ACK spoofing on MAC-layer rate control: Attacks and defenses

Abstract

In wireless 802.11 networks, MAC-layer rate control mechanisms such as Minstrel play an important role in selecting an appropriate transmission rate to maximize throughput and/or to minimize frame loss. Transmitting at a higher rate achieves high throughput when channel quality is good, but low or zero throughput when channel quality is bad. In many MAC-layer rate control mechanisms, the selection of transmission rates depends on link quality metrics calculated from the MAC-layer acknowledgements (ACKs) of successfully transmitted data frames. We found that injecting forged ACKs to acknowledge lost data frames can mislead most rate control mechanisms into selecting an unsustainable transmission rate, resulting in frame losses. Because ACKs are unprotected, the sender cannot detect and avoid this attack. In this paper, we develop a MAC-layer ACK spoofing mechanism and design experiments to exploit this vulnerability in 802.11 networks. We analyze this vulnerability in different attack models for well-known MAC-layer rate control mechanisms. Our experimental results show that the spoofing attack can reduce the throughput to zero by tricking the sender into believing the highest rate should be used even when the channel quality is bad. To address this issue, we present a defense mechanism that is effective and lightweight. Experimental results confirm the effectiveness of the proposed solution with low communication overhead.
