This has been known for nearly as long as 802.11 has been there... Basically, none of the management frames are encrypted or authenticated, so you can spoof any of those packets, the most obvious being the disassociation frame, or indeed the failed authentication frame.

This is supposed to change with 802.11i, I believe...

Jacques.

At 02:39 12/03/2003, David Kane-Parry wrote:
Unverified, caveat emptor...

- d.

Begin forwarded message:

From: Mark Osborne <[EMAIL PROTECTED]>
Date: Tue Mar 11, 2003  5:26:32  PM America/New_York
To: [EMAIL PROTECTED]
Subject: 802.11b DoS exploit

While working to develop code for WIDZ that is equivalent to a standard
Intrusion Detection system's RESET or SHUN functionality, an effective
802.11b disruption of service attack has been discovered.  I haven't
spotted any other postings so here we go...

FATA-jack - a modified version of Wlan-jack, Fata-jack sends
Authentication-Failed packets (with a reason code of previous
authentication failed) to a wireless client PC.  The source and
destination macs have been spoofed so as to appear to come from the Access-
point.  The original Wlan-jack code rate of transmission has been
significantly reduced to a meagre rate of 1 every 2.5 seconds, so as to
avoid any flood effect.

In limited tests on multiple operating systems including Windows 98,
Windows ME and Linux, FATA-jack effectively tears down any active session
and in many cases causes the client driver or client software to fail,
requiring a reboot.

Apart from being an extremely lethal DoS attack, FATA-jack is significant
for a number of reasons:

-As the transmission rate is very low, it is easy to see how a low-spec PC
and a standard 802.11 card could disable a large wireless network.

-As the malevolent packets are sent directly to the client, these will not
be picked up by logging functionality on the AP (if you have any) - this
highlights the need for Wireless IDS.

-As the malevolent packets are spoofed AND sent directly to the client, MAC
protection or WEP protection will not prevent it.

-Some workmates have suggested that it could be used to cause IVs/WEP keys
to be cycled.  This would significantly reduce the time for a WEP cracking
exercise. This is yet to be verified.

-- NYCwireless - http://www.nycwireless.net/ Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/ Archives: http://lists.nycwireless.net/pipermail/nycwireless/


-- Jacques Caron, IP Sector Technologies
   Join the discussion on public WLAN open global roaming:
   http://lists.ipsector.com/listinfo/openroaming


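Detection logic for the spoofed-management-frame problem this thread describes, as an added example that is not part of the thread, of WIDZ or of FATA-jack: it parses raw 802.11 management frames, flags failed-Authentication, Deauthentication and Disassociation frames whose transmitter address is the AP's own BSSID, and counts them per client over a long window so that the slow one-frame-per-2.5-seconds drip is still caught. The frame builder, MAC addresses, window and threshold are constructed assumptions, not values from the posts.

```python
import struct
from collections import defaultdict

# 802.11 management subtypes and the status code the post describes
# ("previous authentication no longer valid"), both from the 802.11 standard.
DISASSOC, AUTH, DEAUTH = 10, 11, 12
STATUS_PREVIOUS_AUTH_INVALID = 2

def parse_mgmt(frame):
    """Return (subtype, da, sa, bssid, body) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    return frame[0] >> 4, frame[4:10], frame[10:16], frame[16:22], frame[24:]

def auth_body(status):
    """Open-system Authentication body (alg 0, seq 2) carrying a status code."""
    return struct.pack('<HHH', 0, 2, status)

def mgmt_frame(subtype, da, sa, bssid, body=b''):
    """Constructed sample input: minimal management header (FC, duration, three
    addresses, sequence control) plus body. Used here only to feed the detector."""
    return bytes([subtype << 4, 0, 0, 0]) + da + sa + bssid + b'\x00\x00' + body

class SpoofedMgmtDetector:
    """Alert when a client receives `threshold` failed-auth/deauth/disassoc frames
    'from' the AP within `window` seconds. The long window matters: one frame
    every 2.5 s never trips a flood threshold but still tears sessions down."""
    def __init__(self, ap_bssid, window=60.0, threshold=3):
        self.ap_bssid, self.window, self.threshold = ap_bssid, window, threshold
        self.seen = defaultdict(list)   # client MAC -> timestamps of suspect frames

    def observe(self, ts, frame):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        subtype, da, sa, _bssid, body = parsed
        if sa != self.ap_bssid:          # only frames claiming to come from our AP
            return None
        suspect = subtype in (DISASSOC, DEAUTH)
        if subtype == AUTH and len(body) >= 6:
            suspect = struct.unpack('<HHH', body[:6])[2] != 0   # nonzero = failure
        if not suspect:
            return None
        recent = [t for t in self.seen[da] if ts - t <= self.window] + [ts]
        self.seen[da] = recent
        if len(recent) >= self.threshold:
            return {'client': da.hex(':'), 'subtype': subtype, 'count': len(recent)}
        return None
```

A genuine AP also sends deauthentication and failed-authentication frames, so an alert should be correlated with the AP's own logs: as the post notes, the AP never transmits or sees the spoofed frames, so a client-side count with no matching AP-side event is the telling signal.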