Wireless LAN Security and IEEE 802.11w
Written by Gopinath KN   
Friday, 23 October 2009

As Wireless LANs (WLANs) have been increasingly entrusted to carry mission critical enterprise data and voice communication, the impact of Wireless LAN (WLAN) Denial of Service (DoS) attacks has increased manyfold. The recently ratified 802.11w standard that provides Management Frame Protection (MFP) does provide some help in fighting WLAN DoS attacks. But, if you think that 802.11w can put an end to all of your WLAN DoS problems, I beg to differ. Please read on to find out why.


Ever since their inception, wireless LANs have been known to be susceptible to Denial of Service (DoS) attacks. Example DoS attacks include radio-level attacks such as RF jamming and MAC-level attacks such as deauthentication flood, disassociation flood, association flood, and virtual jamming (based on the 802.11 NAV field). Tools to launch these DoS attacks are freely available on the Internet. There are two main reasons why WLANs have been vulnerable to DoS attacks. First, the wireless medium is not confined to physical boundaries such as wires and buildings, so attacks can potentially be launched from outside an enterprise (e.g., from a parking lot). Second, authentication and encryption of management and control plane frames were never part of the original 802.11 specification. This makes it easy for an attacker to transmit spoofed attack frames that appear legitimate.

The IEEE 802.11w standard aims to mitigate certain types of WLAN DoS attacks. 802.11w extends strong cryptographic protection to specific management frames, in a manner similar to what 802.11i/RSN defines for data frames. A select set of management frames transmitted after 802.11i/RSN key derivation is protected. MFP is provided for a category of management frames called "Robust Management Frames": Deauthentication frames, Disassociation frames, and certain categories of Action Management frames. Action Management frames are special management frames that carry WLAN operation related information, e.g., QoS management, spectrum management or BlockAck session management. Note that management frames transmitted before the derivation of 802.11i/RSN keys remain unprotected.

802.11w provides data integrity and replay protection for broadcast/multicast Robust Management frames. Additionally, data confidentiality is provided for unicast management frames. A new protocol, the "Broadcast Integrity Protocol" (BIP), is defined for achieving integrity of broadcast/multicast management frames. BIP makes use of a Message Integrity Code (MIC), calculated over the frame body, to detect tampering of management frames; a receiver silently drops all tampered frames. The basic premise is that the MIC computation uses a shared secret that is available only to authorized WLAN users (and not to an attacker). I will explain this further using a deauthentication attack. An attacker launching a deauthentication attack cannot compute the correct MIC for the spoofed deauth frames, so those frames are silently rejected by the 802.11w APs and clients in the WLAN. Nor can the attacker replay any legitimate deauth frames, because of the replay protection. Thus, 802.11w can protect a WLAN against deauthentication attacks.
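To make the receiver-side logic concrete, here is an added, constructed example (not code from the article or from any 802.11 implementation) that models how a protected station treats a broadcast deauthentication frame under BIP: a MIC computed with the group key shared only by associated stations, a packet number for replay detection, and the rule that only Robust Management frames are checked at all. Real BIP uses AES-128-CMAC keyed with the IGTK and carries a 6-byte IPN plus the MIC in a Management MIC Element; this model substitutes a truncated HMAC-SHA256 so it runs on the Python standard library, and the key, addresses and frame bodies are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Simplified model of 802.11w/BIP receive-side checks (constructed example).
# Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for AES-128-CMAC,
# the 6-byte IPN is carried as an int, and frames are plain dataclasses.

MIC_LEN = 6
# 802.11 management subtypes that 802.11w defines as Robust Management frames.
ROBUST_SUBTYPES = {0x0A: "disassociation", 0x0C: "deauthentication", 0x0D: "action"}


@dataclass
class MgmtFrame:
    subtype: int                 # frame-control subtype nibble
    src: bytes                   # transmitter address (6 bytes)
    body: bytes                  # management frame body (e.g. reason code)
    ipn: Optional[int] = None    # IGTK packet number from the MME
    mic: Optional[bytes] = None  # MIC from the MME


def compute_mic(igtk: bytes, frame: MgmtFrame) -> bytes:
    """MIC over header fields, body and the MME with its MIC field zeroed,
    mirroring what BIP covers (stand-in MAC, not AES-CMAC)."""
    mme = frame.ipn.to_bytes(6, "little") + bytes(MIC_LEN)
    data = bytes([frame.subtype]) + frame.src + frame.body + mme
    return hmac.new(igtk, data, hashlib.sha256).digest()[:MIC_LEN]


def protect(igtk: bytes, frame: MgmtFrame, ipn: int) -> MgmtFrame:
    """What the AP does before transmitting a robust broadcast frame."""
    frame.ipn = ipn
    frame.mic = compute_mic(igtk, frame)
    return frame


@dataclass
class Receiver:
    igtk: bytes                  # group key obtained during the RSN handshake
    last_ipn: int = -1           # highest IPN accepted so far
    dropped: List[str] = field(default_factory=list)

    def accept(self, frame: MgmtFrame) -> bool:
        if frame.subtype not in ROBUST_SUBTYPES:
            # Beacons, probe and association frames are not robust frames:
            # 802.11w does not check them, which is why those DoS vectors remain.
            return True
        if frame.mic is None or frame.ipn is None:
            self.dropped.append("no MME")
            return False
        if frame.ipn <= self.last_ipn:
            self.dropped.append("replay")
            return False
        if not hmac.compare_digest(compute_mic(self.igtk, frame), frame.mic):
            self.dropped.append("bad MIC")
            return False
        self.last_ipn = frame.ipn    # advance the replay counter only on success
        return True


def demo():
    """Legitimate deauth accepted; spoofed deauth, replayed deauth rejected;
    a beacon (not a robust frame) passes through unchecked."""
    igtk = b"constructed-igtk-16B"          # constructed key, shared AP <-> clients
    ap = b"\x00\x11\x22\x33\x44\x55"         # constructed AP address
    rx = Receiver(igtk)
    legit = protect(igtk, MgmtFrame(0x0C, ap, b"\x03\x00"), ipn=1)  # reason 3
    results = {"legit": rx.accept(legit)}
    # A spoofer without the IGTK cannot produce a valid MIC; zeros stand in.
    spoofed = MgmtFrame(0x0C, ap, b"\x03\x00", ipn=2, mic=bytes(MIC_LEN))
    results["spoofed"] = rx.accept(spoofed)
    # The same legitimate frame captured and resent fails the IPN check.
    results["replay"] = rx.accept(legit)
    beacon = MgmtFrame(0x08, ap, b"constructed beacon body")
    results["beacon"] = rx.accept(beacon)
    return results, rx.dropped


if __name__ == "__main__":
    print(demo())
```

The `dropped` list is the piece a defender cares about: frames failing the MIC or IPN check are exactly the events a WIPS or AP log should count, since a burst of "bad MIC" deauthentications is the signature of the attack 802.11w neutralises. The unchecked path for the beacon illustrates the limitation discussed next: anything outside the robust set is accepted as before.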

802.11w definitely helps mitigate certain classes of DoS attacks on WLANs, e.g., deauthentication and disassociation attacks. However, 802.11w has the following limitations in fighting WLAN DoS attacks:

- 802.11w provides protection for certain specific 802.11 management frames only, specifically deauthentication frames, disassociation frames, and action management frames. Hence, DoS attacks based on management frames not protected by 802.11w are still possible (e.g., association based attacks, beacon based attacks).

- DoS attacks based on 802.11 data and control frames are outside the scope of 802.11w and continue to be a pain.

- RF jamming based DoS attacks cannot be mitigated via 802.11w.

- Certain logistical issues exist with the 802.11w solution:

  - 802.11w requires a code change/software upgrade not just on the AP, but also on the clients.

  - 802.11w cannot protect the large number of legacy devices that exist today.

Hence, 802.11w is a good first line of defense in mitigating WLAN DoS attacks and you should adopt it. However, for more robust protection, it should be complemented by a DoS detection and mitigation strategy based on a Wireless Intrusion Prevention System (WIPS). Further, a WIPS can help you protect against other wireless security threats that are completely outside the scope of 802.11w: AP based threats (e.g., Rogue APs), client based threats (e.g., Evil Twins) and threats on WLAN infrastructure (e.g., Skyjacking).

I look forward to hearing your views.

Thanks, Gopi

Comments (10)
...
written by Marcus Burton, October 23, 2009
Interestingly enough, introducing 802.11w as a security feature also introduces new security problems. Specifically, WIPS have traditionally used deauthentication frames as rogue containment measures. Now that MFP-protected stations discard frames that fail the MIC, WIPS may have to come up with some new ways of booting rogue devices.
...
written by senthilraj CWNE#!15, October 23, 2009
Hi Gopi,

Good one, but a few corrections :)

Association based attacks are protected by 802.11w.
The SA Query protocol helps to protect against (re)association based attacks.

RF jamming cannot be mitigated by a WIPS; it can just detect it :)

Sure, the need for sensor and endpoint security solutions will not go away.

Thanks
Senthilraj

...
written by Ramprasad, October 27, 2009
Hi Gopi,

You mentioned that Block Ack agreement is a robust action management frame. Could you let me know where you got this info? I searched in the draft but couldn't locate it. Any specific draft version you referred to?

I would also like to know the list of robust action frames.

Thanks,
Ramprasad.

...
written by Gopi, October 30, 2009
Hey Ramprasad,
Please refer to Draft 10. Here is a list of robust action frames: Spectrum management, QoS, DLS (Direct Link Setup between peers in a BSS), Protected Public action frames (those used for various measurement requests/reports), Block Ack session management (e.g., ADDBA, DELBA), Radio measurement, Fast BSS transition, HT (802.11n MIMO related measurement/feedback info), and Security Association (SA) Query related action frames.

Hope it helps!
...
written by Ramprasad, October 30, 2009
Thanks Gopi. This information is really helpful.

Ramprasad.
...
written by Gopi, October 30, 2009
Hey Senthil,

Thanks for your comment.

On the point about association based attacks, I was referring to the authentication flood/association flood attacks that can occur prior to the key/SA establishment phase. These attacks try to inflict DoS by flooding the internal data structures of an AP using fake stations. Such attacks cannot be protected against by .11w (though many vendors implement certain heuristic based defenses against such attacks).

You are referring to a slightly different attack that is based on breaking the association of an already associated client; yes, this is protected by the .11w SA Query procedures.

On RF jamming and WIPS, you have stolen a leaf out of one of my possible future articles :)
...
written by Gopi, October 30, 2009
Hey Marcus,

Good point. IMHO, a WIPS that implements a bag of tricks (and not just one technique) for Rogue AP prevention should always be preferred.
...
written by senthil, October 31, 2009
Hi Gopi,

That's a good idea, to bank on a WIPS vendor with a bag of tricks. But I would beg to differ if someone says ARP cache poisoning is a trick:

1) Firewalls detect these attacks.
2) If allowed, it would cause problems, since it would create problems for the users connected to the switch, as it would alter the CAM table.

Again, I would like to understand :) :)
...
written by Gopi, November 02, 2009
Hey Senthil,

I am ducking; valid issues if somebody is pursuing ARP poisoning. Hence, it is worth investigating possible wireless side techniques as well.
...
written by Sangeeta, December 13, 2009
Hi Gopi,

I had a small query regarding the SA Query procedures. According to 802.11w, the association request is responded to with an association response with status code "association request rejected temporarily", after which the AP engages in the SA Query procedures. Could you please give an idea of what happens next? How does the association procedure complete?

And one more thing: the SA Query procedure is done only if the station is already associated with the AP and the AP then receives another association request from the same STA. For the first association procedure there is no such SA Query procedure; the STA will have a normal association. Please correct me if I am wrong.

Your help would be highly appreciated. Thanks!!
