• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
When WLANs Launch Self DoS Attacks
 

When WLANs Launch Self DoS Attacks

on

  • 2,021 views

The WLAN can be compared to the human body in its complexity. Similar methodology which is used to study the phenomenon in humans can be applied to study wireless systems when they are invaded by ...

The WLAN can be compared to the human body in its complexity. Similar methodology which is used to study the phenomenon in humans can be applied to study wireless systems when they are invaded by intruders such as foreign clients or malicious code.

The purpose of the human immune system is to defend against attacks from germs, viruses & foreign bodies. Likewise, the purpose of access point security software is to defend against attacks from intruders and hackers. But when the immune system fails to distinguish between healthy cells and foreign bodies, it mistakenly attacks and destroys healthy cells. This is called an autoimmunity disorder.

AirTight security researchers have discovered a similar autoimmunity disorder in select open source and commercial 802.11 AP implementations. This presentation for DEFCON16 demonstrates how this vulnerability provides an open door through which DoS attacks can still be launched.

Statistics

Views

Total Views
2,021
Views on SlideShare
1,992
Embed Views
29

Actions

Likes
1
Downloads
0
Comments
0

4 Embeds 29

https://www.coursesites.com 24
http://www.slideshare.net 3
https://coursesites.com 1
https://www.6plus4u.coursesites.com 1

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    When WLANs Launch Self DoS Attacks When WLANs Launch Self DoS Attacks Presentation Transcript

    • Autoimmunity Disorder in Wireless LANs
    • Biological Systems Vs WLAN Systems: Similarities Immune system foreign bodies Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers Biological systems Wireless LAN systems Built-in Security software Attacker
    • Autoimmunity Disorder Immune system foreign bodies When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections Biological systems Wireless LAN systems Built-in Security software Attacker
    • What’s Well Known -- DoS from an External Source
      • It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections.
      AP Client Attacker DoS Attack Launched on CL DoS Attack launched on AP Connection Breaks Connection Breaks
    • What’s New – Self DoS Triggered by an External Stimulus
      • There exist mal-formed packets whose injection can turn an AP into a connection killing machine
      AP Client Attacker Stimulus Self DoS
    • Example of Self DoS (1) AP Client Broadcast Disconnection Notification from AP Attacker
    • Result    Multicast MAC as source  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48 Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3 Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Broadcast MAC as source
    • Example of Self DoS (2) AP Client
      • Attributes: Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs ….
      Disconnection Notification or Response with “Failure” status code Client and AP in Associated State Attacker Stimulus: Req packet with invalid attributes
    • Stimulus
      • Newly introduced reason code in 802.11w
          • 26: Robust management frame policy violation
      10,13,14,18,19,20,21,22,23,24,25 ,26,40,44,45,51 6,7,10,11,13,14,15,21,22 Status Codes Reason Codes
    • Result      Authentication    Broadcast MAC as source    Multicast MAC as source    Assoc Request  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48  Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3  Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Reassoc Req
    • Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.
    • Example: MFP (L)AP MFP Client MFP AP Ignore or Honor Assoc Req Packet ? Client ignores unsolicited Association Response AP has an important decision to make !!! Uprotected “Deauth” ignored by Client Client and AP in Associated state Stimulus:Assoc Req, from Client to AP Attacker Assoc Response Data Deauthentication AP and Client in Deadlock
    • Example: MFP Client MFP Client MFP AP Association dropped at AP Association dropped at Client Client and AP in Associated state Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection
    • The Key Point
      • New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software.
      Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!
    • Demo
    • References
      • www.cs.ucsd.edu/users/ savage / papers /UsenixSec03.pdf
      • http://en.wikipedia.org/wiki/IEEE_802.11w
      • http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
      • IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 )
      • IEEE P802.11w™/D5.0, February 2008
    • Contact Us
      • Md Sohail Ahmad
      • [email_address]
      • Amit Vartak
      • [email_address]
      • J V R Murthy
      • [email_address]
    • Stimulus #1
      • Input : Class 2 or 3 frame with Source MAC as Broadcast
      • MAC address (FF:FF:FF:FF:FF:FF) and
      • Destination MAC address as AP MAC address
      • Output : Broadcast Deauthentication generated by AP
      • Effect : Associated clients which honor Broadcast
      • Deauthentication packet, disconnect from AP
      Stimulus #2
      • Input : Class 2 or 3 frame with Source MAC as Multicast
      • MAC address (01:XX:XX:XX:XX:XX) and
      • Destination MAC address as AP MAC address
      • Output : Multicast Deauthentication generated by AP
      • Effect : Associated clients honor Multicast Deauthentication
      • packet and disconnect from AP
    • Stimulus #3
      • Input : Reassociation Request frame with Source MAC
      • address as Client’s MAC address and Destination
      • MAC address as APMAC address and current AP
      • MAC as any spoofed non-existent MAC address
      • Output : Unicast Deauthentication generated by AP
      • Effect : Associated client honor Deauthentication packet
      • and disconnect from AP
      Stimulus #4
      • Input : Association Request frame with spoofed Basic
      • Rate Param and Source MAC address as Client
      • MAC address and Destination MAC address as AP
      • MAC address
      • Output : Unicast Deauthentication generated by AP
      • Effect : Associated client honor Deauthentication packet
      • and disconnect from AP
    • Stimulus #5
      • Input : 4 MAC address DATA frame with Source
      • MAC as victim’s Client MAC address (or Broadcast
      • MAC) Destination MAC address as AP MAC
      • address
      • Output : Deauthentication Frame generated by AP
      • Effect : Associated client honor Deauthentication packet
      • and disconnect from AP
      Stimulus #6
      • Input : Association Request frame with spoofed
      • capabilities field and Source MAC address as
      • Client MAC address and Destination MAC
      • address as AP MAC address
      • Output : Unicast Deauthentication generated by AP
      • Effect : Associated client honor Deauthentication
      • packet and disconnect from AP
    • Stimulus #7
      • Input : Authentication frame with invalid Authentication
      • Algorithm sent to AP with Source MAC as Client’s
      • MAC address and Destination MAC address as
      • AP MAC address
      • Output : Unicast Deauthentication generated by AP
      • Effect : Associated client honor Deauthentication packet
      • and disconnect from AP
      Stimulus #8
      • Input : Authentication frame with invalid Authentication
      • Transaction sequence number sent to AP with
      • Source MAC as Client’s MAC address and
      • Destination MAC address as AP MAC address
      • Output : Unicast Deauthentication generated by AP
      • Effect : Associated client honor Deauthentication packet
      • and disconnect from AP