Title
But...my station is awake! (Power Save Denial of Service in 802.11 Networks)
Authors
Leandro Meiners
In
ekoparty'09
Date published
2009-09-17
Keywords
wifi 802.11 meiners dos power_save

Abstract

The IEEE 802.11 wireless network standard defines a power save mechanism that allows client stations to enter a sleep mode, during which they are unable to transmit or receive data, in order to conserve energy.

The power save mechanism defined in the standard is fairly simple. In order to enter sleep mode, a station must inform the access point by setting the power management bit (present in all frames) in every frame sent during the frame exchange that precedes the change of its power management mode. When a station is in sleep mode, the access point stops forwarding inbound frames for the station and instead buffers them.

Periodically, the stations must wake up to listen for Beacon frames sent by the access point. These frames indicate, among other things, for which stations, if any, the access point has buffered frames. If a station in sleep mode that has woken up to receive the Beacon frame has buffered frames at the access point (as indicated in the Beacon frame received), it has to send a PS-Poll frame to the access point and wait for it to forward the buffered frames before returning to sleep mode. The PS-Poll frame simply lets the access point know that it can now send the station its buffered frames. On the other hand, a station in active mode can disregard the contents of the Beacon frame, since it shouldn't have buffered frames.

We present a low-bandwidth, active, targeted denial of service for wireless (IEEE 802.11) networks based on the power save features of the IEEE 802.11 wireless standard.

Denial of service attacks, which are aimed at disrupting the availability of a service or host, are generally based on flooding the victim. Denial of service attacks against the IEEE 802.11 protocol are no exception to this rule. Nevertheless, this attack departs from the rule, since it doesn't require flooding the victim. Instead, it abuses the power save features of the standard to partially disconnect a station from the network (it can still send frames).

This attack requires sending one frame to start the attack, and an additional frame after each frame exchange performed by the victim station (to maintain the attack over time).

The attack relies on tricking the access point into believing that the victim is in sleep mode. Until the station changes its power save mode to active and notifies the access point of this, the access point will buffer frames headed for the station, resulting in a partial disconnection of the station from the network (it can still send frames). Since the station is in active mode, it disregards Beacon frames and therefore never requests the buffered frames. After an implementation-specific time, the access point will start dropping buffered frames.

In order to maintain this attack over time, the attacker must monitor the traffic between the station under attack and the access point and, if necessary, trick the access point into believing that the station changed its power management mode to sleep again. The access point might stop buffering frames for the station for three reasons: the station starts to transmit again and thereby "leaves" sleep mode (its frames will not have the power management bit set); some implementation-specific quirk of the access point; or the station sends PS-Poll frames even in active mode. In this last case the station will not be vulnerable to our attack.

We present the results obtained from having implemented this attack and performing attacks in a laboratory environment. We implemented the attack using different frame types and compared both their theoretical and practical advantages and disadvantages.

We conclude the study with two possible mitigation strategies, which require only minor changes to the standard and current implementations and impose only minor overheads. One of the mitigation strategies requires modifying only the station drivers, is backward compatible and targets the key of this attack: it thwarts the attacker's ability to desynchronize the access point's view of the station's power management mode from that of the station, by forcing the station to resynchronize. We implemented and tested this countermeasure, which proved to be effective in our labs.
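The desynchronized state described above is visible to the station itself in the Beacon's TIM element, which an active station normally ignores. The following is an added example, not the paper's patch and not code from psdos.py: it assumes the check "station is in active mode, yet the TIM bit for its association ID is set", and all function names and the sample bytes are constructed.

```python
# Added example: station-side check for a desynchronized power-save view.
# Assumed logic, not the paper's patch; names and sample bytes are constructed.
TIM_ELEMENT_ID = 5  # Traffic Indication Map element carried in Beacon frames


def find_tim(elements: bytes):
    """Walk the (id, length, body) elements of a Beacon body; return the TIM body or None."""
    i = 0
    while i + 2 <= len(elements):
        eid, elen = elements[i], elements[i + 1]
        body = elements[i + 2:i + 2 + elen]
        if len(body) < elen:
            return None  # truncated element: stop parsing
        if eid == TIM_ELEMENT_ID:
            return body
        i += 2 + elen
    return None


def aid_has_buffered_frames(tim, aid: int) -> bool:
    """True if the TIM's partial virtual bitmap has the bit for this association ID set."""
    if tim is None or len(tim) < 4:  # DTIM count, DTIM period, bitmap control, >=1 bitmap octet
        return False
    offset = tim[2] & 0xFE           # bitmap control bits 1-7 give the first octet present
    idx = aid // 8 - offset
    bitmap = tim[3:]
    if idx < 0 or idx >= len(bitmap):
        return False
    return bool(bitmap[idx] & (1 << (aid % 8)))


def ap_view_desynced(station_active: bool, aid: int, elements: bytes) -> bool:
    """An active station should have nothing buffered; a set bit means the AP thinks it sleeps."""
    return station_active and aid_has_buffered_frames(find_tim(elements), aid)


# Constructed Beacon elements: SSID "lab", then a TIM with the bit for AID 2 set.
SAMPLE_ELEMENTS = bytes([0, 3]) + b"lab" + bytes([5, 4, 0, 1, 0x00, 0x04])

if __name__ == "__main__":
    print(ap_view_desynced(True, 2, SAMPLE_ELEMENTS))   # active station, bit set
    print(ap_view_desynced(False, 2, SAMPLE_ELEMENTS))  # sleeping station: normal PS-Poll case
```

When the check returns true, the station can resynchronize by sending the access point a frame with the power management bit clear.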

Attachments

EKO-PS_DoS.pdf - ekoparty presentation slides
PS_DoS.pdf - Full paper
psdos.py - Tool - PoC Code
rausb.fix.patch - RT2570 PSDoS patch