Access Points Vulnerabilities to DoS Attacks in 802.11 Networks
DOI 10.1007/s11276-006-8870-6
M. Bernaschi: IAC – CNR, Viale del Policlinico, 137, 00161 Rome, Italy; e-mail: massimo@iac.cnr.it
F. Ferreri, L. Valcamonici: CASPUR, Via dei Tizii, 6b, 00185 Rome, Italy; e-mail: f.ferreri@caspur.it, l.valcamonici@caspur.it

Wireless Netw (2008) 14:159–169
Springer

Abstract We describe possible denial of service attacks on access points in infrastructure wireless networks using the 802.11b protocol. To carry out such attacks, only commodity hardware and software components are required. The experimental results obtained on a large set of different access points show that serious vulnerabilities exist in every device we tested and that a single malicious station can easily hinder any legitimate communication within a basic service set.

1 Introduction

The use of 802.11 wireless networks is steadily increasing despite many studies that report security problems, mainly related to authentication, privacy and confidentiality issues. Besides that, the peculiar features of the wireless medium suggest a greater exposure to Denial of Service (DoS) attacks than in wired networks. Since wireless networks do not have well defined physical boundaries, a malicious station can appear in the range of such a network and launch an attack in order to stop any legitimate communication. The aim of the present work is to investigate how this kind of attack can be carried out. In particular, we identified some simple attack schemes that might lead to a DoS effect and then observed the reaction of various types of infrastructured networks to these attacks. In the following section we describe the basic principles we followed in order to find possible attack schemes; in Section 3 we describe the test-bed framework in which we carried out our experiments and finally, in Section 4, we report the results obtained for different types of networks.

The design of the attack schemes started with the following considerations:

– the 802.11 protocol is based on the exchange of request/response messages: each request sent by a station (STA) in the network triggers a corresponding response on its counterpart, which can be, in turn, another station or an Access Point (AP);
– infrastructured networks rely on an access point (or a set of them) as a central node through which every communication is routed, thus an AP can easily become a bottleneck for the entire network (or, at least, for the Basic Service Set it defines; a Basic Service Set is made of an AP and the client stations connected to that AP). An AP failure blocks the entire network or a part of it;
– attack patterns should be as simple as possible, in order to apply both to open systems and to WEP-protected networks. From this viewpoint, a malicious station should be able to launch an attack even if it is neither associated nor authenticated to the target network.
Fig. 1 Finite state machine (FSM) representing the AP/STA interaction. State 1 represents any client neither associated nor authenticated to the AP yet (such as an external attacker station).

Following these guidelines, we started to identify message sequences that could lead to an attack towards the AP. The management frames of the 802.11 protocol look like the most suitable for this purpose, because any management frame sent to an AP triggers processing and a consequent consumption of computational resources. Figure 1 shows a Finite State Machine (FSM) representing the interaction between an AP and any station in an 802.11 infrastructured network. State 1 in the FSM represents stations that have not gained any privilege yet (they are neither associated nor authenticated to the AP), thus this is the usual situation of a malicious station willing to launch an attack. 802.11 management frames are divided into three classes, and in each state of the FSM only certain classes of frames can be exchanged (see Table 1). Starting from this classification, we identified three simple attack schemes. They are essentially flooding attacks that aim at gaining predominant access to the wireless medium and wasting computational resources of the AP. We describe these schemes in the next three paragraphs.

Table 1 802.11 management frame classes (only the column headings survive on this page)

Class   Frame types

– open system networks: no cryptography is involved; the AP processes each request, possibly comparing the MAC address with an access control list, then it responds with a frame containing the result of the authentication process;
– shared key networks: after receiving an Authentication Request from a station, the AP generates a random challenge text and sends it to the station in a second authentication frame; the challenge text has to be encrypted with the proper WEP key by the station to gain access to the network.

In both cases the AP must allocate memory to keep information about each new station that successfully authenticates. As in the previous case, by sending a burst of Authentication Request frames, using MAC spoofing, it should be possible to bring the AP's resources close to the saturation level.

2.3 Association request flood (ASRF)

According to the protocol FSM, Association Request frames should not be sent by stations in the unauthenticated/unassociated state, so such requests should never receive an answer from the AP. Actually, we discovered that many APs respond to "illegal" Association Request frames by sending a Disassociation or Deauthentication frame. (This is in fact what the 802.11 standard prescribes: a station receiving a Class 2 frame from a non-authenticated station shall reply with a Deauthentication frame, and a Class 3 frame from a non-associated station is answered with a Disassociation frame. The response is therefore conforming behaviour rather than an implementation quirk, but it still costs the AP processing and a transmission for every forged request.) As a consequence, even a burst of Association Request frames is able to consume computational resources on an AP.
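The three forged request frames the PRF, ARF and ASRF schemes are built from, together with the class/state rule of Fig. 1 that makes an Association Request from State 1 "illegal", as an added example (this is not the authors' attack tool and nothing here is transmitted). Frame layouts and the class assignments follow the 802.11-1999 standard; the BSSID, the SSID and the randomly generated source MACs are made-up values, and the AP reaction function models only what the standard requires, not any particular firmware.

```python
"""Forge the three request frames behind PRF, ARF and ASRF and check them
against the class/state rules of the AP/STA FSM (Fig. 1).

Added example for this page, not the authors' attack tool: frames are built
with struct only and never transmitted; the BSSID, SSID and spoofed MACs are
made-up values. Frame classes follow IEEE 802.11-1999 clause 5.5."""
import os
import struct

# Management subtypes (frame type 0) sent or triggered by the three floods
ASSOC_REQ, ASSOC_RESP, PROBE_REQ, PROBE_RESP = 0x0, 0x1, 0x4, 0x5
DISASSOC, AUTH, DEAUTH = 0xA, 0xB, 0xC

# Class 1 frames may be sent from State 1 (neither authenticated nor
# associated), Class 2 only after authentication, Class 3 only after association.
FRAME_CLASS = {PROBE_REQ: 1, PROBE_RESP: 1, AUTH: 1, DEAUTH: 1,
               ASSOC_REQ: 2, ASSOC_RESP: 2, DISASSOC: 2}
EXPECTED_REPLY = {PROBE_REQ: PROBE_RESP, AUTH: AUTH, ASSOC_REQ: ASSOC_RESP}
BROADCAST = b"\xff" * 6
RATES_11B = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mb/s, all basic


def spoofed_mac():
    """Fresh random source address per frame: locally administered, unicast."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def mgmt_header(subtype, addr1, addr2, addr3, seq):
    """24-byte MAC header: frame control (version 0, type 0, subtype), duration 0,
    three addresses, sequence control (fragment 0, 12-bit sequence number)."""
    fc = subtype << 4                      # type bits are 0 for management frames
    return struct.pack("<HH6s6s6sH", fc, 0, addr1, addr2, addr3, (seq & 0xFFF) << 4)


def ie(eid, payload):
    """Information element: id, length, payload."""
    return struct.pack("BB", eid, len(payload)) + payload


def probe_request(ssid, seq):
    """PRF frame: broadcast Probe Request, Class 1, legal from State 1."""
    return mgmt_header(PROBE_REQ, BROADCAST, spoofed_mac(), BROADCAST, seq) + ie(0, ssid) + ie(1, RATES_11B)


def auth_request(bssid, seq):
    """ARF frame: Open System authentication, transaction sequence 1, status 0."""
    return mgmt_header(AUTH, bssid, spoofed_mac(), bssid, seq) + struct.pack("<HHH", 0, 1, 0)


def assoc_request(bssid, ssid, seq):
    """ASRF frame: capability ESS, listen interval 10; Class 2, illegal from State 1."""
    body = struct.pack("<HH", 0x0001, 10) + ie(0, ssid) + ie(1, RATES_11B)
    return mgmt_header(ASSOC_REQ, bssid, spoofed_mac(), bssid, seq) + body


def parse(frame):
    """Decode the MAC header fields an AP looks at before touching the body."""
    fc, _, a1, a2, a3, sc = struct.unpack_from("<HH6s6s6sH", frame)
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "retry": bool(fc & 0x0800), "addr1": a1, "addr2": a2, "addr3": a3,
            "seq": sc >> 4, "body": frame[24:]}


def ap_reaction(sta_state, frame):
    """(accepted, reply subtype) for a management frame from a STA in the given
    FSM state. An illegal Class 2 frame is answered with Deauthentication and an
    illegal Class 3 frame with Disassociation, as clause 5.5 requires: the AP
    still spends processing and a transmission on a station it never admitted."""
    f = parse(frame)
    if f["type"] != 0:
        raise ValueError("management frames only")
    cls = FRAME_CLASS[f["subtype"]]
    if cls <= sta_state:                   # State n admits classes 1..n
        return True, EXPECTED_REPLY.get(f["subtype"])
    return False, DEAUTH if cls == 2 else DISASSOC


def flood(scheme, bssid, ssid, n):
    """n forged requests, each from a different spoofed MAC, as each scheme sends."""
    build = {"PRF": lambda i: probe_request(ssid, i),
             "ARF": lambda i: auth_request(bssid, i),
             "ASRF": lambda i: assoc_request(bssid, ssid, i)}[scheme]
    return [build(i) for i in range(n)]


if __name__ == "__main__":
    bssid = bytes.fromhex("0011223344aa")  # made-up AP address
    for scheme in ("PRF", "ARF", "ASRF"):
        frames = flood(scheme, bssid, b"testnet", 3)
        print(scheme, [ap_reaction(1, f) for f in frames])
```

Injecting these frames would need a monitor-mode interface and a raw injection path (the authors used a Prism card with HostAP); the point of the example is the layout and the fact that a conforming AP answers all three, including the Class 2 Association Request from a station it has never authenticated. The locally administered bit in each spoofed address keeps the forged sources from colliding with a real vendor OUI.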
Table 3 Attacks statistics for the Enterasys RoamAbout managed network

        Nreq   Ndup   Nresp   Nlost   Nrr     Trr
PRF     4553   0      2089    2464    3.69    0.24
ASRF    886    886    886     0       3.88    0.0007
ARF     765    754    756     0       7.813   0.0008

– average elapsed time (in seconds) between a request frame and the corresponding first AP response frame (Trr).

Collected values are reported in Table 3: from the value of Nrr, we extrapolate that the retry limit for an Authentication Response frame is set equal to 8, whereas it is set equal to 4 for an Association Response frame (which is, actually, a Deauthentication frame). Nonetheless, these two attacks do not have a serious impact on the network. The reason is probably the lower frame injection rate as compared to the PRF case. If it were possible to send authentication and association frames at higher rates we could probably cause a DoS effect as well.

Looking at the results shown in Table 3, the difference between the PRF scheme and the other two (the ASRF and the ARF) is readily apparent. In the PRF case more than half of the requests are not fulfilled by the AP. Moreover, the average response time is almost three orders of magnitude larger than in the other cases. This is probably due to a lack of buffer space and a heavy consumption of resources on the AP. Unfortunately, the AP's built-in counters give no valuable information about internal resource usage. As an additional result, it looks like the introduction of WEP cryptography (128 bit) does not modify the picture significantly.

4.1.2 Firmware upgrade

Recently, we upgraded the firmware of this AP to the latest version (v6.02.07) in order to check whether its vulnerabilities had been eliminated or, at least, mitigated. Actually, the overall result has been even worse compared to the version we tested earlier. The Enterasys AP equipped with the latest firmware is vulnerable to all three attacks. Each attack hinders any kind of communication among associated clients. Detailed results are reported in Table 4. Even in this case, the introduction of WEP does not change the global picture. From this viewpoint, the next section presents a rather different situation.

Table 4 Attacks statistics for the Enterasys AP with the latest (v6.02.07) firmware

        Nreq   Ndup   Nresp   Nlost   Nrr     Trr
PRF     5542   1      3017    2525    2.45    0.189
ASRF    5920   0      3587    2333    2.4     0.164
ARF     6003   0      3644    2359    2.392   0.163

4.2 Netgear ME102 managed network

For the Netgear ME102 AP, we started the tests with WEP (128 bit) cryptography enabled. The results can be summarized as follows:

– the PRF attack has no effect on network performance;
– the ARF attack causes the AP to crash and stop working. The AP needs to be restarted after each attack;
– the ASRF attack causes the exhaustion of the AP resources. The communication among legitimate clients becomes impossible.

Actually, this network showed, in general, a worse performance with respect to the previous one, even running under normal conditions. This probably accounts for its higher sensitivity to flooding attacks executed at a lower frame injection rate.

4.2.1 Detailed results

Looking at the Nrr values in Table 5, we see that the Netgear AP has a retry limit set equal to 1 for Probe Response frames. This can explain why the attack does not have a serious impact: no frame is stored for retransmission and no buffer space is required for deferred transmissions. However, there is still a high number of frames that receive no response from the AP. This could be due to a lack of buffers for reception, but it looks like there are no bad side effects (normal communications among clients are not hindered).

In both the ARF and the ASRF case, the retry limits are set equal to 11. We can see that, under the ASRF and the initial phase of the ARF attack, the response time is about 60–80 times higher than in the PRF case. While the DoS effect caused by the ASRF attack can still be justified by high retry limits, the most interesting effect is the crash caused by the ARF attack. Since WEP is enabled, the AP reacts to an authentication request by generating a challenge text and sending it to the station that originated the request. It is possible that back-to-back challenge text generation may lead the AP to a crash. Another possible explanation is that the AP pre-encrypts each challenge text before receiving the encrypted version from the station. The anomalous sequence of cryptographic operations could induce a fatal workload on the AP or produce illegal operations that cause the crash. Unfortunately, no details are available to us about the internals of this AP.

Table 5 Attacks statistics for the Netgear ME102 managed network (WEP enabled)

        Nreq   Ndup   Nresp   Nlost   Nrr      Trr
PRF     6621   0      4048    2573    1.009    0.002
ASRF    537    536    391     146     11.189   0.126
ARF     617    616    72      545     10.708   0.167

4.2.2 Disabling WEP

After disabling WEP, no attack leads to DoS situations, even though retry limits are unchanged: Table 6 reports the results for this case. Response times and lost frame values (except for the PRF and the ARF cases) are similar to the previous ones, but there is no interruption of normal communications between the legitimate clients. These results led us to revise our statement that frame retransmission is the origin of the DoS effect. Actually, it looks like the efficiency of our flooding attacks strongly depends on the overall AP performance. When WEP is enabled, the Netgear AP has to manage a heavier workload even in normal conditions, so it is easy to cause a DoS through a flooding attack regardless of the (low) injection rate. Disabling WEP probably frees memory and computational resources that allow the AP to withstand the same attack.

Table 6 Attacks statistics for the Netgear ME102 managed network (WEP disabled; the caption is not on the page and is taken from Section 4.2.2)

        Nreq   Ndup   Nresp   Nlost   Nrr      Trr
PRF     849    1      790     59      1        0.0015
ASRF    550    549    396     154     11.247   0.115
ARF     619    618    449     170     10.797   0.123

4.3 3Com Access Point 8000 managed network

Testing the 3Com AP we noted a somewhat different behaviour:

– the PRF attack completely blocks the testbed network, even though the retry limit for Probe Response frames is set equal to one;
– the ARF attack blocks the testbed network, but it doesn't cause a crash of the AP. After the attack stops, communications among legitimate clients are restored;
– the ASRF attack does not show relevant effects on the network.

4.3.1 Detailed results

Interestingly, although the retry limit is set equal to one, the PRF attack still causes a DoS effect. This result seems to be somewhat in contrast with the previous ones, so a more detailed analysis is required. To this purpose, it is useful to compare the 3Com pattern with that produced by the Netgear. Both APs have the retry limit set equal to one, but the latter is not susceptible to the attack. Under the PRF attack, the Netgear AP keeps sending responses at an almost constant rate (about one response every 2–4 requests) whereas the 3Com AP seems to be completely subverted by the flow of requests. By looking at the data of the entire test period (20 s), we found very long sequences of Probe Request frames without any response from the AP. It is as if the 3Com AP were not able to gain access to the wireless medium in case of flooding attacks, regardless of retry mechanisms. Data reported in Table 7 show that the attacker station is able to send out up to 10000 frames in 10 s. In other words, it has almost exclusive access to the wireless medium. The response time also denotes a very high latency (half a second) when compared to other APs.

Table 7 Attacks statistics for the 3Com Access Point 8000 managed network (no WEP)

        Nreq    Ndup   Nresp   Nlost   Nrr     Trr
PRF     10288   1      724     9504    1       0.588
ASRF    1040    1039   875     165     1       0.399
ARF     1021    1020   146     875     7.938   3.064

In case of an ARF attack, the 3Com AP shows a better promptness (indeed, the ARF attack has a lower injection rate) but a high retry limit (nearly 8) still causes a DoS effect: the number of lost frames (Table 7) is very high and the response time reaches 3 s. We could expect a similar behaviour in the ASRF case, but the retry limit set equal to one prevents any DoS effect. It is worth noting that vulnerability to a low-rate attack, such as our ARF, suggests a serious weakness of the implementation. The activation of WEP cryptography does not modify the overall results significantly.

4.4 HostAP, PC-based managed network

A minimal AP can be set up by using a laptop computer equipped with a Prism2 card (such as the Netgear MA401 we use in our testbed) and the HostAP driver [11]. Clearly, this kind of infrastructured network does not have the same range of action as a specialized AP (unless an additional antenna is used) but we used it to gain further information about the DoS attacks we devised. When exposed to flooding attacks, the HostAP network reacts in a way which is quite similar to the Enterasys AP: a PRF attack causes DoS (all communications are hindered), whereas ARF and ASRF attacks do not cause major trouble to the network. In Table 8 we report some results: the AP has a retry limit equal to 3 for all kinds of frames. Under the PRF attack, there is a high loss of frames and a response time which is about two orders of magnitude higher than in the ARF and ASRF cases.

The HostAP driver provides further information about the PRF attack. By looking at the /proc filesystem (Fig. 4), we found a large number of TxDeferredTransmissions, which indicates that the AP is under heavy load and a lot of frames are queued for transmission. The TxRetryLimitExceeded counter correctly reported the number of frames that have been retransmitted up to the retry limit. Interestingly, the RxDiscardsNoBuffer parameter had a high value, an indication that a lot of frames were discarded (neither processed nor responded to) due to the lack of buffer space for reception.

Table 8 Attacks statistics for the HostAP managed network (the caption is not on the page and is taken from Section 4.4)

        Nreq   Ndup   Nresp   Nlost   Nrr     Trr
PRF     9629   1      860     8769    2.98    0.44
ASRF    788    786    787     1       2.998   0.004
ARF     736    736    736     0       2.997   0.0024

Table 9 Attacks statistics for the D-Link DWL-1000AP+ managed network (no WEP)

            Nreq    Ndup   Nresp   Nlost   Nrr     Trr
PRF         10227   0      785     9442    1.89    0.004
ASRF        609     608    536     73      19.68   0.279
ARF (40 s)  2491    2490   908     1583    19.46   0.299

Table 10 Attacks statistics for the Linksys WRT54G managed network (no WEP, f/w v1.41.2)

        Nreq    Ndup   Nresp   Nlost   Nrr      Trr
PRF     10196   0      263     9933    6.81     0.298
ASRF    938     937    162     776     19.135   9.386
ARF     941     940    175     766     18.228   10.142

4.6 Linksys WRT54G
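How the per-scheme statistics tabulated above (Nreq, Nresp, Nlost, Nrr, Trr) can be computed from a management-frame capture, plus the two indicators a monitor on the same channel would alarm on (request rate and number of distinct source addresses per window), as an added example rather than the authors' measurement scripts. Trr follows the definition given for Table 3; the other column semantics are my reading of the tables (Nrr as the mean number of transmissions of each distinct response frame, which is why it tracks the retry limit, and Nlost as requests that never got a response). The capture is constructed by hand with an assumed AP address and spoofed attacker MACs, and the alarm thresholds are assumptions.

```python
"""Compute the per-scheme statistics used in Tables 3-12 (Nreq, Nresp, Nlost,
Nrr, Trr) and two flood indicators from a list of captured management frames.

Added example, not the authors' measurement scripts. Column semantics other
than Trr are my reading of the tables; the capture below is constructed by
hand with an assumed AP address and spoofed attacker MACs."""
from collections import defaultdict
from dataclasses import dataclass

PROBE_REQ, PROBE_RESP, AUTH = 0x4, 0x5, 0xB
ASSOC_REQ, ASSOC_RESP, DISASSOC, DEAUTH = 0x0, 0x1, 0xA, 0xC
# Replies the AP may send to each request subtype: an Authentication reply
# reuses subtype 0xB, and an Association Request from an unauthenticated STA
# is answered with Deauthentication/Disassociation (Section 2.3).
REPLIES = {PROBE_REQ: {PROBE_RESP}, AUTH: {AUTH},
           ASSOC_REQ: {ASSOC_RESP, DEAUTH, DISASSOC}}


@dataclass(frozen=True)
class Frame:
    t: float      # capture time, seconds
    subtype: int  # management subtype
    src: str      # Address 2
    dst: str      # Address 1
    seq: int      # sequence number
    retry: bool   # Retry flag in frame control


def attack_stats(frames, ap, req_subtype):
    """Statistics for one flood scheme, identified by its request subtype."""
    requests = sorted((f for f in frames if f.src != ap and f.subtype == req_subtype),
                      key=lambda f: f.t)
    replies = [f for f in frames if f.src == ap and f.subtype in REPLIES[req_subtype]]
    # A distinct response is identified by (destination, sequence number); its
    # retransmissions repeat that pair with the Retry flag set.
    tx_count, first_tx = defaultdict(int), {}
    for r in replies:
        tx_count[(r.dst, r.seq)] += 1
        first_tx.setdefault((r.dst, r.seq), r.t)
    unclaimed = defaultdict(list)          # destination -> first-transmission times
    for (dst, _), t in first_tx.items():
        unclaimed[dst].append(t)
    delays = []
    for rq in requests:                    # earliest later reply to the same spoofed MAC
        later = [t for t in unclaimed[rq.src] if t >= rq.t]
        if later:
            t = min(later)
            unclaimed[rq.src].remove(t)
            delays.append(t - rq.t)
    nresp = len(tx_count)
    return {"Nreq": len(requests), "Nresp": nresp, "Nlost": len(requests) - len(delays),
            "Nrr": round(sum(tx_count.values()) / nresp, 3) if nresp else 0.0,
            "Trr": round(sum(delays) / len(delays), 4) if delays else float("nan")}


def flood_indicators(frames, ap, window=1.0):
    """Per window: (number of management requests, number of distinct sources).
    Many requests from many never-seen MACs is the MAC-spoofing flood signature."""
    count, sources = defaultdict(int), defaultdict(set)
    for f in frames:
        if f.src != ap and f.subtype in REPLIES:
            w = int(f.t // window)
            count[w] += 1
            sources[w].add(f.src)
    return {w: (count[w], len(sources[w])) for w in sorted(count)}


def flood_windows(indicators, min_requests=100, min_sources=20):
    """Windows whose request count and source diversity both exceed thresholds.
    Thresholds are assumptions; the authors' tool reached 900 frames/s."""
    return [w for w, (n, s) in indicators.items() if n >= min_requests and s >= min_sources]


AP = "00:11:22:33:44:aa"                    # assumed AP address


def _spoof(i):
    return f"02:00:00:00:00:{i:02x}"


# Constructed ARF capture: five Open System requests from five spoofed MACs;
# the AP answers the first three (second reply retried twice, third once) and
# never answers the last two. A legitimate client probes later and is answered.
SAMPLE_CAPTURE = [
    Frame(0.000, AUTH, _spoof(1), AP, 1, False), Frame(0.005, AUTH, AP, _spoof(1), 100, False),
    Frame(0.010, AUTH, _spoof(2), AP, 2, False), Frame(0.015, AUTH, AP, _spoof(2), 101, False),
    Frame(0.017, AUTH, AP, _spoof(2), 101, True), Frame(0.019, AUTH, AP, _spoof(2), 101, True),
    Frame(0.020, AUTH, _spoof(3), AP, 3, False), Frame(0.030, AUTH, AP, _spoof(3), 102, False),
    Frame(0.032, AUTH, AP, _spoof(3), 102, True),
    Frame(0.030, AUTH, _spoof(4), AP, 4, False), Frame(0.040, AUTH, _spoof(5), AP, 5, False),
    Frame(2.500, PROBE_REQ, "3c:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff", 40, False),
    Frame(2.502, PROBE_RESP, AP, "3c:aa:bb:cc:dd:ee", 200, False),
]

if __name__ == "__main__":
    print(attack_stats(SAMPLE_CAPTURE, AP, AUTH))
    print(flood_indicators(SAMPLE_CAPTURE, AP))
```

On the constructed capture the ARF row comes out as Nreq 5, Nresp 3, Nlost 2, Nrr 2.0 and Trr about 0.0067 s, i.e. the retried second reply pushes Nrr above one exactly as a retry limit larger than one does in the tables. Ndup is not reproduced here because the page does not define it. Note that the source-diversity indicator is only meaningful when the attacker spoofs a fresh MAC per frame, as all three schemes do; a flood from a single address is caught by the rate threshold alone.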
close to 60) is reached, the AP ignores any further request (that is, it does not respond at all). Unfortunately, the list of accepted authentications/associations is never refreshed. Then, if an ARF or ASRF attack fills it with fake station requests, the AP doesn't allow any other client, even a legitimate one, to authenticate/associate to it. From this viewpoint, our attacks prevent new legitimate clients from getting access to the network, which is a different, but still annoying, form of Denial of Service. As for the other APs, results are reported in Table 11.

Table 11 Attacks statistics for the Netgear WG602 managed network (no WEP)

        Nreq   Ndup   Nresp   Nlost   Nrr     Trr
PRF     5415   0      5397    18      1       0.001
ASRF    3394   3393   49      3345    7.795   0.114
ARF     2987   2986   29      2958    7.482   0.232

4.8 Cisco AP 350

This AP proved to be vulnerable to both ARF and ASRF attacks, with all communications blocked by the flood of requests even if the attack is executed at a low injection rate. Although all the DoS effects disappear when the MAC spoofing mechanism is disabled, it is quite difficult to explain such a severe vulnerability only as a consequence of the already cited retransmission problems. Actually, the analysis of the logs captured by Ethereal revealed the existence of two different phases in the attack process: firstly, while the attack is in progress, the AP is completely subverted by the flood of requests and is not able to send out any response frame (we saw a similar behaviour with the 3Com Access Point 8000); in a second phase, when the attack is over, the AP starts to send out the responses related to the initial flood of requests. By looking at the values reported in Table 12, we can see that the AP sends out only 13 responses, whereas the number of requests is two orders of magnitude larger than that (1600–1900).

The delay between a request frame and the corresponding response frame reaches the astonishing value of 35–37 s. The retry limit is set equal to 32 by default, but it can be changed through the configuration interface. However, there is no significant change even if the retry limit is set equal to 1 (the minimum value accepted): DoS effects are always present and the only notable difference is a reduction in the value of Trr, which decreases to (about) 17 s. On the basis of these observations, we cannot relate the vulnerabilities simply to the retransmission of unacknowledged frames. The behaviour shown by this AP under the ARF or ASRF attack is quite similar to the behaviour of the 3Com Access Point 8000 under the PRF attack: during the request flooding, the AP is unable to gain access to the medium to send out a response or to transmit the data frames belonging to legitimate communications. This is probably due to the implementation choices with respect to transmit/receive queues and memory management, but a definitive analysis requires support from the vendor.

Table 12 Attacks statistics for the Cisco AP 350 managed network (no WEP)

        Nreq   Ndup   Nresp   Nlost   Nrr    Trr
PRF     4576   0      2127    2449    1.94   0.002
ASRF    1633   0      13      1620    32     37.705
ARF     1951   0      13      1938    32     35.847

4.9 Compaq/HP WL520

As a final investigation, we tested our attacks against a "real-world" wireless network located in the Bio-Medical Campus in Rome. The BSSID we targeted was managed by a Compaq/HP WL520 access point. For this experiment, we resorted to a new attack tool we developed, which is essentially a modified version of the HostAP driver that "embeds" the attack schemes at kernel level. By means of this tool, we are able to execute the attacks at a rate that exceeds 900 frames/s, regardless of the attack scheme (i.e., the ARF and ASRF attacks are more powerful than in the previous experiments). In this way, we managed to hinder the network with all three attack schemes. However, we noticed an unconventional behaviour: after being flooded for a while, the AP decided to switch channel, thus eluding the attacks. Obviously, it is easy to bypass such a defense mechanism by switching channel on the attacking machine. Moreover, it is not clear if the channel switching is a true defense mechanism or a side effect of some different feature of the AP.

5 Concluding remarks

We showed how some simple flooding attacks, based on the injection of forged frames, may cause, under certain circumstances, a serious service degradation in 802.11 wireless networks. Figure 5 compares the packet loss experienced by all the APs we tested under the three different attack techniques we devised. It is apparent that no AP is fully immune, although some APs are much more vulnerable than others. Figure 6 shows a similar comparison for the response times of the APs under attack.

The key points we discovered can be summarized as follows:

– PRF, ARF and ASRF flooding attacks can be executed by any malicious station in the area of a wireless infrastructured network, without being either associated or authenticated to the access point;
– the minimum frame injection rate required to cause a DoS depends on the AP in use. For some of the devices we tested (e.g., the 3Com Access Point 8000), it is surprisingly low;
– the AP's main vulnerability to these flooding attacks seems to reside in unacknowledged frame retransmission, which causes memory buffer exhaustion and freezes AP functionalities (although, as the Netgear ME102 and Cisco AP 350 cases show, retransmission alone does not explain every observed DoS);
– weak implementations of the 802.11 protocol in the access points can determine further vulnerabilities, which allow malicious stations to crash an AP (as shown in the Netgear ME102 case), or to prevent other legitimate stations from associating to the AP.

It is worth noting that the attacks we devised require only very simple hardware and software components (basically a laptop with a Prism card and the HostAP driver plus the Radiate library) and thus they can be executed with very limited effort.

Our experiments showed that the extent of vulnerability to DoS attacks strongly depends on the firmware used by the APs. As a matter of fact, by running different versions of firmware on the same AP, the results may change significantly. This is apparent in the case of the Enterasys AP (Section 4.1.2).
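The lock-out described for the Netgear WG602 in Section 4.7 (a fixed-size list of accepted authentications/associations that is never refreshed, so that spoofed entries from an ARF or ASRF flood keep legitimate clients out until the AP is restarted) is a state-exhaustion problem rather than a retransmission one, and it is the one result on this page that a firmware design choice can fix directly. The following added example (not the AP's firmware) models such a station table in two variants: the vulnerable one, which ignores every request once full, and a hardened one that, when full, evicts the oldest entry that has never sent a data frame, which forged stations never do. The capacity of 60 follows the figure quoted in Section 4.7; the eviction policy, the timings and every MAC address are assumptions.

```python
"""Station-table exhaustion of the kind observed on the Netgear WG602
(Section 4.7): once the list of accepted authentications/associations is
full and never refreshed, forged entries lock legitimate clients out for good.

Added example, not the AP's firmware: the 60-entry capacity follows the
figure quoted in Section 4.7, the eviction policy and timings are assumptions,
and every MAC address is made up."""


class StationTable:
    def __init__(self, capacity=60, evict_stale=False):
        self.capacity = capacity
        self.evict_stale = evict_stale      # False reproduces the vulnerable behaviour
        self.entries = {}                   # mac -> {"last": time, "data": bool}

    def _make_room(self):
        """Hardened variant: drop the oldest entry that authenticated/associated
        but never sent a data frame; forged stations never do."""
        idle = [(e["last"], mac) for mac, e in self.entries.items() if not e["data"]]
        if not idle:
            return False
        del self.entries[min(idle)[1]]
        return True

    def admit(self, mac, now):
        """Authentication/Association request: True if the AP takes the entry,
        False if it ignores the request (no response at all, as on the WG602)."""
        if mac in self.entries:
            self.entries[mac]["last"] = now
            return True
        if len(self.entries) >= self.capacity and not (self.evict_stale and self._make_room()):
            return False
        self.entries[mac] = {"last": now, "data": False}
        return True

    def data_frame(self, mac, now):
        """Data traffic from an admitted station marks it as a real client."""
        if mac in self.entries:
            self.entries[mac]["last"] = now
            self.entries[mac]["data"] = True


def spoofed(i):
    return f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"


def run_flood(table, n_frames, start, interval):
    """ARF/ASRF flood: each request comes from a fresh spoofed MAC.
    Returns how many forged requests the AP accepted."""
    return sum(table.admit(spoofed(i), start + i * interval) for i in range(n_frames))


def scenario(evict_stale):
    """One existing client, a 200-frame flood, then a new legitimate client.
    Returns (existing client still admitted, new client admitted, table size)."""
    t = StationTable(capacity=60, evict_stale=evict_stale)
    existing, newcomer = "3c:aa:bb:cc:dd:01", "3c:aa:bb:cc:dd:02"
    t.admit(existing, 0.0)
    t.data_frame(existing, 1.0)
    run_flood(t, 200, start=10.0, interval=0.01)   # 2 s of forged requests
    return existing in t.entries, t.admit(newcomer, 20.0), len(t.entries)


if __name__ == "__main__":
    print("vulnerable:", scenario(False))   # (True, False, 60)
    print("hardened:  ", scenario(True))    # (True, True, 60)
```

In the vulnerable variant the table fills with 59 forged entries next to the one real client and the newcomer is refused indefinitely; in the hardened variant the flood only churns the idle forged entries, the real client (which has sent data) is never evicted, and the newcomer gets in. The heuristic has a limit worth stating: an attacker who follows each forged association with forged data frames defeats it, so it reduces the lock-out to the flood's own duration rather than removing the need for rate limiting on the AP.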