DoS Attacks On Wireless Voice Over IP Systems

By Brendon Wesley
Supervisor: Noria Foukia
Abstract
• As converged wireless networks become increasingly widespread, there is
an assumption that such systems now have strong confidentiality and
reliability.
• While the flaws in WiFi confidentiality mechanisms, namely WEP, have been
widely documented, the concern of reliability has gone relatively
unnoticed.
• The reliability flaws in WiFi are still evident in the majority of today's WiFi
devices.
• An IEEE standard resolving this weakness will not be released until 2008.
• This paper outlines various DoS attacks used on 802.11 networks and
demonstrates a proof-of-concept implementation showing how effective they
are against a VoIP call.
Quality of Service (QoS)
• Quality of service (QoS) is a general term used to describe a
number of metrics, each of which describes a specific measure of
performance in a network or service. The QoS of a system is
determined by four main factors:
• Latency – 150ms one way delay
• Jitter – time varying wireless channel
• Packet loss – 3% maximum for VoIP
• Bandwidth – Depends on security, codecs etc.
N.B. The paper addresses other QoS considerations in the 802.11
specification (MAC layer of 802.11).
Denial of service attacks
• A denial of service (DoS) attack is used to overload the victim's
resources to the extent that it can no longer provide a service to
authentic clients.
• wVoIP is extremely vulnerable to DoS attacks because access to the
transmission medium is open to anybody with 802.11 hardware.
• Because real-time traffic such as VoIP and video conferencing
media is intolerant of even small delays, it is relatively easy to
disrupt the service long enough to make it unacceptable for the
users.
802.11 management frames
• 802.11a/b/g management frames are used to initiate, manage or
discontinue communication between two clients (in ad-hoc mode) or
between clients and Access Points (infrastructure mode).
• They are not confidential and not authenticated!
• Security mechanisms such as WEP, WPA and WPA2 currently
provide security services only for data frames, leaving management
frames in a readable and forgeable state. This is a major flaw!
State of Connection
• As specified by the Medium Access Control (MAC) and Physical
Layer (PHY) Specifications in IEEE 802.11, a client within an 802.11
infrastructure network may be in 1 of 3 states at a time:
1 - Unauthenticated and unassociated.
2 - Authenticated and unassociated.
3 - Authenticated and associated.
Types of 802.11 management frames
Authentication Frame
• Authentication provides a way for stations to identify themselves to
an AP. It is then the AP’s job to decide if authentication will be
granted to the client or not.
• Open system or shared key.
Authentication Attack
• During the authentication process there are a number of packets
that need to be exchanged between a client and the AP. A buffer is
used to temporarily hold this information while authentication is
taking place. Because the size of the buffer limits the number of
authentication requests that the AP can process at any one time, it is
possible to flood authentication frames to the AP with a pool of
random MAC source addresses.
Deauthentication Frame
• If a client or AP wishes to exit the authenticated state, either party
may transmit a deauthentication frame. This causes the device(s) to
exit the authenticated-associated state and terminate all further
communications. This frame is a notification of the client's or
access point's intention, as opposed to a request.
Deauthentication attack
• A deauthentication frame will also disassociate the
station. This is because a client cannot be associated
without being authenticated, as specified by the three
connection states above. An attacker masquerading as
either the client or the AP can send one of these frames
by spoofing the Source Address of the device. The client
or AP will immediately discontinue communication with
the other.
Association request Frame
• After a client has successfully authenticated with one or more
access points, it needs to associate with it in order to utilize its
services. An association frame is sent to the AP specifying
parameters such as supported data rates and more importantly the
SSID of the AP.
Disassociation frame
• A disassociation frame is used by a client or AP to effectively stop
communication. This frees up the resources used to maintain the
communication. It gives the client the capacity to migrate to a
neighboring AP in the same BSS with minimal delay.
Disassociation flooding attack
• The disassociation attack operates on a very similar principle to the
deauthentication attack. In this case a disassociation frame is sent
to the AP or client by an attacker (by spoofing the client and AP
MAC addresses). This makes the AP believe that the client has
sent a disassociation frame and wishes to disassociate. The client will
attempt to maintain communication, so it will re-associate. The attacker
continuously sends disassociation frames to the AP to keep it in
the disassociated state.
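
The authentication, deauthentication and disassociation floods described above can be recognised from the unprotected management-frame header alone. The following is an added example, not part of the original slides: a monitor-side detector that parses the 24-byte 802.11 management header and alerts when teardown frames for one station pair, or distinct claimed source MACs in authentication frames, exceed a limit within a sliding window. The window, the limits, all names and the sample frame are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Management subtypes (frame type 0) encoded in the first frame-control byte.
TRACKED = {10: "disassoc", 11: "auth", 12: "deauth"}
# Constructed sample: deauth header (AP -> client) followed by a reason code.
SAMPLE_DEAUTH = bytes.fromhex(
    "c0000000" "020000000001" "0200000000aa" "0200000000aa" "0000" "0700")

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (kind, receiver, transmitter, bssid) for a tracked frame, else None."""
    if len(frame) < 24:                       # management MAC header is 24 bytes
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in TRACKED:
        return None
    return TRACKED[subtype], mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])

class FloodDetector:
    """Sliding-window counters; the default limits are illustrative assumptions."""
    def __init__(self, window=1.0, teardown_limit=5, auth_source_limit=20):
        self.window = window
        self.teardown_limit = teardown_limit
        self.auth_source_limit = auth_source_limit
        self.teardowns = defaultdict(deque)   # (receiver, transmitter) -> times
        self.auths = defaultdict(deque)       # bssid -> (time, claimed source)

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        kind, receiver, transmitter, bssid = parsed
        if kind == "auth":                    # many random sources aimed at one AP
            q = self.auths[bssid]
            q.append((ts, transmitter))
            while ts - q[0][0] > self.window:
                q.popleft()
            if len({src for _, src in q}) > self.auth_source_limit:
                return f"auth flood: many source MACs -> {bssid}"
        else:                                 # repeated teardown for one pair
            q = self.teardowns[(receiver, transmitter)]
            q.append(ts)
            while ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.teardown_limit:
                return f"{kind} flood: {transmitter} -> {receiver}"
        return None
```

Because the source address in these frames can be spoofed, an alert identifies the claimed transmitter and the affected station pair, not the real sender.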
My Implementation
• Access Point: D-Link Airplus Xtreme G wireless router.
• Client 1: Compaq Laptop (Windows XP) with Enterasys 802.11g wireless
network adapter.
• Client 2: Compaq Laptop (Windows XP) with Linksys 802.11g USB wireless
network adapter.
• Attacker: Insite PC (Linux Kernel 2.6.16 Fedora Core 5)
• Sniffer: HP Laptop (Windows XP) running Ethereal and airodump-ng
Aireplay-ng
Ethereal Packet Capture
DoS attack
[Figure: Deauthentication Flood effect on VoIP latency. Y-axis: Latency (ms); X-axis: Seconds; two plotted series (Series1, Series2).]
Protection for sensitive 802.11 management frames
• 802.11w (task group w) is an IEEE
standard that is due for release in April
2008 to provide a degree of protection for
802.11 management frames.
• It extends the functionality of 802.11i (WPA2)
to provide encryption and integrity not only
for data frames but for some types of
management frames as well.
802.11 Management Frame Recommendations
• Utilise a timer when a station sends a deauthentication frame to the
access point. If the station sends data frames to the AP within a
certain time period, the AP will not deauthenticate the station and
will assume an attack has occurred.
• Weak form of protection which is not practical to implement. Hard to
modify firmware of devices!
• Contacted RoamAD (converged voice/data networks) about how their
commercial WiFi networks were protected. Very surprised to find
that not many companies do much outside of the 802.11 spec.
• as lack of interoperability between systems and platforms,
incompatible hardware, difficult upgrades of software and hardware.
• Wait until 802.11w!
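
The timer recommendation above can be modelled as a small AP-side state machine. This is an added example, not code from the original slides or from any device firmware: a deauthentication notice is held for a grace period, discarded and logged if the same station keeps sending data, and committed otherwise. The class, the 0.5 s grace period and the event timeline are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DeferredDeauthAP:
    """AP-side model: a deauthentication notice is held for `grace` seconds."""
    grace: float = 0.5                             # assumed hold time, not from the slides
    associated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # station -> time the deauth arrived
    alerts: list = field(default_factory=list)     # (time, station) of suspected forgeries

    def _expire(self, now):
        """Commit every held deauth whose grace period passed without data."""
        for sta, t in list(self.pending.items()):
            if now - t >= self.grace:
                del self.pending[sta]
                self.associated.discard(sta)

    def on_deauth(self, now, sta):
        self._expire(now)
        if sta in self.associated:
            self.pending.setdefault(sta, now)      # repeats do not restart the timer

    def on_data(self, now, sta):
        """Return True when the data frame is accepted."""
        self._expire(now)
        if sta not in self.associated:
            return False
        if sta in self.pending:                    # station still talking: assume attack
            del self.pending[sta]
            self.alerts.append((now, sta))
        return True

def replay(ap, events):
    """Feed (time, kind, station) events to the AP; return the associated set."""
    for now, kind, sta in events:
        (ap.on_deauth if kind == "deauth" else ap.on_data)(now, sta)
    return ap.associated

# Constructed timeline: the phone keeps sending after a forged deauth at t=1.00,
# while the laptop really leaves at t=2.00 and sends nothing afterwards.
TIMELINE = [(0.98, "data", "phone"), (1.00, "deauth", "phone"),
            (1.02, "data", "phone"), (2.00, "deauth", "laptop"),
            (3.00, "data", "phone")]
```

The model covers only notices claiming to come from a station; a frame spoofed as coming from the AP is processed by the client, which would need the same logic.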
What else is in the report?
• Security in VoIP
• Frequency jamming
• WiMax Management frames
• WiFi VoIP networks in New Zealand. A threat to 3G?
• What do commercial wLAN providers do to mitigate the effects of
DoS attacks on VoIP in NZ?
• Bottleneck at crypto engine (IPsec)
Acknowledgments
• Noria Foukia (Supervisor)
• Cameron Kerr (Linux Guru)
• Da Deng (Acting H.O.D)