New Vulnerabilities to DoS Attacks in 802.11 Networks

Our first goal was to define new attack schemes that could lead a wireless infrastructure network to a DoS situation. To do that, we considered the following guidelines:

- The MAC (Medium Access Control) layer of the 802.11 protocol (in all its various releases, e.g. 802.11a, 802.11b, 802.11g) is based on the exchange of request/response messages: each request sent by a station (STA) in the network triggers a corresponding response from its counterpart;
- infrastructure networks rely on an access point (AP), or a set of them, as a central node through which every communication is routed;
- attack patterns should be as simple as possible, in order to apply both to open systems and WEP-protected networks.

Following these guidelines, we started to identify message sequences that could lead to an attack against the AP. The management frames of the 802.11 protocol look the most suitable for this purpose, because any management frame sent to an AP triggers processing, with a consequent consumption of computational resources. The scheme is quite simple: each request message sent by a STA must be answered with a response message sent by the AP. Thus, sending a Probe Request frame to an AP triggers the transmission of a Probe Response frame, which contains information about the network managed by the AP. Similarly, when a STA sends an Authentication Request to the AP, the AP has to check the authentication credentials of the STA and then produce an Authentication Response frame, which notifies the STA of the outcome of the authentication process. In the same way, when a STA sends an Association Request to the AP, the AP has to check whether the STA can associate with the current network and then respond with an Association Response message.
As we can see, all these interactions are based on a simple request-response message exchange, but even the processing of a single response message can become a heavy load for the AP when repeated on a large scale. Based on these considerations, we devised three simple DoS attack schemes:

- Probe Request Flood (PRF);
- Authentication Request Flood (ARF);
- Association Request Flood (ASRF).

These are essentially flooding attacks, based on the repeated, massive injection of frames. In particular, each frame has its own fake, randomly generated MAC address, in order to simulate the presence of a large number of stations sending requests to the AP; this technique is also called MAC spoofing.
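
A defender's view of the three floods, as an added example that is not part of the original paper: a detector that counts distinct source MAC addresses per request type in each time window. The 1-second window, the threshold of 20, the function names and the sample trace are assumptions constructed for illustration, and frames are assumed to start at the 802.11 MAC header (any capture header already stripped).

```python
from collections import defaultdict

# Management frames are type 0; these subtypes carry the three request kinds.
REQUEST_SUBTYPES = {0: "ASRF", 4: "PRF", 11: "ARF"}
BROADCAST = b"\xff" * 6

def parse_request(frame: bytes, ap_mac: bytes):
    """Return (flood_label, source_mac) for a request aimed at the AP, else None."""
    if len(frame) < 24:                       # shorter than a management MAC header
        return None
    fc = frame[0]                             # first Frame Control octet
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0 or subtype not in REQUEST_SUBTYPES:
        return None
    dst, src = frame[4:10], frame[10:16]      # Address 1 (receiver), Address 2 (sender)
    # Probe requests may be broadcast; auth/association must target the AP itself.
    if dst != ap_mac and not (subtype == 4 and dst == BROADCAST):
        return None
    return REQUEST_SUBTYPES[subtype], src

def detect_floods(frames, ap_mac, window=1.0, max_macs=20):
    """frames: iterable of (timestamp_seconds, raw_802_11_header_bytes).
    Returns sorted (window_start, label, distinct_source_macs) above max_macs."""
    seen = defaultdict(set)                   # (window index, label) -> source MACs
    for ts, raw in frames:
        parsed = parse_request(raw, ap_mac)
        if parsed:
            label, src = parsed
            seen[(int(ts // window), label)].add(src)
    return sorted((idx * window, label, len(macs))
                  for (idx, label), macs in seen.items() if len(macs) > max_macs)

def _hdr(subtype, dst, src):
    """Constructed 24-byte management header for the sample (no body, no FCS)."""
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + dst + b"\x00\x00"

AP = bytes.fromhex("02aabbccdd01")            # constructed AP address

def sample_capture():
    """Constructed trace: 3 stations probing for 3 s, then 60 one-off senders."""
    normal = [(0.1 * i, _hdr(4, AP, bytes([2, 0, 0, 0, 0, i % 3]))) for i in range(30)]
    burst = [(5.0 + 0.01 * i, _hdr(11, AP, bytes([2, 0, 0, 0, 1, i]))) for i in range(60)]
    return normal + burst

if __name__ == "__main__":
    for start, label, count in detect_floods(sample_capture(), AP):
        print(f"t={start:.0f}s {label}: {count} distinct source MACs in one window")
```

Counting distinct sources rather than raw frames is what separates this pattern from a few stations retrying often: the three probing stations in the sample never trip the threshold, while the burst of one-off senders does.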






