
Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks


Academic year: 2021


Degree Program of E-Learning, College of Science

Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

Using Random Bit Authentication to Defend IEEE 802.11 DoS

Attacks

Student: Hsien-Te Chien

Advisor: Wen-Nung Tsai


Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

Using Random Bit Authentication to Defend IEEE 802.11 DoS

Attacks

Student: Hsien-Te Chien (簡先得)

Advisor: Wen-Nung Tsai (蔡文能)

National Chiao Tung University

Degree Program of E-Learning, College of Science

Master's Thesis

A Thesis

Submitted to Degree Program of E-Learning College of Science

National Chiao Tung University in partial Fulfillment of the Requirements

for the Degree of Master

in

Degree Program of E-Learning

May 2006

Hsinchu, Taiwan, Republic of China


Authorization Form

(Master's/Doctoral Thesis) The thesis covered by this authorization form is the thesis for which I obtained a master's degree from the Degree Program of E-Learning (College of Science), National Chiao Tung University, in the second semester of academic year 94. Thesis title: Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks.

1. □ Agree □ Disagree: I grant the full text of my thesis, for which I hold the copyright, to the Science and Technology Information Center of the National Science Council, Executive Yuan, to the National Central Library, and to the library of my graduating school, to be reproduced in microfilm, optical disc, digital or any other form and then distributed or uploaded to the network, without limit as to territory, time or number of copies. This thesis is an attachment to my patent application to the Intellectual Property Office, Ministry of Economic Affairs; please withhold publication of the full text for two years. (Please indicate the document number: )

2. □ Agree □ Disagree: I grant the full text of my thesis, for which I hold the copyright, to the libraries designated by the Ministry of Education for deposit and to the library of my graduating school, to be reproduced by any means for academic research purposes, or to be sub-licensed to others for reproduction by any means for the above purposes, without limit as to territory or time, but limited to one copy per person.

None of the above authorizations require a separate assignment or license agreement. The right of distribution granted hereunder is non-exclusive. All inclusion, reproduction, distribution and academic research use under this authorization are royalty-free. If neither the agree nor the disagree box above is checked, I consent to this being treated as authorization granted.

Advisor's name: Student's signature: Student ID: (handwritten in block letters) (must be filled in) Date: (ROC year) (month) (day)

1. Please complete this authorization form in black ink and bind a photocopy of it after the title page.
2. For those granting item 1, the submitted copies of the thesis will be collected by the Registrar's Office and forwarded to the Science and Technology Information Center of the National Science Council.
3. This authorization form was sent to the Copyright Committee of the Ministry of the Interior (now the Intellectual Property Office, Ministry of Economic Affairs) for revision and was finalized on April 10, 1996 (ROC year 85).
4. This is handled in accordance with National Central Library (Ministry of Education) letter Tai (85) Tu-Pien-Tzu No. 712 dated April 19, 1996 (85.4.19).


National Chiao Tung University

Thesis Oral Examination Committee Certificate of Approval

Mr. Hsien-Te Chien of the Master's Program, Degree Program of E-Learning, College of Science, of this University

has submitted the thesis entitled Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

which meets the standard for the master's degree and has been reviewed and approved by this committee.

Oral examination committee: 周勝鄰, 莊祚敏, 蔡文能 (Wen-Nung Tsai). Advisor: 蔡文能 (Wen-Nung Tsai). Program Director: 莊祚敏.

May 30, 2006 (Republic of China year 95)


Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

Student: Hsien-Te Chien

Advisor: Wen-Nung Tsai

In-service Master's Program, Degree Program of E-Learning, National Chiao Tung University

Abstract

The convenient deployment and low price of IEEE 802.11(a,b,g) wireless networks have led to their widespread installation in homes, schools, private enterprises, government agencies and public places. However, the nature of radio waves gives wireless networks many more security considerations than traditional wired networks. WEP, the security mechanism of 802.11(a,b,g) wireless networks, was long ago shown to have many weaknesses and to be easily cracked; WPA and 802.11i are enhanced versions of 802.11(a,b,g) wireless network security. 802.11i improves the integrity and confidentiality of data transmission over 802.11(a,b,g) wireless networks, but availability was not rigorously considered or designed for, which leaves 802.11-family wireless networks vulnerable to Denial of Service attacks.

This research uses the MAC-layer frame header structure of 802.11, under the assumption of a shared key, to insert 3 to 4 randomly chosen bits into (de)authentication and (dis)association frames as a mutual authentication mechanism between the wireless access point (AP) and the station (STA). Combined with the consecutive nature of the values in the Sequence Counter field of the MAC-layer frame header, this yields a mechanism that effectively filters out forged Denial of Service attack frames.

After implementation and simulation experiments, the wireless network DoS defense mechanism designed in this research shows that our random bit authentication mechanism can effectively defend against 802.11 wireless network Denial of Service attacks.


Using Random Bit Authentication to Defend IEEE 802.11 DoS Attacks

Student: Hsien-Te Chien

Advisor: Wen-Nung Tsai

Degree Program of E-Learning College of Science

National Chiao-Tung University

ABSTRACT

IEEE 802.11 networks are prevailing, but security is an important concern. WEP is the security mechanism in the 802.11 specification. It has been proved that WEP is vulnerable and easy to crack. 802.11i is the enhanced version of security for 802.11 networks. 802.11i focuses on the integrity and confidentiality of transmitted data; the availability of the 802.11 network is not properly considered. The management frames of 802.11 are not protected by any key-based authentication. This leaves 802.11 networks vulnerable to Denial of Service attacks.

We designed a so-called random bit authentication mechanism to defend against Denial of Service attacks on 802.11 networks. We replace some unused bits in the MAC header of 802.11 management frames with authentication bits. The AP and STA can authenticate each other according to these authentication bits. We also exploited the characteristics of the Sequence Number field in the MAC header of 802.11 frames to design an effective mechanism for filtering out attack frames.

Our implementation and experiments show that our two-phase filtering mechanism is effective and lightweight in defending against IEEE 802.11 Denial of Service attacks.


Acknowledgements

The completion of this thesis is owed first of all to my advisor, Professor 蔡文能 (Wen-Nung Tsai). Often, when I was at my wits' end in research or experiments, he could point the way on the key question, like adding the finishing touch to a painting. During my studies I came to appreciate his rigorous scholarly spirit and attitude. When the experiments were finished and the thesis was being written, his constant encouragement kept me writing without slackening, so that this thesis could be completed step by step and go to print. From a student's observation, he practically made the school his home, devoting himself to teaching and research. In our group thesis seminars we often discussed with him until late at night; his professionalism and dedication are admirable.

Dr. 周勝鄰, Deputy Director of the Computer and Communications Research Laboratories of ITRI, and Dr. 莊祚敏, Director of the Degree Program of E-Learning, offered guidance during the oral examination that gave me many important ideas; I thank them here as well.

I also thank my lab-mates 明傑, 威德 and 文彬 and my junior 典龍: although each of us has a family and career, we could still gather together to learn from and support one another, a rare experience.

Of course, the one I must thank most is 靜怡, who freed me from any worry about the family and the care of our two babies. I travelled between Taichung and Hsinchu at least once every week or two, for four years; without my wife's encouragement and support this degree could not have been completed.

I also owe an apology to our two little babies: to finish writing the thesis I often could not accompany them on outings during holidays. This small regret can only be made up slowly in the future.


Contents

National Chiao Tung University ... i

Thesis Oral Examination Committee Certificate of Approval ... i

Abstract (Chinese) ... i

ABSTRACT ... ii

Acknowledgements ... iii

Contents ... iv

List of Tables ... vi

List of Figures... vii

Chapter 1 Introduction... 1

1.1 Research Motivation ... 1

1.2 Thesis Organization ... 3

Chapter 2 Background... 4

2.1 Overview of Wireless Local Area Network (WLAN)... 4

2.1.1 Characteristics of Wireless LAN...4

2.1.2 Evolution of 802.11 network...5

2.2 IEEE 802.11 security issues ... 8

2.2.1 WEP ...9

2.2.2 WPA ... 12

2.2.3 IEEE 802.11i ... 13

2.2.4 802.11w ...16

2.3 Denial of Service attacks... 16

2.3.1 Definition of Denial of Service attacks...16

2.3.2 Types of Denial of Service attacks... 17

Chapter 3 Related work... 20

3.1 DoS attacks against 802.11 network ... 20

3.1.1 802.11 Deauthentication and Disassociation flooding attacks...21

3.1.2 Traffic Jamming DoS attack ...23

3.2 DoS attacks against 802.11i network ... 25

3.2.1 Deauthentication and disassociation attacks against 802.11i network ... 26

3.2.2 EAPOL-Failure and EAPOL-Logoff message attacks ... 28

3.3 Lightweight authentication on 802.11... 29

3.3.1 One-bit lightweight authentication...29

3.3.2 Enhanced lightweight authentication ... 31

Chapter 4 Proposed protocol to defend 802.11 DoS attacks... 34


4.1.1 Management frame control field analysis ...35

4.1.2 Management frame body analysis...35

4.2 Applying Sequence Number field to detect DoS attack... 38

4.2.1 Sequence Number field characteristics and function ... 38

4.2.2 Filtering sequential Sequence Number to detect illegal frames... 39

4.3 Random bit authentication for management frame... 39

4.3.1 Some assumptions and random bit stream generation ... 39

4.3.2 Random bit authentication for management frames ...40

Chapter 5 Experimental results... 45

5.1 Implementation environment and issues... 45

5.1.1 Scenario of implementation ...45

5.1.2 Tools and utilities ... 46

5.1.3 Testing procedures ... 49

5.2 Results ... 50

5.2.1 Normal FTP session and bandwidth consuming consideration ... 51

5.2.2 Random bit authentication defending mechanism ...52

5.2.3 Sequence Number filtering mechanism ...59

5.2.4 Two-phase filtering mechanism ...64

5.2.5 Applying two-phase filter mechanism to the shared key authentication ... 67

5.3 Discussion and limitation ... 69

5.3.1 Discussion ...69

5.3.2 Limitation...70

Chapter 6 Conclusion and future work... 72

6.1 Conclusion ... 72

6.2 Future work ... 73


List of Tables

Table 1 Probe, authentication and association request flooding attacks against APs [14] ... 24

Table 2 Authentication frame body [2] ... 36

Table 3 Deauthentication and disassociation frame body [2] ... 36

Table 4 Deauthentication and disassociation reason code [2]...37

Table 5 Association request and response frame body [2] ...37

Table 6 Reassociation request and response frame body [2] ... 38

Table 7 Implemental equipment hardware model and software ...46

Table 8 Average duration of normal FTP sessions ...51

Table 9 Duration under consideration of bandwidth consumption of Deauth & Disassoc flooding attacks...52

Table 10 Duration under consideration of bandwidth consumption in association flooding attacks ...52

Table 11 Relation of random bit authentication number and Deauth & Disassoc flooding attacks... 53

Table 12 Relation of filtering out the SND of subsequent SN and the FTP duration under Deauth flooding attacks. ...59

Table 13 Filter out sequential SN to defend Deauth / Disassoc attack ...63

Table 14 Two-phase filter to defend Deauth / Disassoc attack ...65

Table 15 FTP duration under Deauth and Disassoc flooding attacks on shared key authentication mode ...68


List of Figures

Figure 1 Shared Key authentication scheme ...10

Figure 2 Relationship between state variables and services [2]... 11

Figure 3 RSNA Establishment Procedures [6]...15

Figure 4 Graphical depiction of the Deauth and Disassoc attacks [13] ... 21

Figure 5 RSNA Establishment Procedures [6]...26

Figure 6 802.11 / 802.1X state machine. Amended from [21][24] ...27

Figure 7 Adaptation of frame format to Kui's proposed protocol [20] ... 32

Figure 8 Overview of Kui’s proposed protocol [20]...32

Figure 9 General management frame format and the fields to be used to insert random authen bits [2] ...34

Figure 10 Unused bits of the frame control field in the management frame [2] ...35

Figure 11 Authentication Algorithm Number fixed field [2]...36

Figure 12 Authentication Transaction Sequence Number fixed field [2] ...36

Figure 13 Capability Information fixed field [2] ...38

Figure 14 Sequence control field [2]...38

Figure 15 Example of the bit stream shared by both of the communicating nodes while N = 3 ... 40

Figure 16 Scenario of random bit authentication for Authen & Assoc procedures ... 41

Figure 17 Scenario of attacks of using Random bit authentication for Authen. & Assoc procedures ...42

Figure 18 Bit9, Bit12, Bit13 and Bit15 were set to 1 successfully. ...43

Figure 19 Implementation Scenario ...45

Figure 20 Graph of normal FTP session ...51

Figure 21 Figure of relation of random bit authentication number and Deauth & Disassoc flooding attacks...53

Figure 22 Attacker launched Deauth flooding attack with no ( or 0 ) Random bit authentication defense...54

Figure 23 Using 6 random bits for authentication to defend Deauth flooding attacks... 55

Figure 24 Using 8 random bits for authentication to defend Deauth flooding attack ... 56

Figure 25 FTP session delay after Deauth flooding attacks ... 56

Figure 26 Changes of ping echo time during the FTP session delayed after Deauth flooding attacks ... 57

Figure 27 FTP session delay after deauth flooding attacks between Windows XP STA and Host AP ... 58

Figure 28 The SNs of the sequential frames captured by Host AP ... 60

Figure 29 Recorded SND record ... 61

Figure 30 Filter out the Disassoc flooding frames of which SND was under or equal to 64 ... 63

Figure 31 Graph of results according to table 14 ... 65

Figure 32 FTP duration under Disassoc flooding attacks on condition of RBN=3 & SND=24 ... 66

Figure 33 FTP duration under Disassoc flooding attacks on condition of RBN=4 & SND=12 ... 66

Figure 34 FTP duration under Deauth flooding attacks in windows STA on condition of RBN=3 & SND=24 ... 68

Figure 35 Captured frame digest in FTP duration under Deauth flooding


Chapter 1

Introduction

Wireless Local Area Networks (WLANs) are popular and widely deployed in public places, companies, and homes. Many governments have also deployed WLANs in metropolitan areas so that citizens can access information from mobile devices. While WLANs are prevailing, wireless security has become an important issue. If one carelessly deploys a WLAN, important corporate or personal data may be leaked.

Since the 802.11i standard was ratified on June 24, 2004, many of the vulnerabilities of Wired Equivalent Privacy (WEP) have been fixed. However, security problems still remain. Wireless networks are inherently different from wired networks. Malicious nodes within the range of a wireless network are as capable as the legitimate nodes of receiving radio signals. Hence, WLAN frames are easily sniffed, intercepted, forged and blocked by an attacker. Defending against these attacks is thus an important issue when designing security mechanisms for WLANs.

1.1 Research Motivation

The vulnerabilities of WEP are well known. WEP is the security scheme defined in IEEE 802.11. The security scheme of 802.11 has been modified many times, either by the IEEE or by others. Wi-Fi Protected Access (WPA) was proposed by the Wi-Fi Alliance to solve the vulnerability problems of WEP. Because it had to remain compatible with existing 802.11 devices, WPA still contains some security weaknesses. IEEE 802.11 Task Group I amended the 802.11 standard with the 802.11i specification to enhance its security.


confidentiality, integrity and availability. Some researchers found that 802.11i only concentrates on addressing confidentiality and integrity, not availability. 802.11i appears vulnerable to DoS attacks even when RSNA is implemented [6].

Launching DoS attacks against 802.11(i) is easy. Attack tools such as void11 are readily obtainable from the Internet and are easily installed on common devices equipped with 802.11 wireless cards. An attacker with only moderate skill can therefore launch DoS attacks to block or slow down a WLAN. One may argue that DoS attacks are inevitable because of the inherent characteristics of wireless networks. The idea in solving such an issue is to impose a relatively higher cost on an adversary mounting these attacks.

Wireless devices usually have only limited computing power and bandwidth. A malicious attacker sending a great number of attack frames can easily exhaust these limited resources. Probe, authentication and association request frames can be used to flood the network and cause a traffic jamming DoS attack. On the other hand, complex encryption and decryption algorithms may introduce resource-exhaustion vulnerabilities that an attacker can easily exploit to launch DoS attacks.

Certain vulnerabilities are inherent in the design of the protocol. The most common exploits are the deauthentication and disassociation flooding attacks. 802.11 networks use management frames to establish transmission sessions. However, these frames are not protected by any key-based authentication, and they are transmitted in the clear. They are easily captured, spoofed and blocked by attackers.

Our research has three purposes:

First of all, we want to design a mechanism to defend against deauthentication and disassociation flooding based DoS attacks on 802.11 WLANs. Secondly, we want the mechanism to be backward compatible. Finally, we want the mechanism to be efficient and lightweight.

1.2 Thesis Organization

This thesis is organized as follows. Chapter 2 describes background material, such as the differences between wireless and wired networks, the evolution of 802.11 security issues and the concepts of DoS attacks. Chapter 3 briefly discusses related work. In Chapter 4 we present our proposed protocol that defends against deauthentication and association flooding attacks. Chapter 5 shows our experimental results in detail. Chapter 6 presents the conclusion and future work.


Chapter 2

Background

Wireless networks have characteristics that differ from those of wired networks. These differences introduce many security issues that must be considered, or the wireless network will be exposed to security risks.

The IEEE 802.11 standard defined the Wired Equivalent Privacy (WEP) algorithm to protect data transmitted over wireless networks. It has been proven that WEP provides insufficient security. To replace WEP, the Wi-Fi Alliance proposed Wi-Fi Protected Access (WPA). As a long-term solution, IEEE 802.11 TGi approved the 802.11i specification to address 802.11 security issues.

802.11 networks are vulnerable to Denial of Service (DoS) attacks. A DoS attack is an attack against a computer system or network that results in a loss of service to legitimate users. A Denial of Service attack not only disables your computer systems or networks but, more seriously, effectively disrupts the normal operation of your organization.

2.1 Overview of Wireless Local Area Network (WLAN)

2.1.1 Characteristics of Wireless LAN

Wireless networks have inherent characteristics that are significantly different from traditional wired LANs [2].

The most distinguishing characteristic is that radio transmission has no definite boundaries. When we set up wireless equipment, we cannot predict with any certainty where a transmitted message may eventually arrive. A transceiver placed near a wireless network by a malicious adversary can potentially receive messages from or insert messages into the network.

Furthermore, the signals transmitted wirelessly are significantly less reliable than the signals transmitted through wired networks. Frames are much more likely to be lost or be distorted by noise interference.

Besides, IEEE 802.11 PHYs (physical layer) lack full connectivity. Therefore, we cannot make the normal assumption that every STA (station) can hear every other STA. For example, some STAs may be hidden from others.

Last but not the least, IEEE 802.11 is designed to handle mobile as well as portable stations. Portable stations can be moved from location to location, yet can only be used in fixed locations. On the other hand, mobile stations can access the WLAN while in motion, and are often battery powered. Hence, power management is an important consideration for mobile stations [2].

We must understand the inherent characteristics of a wireless network when considering its security issues, and design security measures that protect messages from being intercepted, forged, interfered with, or blocked.

The system availability is threatened by the peculiar features of 802.11 standard, since they expose the wireless networks to more DoS attacks than wired networks. The wireless medium allows a malicious station or a directive antenna inside the range of a wireless network to launch an attack that blocks any legitimate communications [13].

2.1.2 Evolution of 802.11 network

Originally, the 802.11 standard was ratified by IEEE-SA in 1997. Now, 802.11 is a set of IEEE standards that govern wireless networking transmission methods. Today, versions such as 802.11a, 802.11b, and 802.11g are commonly used to provide wireless connectivity in homes, offices, and commercial establishments. The draft of 802.11n is underway. When accepted, it will provide a new amendment to the 802.11 standard that boosts the throughput of wireless LANs.

a. 802.11

The original version of the IEEE 802.11 standard was released in 1997. The standard specifies that the data can be transmitted via infrared signals in raw data rates of 1 or 2 Mbps; or the data can be transmitted using the Industrial Scientific Medical frequency of 2.4 GHz. It also defines Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) as the media access method.

The original 802.11 standard is really more of a “meta-specification” than a rigid specification. Individual product vendors are given the flexibility to add innovations that could enrich their products. Legacy 802.11 devices were rapidly supplemented (and popularized) by 802.11b modifications. Widespread adoption of 802.11 networks only began after 802.11b was published, and as a result, few networks follow the 802.11-1997 standard [27]. However, the 802.11-1997 standard acts as the base of the following 802.11 standard family.

b. 802.11b

802.11b was added as an amendment to the original 802.11 standard in 1999. It increased the maximum raw data rate to 11 Mbps and uses the same CSMA/CA media access method as the original standard.

802.11b products appeared on the market very quickly. The dramatic increase in data throughput (compared to the original standard) along with the substantial price reduction both contribute to the rapid acceptance of 802.11b as the definitive wireless LAN technology.

A point-to-multipoint configuration is usually used by an 802.11b network. In this configuration, a single AP communicates with one or more clients (STAs) located inside the coverage area of the AP. The throughput rate varies inversely with the distance between the AP and the STA [2].


Even though 802.11b network cards can operate at 11 Mbps, they will scale back to 5.5, 2, or 1 Mbps. Extensions have been proposed to increase the speed to 22, 33, and 44 Mbps, but the extensions are proprietary and not yet endorsed by the IEEE. Many companies call their enhanced versions “802.11b+”.

c. 802.11a

802.11a was added to the 802.11 family in 1999. The 802.11a standard uses the same core protocol as the original standard, but the operating frequency is changed to 5 GHz. It also employs orthogonal frequency division multiplexing (OFDM) with a maximum raw data rate of 54 Mbps.

If required, the data rate can be reduced to 48, 36, 24, 18, 12, 9 or even 6 Mbps. In 802.11a standard, 12 non-overlapping channels are utilized. Eight of the channels are dedicated to indoor communication, and the other four channels are reserved for point-to-point communication. In this respect, 802.11a is not interoperable with 802.11b.

Since the 2.4 GHz band is heavily used, using the 5 GHz band gives 802.11a the advantage of having less interference. However, the higher carrier frequency also bears a disadvantage. It restricts the use of 802.11a to almost line of sight. This means that 802.11a cannot penetrate as far as 802.11b [27].

d. 802.11g

The 802.11g was the new addition to the 802.11 family in June 2003. It has data rates up to 54 Mbps, and works in the 2.4 GHz band like 802.11b. 802.11g hardware is compatible with 802.11b hardware. However, the presence of an 802.11b STA significantly reduces the speed of an 802.11g network.

Identical to 802.11a standard, the modulation scheme used in 802.11g is orthogonal frequency division multiplexing (OFDM) with data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps [27].


Since the crowded 2.4 GHz frequency band is also used, 802.11g suffers the same interference problems present in a 802.11b network. Devices operating in this frequency range include microwave ovens, Bluetooth® devices, and cordless telephones. Those devices can emit signals that would interfere with the 802.11g transmission.

e. 802.11n

The IEEE 802.11n standard development project began in 2003. The standard committee expects to complete the draft in late 2006, and plans to publish the 802.11n amendment to the 802.11 standard in 2007 [28].

802.11 Task Group n (TGn) was formed by IEEE to be responsible in developing a new amendment to the 802.11 standard. The actual data throughput attained is estimated to reach a theoretical 600 Mbps [28]. It is projected that 802.11n will also offer a better operating distance than current networks.

802.11n builds upon previous 802.11 standards and adds MIMO (multiple-input multiple-output) feature. MIMO uses multiple transmitter and receiver antennas to increase data throughput by incorporating spatial multiplexing and to increase range by exploiting the spatial diversity.

2.2 IEEE 802.11 security issues

IEEE 802.11 security issues have been fiercely debated and seriously criticized. After several papers presented the weaknesses of 802.11 security and showed how to crack WEP, some solutions, both short term and long term, were published. The Wi-Fi Alliance proposed the WPA security solution for the vulnerabilities of 802.11 before the 802.11i standard was approved. To enhance the security of 802.11, the IEEE 802.11i task group was formed, and it approved the 802.11i standard on June 24, 2004. Though 802.11i specifies rigorous mechanisms to protect transmitted packets, some security issues, such as DoS attacks, remain unsolved.

2.2.1 WEP

According to the 802.11 standard, authentication and privacy services are provided to bring the IEEE 802.11 functionality in line with wired local area networks. Authentication is used instead of the wired media physical connection. Privacy is used to provide the confidential aspects of closed wired media. Access control and confidentiality services of 802.11 standard are also important security services [2].

To control access to the unrestricted radio medium, IEEE 802.11 provides two modes of authentication services: Open System and Shared Key.

Open System authentication is a null authentication algorithm. Any STA requesting authentication using this method may become authenticated. Shared Key authentication requires STAs to agree on a common shared key before the authentication service can be used. In infrastructure architecture, the AP is the authenticator, and the other STAs are authenticated by the AP. This authentication scheme is only available if the WEP option is implemented.

Shared Key authentication accomplishes its task without transmitting the secret key over the air. Upon receiving an authentication request, the AP sends a challenge text for the STA to encrypt with the shared secret key using WEP. Then, the AP decrypts the encrypted response packet and compares it with the original challenge text. If there is a match, the authentication succeeds [2]. Please refer to Figure 1 for details.

(22)

Figure 1 Shared Key authentication scheme

No matter which authentication method is used, either side of the communication can send a deauthentication notification to end the session. An AP broadcasts deauthentication notifications to all authenticated STAs to stop communicating with them. The deauthentication frame is sent in the clear, and no key-based authentication is used. This makes forging the deauthentication frame easy.

If a STA is authenticated by some AP, the STA then has to become associated with the authenticating AP to be allowed to send data messages through the AP. The association service provides the STA-to-AP mapping, and this mapping is delivered to the distribution system (DS). The DS will use this information to accomplish message distribution services.

The disassociation service is invoked whenever an existing association is to be terminated. Either the STA or AP may initiate the disassociation process. To do so, one sends a disassociation message to the other, then the disassociation succeeds. The disassociation frame is transmitted in the clear and has similar problems as the deauthentication frame.

The (de)authentication and (dis)association processes are illustrated in Figure 2 as a state transition diagram.


Figure 2 Relationship between state variables and services [2].

As shown in Figure 2, any STA and AP must follow the state machine specified in the IEEE 802.11 standard. A successfully associated STA stays in State 3 in order to continue wireless communication. In State 1 or 2, a STA cannot participate in the WLAN data communication process until it is again authenticated and associated.
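The two-phase filter described in the abstract (random authentication bits carried in unused Frame Control bits of management frames, then a Sequence Number check) driving the state transitions of Figure 2, as an added Python simulation that is not the thesis' own code. The SHA-256-based derivation of the shared bit stream, the sequence-number window rule, the MAC addresses and the sequence numbers are assumptions constructed for this example.

```python
"""Receiver-side two-phase filter for 802.11 deauth/disassoc frames, driving the
STA state machine of Figure 2. Added example, not the thesis' own code; the
bit-stream derivation and the sequence-number rule are assumptions."""
import hashlib
import struct

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC   # management frame subtypes (type 0)
AUTH_BIT_POSITIONS = (9, 12, 13, 15)          # unused Frame Control bits (Figure 18)
STATE_1, STATE_2, STATE_3 = 1, 2, 3           # Figure 2: unauth / auth / auth+assoc


def shared_bit_stream(secret, length):
    """Bit stream both nodes derive from a pre-shared secret. Assumed derivation
    (SHA-256 in counter mode); the thesis only assumes the stream is shared."""
    bits, counter = [], 0
    while len(bits) < length:
        digest = hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in digest for i in range(8))
        counter += 1
    return bits[:length]


def build_mgmt_frame(subtype, addr1, addr2, addr3, seq_num, auth_bits=()):
    """24-byte management frame header plus a 2-byte reason code; up to four
    auth_bits are written into AUTH_BIT_POSITIONS of the Frame Control field."""
    fc = subtype << 4                          # protocol version 0, type 0
    for pos, bit in zip(AUTH_BIT_POSITIONS, auth_bits):
        fc |= (bit & 1) << pos
    seq_ctrl = (seq_num & 0xFFF) << 4          # fragment number 0
    header = struct.pack("<HH6s6s6sH", fc, 0, addr1, addr2, addr3, seq_ctrl)
    return header + struct.pack("<H", 1)       # reason code 1: unspecified


def parse_mgmt_frame(frame):
    fc, _dur, _a1, a2, _a3, seq_ctrl = struct.unpack("<HH6s6s6sH", frame[:24])
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "auth_bits": tuple((fc >> p) & 1 for p in AUTH_BIT_POSITIONS),
            "src": a2, "seq_num": seq_ctrl >> 4}


class LegitimateAP:
    """Sender side: consumes N bits of the shared stream per management frame."""
    def __init__(self, secret, n_bits=3):
        self.stream, self.offset, self.n_bits = shared_bit_stream(secret, 4096), 0, n_bits

    def next_auth_bits(self):
        bits = tuple(self.stream[self.offset:self.offset + self.n_bits])
        self.offset += self.n_bits
        return bits


class FilteringSTA:
    """Receiver side: phase 1 checks the random auth bits, phase 2 checks that the
    SN is within sn_window of the last SN seen from that source MAC (assumed rule)."""
    def __init__(self, secret, n_bits=3, sn_window=24):
        assert 1 <= n_bits <= len(AUTH_BIT_POSITIONS)
        self.stream, self.offset, self.n_bits = shared_bit_stream(secret, 4096), 0, n_bits
        self.sn_window, self.last_sn = sn_window, {}   # SND threshold; MAC -> last SN
        self.state = STATE_3                           # start authenticated + associated

    def observe_data_frame(self, src, seq_num):
        self.last_sn[src] = seq_num

    def receive(self, frame):
        info = parse_mgmt_frame(frame)
        if info["type"] != 0 or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return "ignored"
        expected = tuple(self.stream[self.offset:self.offset + self.n_bits])
        if info["auth_bits"][:self.n_bits] != expected:
            return "dropped:auth"                      # phase 1: wrong random bits
        last = self.last_sn.get(info["src"])
        if last is not None and (info["seq_num"] - last) % 4096 > self.sn_window:
            return "dropped:sn"                        # phase 2: implausible SN jump
        self.offset += self.n_bits                     # consume bits only on acceptance
        self.last_sn[info["src"]] = info["seq_num"]
        if info["subtype"] == SUBTYPE_DEAUTH:
            self.state = STATE_1                       # deauth: any state -> State 1
        elif self.state == STATE_3:
            self.state = STATE_2                       # disassoc: State 3 -> State 2
        return "accepted"


def run_scenario(secret=b"constructed-shared-secret"):
    """Constructed scenario (MAC addresses and SNs are made up): a forged deauth with
    guessed bits, a forged deauth with correct bits but a stale SN, then the AP's own."""
    ap_mac, sta_mac = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    ap, sta = LegitimateAP(secret), FilteringSTA(secret)
    sta.observe_data_frame(ap_mac, 100)            # AP's counter last seen at SN 100
    good_bits = ap.next_auth_bits()
    wrong_bits = tuple(1 - b for b in good_bits)   # an attacker guess that misses
    results = {}
    forged = build_mgmt_frame(SUBTYPE_DEAUTH, sta_mac, ap_mac, ap_mac, 3000, wrong_bits)
    results["forged_wrong_bits"] = sta.receive(forged)
    lucky = build_mgmt_frame(SUBTYPE_DEAUTH, sta_mac, ap_mac, ap_mac, 3000, good_bits)
    results["forged_bad_sn"] = sta.receive(lucky)
    genuine = build_mgmt_frame(SUBTYPE_DEAUTH, sta_mac, ap_mac, ap_mac, 101, good_bits)
    results["genuine"] = sta.receive(genuine)
    results["final_state"] = sta.state
    return results
```

With N = 3 authentication bits a forged frame passes phase 1 with probability 1/8, which is why the sequence-number phase still matters against a flood of many frames.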

IEEE 802.11 specifies a data confidentiality algorithm that hopefully provides the level of secrecy comparable to that provided in a wired LAN. The algorithm, named WEP, protects authorized users of a wireless LAN from casual eavesdropping. This service is intended to provide functionality for the wireless LAN equivalent to that provided by the wired medium [2].

The standard document claims that the WEP algorithm is “reasonably strong”. The security of the algorithm, as stated in the standard, relies on the difficulty of discovering the secret key through a brute-force attack. Therefore, the security can be enhanced by increasing the length of the secret key and the frequency of changing the IV. Please refer to [2] for a detailed description of the WEP algorithm.

WEP does not include any key management protocol; the pre-shared key must be fed into devices manually. The AP and the associated STAs share the same key. If the shared key is leaked, the WEP security mechanism is cracked. Since WEP keys are changed manually, they tend to be changed infrequently, which increases the danger of their being sniffed and cracked.

Jesse R. Walker noted that it is infeasible to achieve privacy using WEP encapsulation, even if the key size is expanded from 40 bits to 104 bits. He presented an attack against WEP and demonstrated that the attack will succeed regardless of the key size or the cipher used. Also, the attack can be implemented easily [4].

Fluhrer, Mantin, and Shamir described several attacks on the RC4 algorithm used in WEP [10]. They found that an eavesdropper who can obtain several million encrypted packets with a known first byte of plaintext would be able to deduce the RC4 key by exploiting properties of the RC4 key schedule. Their passive ciphertext-only attack can recover an arbitrarily long key in a short amount of time for any key length, even when 24- and 128-bit IV modifiers are added.

Stubblefield, Ioannidis, and Rubin experimentally implemented the “F.M.S.” attack using off-the-shelf devices, and demonstrated that real systems could be cracked in several hours [5]. They also improved the RC4 attack implementation with some optimizations. Fluhrer et al. speculated that around 4,000,000 to 6,000,000 packets would be sufficient to successfully attack RC4, but Stubblefield’s improvement dropped the number to around 1,000,000 packets. They concluded that 802.11 WEP was totally insecure.

Once the WEP vulnerabilities were publicized, tools like Airsnort [16] and WEPCrack [17] emerged, enabling anyone with popular 802.11 devices to sniff 802.11 packets and discover the key in a short time.

2.2.2 WPA

Due to the poor access control and weak WEP privacy in the 802.11 standard, the Wi-Fi Alliance devised Wi-Fi Protected Access (WPA) to enhance the security of an 802.11 network.

WPA is an intermediate solution. It replaces WEP with Temporal Key Integrity Protocol (TKIP). TKIP is a compromise on achieving strong security while still using existing hardware. It continues the use of RC4 as the encryption algorithm. However, a keyed packet authentication mechanism (called Michael) is implemented to guard against replay attacks.

To provide access control and key management, WPA can either use an external authentication server (e.g., RADIUS) and EAP similar to that used in IEEE 802.1x, or it can use pre-shared keys without additional servers. WPA implements a new key handshake process (4-Way Handshake) for generating and exchanging data encryption keys between the Authenticator and the Supplicant. This handshake is also used to verify that both the Authenticator and the Supplicant know the master session key.

When a station would like to use the services of an AP, the station first performs an IEEE 802.11 authentication. Open System authentication is used in this case, so there is no security. After this, IEEE 802.11 association is performed. If 802.1x is configured to be used, the virtual port of the station is set to the unauthorized state and can now accept only IEEE 802.1x frames. The Authenticator then asks the Supplicant to authenticate itself with the Authentication Server. After the Supplicant is authenticated successfully, the virtual port is set to the authorized state, and any frames from and to the station are accepted.

TKIP was proposed to address the known vulnerabilities of WEP, and it does enhance security. However, weaknesses were inevitable from the outset because of the limitations imposed by its reuse of legacy hardware [6].

2.2.3 IEEE 802.11i


security in the Medium Access Control layer for 802.11 networks. The 802.11i specification defines two classes of security algorithms: Robust Security Network Association (RSNA), and Pre-RSNA. Pre-RSNA is the old security mechanism discussed in section 2.2.1.

RSNA provides two data confidentiality protocols: the Temporal Key Integrity Protocol (TKIP) and the Counter-mode/CBC-MAC Protocol (CCMP). The TKIP protocol has already been discussed in section 2.2.2. It is designed to be backward compatible to older 802.11 devices.

802.11i RSNA establishment procedure makes use of 802.1x authentication and key management protocols. The complete handshakes of establishing a RSNA are shown in Figure 3. These steps can be divided into 6 stages as follows [6].

Stage 1. Network and Security Capability Discovery

Stage 2. 802.11 Authentication and Association

Stage 3. EAP/802.1x/RADIUS Authentication

Stage 4. 4-Way Handshake

Stage 5. Group Key Handshake

Stage 6. Secure Data Communication

For our research purposes, we must keep an eye on Stage 2. The deauthentication service is invoked when an existing Open System authentication is to be terminated. In an ESS, because authentication is a prerequisite for association, deauthentication also causes the station to be disassociated. In an RSN ESS, Open System authentication is required. Deauthentication results in the termination of any association for the deauthenticated station. It also results in the disabling of the IEEE 802.1x Controlled Port for that STA and the deletion of the pairwise transient key security association (PTKSA). It also destroys the pairwise master key security association (PMKSA) from which the deleted PTKSA was derived [1].


2.2.4 802.11w

Although 802.11i addresses the security of data frames, the unprotected management frames still leave wireless networks vulnerable to malicious attacks.

The IEEE-SA Standards Board approved the 802.11w project on March 20, 2005 [25]. The project timeline is expected to end in December 2009. The goal of 802.11w is to strengthen the IEEE 802.11 Medium Access Control layer to provide appropriate mechanisms that enable data integrity, data origin authenticity, replay protection, and data confidentiality for selected IEEE 802.11 management frames. The Task Group responsible for developing IEEE 802.11w focuses on increasing the security of IEEE 802.11 management frames.

The 802.11w project is still in progress. As of March 2006, P802.11w D1.0 was sent to Working Group letter ballot [26].

2.3 Denial of Service attacks

Denial of service attacks can paralyze your computer systems or networks. More seriously, they can easily disconnect your organization from the rest of the world. Some denial of service attacks can be executed against a large web site, a network device or a communication session using only limited resources.

2.3.1 Definition of Denial of Service attacks

A denial of service (DoS) attack is characterized as an explicit attempt by attackers to prevent legitimate users of a service from using that service [29]. For example, it includes:

a. One attempts to “flood” a network, and thereby blocks legitimate network traffic.

b. One attempts to disrupt connections between two machines, and thereby prevents one machine from accessing a service on the other.

c. One attempts to prevent a particular individual from accessing a service.

d. One attempts to disrupt a service to a specific system or a person [29].

In other words, a denial of service attack is an attack against a computer or a network that causes the loss of services to users. Typically, the DoS attacks disrupt network connectivity and services by consuming the bandwidth of the victim network or overloading the computing or memory resources of the victim system. When DoS attacks are mounted, the victim system cannot operate normally to provide its services.

2.3.2 Types of Denial of Service attacks

Denial of Service attacks come in a variety of forms and aim at a variety of services. We briefly describe some typical types of DoS attacks here.

a. Consumption of system resources

Computers and networks need certain resources to work normally. These resources include CPU time, memory and disk space, etc.

Denial of Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.

In a SYN flood attack, the attacker attempts to establish a connection with the victim machine, but never completes the connection. By flooding SYN packets, the attacker can exhaust the resources of the victim node.

We should note that this type of attack does not rely on the attacker being able to consume the network bandwidth. In 802.11 networks, the probe request flooding, authentication request flooding and association flooding attacks are DoS attacks of this kind.


b. Bandwidth Consumption

An attacker may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to the victim network. Typically, the easiest way is to use ICMP ECHO packets. “Ping flooding” is one such attack. The idea is simply to flood the victim with so much ping traffic that normal traffic fails to reach the targeted node.

Further, the attacker need not operate from a single machine. They may be able to coordinate several machines on the same or different networks to achieve the DoS attack. This form of DoS attack is usually called a Distributed Denial of Service attack (DDoS) [30].

c. Exploitation of unsophisticated protocols

Some protocols contain vulnerabilities that attackers can exploit to launch DoS attacks. Networks based on IEEE 802.11 contain many inherent vulnerabilities that can be exploited to launch DoS attacks. The deauthentication and deauthentication flooding attacks both belong to this category. The unbounded radio signals are easily captured and spoofed by the attacker, and many management and control frames of 802.11 are not protected by any key-based authentication.

In addition to the deauthentication and deauthentication flooding attacks, the power saving mode attack is a similar attack. Since the control messages in 802.11 are not protected or authenticated, an attacker can spoof the polling message on behalf of the STA and cause the access point to discard the STA's packets while the STA is asleep in power saving mode. Conversely, it is possible to trick a STA into believing that there are no buffered packets at the AP [13].

The virtual carrier sense DoS attack is another vulnerability of the 802.11 network. It is also called the duration attack. WLAN devices perform virtual carrier sensing prior to accessing the medium. This mechanism is designed to reduce frame collisions and prevent the hidden node problem. The virtual carrier-sense function is based on the Network Allocation Vector (NAV). IEEE 802.11 MAC frames carry a duration field, which is used to reserve the medium for a certain period of time. The NAV is a timer that indicates the time for which the medium has been reserved. Transmitting nodes set the NAV to the time for which they expect to use the medium. Other nodes set up a mechanism to count down the value of the NAV. When the NAV is greater than zero, the virtual carrier-sense function indicates that the medium is busy.

However, an attacker can send frames with huge duration values. This forces other nodes in range to wait until the NAV value reaches zero. If the attacker keeps sending such frames continuously, it prevents other nodes from accessing the medium, which results in a DoS attack [3][13].

802.11i is the enhanced security amendment of 802.11, but it also introduces some DoS vulnerabilities of its own. The 4-Way Handshake blocking and RSN IE poisoning attacks, among others, are detailed in [6][15].

The weakness of 802.11 is well known. The security provisions of the 802.11 specification have been modified many times, as we described in section 2.2.


Chapter 3

Related work

In order to analyze the 802.11 protocol and its security issues, it is important to characterize the possible capabilities of any adversary. In the Link Layer of a WLAN, there are three types of frames: Management Frames, Control Frames, and Data Frames. Any illegal manipulation of these frames may be exploited by an adversary to create a security threat.

WLAN systems are quite vulnerable to DoS attacks. Because of the inherently unshielded nature of wireless networks, an adversary may launch DoS attacks in several ways. For example, by forging the unprotected management frames, exploiting protocol weaknesses, or jamming the frequency band, the services to legitimate clients can be denied.

However, we only consider DoS attacks that require reasonable effort on the part of an adversary. For instance, commodity devices such as the prevailing Wi-Fi cards, PDAs and laptops consume little energy and can easily be bought on the market. Such devices can be exploited by common users. DoS attacks that use special devices and consume considerable resources are not discussed in our thesis.

3.1 DoS attacks against 802.11 network

The 802.11 MAC layer incorporates functionalities uniquely designed to be used in the specific wireless networks. In particular, these include the ability to discover radio networks, to join and leave networks, and to coordinate access to the radio medium.

Many of the vulnerabilities result from the unprotected management and control frames. Some adversaries exploit 802.11-specific mechanisms such as CSMA/CA to launch DoS attacks.

Among the 802.11 DoS attacks, the most efficient is to forge and send deauthentication or disassociation frames repeatedly to the victims. It is not difficult to set up this kind of DoS attack: many commodity 802.11 devices can be exploited, and, more seriously, attack software is easy to download from the Internet and install on such devices.

3.1.1 802.11 Deauthentication and Disassociation flooding attacks

After an 802.11 STA has selected an AP to use for communication, it must first authenticate and then associate itself with the AP. When the STA or the AP wants to stop the communication, either side can send a deauthentication message to the other and disconnect the communication. Unfortunately, this deauthentication message is not protected by any key material. Consequently an attacker may spoof this message, pretending to be the AP or the STA, and send the spoofed message to the other node. Figure 4 illustrates the scenario of the deauthentication and disassociation attacks.

Figure 4 Graphical depiction of the Deauth and Disassoc attacks [13]

authenticated state until authentication is reestablished. If the attacker keeps sending deauthentication frames to the victim, the victim may be prevented from transmitting or receiving data until the attack stops.

The attacker can pretend to be an AP to broadcast deauthentication or disassociation frames to all the STAs that were authenticated by the legal AP, and forces them to stop the communication. Alternatively, the attacker can pretend to be a legal STA to send deauthentication or disassociation frames to the AP and disconnect the communication between the AP and the legal STA.

J. Bellardo and S. Savage successfully implemented the attacks described above. They suggested that the vulnerabilities can be solved directly by explicitly authenticating management frames. However, the 802.11 standard is still some ways off, and it is clear that legacy 802.11 devices do not have sufficient CPU capacity to implement this functionality as a software upgrade [13]. Therefore, defending against such attacks with low-overhead designs can still offer significant value.

To defend against the deauthentication and disassociation attacks, J. Bellardo and S. Savage designed a mechanism that delays the effect of deauthentication or disassociation requests (e.g., by queuing such requests for 5-10 seconds). The AP or STA then has the opportunity to observe subsequent packets from the other corresponding node. If a data packet arrives after a deauthentication or disassociation request has been queued, that request is discarded, since a legitimate node would never generate packets in that order [13]. They implemented their mechanism and defended against deauthentication attacks successfully when FTP sessions were running between the communicating nodes.

There are some drawbacks, as J. Bellardo and S. Savage mentioned. Such a defending mechanism delays the handoff process when the mobile STA roams between APs, and it opens up a new vulnerability when mobile clients roam between access points [13].

If the STA sends the deauthentication or disassociation frame to the AP, but the frame is queued and delayed for 5-10 seconds, the session hijacking attacker may exploit the delaying period to send forged data frames to the AP and void the real deauthentication frame. The hijacking attacker will successfully connect to the AP without being detected.

On the other hand, FTP applications are not always in use; other applications such as the web browser and email are used more frequently. When the user browses the web, the browser does not download pages continuously during the connection. While the user reads a page, the network usually idles for more than 10 seconds. If the deauthentication attack happens at this time, it succeeds in disconnecting the network, and the STA must then reauthenticate itself with the AP. This situation may happen frequently and bothers users who browse a certain website. It is similar to a DoS attack, even though the network is probably not blocked completely.
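The delay-and-observe defence of Bellardo and Savage, together with the idle-link drawback just described, as an added simulation that is not from the thesis or from [13]; the frame records, timestamps, station address and the 5-second hold time are constructed assumptions for the demonstration:

```python
from dataclasses import dataclass, field

DEAUTH_DELAY = 5.0            # seconds a request is held ([13] suggests 5-10 s); assumed
STA = "66:77:88:99:aa:bb"     # constructed station address


@dataclass
class Frame:
    time: float   # arrival time in seconds, constructed for the demo
    src: str      # transmitter address as seen by the AP
    kind: str     # "data", or "deauth" (disassoc is handled the same way)


@dataclass
class DelayedDeauthAP:
    """AP-side state for the delay-and-observe defence."""
    associated: set
    pending: dict = field(default_factory=dict)   # src -> time the request was queued
    log: list = field(default_factory=list)       # (time, src, event) for inspection

    def expire(self, now):
        # A queued request takes effect only if the delay passes with no data
        # frame from that station arriving in between.
        for src, queued_at in list(self.pending.items()):
            if now - queued_at >= DEAUTH_DELAY:
                self.associated.discard(src)
                del self.pending[src]
                self.log.append((now, src, "deauth-honoured"))

    def receive(self, frame):
        self.expire(frame.time)
        if frame.kind == "deauth":
            if frame.src in self.associated and frame.src not in self.pending:
                self.pending[frame.src] = frame.time
                self.log.append((frame.time, frame.src, "deauth-queued"))
        elif frame.kind == "data" and frame.src in self.pending:
            # A legitimate station never sends data after its own deauth, so the
            # queued request is judged forged and discarded.
            del self.pending[frame.src]
            self.log.append((frame.time, frame.src, "deauth-discarded"))


def run(frames, end_time):
    """Feed constructed frames to an AP with STA associated; return the AP state."""
    ap = DelayedDeauthAP(associated={STA})
    for f in sorted(frames, key=lambda f: f.time):
        ap.receive(f)
    ap.expire(end_time)   # let any still-pending request expire at the end
    return ap


def ftp_scenario():
    """Continuous transfer: a data frame every second, forged deauth at t=1.5 s.
    The data frame at t=2 s cancels the queued request."""
    frames = [Frame(float(t), STA, "data") for t in range(10)]
    frames.append(Frame(1.5, STA, "deauth"))
    return run(frames, end_time=10.0)


def idle_browsing_scenario():
    """Page already loaded: one data frame, forged deauth at t=1 s, then the link
    idles longer than the hold time, so the forged request is honoured."""
    frames = [Frame(0.0, STA, "data"), Frame(1.0, STA, "deauth"), Frame(20.0, STA, "data")]
    return run(frames, end_time=20.0)


if __name__ == "__main__":
    print(ftp_scenario().log)            # ends with a "deauth-discarded" event
    print(idle_browsing_scenario().log)  # ends with a "deauth-honoured" event
```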

3.1.2 Traffic Jamming DoS attack

In our thesis, a traffic jamming DoS attack means an attack that exhausts the resources of a device (e.g., an AP) and prevents the device from communicating with other legitimate nodes. With their request-response model, the management frames of 802.11 seem the most suitable to be exploited for this type of attack. Any management frame sent to a certain node (e.g., an AP) consumes some of its computing or memory resources.

We discuss probe, authentication and association request flooding attacks in this section. We do not discuss the bandwidth-consuming traffic jams caused by ordinary high-volume data transmission.

An AP can easily become a bottleneck for the entire network in an infrastructure network. If an AP fails, the entire network is blocked unless other APs are deployed alongside the failed AP.

Ferreri, F. et al. implemented probe, authentication and association request flooding attacks against 4 models of APs: Enterasys RoamAbout R2, Netgear ME102, 3Com AP 8000 and Host AP. They developed a simple application, named wfit (wireless frame injection tool), based on the Radiate library, which is built on top of an old version of the HostAP driver [14]. They used this tool to launch probe, authentication and association request flooding attacks with spoofed MAC addresses in the attacking frames.

We summarize their experimental results in Table 1.

AP Model               | Probe Request Flood      | Authentication Request Flood (open system) | Authentication Request Flood (WEP enabled) | Association Request Flood
Enterasys RoamAbout R2 | DoS                      | performance degradation                    | performance degradation                    | performance degradation
Netgear ME102          | No effect on performance | Can withstand the attacks                  | AP crashed each time                       | DoS
3Com AP 8000           | DoS                      | DoS                                        | DoS                                        | No relevant effects
Host AP                | DoS                      | Similar to Enterasys RoamAbout R2 AP (remaining attack types)

Table 1 Probe, authentication and association request flooding attacks against APs [14]. Note: DoS means the attack exhausts the AP resources, and communication among legitimate clients becomes impossible.

According to their experiments, they concluded:

a. Such attacks can be executed by a malicious station without being either associated or authenticated with the AP.

b. AP’s main vulnerability to these flooding attacks seems to reside in unacked frame retransmissions, which cause memory buffer exhaustion and freeze up the AP.

c. Weak implementations of the 802.11 protocol in APs can bring about further vulnerabilities that allow malicious stations to crash an AP [14].


Although they attempted to design a detection and defense mechanism and tried to embed it in the Linux HostAP, the vulnerability to probe request flooding attacks could not be mitigated at the software driver level; the AP vulnerabilities to those DoS attacks were at the firmware level [14]. Ferreri, F. et al. did not suggest better defensive solutions in their paper.

There are other Denial of Service attacks such as the virtual carrier sense DoS attack [3], the power saving mode attack, and more [14]. We have discussed them in section 2.3.2, and do not detail them here.

3.2 DoS attacks against 802.11i network

The IEEE claims that it deploys the strongest data confidentiality and authentication protocol with 802.11i, but it does not seem to emphasize availability as a primary objective. As a result, 802.11i is vulnerable to DoS attacks [6].

Changhua He et al. found that DoS vulnerabilities in 802.11i appear to be more severe than 802.11. An adversary can launch an 802.11i attack much more easily with moderate equipment only. The attack is not easily detectable. A more robust 802.11i specification is needed to strengthen 802.11i against DoS attacks [6].

As shown in Figure 5, the STA, AP and Authentication Server (AS) negotiate with each other. These negotiations are complex processes. The red rectangles mark the messages that are not authenticated by any key. These messages are potential vulnerabilities that an attacker can exploit by spoofing the same messages.

Since the DoS vulnerabilities are not solved in the 802.11i standard, the 802.11i network inherits the vulnerabilities of the 802.11 network. The DoS vulnerabilities described in section 3.1 also occur in 802.11i networks.

We first discuss the related countermeasures of the disassociation attack in 802.11i network, and then describe the DoS attacks that are unique in 802.11i network.

Figure 5 RSNA Establishment Procedures [6]


network

As shown in Figure 6, the 802.1X state machine was applied to 802.11i, but 802.11i did not modify the 802.11 (de)authentication and (dis)association mechanism, so the deauthentication and disassociation attacks still work as before.

Figure 6 802.11 / 802.1X state machine. Amended from [21][24]

Ping Ding, JoAnne Holliday and Aslihan Celik devised a so-called Central Manager (CM) to defend against DoS attacks when 802.1X is applied to an 802.11i network. A CM is designed to manage a large number of APs and their STAs. The CM is a back-end server that takes the role of the authentication server (AS) defined by 802.1X. It not only takes over the responsibilities of the AS, but also tracks STAs to avoid DoS attacks [21].

After an AP receives a disassociation frame from a STA, the AP forwards the frame to the CM. The CM sends a request frame to that STA and asks whether it really wants to be disassociated. After the STA receives the request packet, it needs to give a confirmation or denial response. If the CM receives a confirmation message, it sends a disassociation-continue message to the AP, and the AP then really disassociates the STA. If the CM receives a denial message or does not get a message from the STA, the CM sends a disassociation-ignore message to the AP. The AP then ignores the disassociation request and keeps the STA’s current status [21].

There are some disadvantages in their design. If an attacker pretends to be an AP and sends disassociation frames to a certain STA or broadcasts them to all STAs, the attack will succeed, since the AP and the CM server do not receive any disassociation messages. Furthermore, the current authentication server needs to be modified. The server will inevitably suffer from heavier load. Also, the 802.11i standard must be altered and will not be backward compatible with 802.11 networks that do not implement 802.1X architecture.

3.2.2 EAPOL-Failure and EAPOL-Logoff message attacks

Besides the disassociation attack, there are several DoS attacks that exploit the unprotected EAP messages in 802.1X authentication. As shown in Figure 5, an adversary can forge the EAPOL-Failure message and the EAPOL-Logoff message to disconnect the supplicant [14][15][22].

By disguising itself as an AP, an attacker can send an EAPOL-Failure message to force the STA to stop the negotiation among the AP, AS and STA. The STA must then restart the process of authentication and association. If the attacker sends EAPOL-Failure messages repeatedly, a DoS attack results.

On the other hand, if an attacker pretends to be a certain STA and sends EAPOL-Logoff message to the AP, the AP would log off the STA. If the attacker sends EAPOL-Logoff messages continually, the communication between the AP and STA would be blocked.


EAPOL-Logoff message DoS attacks in 802.1X applied to 802.11i network [14]. We have mentioned the deficits of the CM approach in the previous section. We do not discuss them here again.

3.3 Lightweight authentication on 802.11

Since the 802.11 management frames are easily forged and exploited by attackers to launch DoS attacks, it is important to protect the critical frames such as deauthentication and disassociation frames. However, we must keep in mind that the computing and memory resources of mobile devices are limited. The use of sophisticated encryption and decryption processes would itself invite other kinds of DoS attacks. Lightweight authentication on 802.11 provides another approach to solving the DoS attacks against 802.11 networks.

3.3.1 One-bit lightweight authentication

SOLA, Statistical One-bit Lightweight Authentication, is an identity authentication protocol proposed to detect unauthorized access in 802.11 networks.

It assumes that no encryption is used at the link layer and that IPSec is used for end-to-end security at the network layer. The main idea is to compute an identical random authentication stream in the STA and the AP, and then add one bit from this stream to the MAC layer header for identity authentication. The design goals of SOLA are to be secure and useful, cheap, and robust [11].

We briefly describe the SOLA protocol under the following key words: ASG, packet format, and synchronization algorithm [11].

ASG (Authentication Stream Generator): Its purpose is to generate an authentication stream that cannot be guessed by an attacker. It is assumed that the STA and the AP share a session key. Based on this session key, the random authentication stream is generated by the ASG.

Packet Format: Inserting the new identification bit into the packet is an important issue. The authentication bit is inserted into the IEEE 802.11 MAC header of the data packet, and the “failed” or “succeeded” bit, from the AP to the STA, is inserted into the response ACK packet. In the simulations, the most significant bit of the sequence control field and the most significant bit of the duration field are used for the data packet and for the ACK packet, respectively.

Synchronization Algorithm: Due to packet loss and other reasons for failures, the bit stream will not be synchronized. So, SOLA designed a synchronization mechanism to mitigate the problem.

The major purpose of SOLA protocol is to detect an attack. SOLA protocol offers a statistical way to identify the origin of the packets for the purpose of access control. The authors claim that the SOLA protocol is well suited in a wireless resource-constrained environment. Furthermore, it is possible to develop a framework to detect Denial of Service attacks or an adversary who tries to attack the network by guessing the identity authentication bit [11].

H. Wang et al. followed the lightweight authentication idea, but criticized that a severe problem exists in the synchronization algorithm of [11]. They developed a workable synchronization algorithm [12] and incorporated the synchronization mechanism into the current IEEE 802.11 network. They concluded that their lightweight authentication for access control has the following features [12]:

Lightweight: Only one bit is added to each frame in the proposed scheme, and it is easily processed.

Simplicity: No encryption or decryption is needed for the proposed scheme.

Continuous authentication: The system is always authenticating hosts. Continuous authentication is suitable for wireless networks since lower overhead is needed in the authentication process.

High efficiency: When non-synchronization is detected, the synchronization algorithm can resynchronize in a short time.

Fault tolerance: When the BER (Bit Error Rate) is high, the system can tell there are malicious attackers and wireless errors [12].

They claimed that they would “show some evaluation results later to approve the high efficiency and fault tolerance”, but we cannot find the results they promised.

Both groups of researchers focused on the synchronization algorithm and the statistical analysis. Implementation in a real wireless environment is not sufficiently considered.

Based on the above analysis, lightweight, mutual and per-packet authentication are feasible approaches for enhancing the security of 802.11 networks.

3.3.2 Enhanced lightweight authentication

Kui Ren et al. found that a severe synchronization problem exists in Johnson’s work on lightweight authentication because of the frame loss problem in wireless networks [20]. They also criticized that the work of Wang et al. was still not efficient. Frame loss happens frequently in wireless networks, so non-synchronization between the communicating parties occurs frequently too. It results in additional communication delay, which could be critical to many real-time applications.

Kui Ren et al. proposed an enhanced lightweight authentication protocol for access control at the MAC layer in wireless LANs. They examined the redundancy existing in the MAC header and adopted an enhanced 3-bit authentication mechanism [20] (see Figure 7, data frame control field).


Figure 7 Adaption of frame format to the Kui’s proposed protocol [20]

Figure 8 Overview of Kui’s proposed protocol [20]

As shown in Figure 8, Kui’s proposed protocol works as follows [20]. At the beginning, the sender and the receiver establish a common random bit stream generator by sharing a seed value. The random bit stream generator continuously outputs 3 bits as a unit, which is then inserted into the frame control field of the outgoing data frame. The receiver generates the same authentication bit stream as the sender. Upon receiving a frame, the receiver first checks the 3-bit authentication value. If the value matches the receiver’s, the frame is authenticated and processed further. On the other hand, when an ACK-failure frame is sent, a 7-bit counter value is inserted into the MAC frame header. As shown in Figure 7 (see the part of the ACK frame control field), seven corresponding bits are chosen based on the structure of the frame control field of the ACK frame. It is known that these 7 bits in the control frame are simply set to 0. The 7-bit counter carries the synchronization information between the communicating parties [20]. The details are, however, beyond the scope of our research.

The authors also offered a statistical way to identify the origin of the data frame for the purpose of detecting an attack. They asserted that the protocol is fully compatible with current IEEE 802.11 frame structure and provides a highly efficient identity authentication scheme [20].

However, all of the researchers described in sections 3.3.1 and 3.3.2 were certain that lightweight authentication in wireless networks is a feasible approach. In summary, a lightweight authentication mechanism, if applied to the 802.11 network, offers several benefits: lightweight processing, mutual authentication per frame, high efficiency, and backward compatibility.


Chapter 4

Proposed protocol to defend 802.11 DoS attacks

We designed a random bit authentication mechanism to defend against 802.11 deauthentication and disassociation flooding attacks. In this chapter, for backward compatibility reasons, we first analyze the unused bits of 802.11 management frames to determine the unused bits in the header and body of the management frame into which we may insert our random authentication bits.

Secondly, we examine the characteristics of the sequence number subfield in the sequence control field of the management frame to devise our defending methods.

Finally, we design a two-phase filtering mechanism to defend deauthentication and disassociation flooding attacks.

4.1 Unused bits of 802.11 management frame

We analyze the frame control field and frame body field of the management frame to find out the unused bits. The other fields are not suitable to be modified in 802.11. The general management frame format is shown in Figure 9.


4.1.1 Management frame control field analysis

Figure 10 illustrates the frame control field of the MAC header in the management frame. The frame type can be determined from the type field and the subtype field. It is not necessary to examine the unused bits shown in Figure 10 for a management frame.

In Figure 10, the “To DS” field is set to 1 in frames destined for the distribution system (DS). The “From DS” field is set to 1 in frames exiting the DS. The “More Fragments” bit is set to 1 to indicate that the frame is a fragment. The management frame is always limited by the maximal length of 2312 bytes for the frame body, and there are no fragmented frames in any subtype of the management frames. The “Power Management” bit and the “More Data” bit are used only in the control frame to indicate the power management mode of a STA. The “Order” bit is used in data frames that are transferred using the Strictly Ordered service class [2].

Figure 10 Unused bits of the frame control field in the management frame [2]

4.1.2 Management frame body analysis

Table 2 shows the contents of the frame body of the authentication frame. The value of the authentication algorithm number is 1 or 0. Only 1 bit is used, but the field is 16 bits long in the 802.11 standard, as shown in Figure 11. This leaves 15 unused bits. Similarly, the authentication transaction sequence number uses 3 bits, and the others are unused, as shown in Figure 12.

Order  Information                                  Size
1      Authentication algorithm number              16 bits
2      Authentication transaction sequence number   16 bits
3      Status code                                  16 bits
4      Challenge text                               Max 255 octets (only present in shared key Authentication frames)

Table 2 Authentication frame body [2]

Figure 11 Authentication Algorithm Number fixed field [2]

Figure 12 Authentication Transaction Sequence Number fixed field [2]

Order  Information
1      Reason code

Table 4 Deauthentication and disassociation reason code [2]

The reason codes of the deauthentication and disassociation frame bodies are shown in the Table 3 and Table 4. In 802.11 standard, only 4 bits are used. There are 12 unused bits that can be used for random authentication bits. In 802.11i only 5 bits are used, and other bits are unused.

The (re)association request and response frame bodies, shown in Table 5 and Table 6, have the same 16-bit “Capability information” field. 11 bits (B5 to B15) are reserved and can be used as random authentication bits, as shown in Figure 13.

Association request                                 Association response
Order  Information              Size                Order  Information              Size
1      Capability information   16 bits             1      Capability information   16 bits
2      Listen interval          16 bits             2      Status code              16 bits
3      SSID                     Max 34 octets       3      Association ID (AID)     16 bits
4      Supported rates          Max 10 octets       4      Supported rates          Max 10 octets

Table 5 Association request and response frame body [2]

Reassociation request                               Reassociation response
Order  Information              Size                Order  Information              Size
1      Capability information   16 bits             1      Capability information   16 bits
2      Listen interval          16 bits             2      Status code              16 bits
3      Current AP address       48 bits             3      Association ID (AID)     16 bits
4      SSID                     Max 34 octets       4      Supported rates          Max 10 octets
5      Supported rates          Max 10 octets

Table 6 Reassociation request and response frame body [2]

Figure 13 Capability Information fixed field [2]

Note: 1. 11 bits (B5 - B15) are reserved and can carry random authentication bits. 2. In 802.11b only 8 bits (B8 - B15) are reserved; the others are defined.

The analysis in sections 4.1.1 and 4.1.2 has determined the unused bits in the header and body of 802.11 management frames. The number of unused bits is sufficient for implementing our DoS defense.

4.2 Applying Sequence Number field to detect DoS attack

4.2.1 Sequence Number field characteristics and function

Figure 9 in section 4.1 exhibits the format of the 802.11 management frame, which includes a sequence control field. The sequence control field is 16 bits in length and consists of two subfields, the Sequence Number (SN) and the fragment number. The format of the sequence control field is illustrated in Figure 14.


The sequence number field contains 12 bits to indicate the sequence number of a frame. Sequence numbers are assigned from a single modulo 4096 counter, which starts from 0 and is incremented by 1 for each frame. The sequence number remains unchanged in all retransmission frames, or fragments thereof [2].

4.2.2 Filtering sequential Sequence Number to detect illegal frames

Under normal conditions, a legitimate STA or AP transmits the deauthentication or disassociation frame once to disconnect the session. If the frame is lost, the sender does not receive the ACK frame and retransmits the frame with the same sequence number.

In a DoS attack, the attacker sends deauthentication or disassociation frames to the victim continually; mostly the attacker floods the victims with such frames. The sequence number of the attacking frames increases by 1 for each frame, so the sequence numbers of attacking frames are sequential. We can utilize this characteristic to detect and defend against the flooding attack frames [23]. If a STA or AP sends deauthentication or disassociation frames with sequential sequence numbers, we can treat them as forged frames and drop them directly.
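The filtering rule above as an added example (not the thesis's code): the receiver keeps, per transmitter address, the sequence number of the last deauthentication/disassociation frame, accepts a retransmission with the same number, and drops a frame whose number is the previous one plus one (modulo 4096). The addresses and frames below are constructed.

```python
"""Filter that drops deauthentication/disassociation frames whose sequence
numbers run consecutively (added example; the frame list is constructed)."""
from typing import Dict, List, Tuple

DEAUTH = 0x0C      # management frame subtype 12 (deauthentication)
DISASSOC = 0x0A    # management frame subtype 10 (disassociation)
SN_MODULUS = 4096  # sequence numbers come from a 12-bit counter


def split_sequence_control(seq_ctl: int) -> Tuple[int, int]:
    """Sequence Control: bits 0-3 fragment number, bits 4-15 sequence number."""
    return (seq_ctl >> 4) & 0x0FFF, seq_ctl & 0x000F


class DisconnectFrameFilter:
    """Remembers, per transmitter address, the SN of the last disconnect
    frame.  A retransmission repeats the SN and is accepted; a frame whose
    SN is exactly the previous one plus one (mod 4096) is treated as part
    of a flood and dropped."""

    def __init__(self) -> None:
        self.last_sn: Dict[str, int] = {}

    def accept(self, ta: str, subtype: int, seq_ctl: int) -> bool:
        if subtype not in (DEAUTH, DISASSOC):
            return True                       # only disconnect frames are filtered
        sn, _fragment = split_sequence_control(seq_ctl)
        prev = self.last_sn.get(ta)
        self.last_sn[ta] = sn
        if prev is None or sn == prev:
            return True                       # first frame or retransmission
        return sn != (prev + 1) % SN_MODULUS  # consecutive SN -> treated as forged


def run_filter(frames: List[Tuple[str, int, int]]) -> List[bool]:
    """Apply one filter instance to (ta, subtype, seq_ctl) tuples in order."""
    flt = DisconnectFrameFilter()
    return [flt.accept(ta, subtype, seq_ctl) for ta, subtype, seq_ctl in frames]


# Constructed frames: one deauth plus its retransmission, then a burst of
# consecutive SNs (4094, 4095, 0, 1) that wraps around the 12-bit counter.
AP = "00:11:22:33:44:55"       # placeholder address
SAMPLE_FRAMES = [
    (AP, DEAUTH, 0x0640),      # SN 100, fragment 0: accepted
    (AP, DEAUTH, 0x0640),      # same SN: retransmission, accepted
    (AP, DEAUTH, 0xFFE0),      # SN 4094: not consecutive with 100, accepted
    (AP, DEAUTH, 0xFFF0),      # SN 4095: consecutive, dropped
    (AP, DEAUTH, 0x0000),      # SN 0: wraps around, still consecutive, dropped
    (AP, DEAUTH, 0x0010),      # SN 1: dropped
    (AP, 0x08, 0x0020),        # a beacon (subtype 8) is never filtered
]
```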

4.3 Random bit authentication for management frame

4.3.1 Some assumptions and random bit stream generation

We assumed that the communicating nodes had shared the same key, and one session key will be generated for each communication based on the shared key. We do not discuss the key generation and exchange issues in our thesis. Furthermore, we assumed that the communicating nodes that implement the same algorithm use the
