuzhen Cheng cheng@gwu

CSMA/CA

Carrier sense: don't transmit when the channel is busy

Collision avoidance: defer transmission for a random time after the channel goes idle

Page 35: Xiuzhen Cheng cheng@gwu

Backoff Example

Choose backoff value B in the range [0, CW]; CW is the Contention Window

Count down the backoff by 1 every idle slot

Figure: timeline for two stations S1 and S2 with CW=31, labelled with backoff values B1=20, B2=10, B1=0, B1=15, B2=25 and the "wait" and "transmit" phases of each station

Page 36: Xiuzhen Cheng cheng@gwu

Data Transmission

Reserve channel with RTS/CTS exchange

Sender S

Receiver R

B=10DATA

ACK

S BA R

RTS

RTS

CTS

CTS

Page 37: Xiuzhen Cheng cheng@gwu

Possible Misbehavior

Backoff selected from different distributionSelect a small constant backoff always

Transmit

wait

B1 = 1

B2 = 20

Transmit

wait

B2 = 19

B1 = 1Misbehaving node

Well-behaved node

Page 38: Xiuzhen Cheng cheng@gwu

Goals of proposed scheme

Diagnose node misbehavior: catch misbehaving nodes

Discourage misbehavior with a MAC layer scheme: punish misbehaving nodes

Page 39: Xiuzhen Cheng cheng@gwu

Related work at other layers

Many proposals for securing network layer

Designing protocols resilient to misbehavior[Savage99, Nisan99, Buttyan01]

Explicitly detect and penalize misbehavior[Marti00, Zhang00, Buchegger02, Hu02]

Page 40: Xiuzhen Cheng cheng@gwu

Related work at MAC Layer

Game-theoretic solutions proposed for selfish misbehavior at MAC layer

[Konorski01, MacKenzie01, Konorski02]

Game-theoretic approach:

+ Protocols resilient to misbehavior

– Assumptions not always valid

– Performance may not be good

Page 41: Xiuzhen Cheng cheng@gwu

Solution Approaches

Payment based schemes are not sufficient:

A misbehaving node can gain more bandwidth → use payment schemes, charging per packet

A misbehaving node can achieve lower delay: send a burst of packets ignoring MAC rules; the average delay is less with the same cost

Page 42: Xiuzhen Cheng cheng@gwu

Proposed Approach

Receivers detect sender misbehavior

Assume receivers are well-behaved (can be relaxed)

The receiver does not know the exact backoff value chosen by the sender

The wireless channel introduces uncertainties

Figure: a wireless channel between node A and the Access Point

Page 43: Xiuzhen Cheng cheng@gwu

Use long-term statistics

Observe backoffs chosen by sender over multiple packets

Backoff values not from the expected distribution → misbehavior

Selecting right observation interval difficult

Page 44: Xiuzhen Cheng cheng@gwu

Alternate Approach

The receiver provides backoff values to the sender: send, in the current transmission, the backoff value for the next transmission

Receiver can then accurately observe sender behavior

Uncertainty of sender’s backoff eliminated

Page 45: Xiuzhen Cheng cheng@gwu

Modifications to 802.11

1. R provides backoff B to S in the ACK and/or in the DATA; B is selected from [0, CWmin]

2. S uses B for its backoff

Figure: S sends RTS, R replies CTS, S sends DATA, R replies ACK(B); S then backs off by B before its next RTS

Page 46: Xiuzhen Cheng cheng@gwu

Protocol steps

1. Detect deviations: Receiver observes one transmission from the sender

2. Penalize deviations: Penalty is added, if the sender appears to have deviated

3. Diagnose misbehavior: Based on last W observations, diagnose misbehavior

Page 47: Xiuzhen Cheng cheng@gwu

Detecting deviations

The receiver counts the number of idle slots, B_obs

Condition for detecting deviations:

B_obs < α · B, with 0 < α ≤ 1

Figure: R announces B in its ACK(B); S sends its next RTS after a backoff that R observes as B_obs

Page 48: Xiuzhen Cheng cheng@gwu

Penalizing Misbehavior

When B_obs < B, a penalty P is added

P is proportional to B – B_obs

Total backoff assigned = B + P

Figure: R's ACK(B) assigns backoff B; S's actual backoff before its next RTS is < B (observed as B_obs); R's next ACK carries B + P, followed by the CTS and DATA of the next exchange

Page 49: Xiuzhen Cheng cheng@gwu

Penalty Scheme issues

With the penalty, the sender has to misbehave more for the same throughput gain

A misbehaving sender has two options:

Ignore the assigned penalty → easier to detect

Follow the assigned penalty → no throughput gain

Page 50: Xiuzhen Cheng cheng@gwu

Diagnosing Misbehavior

Total deviation for the last W packets is used; deviation per packet is B – B_obs

If total deviation > THRESH then the sender is designated as misbehaving

Higher layers / the administrator can be informed of the misbehavior
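The detect / penalize / diagnose steps of Pages 47-50, as an added simulation (not the authors' code): α, the penalty factor, W, THRESH and the sender model parameterized by the Percentage of Misbehavior are assumed values.

```python
import random

CW_MIN = 31            # contention window from the slides' backoff example
ALPHA = 0.9            # deviation test B_obs < ALPHA * B, 0 < ALPHA <= 1 (assumed value)
PENALTY_FACTOR = 1.0   # P = PENALTY_FACTOR * (B - B_obs) (assumed)
W = 20                 # observation window in packets (assumed)
THRESH = 40            # total deviation over W packets that marks a sender (assumed)


class Receiver:
    """Assigns backoff B, counts idle slots B_obs, penalizes and diagnoses one sender."""

    def __init__(self, rng):
        self.rng = rng
        self.assigned = rng.randint(0, CW_MIN)   # B announced in the last ACK
        self.penalty = 0                          # P announced with it
        self.deviations = []                      # B - B_obs for the last W packets

    def expected_backoff(self):
        """Total backoff the sender must use before its next packet: B + P."""
        return self.assigned + self.penalty

    def observe(self, b_obs):
        """Process one received packet given the idle slots counted before it."""
        b = self.expected_backoff()
        deviation = max(0, b - b_obs)
        # 1. Detect: the sender deviated if it waited less than ALPHA * B
        # 2. Penalize: carry P, proportional to the deviation, in the next ACK
        self.penalty = int(PENALTY_FACTOR * deviation) if b_obs < ALPHA * b else 0
        # 3. Diagnose: keep the per-packet deviation for the last W packets
        self.deviations.append(deviation)
        del self.deviations[:-W]
        self.assigned = self.rng.randint(0, CW_MIN)   # fresh B for the next ACK
        return deviation

    def misbehaving(self):
        """True once the total deviation over the window exceeds THRESH."""
        return sum(self.deviations) > THRESH


def make_receiver(seed=0):
    return Receiver(random.Random(seed))


def simulate(pm, packets=200, seed=1, noise=1):
    """Run one sender against a Receiver; return (diagnosed, total deviation).

    pm is the slides' Percentage of Misbehavior: the sender waits only
    (1 - pm/100) of the assigned backoff (pm = 0 is well-behaved); this
    sender model is assumed. noise models the receiver occasionally counting
    one slot less than the sender really waited (channel uncertainty).
    """
    rng = random.Random(seed)
    rx = Receiver(rng)
    for _ in range(packets):
        waited = round(rx.expected_backoff() * (1 - pm / 100))
        observed = max(0, waited - rng.randint(0, noise))
        rx.observe(observed)
    return rx.misbehaving(), sum(rx.deviations)
```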

Page 51: Xiuzhen Cheng cheng@gwu

Simulation Results

Using the ns-2 simulator

Misbehavior modeled by a parameter – "Percentage of Misbehavior (PM)"

PM = 0%: well-behaved; larger PM: greater misbehavior

Results for one receiver, multiple senders with a single misbehaving sender

Page 52: Xiuzhen Cheng cheng@gwu

Simulation Setup

Figure: simulation topology with one receiver, several senders and a single misbehaving node

Page 53: Xiuzhen Cheng cheng@gwu

Results – Diagnosis Accuracy

Figure: percentage of correct diagnosis and of misdiagnosis (0–100%) vs. percentage of misbehavior of the misbehaving node (0–100%)

Page 54: Xiuzhen Cheng cheng@gwu

Misbehaving node throughput

Figure: throughput (Kbps per node) of the misbehaving node vs. percentage of misbehavior, under 802.11 and under the proposed scheme, with the average throughput with penalty and with 802.11 shown for comparison

Page 55: Xiuzhen Cheng cheng@gwu

Throughput – no misbehavior

Figure: throughput (Kbps per node) vs. number of sender nodes (1, 2, 4, 8, 16, 32, 64) with no misbehavior, for the proposed scheme and 802.11

Page 56: Xiuzhen Cheng cheng@gwu

Simulation Observations

Diagnosis accuracy is high

Diagnosis accuracy depends on channel conditions

Persistent misbehavior is detected with high accuracy

Adding a penalty negates the throughput advantage

Can discourage misbehavior

Page 57: Xiuzhen Cheng cheng@gwu

Additional details in paper

Mechanisms to address protocol response after packet collisions

Extensions for catching certain receiver misbehavior

Preliminary ideas for addressing collusion

Page 58: Xiuzhen Cheng cheng@gwu

Conclusion

MAC layer misbehavior can severely affect throughput of well-behaved nodes

We present simple modifications to IEEE 802.11 to detect/penalize misbehavior

Open issues:

Collusion detection

Integrate the diagnosis scheme with higher layers

Page 59: Xiuzhen Cheng cheng@gwu

Paper 2

M. Raya, J. P. Hubaux, and I. Aad, DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004

Page 60: Xiuzhen Cheng cheng@gwu

Question

Figure: two well-behaved nodes and a trusted access point

The access point is trusted

The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth

How do we prevent greedy behavior at the MAC layer in WiFi hotspots ?

Page 61: Xiuzhen Cheng cheng@gwu

Question

Figure: a well-behaved node and a cheater sharing a trusted access point

The access point is trusted

Preventing greedy behavior at the MAC layer in WiFi hotspots

Page 62: Xiuzhen Cheng cheng@gwu

IEEE 802.11 MAC – Brief reminder

• IEEE 802.11 is the MAC protocol used in WiFi

• By default, it is the one used in wireless multi-hop networks

Page 63: Xiuzhen Cheng cheng@gwu

Greedy Behavior 1/4: Oversized NAV

Page 64: Xiuzhen Cheng cheng@gwu

Greedy Behavior 2/4: Transmit before DIFS

Page 65: Xiuzhen Cheng cheng@gwu

Greedy Behavior 3/4: Scramble others’ frames

Page 66: Xiuzhen Cheng cheng@gwu

Greedy Behavior 4/4: Pick a shorter backoff

Implementation of this cheating technique: 3 lines of code!

Page 67: Xiuzhen Cheng cheng@gwu

Misbehavior Metrics

Throughput: depends on the application; affected by many factors; affected by the performance of higher layers

Backoff: not perfect but relatively easier to compute; the backoff time and the waiting time of a low-rate source can't be distinguished; hard to compute the sender's backoff; hidden terminal problem

Page 68: Xiuzhen Cheng cheng@gwu

Proposed solution: DOMINO

DOMINO: System for Detection Of greedy behaviour in the MAC layer of WiFi public NetwOrks (Raya, Hubaux, Aad, MobiSys 2004)

Idea: monitor the traffic and detect deviations by comparing the average values of the observed users

Detection tests: statistical comparison of the observed protocol behaviour

Features:

Full standard compliance

Needs to be implemented only at the Access Point

Simple and efficient

The operator decides the amount of evidence required before taking action (e.g. in order to prevent false positives)

Other solution: Kyasanur + Vaidya, DSN 2003 (but not protocol compliant)

Page 69: Xiuzhen Cheng cheng@gwu

Detection Tests of DOMINO

Detection test                                            | Cheating method
----------------------------------------------------------|-------------------------
Consecutive backoff                                       | Backoff manipulation
Actual backoff                                            | Backoff manipulation
Maximum backoff: the maximum should be close to CWmin - 1 | Backoff manipulation
Comparison of the idle time after the last ACK with DIFS  | Transmission before DIFS
Comparison of the declared and actual NAV values          | Oversized NAV
Number of retransmissions                                 | Frame scrambling
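Added example (not the DOMINO implementation) running the table's actual-backoff, maximum-backoff, before-DIFS and oversized-NAV tests over a constructed monitor log and applying an operator-set evidence threshold; CWmin, DIFS and the tolerances are assumed, and the consecutive-backoff and retransmission tests are not modelled.

```python
from collections import defaultdict
from statistics import mean

CW_MIN = 32              # assumed CWmin; a compliant station's largest backoff approaches CW_MIN - 1
DIFS_US = 50             # assumed DIFS (802.11b) in microseconds
TOLERANCE = 0.2          # allowed relative deviation before a test fails (assumed)
EVIDENCE_THRESHOLD = 2   # operator's choice: failed tests needed before taking action


def per_station(observations):
    """Group monitor records by station. Each record is a dict with keys
    sta, backoff (idle slots before the frame), idle_after_ack (us),
    nav_declared (Duration field, us) and nav_actual (exchange length, us)."""
    groups = defaultdict(list)
    for rec in observations:
        groups[rec["sta"]].append(rec)
    return groups


def run_tests(observations):
    """Apply the table's tests; return {sta: [names of failed tests]}."""
    groups = per_station(observations)
    avg_backoff = {s: mean(r["backoff"] for r in recs) for s, recs in groups.items()}
    results = {}
    for sta, recs in groups.items():
        failed = []
        others = [v for s, v in avg_backoff.items() if s != sta]
        # Actual backoff: this user's average is well below the other users' average
        if others and avg_backoff[sta] < (1 - TOLERANCE) * mean(others):
            failed.append("actual backoff")
        # Maximum backoff: it never gets close to CWmin - 1
        if max(r["backoff"] for r in recs) < (1 - TOLERANCE) * (CW_MIN - 1):
            failed.append("maximum backoff")
        # Transmission before DIFS: idle time after the last ACK shorter than DIFS
        early = sum(1 for r in recs if r["idle_after_ack"] < DIFS_US)
        if early / len(recs) > TOLERANCE:
            failed.append("transmission before DIFS")
        # Oversized NAV: declared duration exceeds what the exchange actually used
        oversized = sum(1 for r in recs if r["nav_declared"] > (1 + TOLERANCE) * r["nav_actual"])
        if oversized / len(recs) > TOLERANCE:
            failed.append("oversized NAV")
        results[sta] = failed
    return results


def suspects(observations):
    """Stations with at least EVIDENCE_THRESHOLD failed tests, for the operator to act on."""
    return sorted(s for s, f in run_tests(observations).items() if len(f) >= EVIDENCE_THRESHOLD)


def record(sta, backoff, idle=DIFS_US, declared=None, actual=400):
    return {"sta": sta, "backoff": backoff, "idle_after_ack": idle,
            "nav_declared": actual if declared is None else declared, "nav_actual": actual}


# Constructed monitor log: stations A and B follow the protocol; station C
# uses a small contention window and starts transmitting before DIFS.
OBSERVATIONS = (
    [record("sta-A", b) for b in (3, 14, 27, 9, 30, 18)]
    + [record("sta-B", b) for b in (22, 6, 31, 11, 15, 25)]
    + [record("sta-C", b, idle=30) for b in (2, 4, 1, 5, 3, 2)]
)
```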

Page 70: Xiuzhen Cheng cheng@gwu

Simulation of cheating and detection

Cheating technique: backoff manipulation

Traffic:

Constant Bit Rate / UDP traffic

FTP / TCP traffic

Misbehavior coefficient (m): the cheater chooses its backoff as (1 - m) × CWmin

Simulation environment: ns-2

Figure: simulated topology with one cheater

Page 71: Xiuzhen Cheng cheng@gwu

Simulation results

• Each point corresponds to 100 simulations

• Confidence intervals: 95%

Page 72: Xiuzhen Cheng cheng@gwu

Implementation of the demo prototype

Equipment: adapters based on the Atheros AR5212 chipset, MADWIFI driver

Misbehavior: backoff – overwrite the values CWmin and CWmax (in the driver)

Monitoring: the driver in MONITOR mode, prism2 frame header

Figure: AP running DOMINO, with a cheater and a well-behaved station

Page 73: Xiuzhen Cheng cheng@gwu

Conclusion

There exist greedy techniques against hotspots

Some of these techniques are straightforward

The authors have proposed, implemented and patented a simple solution, DOMINO, to prevent them (http://domino.epfl.ch)

The same problem in self-organized wireless systems is still unsolved. Can it be solved?

Game-theoretic study: M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux, "On Cheating in CSMA/CA Networks", Technical Report No. IC/2004/27, July 2004

Many problems still need to be solved in this field

Page 74: Xiuzhen Cheng cheng@gwu

Questions

The measurements of actual backoff and consecutive backoff by the AP are not clearly addressed in the paper (to me ^_^). Who can give a better explanation?

Why does consecutive backoff not work with UDP traffic?

Further exploration is encouraged in this topic.

Page 75: Xiuzhen Cheng cheng@gwu

Homeworks