IEEE 802.11n Denial of Service Attacks
- Issues and Solutions to IEEE 802.11n A-MPDU Denial of Service Attacks [March 2008] doc.: IEEE 802.11-08/0703r0
- Review of 802.11n A-MPDU DoS Issues - Progress and Status [March 2008] doc.: IEEE 802.11-08/0755r1
- Block Ack Security [May 2008] doc.: IEEE 802.11-08/0665r0
- A Proposed Scale-down Solution to A-MPDU DoS Related Comments in LB 129 [July 2008] doc.: IEEE 802.11-08/0833r0
Authors: Luke Qian [Cisco], Nancy Cam-Winget [Cisco], Doug Smith [Cisco], Matthew Fischer [Broadcom], Henry Ptasinski [Broadcom]
Annotations
This series of IEEE 802.11 documents covers the possibility of DoS attacks against 802.11n devices. These DoS attacks are possible due to the use of A-MPDU and Block ACK (BA), together with the BA reordering buffer and window.
The possible attacks include:
- Forged packets with advanced Sequence Numbers (SN)
  - essentially, a packet is forged that carries a later SN and is therefore not treated as a duplicate. [SN count goes up to 4095].
- Captured and replayed packets with modified SN
  - capture a series of packets and replay them when the receiver's SN count rolls over, so that the replayed packets have a higher SN.
- Captured and replayed packets with advanced SN without modification
- False Block ACK Request (BAR) with advanced SN
  - a BAR is sent which causes the sliding window to shift
- False BA to prevent retransmission
The proposed solutions consist of:
- reversing the order of BA reordering and decryption on the receiver
- protecting SN in CCMP associated data
- including replay detection into the BA reordering layer
- modify SN to indicate dropped packets (dropped packet bit)
  - or wrap the BAR in encryption
- modify SN to indicate the flush of packets
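
The effect of a forged advanced-SN frame on the receiver's reorder window, and of moving the integrity check ahead of reordering, shown as an added example (not taken from the IEEE documents or from this annotation's author). The `ReorderWindow` class, the `authentic` flag standing in for a CCMP check that covers the SN, and the 64-frame window are assumptions of this simplified model.

```python
# Added illustration, not from the IEEE documents: a simplified model of the
# receiver's Block Ack reorder window. All names are hypothetical; `authentic`
# stands in for a CCMP integrity/replay check that covers the SN (assumption).
SN_MOD = 4096        # sequence numbers run 0..4095
HALF = SN_MOD // 2   # an SN up to 2047 ahead of WinStart counts as "new"

class ReorderWindow:
    def __init__(self, win_start=0, win_size=64, verify_before_reorder=False):
        self.win_start, self.win_size = win_start, win_size
        self.verify_first = verify_before_reorder
        self.buf = {}         # sn -> payload held for in-order delivery
        self.delivered = []   # payloads passed up, in delivery order
        self.dropped = []     # (sn, reason)

    def receive(self, sn, payload, authentic=True):
        if self.verify_first and not authentic:
            self.dropped.append((sn, "integrity check failed"))
            return            # hardened order: the window is never touched
        offset = (sn - self.win_start) % SN_MOD
        if offset >= HALF:    # behind the window: treated as old
            self.dropped.append((sn, "behind window"))
            return
        if offset >= self.win_size:   # ahead of the window: slide it forward
            new_start = (sn - self.win_size + 1) % SN_MOD
            held = sorted(self.buf, key=lambda s: (s - self.win_start) % SN_MOD)
            for old in held:          # flush frames left behind, holes included
                if (old - new_start) % SN_MOD >= HALF:
                    self.delivered.append(self.buf.pop(old))
            self.win_start = new_start
        if authentic:
            self.buf[sn] = payload
        else:                 # legacy order: rejected only after the window moved
            self.dropped.append((sn, "integrity check failed after reorder"))
        while self.win_start in self.buf:   # release the in-order run
            self.delivered.append(self.buf.pop(self.win_start))
            self.win_start = (self.win_start + 1) % SN_MOD

def simulate(verify_before_reorder):
    rx = ReorderWindow(verify_before_reorder=verify_before_reorder)
    rx.receive(0, "d0")
    rx.receive(1, "d1")
    rx.receive(1000, "forged", authentic=False)   # constructed frame, advanced SN
    for sn in range(2, 6):                        # legitimate traffic continues
        rx.receive(sn, f"d{sn}")
    return rx

if __name__ == "__main__":
    for mode in (False, True):
        print(mode, simulate(mode).delivered)
```

With reordering done first, the single unauthenticated frame moves the window start to 937 and the legitimate frames 2 to 5 are discarded as old; with verification first, the window stays put and all six frames are delivered.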
-- AndrewBlaich - 09 Oct 2008
- MAC data plane architecture: