=Paper= {{Paper |id=Vol-1256/paper5 |storemode=property |title=Coping with Spoofed PS-Poll Based DoS Attack in IEEE |pdfUrl=https://ceur-ws.org/Vol-1256/paper5.pdf |volume=Vol-1256 |dblpUrl=https://dblp.org/rec/conf/vecos/HocineAB14 }} ==Coping with Spoofed PS-Poll Based DoS Attack in IEEE== https://ceur-ws.org/Vol-1256/paper5.pdf




Coping with Spoofed PS-Poll Based DoS Attack in IEEE 802.11 Networks

Hocine Souilah
Laboratory of Modelling and Optimization of Systems
Faculty of exact science, University of Bejaia, Algeria
hocinesouilah@gmail.com

Abderrahmane Baadache
Laboratory of Modelling and Optimization of Systems
Faculty of exact science, University of Bejaia, Algeria
abderrahmane.baadache@gmail.com

Louiza Bouallouche-Medjkoune
Laboratory of Modelling and Optimization of Systems
Faculty of exact science, University of Bejaia, Algeria
louiza medjkoune@yahoo.fr



IEEE 802.11 networks are particularly vulnerable to DoS (Denial of Service) attacks targeting network availability. In this paper, we focus on the PS-Poll based DoS attack, where the attacker spoofs the polling frame on behalf of the client in order to discard the client's buffered packets at the access point. To cope with this attack, we propose a security solution called APSP (Authenticated Power Save Poll), based on integer prime factorization, to authenticate PS-Poll frames. Our solution is both detective and preventive and generates low communication, computing and storage overheads. It does not require any additional hardware and can be implemented via a firmware upgrade. Simulation results show that the proposed solution is effective and robust in defending against the considered attack.

                IEEE 802.11 networks, DoS attacks, integer prime factorization, power save mode, PS-Poll frame

1. INTRODUCTION

IEEE 802.11 networks are extremely popular and used in several civilian and military applications to avoid the expenses and delays associated with installing wired networks. They are deployed in businesses, homes, communities, and open spaces to provide connectivity to anyone with a receiver that is in radio range. The IEEE 802.11 series of standards provides increasingly higher access speeds and offers some accommodations to users. However, several security issues need to be taken into deeper consideration in order to secure 802.11 wireless communications.

In this paper, we focus on vulnerabilities pronounced in the Power Save Mode (PSM), where the client is in sleep state and unaware of security threats. One of the DoS attacks that can be launched in PSM is the spoofed PS-Poll attack, where the attacker spoofs the client's PS-Poll frame and sends it, on behalf of the client, to the AP (Access Point). When this spoofed frame is received by the AP, the latter delivers the buffered packets (intended for the legitimate sleeping client) to the attacker, then empties the buffer as soon as it receives an acknowledgment from the attacker. This attack can take place because PS-Poll frames are neither protected nor authenticated. To cope with this attack, we propose an integer prime factorization based solution called APSP (Authenticated Power Save Poll). To successfully conduct its attack, the attacker would have to decompose large integers into non-trivial prime divisors. No efficient integer prime factorization algorithm is known when the considered numbers are very large, so the attacker cannot launch its attack. The performed simulations prove that the proposed solution is effective and robust in defending against the spoofed PS-Poll based DoS attack. Furthermore, no significant communication, computing or storage overhead is generated by our solution, and it can be easily implemented through a firmware upgrade, without requiring any additional hardware.

The remainder of this paper is organized as follows. Section 2 introduces IEEE 802.11 networks, Section 3 summarizes some related works and Section 4 describes how the spoofed PS-Poll based DoS attack is launched. The proposal is presented and discussed in Section 5. Simulation results are analyzed and interpreted in Section 6. In Section 7, we conclude the paper and highlight some future work.




2. BACKGROUND

The IEEE 802.11 standard defines the physical and MAC layers of the OSI model for ad hoc and infrastructure modes. It uses three types of frames, namely data frames, control frames and management frames. Data frames are used to send the upper layer data, control frames are used to arbitrate access to the medium and management frames are used for network management tasks. The PS-Poll frame considered in this paper is a control frame used by a client in power save mode to request pending frames buffered at the access point. Some control and management frames enumerated in Table 1 are usually exploited to launch DoS attacks in IEEE 802.11 networks (1).

Table 1: Control and management frames

    Management frames                  Control frames
    Probe Request/Response             Request to Send
    Authentication/Deauthentication    Clear to Send
    Association/Disassociation         Acknowledgement
    Reassociation                      Power Save Poll

In order to identify APs within communication range, a client listens to beacon frames periodically transmitted by APs. After this, authentication request and response frames are exchanged between the client and the AP. Then, an association process takes place in which the client learns the AP's MAC address and the AP assigns an association identifier to the wireless client. An 802.11 client can be authenticated by multiple APs, but it should be associated with only one AP at a time. Once the authentication and association processes are finished, the communication between the client and the AP can take place.

3. RELATED WORK

Usually, DoS attacks launched in IEEE 802.11 networks exploit vulnerabilities related to unauthenticated management frames exchanged between clients and the AP. In (2; 3), the authors present several denial of service attacks against 802.11-based networks, and examine the 802.11 MAC layer in order to identify a number of vulnerabilities that could be exploited to deny service to legitimate users. WEP (Wired Equivalent Privacy) (4) is the popular security protocol that ensures security services such as confidentiality, authentication and integrity. This protocol did not provide solutions to already discovered security weaknesses (5). To remedy these security weaknesses, IEEE proposed Wi-Fi Protected Access (WPA) and 802.11i (6) as the security standards for WLANs. In (8), the authors proposed an encryption based solution using pre-established keys, in order to detect and prevent spoofed PS-Poll based DoS attacks. This solution does not require any additional hardware and can be implemented in both wireless clients and the AP via a firmware upgrade. The authors of (9) presented a solution to address vulnerabilities that exist in the exchange of management frames, and employ a modified Diffie-Hellman algorithm to ensure authentication and integrity, and consequently prevent threats such as active eavesdropping and DoS attacks.

Some commercial software products such as AirDefense Guard, Odyssey Server and SnifferWireless are available and considered as intrusion detection solutions that provide real-time network audits and monitoring, in order to identify and respond to hardware failures, network interference and performance degradation (8). The authors of (10) proposed an intrusion detection system based on the relationship that can exist between a node and the traffic it generates, in order to detect attacks that target the MAC layer of 802.11 networks. General approaches (11; 12) for detecting MAC address spoofing attacks have also been proposed. This detection can be achieved through the analysis of sequence number patterns in the captured wireless traffic.

4. ATTACK MODEL

The Power Save Mode (PSM) (7), defined in the 802.11 standard, allows stations to switch from active mode to sleep mode when there is no transmission, in order to conserve their power. As depicted in Figure 1, to enter PSM, a client sends a PS (Power Save) request to the AP, and a PS response should be sent back by the AP to the client before it can enter sleep mode. During the sleep period, the AP buffers all packets addressed to that client. The presence of buffered packets is periodically indicated in the Traffic Indication Map (TIM) contained in beacon frames. If there is an indication of pending packets, the client can choose to receive those frames at its convenience; otherwise, it sleeps immediately (8). To receive pending data, the client asks the AP for these packets through the Power Save Poll (PS-Poll) frame. After successful reception of the data frames, the client sends an acknowledgment (ACK) which allows the AP to empty the data buffer.

The PS-Poll frame is neither protected nor authenticated. An attacker can easily spoof PS-Poll frames using tools such as SpoofMAC, Airsnarf and NetStumbler. Therefore, it can simply launch a DoS attack by sending spoofed PS-Poll frames on behalf of the sleeping client, thereby causing the destruction of the packets destined to the client. A generic PS-Poll DoS attack scenario is shown in Figure 2.




Figure 1: Power save mode

Figure 2: Spoofed PS-Poll based DoS attack

5. OUR PROPOSAL

In order to cope with the spoofed PS-Poll based DoS attack, we propose APSP (Authenticated Power Save Poll). This solution exploits the principle of integer prime factorization, which consists in decomposing a large number N = p ∗ q (where p and q are two large positive prime numbers) into its non-trivial prime divisors. When the number is very large, no efficient integer prime factorization algorithm is known (13). As depicted in Figure 3, APSP works as follows:

  1. Initially, when the client wants to switch to PSM, it randomly generates two large positive prime numbers p and q, then computes N = p ∗ q.

  2. During the PSM switching process, the client sends a PS request containing N to the AP. The AP stores N and sends a PS response to the client.

  3. When the sleeping client receives a beacon frame from the AP indicating that it has pending frames in the buffer, it sends the PS-Poll frame to the AP along with p to get these frames. If this number p corresponds to the number N previously stored, i.e., p divides N, then the PS-Poll frame is authenticated and will be processed accordingly. Consequently, the AP delivers the buffered frames to the client. Otherwise, the frame is rejected, on the assumption that it comes from the attacker.

  4. After the reception of the frames, the client renews the parameters p, q and N. For this, it sends an acknowledgment (ACK) containing the newly calculated N, which will be used to authenticate the PS-Poll subsequently exchanged with the recently generated p.

Since p and q are two large primes, even if the attacker can obtain N, it is difficult for it to generate the same prime number p generated by the client, due to the intractable factorization problem. Also, since the division N/p can be efficiently performed by the AP, a spoofed PS-Poll is easily detected. Furthermore, the factorization of N is unique, so only the client who generated the number N can prove that it is the legitimate owner of the challenge p, and thus it alone can send the legitimate PS-Poll frame.

6. PERFORMANCE EVALUATION

This section is devoted to evaluating the performance of our security protocol (APSP). We have performed a series of simulations by implementing a prototype in the Maple modeling and development environment (14). Our prototype has a modular design, which allows parallel programming. We have used one AP and one legitimate client operating in 802.11 PSM. Another client periodically sends packets to the legitimate client, and one attacker launches the spoofed PS-Poll based DoS attack. The source




node periodically and randomly sends data packets to the client in PSM, while the AP sends beacon frames at an average rate of 10 beacons/second. The simulation duration is 3600 seconds. We use different values of the primes p and q in order to determine the impact of the size of the prime numbers on the performance of our solution. Furthermore, the simulation was performed without protection constraints (i.e., without WEP or WPA/WPA2). Additionally, we have ignored transmission errors that can occur in the wireless channel.

Figure 3: APSP, Authenticated Power Save Poll

The main goal of our solution is to ensure the reliability of the buffering and subsequent delivery of packets by the AP. Thus, the following metrics have been measured:

  • Packet Delivery Ratio (PDR): denotes the ratio between the number of packets delivered by the AP and correctly received by the client in PSM and the total number of packets generated by the source node and buffered in the AP.

  • Packet Saving Ratio (PSR): is defined as the ratio between the number of packets maintained in the buffer during the client sleep period and the total number of packets buffered in the AP.

  • Attack Success Ratio (ASR): represents the ratio between the number of buffered packets destroyed because of the attack and the total number of packets buffered in the AP. We can consider this ratio as the packet loss ratio.

  • Attacker Efficiency: we define this metric as the ratio between the number of spoofed PS-Polls successfully processed by the AP and the total number of spoofed PS-Polls sent by the attacker.

Simulation results shown in Figure 4 represent PDR, PSR and ASR with N equal to 512 bits.

Figure 4: PDR, PSR and ASR, N=512 bits

From Figure 4, we observe that the PDR increases while the PSR decreases. This means that the AP has kept the buffered packets while the client was in deep sleep, and the buffered packets are then correctly delivered to the client. In other words, the exchange between the client and the AP is fully under control thanks to our solution. Additionally, ASR is kept at 0% during the simulation. This means that all the spoofed PS-Polls sent by the attacker were detected and ignored by the AP, i.e., the correct challenge p was not discovered by the attacker, hence the total failure of the attack. These simulation results show that our solution is fully effective against the spoofed PS-Poll based DoS attack.

In order to determine the impact of the size of the challenge p (or the size of the number N) on PDR, ASR and attacker efficiency, we have used different sizes of N. Results are shown in Figure 5.

From Figure 5, we observe that the increase of PDR is the direct consequence of the increase of the size of N. The larger N is, the closer PDR gets to 100% for sizes less than 64 bits. PDR reaches 100% for sizes equal to 64 bits and more. Moreover, we observe that increasing the size of N causes ASR and attacker efficiency to decrease. In other words, the larger N is, the closer ASR and attacker efficiency get to 0% for




sizes less than 64 bits. These latter metrics reach 0% for sizes equal to or greater than 64 bits. We can also conclude that sizes of N equal to or less than 32 bits are insufficient to prevent the attack, because it is relatively easy for the attacker to find the challenge p with small primes. On the contrary, with large sizes of N, the attacker has no chance to find the correct challenge p.

Figure 5: Impact of N on performance metrics

In order to check the robustness of our solution, we have modified the attack to launch a brute force PS-Poll DoS attack, by testing a set of potential numbers p to find the correct one. In this experiment, N is equal to 512 bits. The obtained results are depicted in Figure 6. Note that similar results were obtained with N equal to 64, 128, 256 and 1024 bits.

Figure 6: Robustness of the proposed solution

From Figure 6, we can say that the AP has kept the legitimate exchange under control in favor of the client, despite the existence of a brute force PS-Poll based DoS attack. Also, simulation results show that the brute force PS-Poll based DoS attack has totally failed, since the ASR is kept at zero (0%) during the simulation. This is due to the total prevention and protection provided by our solution against the spoofed PS-Poll attack. All spoofed PS-Polls sent by the attacker were detected and discarded. So, it is very difficult for the attacker to find the correct number p within a reasonable time. This justifies the result of the attacker efficiency (0%).

Note that the solution we propose is not only detective but also preventive against the spoofed PS-Poll based DoS attack, with low communication, computing and storage overheads. Furthermore, it can be easily implemented in wireless clients and the AP via a firmware upgrade and without any additional hardware.

7. CONCLUSION

In this paper, we have focused on the spoofed PS-Poll based DoS attack, where the attacker spoofs the PS-Poll frame with the objective of destroying buffered packets intended to be delivered to sleeping clients. To cope with this attack, we have proposed APSP (Authenticated Power Save Poll) in order to authenticate PS-Poll frames. Our solution is based on integer prime factorization, known as an intractable problem, to mitigate this DoS attack. The solution we propose is both detective and preventive, with low communication, computing and storage overheads, and it can be easily implemented through a firmware upgrade without requiring any additional hardware. Simulation results show that the proposed solution is effective and robust in defending against the considered attack. In future work, we plan to compare our solution to other reference works in order to assess further its effectiveness and robustness, and extend it to consider other DoS attacks.

REFERENCES

[1] Farooq, T., Llewellyn-Jones, D. and Merabti, M. (2010) MAC Layer DoS Attacks in IEEE 802.11 Networks. The 11th Annual Conference on the Convergence of Telecommunications, Networking & Broadcasting (PGNet 2010), Liverpool, UK.
[2] Bellardo, J. and Savage, S. (2003) 802.11 denial-of-service attacks: real vulnerabilities and practical solutions. Proceedings of the 12th conference on USENIX Security Symposium, vol. 12 of SSYM'03, Berkeley, CA, USA, USENIX Association, pp. 15-28.
[3] Bernaschi, M., Ferreri, F. and Valcamonici, L. (2008) Access points vulnerabilities to DoS attacks in 802.11 networks. Wireless Networks, Vol. 14, No. 2, pp. 159-169.




[4] (1999) IEEE 802.11 Local and Metropolitan Area Networks: Wireless LAN Medium Access Control (MAC) and Physical (PHY) Specifications.
[5] Wong, S. (2007) The evolution of wireless security in 802.11 networks: WEP, WPA and 802.11 standards. GSEC Practical v1.4b.
[6] Moffat, M. and Hunt, R. (2007) Evolution of wireless LAN security architecture to IEEE 802.11i (WPA2). AsiaCSN'07 Proceedings of the Fourth IASTED Asian Conference on Communication Systems and Networks, pp. 292-297.
[7] Matthew G. (2002) 802.11 Wireless Networks: The Definitive Guide. O'Reilly, pp. 122-133.
[8] Qureshi, Z. I., Aslam, B., Mohsin, A. and Javed, Y. (2008) Using Randomized Association ID to Detect and Prevent Spoofed PS-Poll Based Denial of Service Attacks in IEEE 802.11 WLANs. WSEAS Transactions on Communications, Vol. 7, No. 3, pp. 170-179.
[9] Samad, F., Mahmood, W. and Umar Kaleem, A. (2006) Improved Security in IEEE802.11 Wireless LANs. Proceedings of the 5th WSEAS International Conference on Data Networks, Communications and Computers (DNCOCO'06), Bucharest, Romania.
[10] LaRoche, P. and Zincir-Heywood, A. N. (2005) 802.11 Network Intrusion Detection using Genetic Programming. Proceedings of the 2005 Workshops on Genetic and Evolutionary Computation, Washington, D.C., pp. 170-171.
[11] Guo, F. and Chiueh, T. C. (2005) Sequence Number-Based MAC address spoof Detection. Proceedings of 8th Recent Advances in Intrusion Detection Symposium (RAID 2005), Seattle, Washington, USA, pp. 309-329.
[12] Toledo, A. L. and Xiaodong, W. (2008) Robust Detection of MAC Layer Denial-of-Service Attacks in CSMA/CA Wireless Networks. IEEE Transactions on Information Forensics and Security, vol. 3, No. 3, pp. 347-358.
[13] Hildebrand, A. (1987) On the number of prime factors of integers without large prime divisors. Journal of Number Theory, Vol. 25, No. 1, pp. 81-106.
[14] http://www.maplesoft.com/products/maple/
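To make the Section 5 exchange concrete, the following is an added simulation of APSP written for this edition; it is not the authors' Maple prototype. The Client and AccessPoint classes, the dictionary frame layout and the Miller-Rabin prime test are assumptions of this example, not something the paper specifies.

```python
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (standard algorithm, assumed here)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

class Client:
    """Station entering PSM: keeps the challenge p secret, publishes N = p*q."""
    def __init__(self, n_bits):
        self.n_bits = n_bits
        self.renew()
    def renew(self):                  # step 1 (and again at step 4)
        self.p = random_prime(self.n_bits // 2)
        self.q = random_prime(self.n_bits // 2)
        self.N = self.p * self.q
    def ps_request(self):             # step 2: PS request carries N
        return {"type": "PS-Request", "N": self.N}
    def ps_poll(self):                # step 3: PS-Poll carries the challenge p
        return {"type": "PS-Poll", "p": self.p}
    def ack(self):                    # step 4: ACK carries the renewed N
        self.renew()
        return {"type": "ACK", "N": self.N}

class AccessPoint:
    """Stores the client's N, buffers its traffic and verifies each PS-Poll."""
    def __init__(self):
        self.N, self.buffer, self.rejected = None, [], 0
    def on_ps_request(self, frame):
        self.N = frame["N"]
        return {"type": "PS-Response"}
    def verify_ps_poll(self, frame):
        """APSP check: p must be a non-trivial divisor of the stored N (1 and N
        always divide N, so they are rejected explicitly)."""
        p = frame.get("p")
        if self.N is None or not isinstance(p, int) or not 1 < p < self.N:
            return False
        return self.N % p == 0
    def on_ps_poll(self, frame):
        """Valid poll: deliver the buffer. Spoofed poll: drop it, keep buffer."""
        if not self.verify_ps_poll(frame):
            self.rejected += 1
            return None
        delivered, self.buffer = self.buffer, []
        return delivered
    def on_ack(self, frame):          # step 4: replace N for the next poll
        self.N = frame["N"]

def run_exchange(n_bits=512, spoofed_challenges=(2, 3, 65537)):
    """One APSP round; returns (frames delivered, spoofed polls rejected, N renewed)."""
    client, ap = Client(n_bits), AccessPoint()
    ap.on_ps_request(client.ps_request())
    for i in range(3):                            # constructed sample traffic
        ap.buffer.append(f"data-{i}")
    first_N = ap.N
    for p in spoofed_challenges:                  # wrong challenges: all rejected
        ap.on_ps_poll({"type": "PS-Poll", "p": p})
    delivered = ap.on_ps_poll(client.ps_poll())   # legitimate poll: delivered
    ap.on_ack(client.ack())
    return len(delivered), ap.rejected, ap.N != first_N
```

run_exchange() returns (3, 3, True): the three buffered frames reach the legitimate client, the three spoofed PS-Polls are rejected with the buffer left intact (ASR stays at 0%), and the ACK renews N for the next poll.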