ABSTRACT
In this work we focus on resource depletion attacks within IEEE 802.11 networks. This type of DoS attack is used to exhaust access points' resources, denying service to legitimate clients and raising the opportunity for more sophisticated attacks. It is usually based on flooding an access point (AP) with a high number of fake authentication requests. This paper introduces a protection method which assists APs in selectively blocking fake requests sent by an attacker, while at the same time allowing legitimate clients to successfully join the network. For this purpose we introduce the concept of regions, which are estimates of clients' relative locations. The concept itself is similar to a known protection against DoS attacks based on client puzzles in wired networks, yet it had to be adjusted to the peculiarities of wireless networks. Rather than utilizing CPU or memory-based resources, which are highly variable among wireless clients, we take advantage of wireless characteristics such as broadcast communication, signal propagation, and dense deployment of IEEE 802.11 technology. The proposed protection enables a tradeoff between security and performance, allowing it to be adapted to different network configurations.
Index Terms
- Regional-based authentication against DoS attacks in wireless networks