When WLANs Launch Self DoS Attacks

1,652 views

Published on

The WLAN can be compared to the human body in its complexity. Similar methodology which is used to study the phenomenon in humans can be applied to study wireless systems when they are invaded by intruders such as foreign clients or malicious code.

The purpose of the human immune system is to defend against attacks from germs, viruses & foreign bodies. Likewise, the purpose of access point security software is to defend against attacks from intruders and hackers. But when the immune system fails to distinguish between healthy cells and foreign bodies, it mistakenly attacks and destroys healthy cells. This is called an autoimmunity disorder.

AirTight security researchers have discovered a similar autoimmunity disorder in select open source and commercial 802.11 AP implementations. This presentation for DEFCON16 demonstrates how this vulnerability provides an open door through which DoS attacks can still be launched.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,652
On SlideShare
0
From Embeds
0
Number of Embeds
30
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

When WLANs Launch Self DoS Attacks

  1. 1. Autoimmunity Disorder in Wireless LANs
  2. 2. Biological Systems Vs WLAN Systems: Similarities Immune system foreign bodies Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers Biological systems Wireless LAN systems Built-in Security software Attacker
  3. 3. Autoimmunity Disorder Immune system foreign bodies When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections Biological systems Wireless LAN systems Built-in Security software Attacker
  4. 4. What’s Well Known -- DoS from an External Source <ul><li>It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections. </li></ul>AP Client Attacker DoS Attack Launched on CL DoS Attack launched on AP Connection Breaks Connection Breaks
  5. 5. What’s New – Self DoS Triggered by an External Stimulus <ul><li>There exist mal-formed packets whose injection can turn an AP into a connection killing machine </li></ul>AP Client Attacker Stimulus Self DoS
  6. 6. Example of Self DoS (1) AP Client Broadcast Disconnection Notification from AP Attacker
  7. 7. Result    Multicast MAC as source  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48 Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3 Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Broadcast MAC as source
  8. 8. Example of Self DoS (2) AP Client <ul><li>Attributes: Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs …. </li></ul>Disconnection Notification or Response with “Failure” status code Client and AP in Associated State Attacker Stimulus: Req packet with invalid attributes
  9. 9. Stimulus <ul><li>Newly introduced reason code in 802.11w </li></ul><ul><ul><ul><li>26: Robust management frame policy violation </li></ul></ul></ul>10,13,14,18,19,20,21,22,23,24,25 ,26,40,44,45,51 6,7,10,11,13,14,15,21,22 Status Codes Reason Codes
  10. 10. Result      Authentication    Broadcast MAC as source    Multicast MAC as source    Assoc Request  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card  Buffalo Model No-WZR-AG300NH, Firmware ver 1.48  Cisco Model No AIR-AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3  Linksys Model No WRT350N, Firmware Ver 1.0.3.7  DLink, Model No DIR-655, Firmware Ver 1.1 Reassoc Req
  11. 11. Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.
  12. 12. Example: MFP (L)AP MFP Client MFP AP Ignore or Honor Assoc Req Packet ? Client ignores unsolicited Association Response AP has an important decision to make !!! Uprotected “Deauth” ignored by Client Client and AP in Associated state Stimulus:Assoc Req, from Client to AP Attacker Assoc Response Data Deauthentication AP and Client in Deadlock
  13. 13. Example: MFP Client MFP Client MFP AP Association dropped at AP Association dropped at Client Client and AP in Associated state Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection
  14. 14. The Key Point <ul><li>New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software. </li></ul>Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!
  15. 15. Demo
  16. 16. References <ul><li>www.cs.ucsd.edu/users/ savage / papers /UsenixSec03.pdf </li></ul><ul><li>http://en.wikipedia.org/wiki/IEEE_802.11w </li></ul><ul><li>http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml </li></ul><ul><li>IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 ) </li></ul><ul><li>IEEE P802.11w™/D5.0, February 2008 </li></ul>
  17. 17. Contact Us <ul><li>Md Sohail Ahmad </li></ul><ul><li>[email_address] </li></ul><ul><li>Amit Vartak </li></ul><ul><li>[email_address] </li></ul><ul><li>J V R Murthy </li></ul><ul><li>[email_address] </li></ul>
  18. 18. Stimulus #1 <ul><li>Input : Class 2 or 3 frame with Source MAC as Broadcast </li></ul><ul><li> MAC address (FF:FF:FF:FF:FF:FF) and </li></ul><ul><li> Destination MAC address as AP MAC address </li></ul><ul><li>Output : Broadcast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated clients which honor Broadcast </li></ul><ul><li> Deauthentication packet, disconnect from AP </li></ul>Stimulus #2 <ul><li>Input : Class 2 or 3 frame with Source MAC as Multicast </li></ul><ul><li> MAC address (01:XX:XX:XX:XX:XX) and </li></ul><ul><li> Destination MAC address as AP MAC address </li></ul><ul><li>Output : Multicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated clients honor Multicast Deauthentication </li></ul><ul><li> packet and disconnect from AP </li></ul>
  19. 19. Stimulus #3 <ul><li>Input : Reassociation Request frame with Source MAC </li></ul><ul><li> address as Client’s MAC address and Destination </li></ul><ul><li> MAC address as APMAC address and current AP </li></ul><ul><li> MAC as any spoofed non-existent MAC address </li></ul><ul><li>Output : Unicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication packet </li></ul><ul><li> and disconnect from AP </li></ul>Stimulus #4 <ul><li>Input : Association Request frame with spoofed Basic </li></ul><ul><li> Rate Param and Source MAC address as Client </li></ul><ul><li> MAC address and Destination MAC address as AP </li></ul><ul><li> MAC address </li></ul><ul><li>Output : Unicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication packet </li></ul><ul><li> and disconnect from AP </li></ul>
  20. 20. Stimulus #5 <ul><li>Input : 4 MAC address DATA frame with Source </li></ul><ul><li> MAC as victim’s Client MAC address (or Broadcast </li></ul><ul><li> MAC) Destination MAC address as AP MAC </li></ul><ul><li> address </li></ul><ul><li>Output : Deauthentication Frame generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication packet </li></ul><ul><li> and disconnect from AP </li></ul>Stimulus #6 <ul><li>Input : Association Request frame with spoofed </li></ul><ul><li> capabilities field and Source MAC address as </li></ul><ul><li> Client MAC address and Destination MAC </li></ul><ul><li> address as AP MAC address </li></ul><ul><li>Output : Unicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication </li></ul><ul><li> packet and disconnect from AP </li></ul>
  21. 21. Stimulus #7 <ul><li>Input : Authentication frame with invalid Authentication </li></ul><ul><li> Algorithm sent to AP with Source MAC as Client’s </li></ul><ul><li> MAC address and Destination MAC address as </li></ul><ul><li> AP MAC address </li></ul><ul><li>Output : Unicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication packet </li></ul><ul><li> and disconnect from AP </li></ul>Stimulus #8 <ul><li>Input : Authentication frame with invalid Authentication </li></ul><ul><li> Transaction sequence number sent to AP with </li></ul><ul><li> Source MAC as Client’s MAC address and </li></ul><ul><li> Destination MAC address as AP MAC address </li></ul><ul><li>Output : Unicast Deauthentication generated by AP </li></ul><ul><li>Effect : Associated client honor Deauthentication packet </li></ul><ul><li> and disconnect from AP </li></ul>

×