1. An improved authentication model for IEEE 802.11 to prevent Probe Request DoS Attacks.
Deepthi Ratnayake
(gdd0014@londonmet.ac.uk)
LMU PG Student Conference
12th Nov 2010
2. Topics
Introduction
Aim
Design Flaws
Experiment
Test Bed
Results
Existing Countermeasures
Future Research
4. Introduction
What is a PRF (Probe Request Flooding) Attack?
Designed to manipulate 802.11 design flaws
Sends a flood of PR frames using MAC spoofing to represent a large number of nodes scanning the wireless network
So what happens?
Serious performance degradation, or legitimate users are prevented from accessing network resources (DoS). DoS attacks are the most
common
5. Aim
To find an effective method to:
recognise rogue Probe Request frames,
and prevent an AP from triggering a Probe Response.
Section      Field                      Length (bytes)
MAC HEADER   Frame Control              2
MAC HEADER   Duration ID                2
MAC HEADER   DA                         6
MAC HEADER   SA                         6
MAC HEADER   BSSID                      6
MAC HEADER   Sequence Control           2
FRAME BODY   SSID                       6
FRAME BODY   Supported Rates            Variable
FRAME BODY   Extended Supported Rates   Variable
CRC          FCS                        4

FRAME CONTROL
Field               Length (bits)
Protocol Version    2
Type                2
Sub Type            4
To DS               1
From DS             1
More Frag           1
Retry               1
Power Management    1
More Data           1
WEP                 1
Reserved            1
6. Design Flaws
Each request message sent by a STA must be answered with a response message sent by the AP.
Probe Request/Response frames are unprotected.
7. Test Bed
BSS
Test1-PC (User)
Windows XP
Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
MAC: Intel_5b:dd:b3
Test3-PC (Attacker)
BackTrack4 (Linux)
MAC: Intel_a5:23:37
Test-AP (Access Point)
MAC: Netgear_42:cf:c0
Test2-PC (User)
Windows Vista
Intel® PRO/Wireless 2200BG
Wireless Connection
MAC: Intel_39:c9:33
9. Existing Countermeasures
Cryptography
Encryption
long-term secret key
Client Puzzle
MAC Frame Fields
Analysis of Sequence Number field.
Change Retry limit
Response Delay
NIC Profiling & Signal Fingerprinting
AI Models
10. The future research
Keep a “Safe List” of known attributes and give priority to “Safe List”.
Pattern Recognition of “Transactions” and filter peculiar Probe Requests.
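An added example (not part of the original presentation) of the safe-list idea above: it parses the 24-byte MAC header from the frame-format slide, always answers safe-list stations, and withholds Probe Responses from unknown senders once too many distinct source addresses appear in a short window. The window length, threshold, safe-list entry, class and function names, and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import deque

WINDOW_S = 1.0       # assumed sliding window (seconds); not from the slides
MAX_UNKNOWN = 5      # assumed limit on distinct unknown senders per window
HDR = "<HH6s6s6sH"   # Frame Control, Duration, DA, SA, BSSID, Sequence Control

def parse_probe_request(frame: bytes):
    """Return (source MAC, sequence number) for a Probe Request, else None."""
    if len(frame) < struct.calcsize(HDR):
        return None
    fc, _dur, _da, sa, _bssid, seq_ctl = struct.unpack_from(HDR, frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:       # management frame, Probe Request
        return None
    return sa.hex(":"), seq_ctl >> 4     # upper 12 bits carry the sequence number

class ProbeFilter:
    """Decides whether a Probe Request may trigger a Probe Response."""
    def __init__(self, safe_list):
        self.safe = set(safe_list)
        self.recent = deque()            # (timestamp, SA) of unknown senders

    def should_respond(self, ts: float, frame: bytes) -> bool:
        parsed = parse_probe_request(frame)
        if parsed is None:
            return False
        sa, _seq = parsed                # _seq is available for sequence analysis
        if sa in self.safe:
            return True                  # safe-list stations keep priority
        self.recent.append((ts, sa))
        while ts - self.recent[0][0] > WINDOW_S:
            self.recent.popleft()        # drop entries older than the window
        return len({s for _, s in self.recent}) <= MAX_UNKNOWN

def make_probe(sa: bytes, seq: int) -> bytes:
    """Constructed sample: 24-byte MAC header only, broadcast DA and BSSID."""
    bcast = b"\xff" * 6
    return struct.pack(HDR, 0x0040, 0, bcast, sa, bcast, (seq & 0xFFF) << 4)

if __name__ == "__main__":
    f = ProbeFilter({"00:11:22:33:44:55"})   # constructed safe-list entry
    for i in range(8):                       # 8 distinct senders within 80 ms
        frame = make_probe(bytes([2, 0, 0, 0, 0, i]), i)
        print(i, f.should_respond(i * 0.01, frame))
```

Timestamps are expected in non-decreasing order, as they would be from a live capture.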
11. Summary
What is IEEE 802.11?
What is Probe Request & Response ?
What is a Probe Request Flooding Attack ?
So what happens?
Aim
Design Flaws
Experiment
Existing Countermeasures
Future Research