Autoimmunity Disorder in Wireless LANs

By Md Sohail Ahmad, J V R Murthy, Amit Vartak, AirTight Networks

Biological Systems Vs WLAN Systems: Similarities

[Diagram: in biological systems the immune system faces foreign bodies; in wireless LAN systems the built-in security software faces an attacker]

  • Biological systems: the purpose of the immune system is to defend against attacks from germs, viruses and foreign bodies
  • Wireless LAN systems: the purpose of WLAN system software is to defend against attacks from intruders and hackers

August 9, 2008 DefCon 16

Autoimmunity Disorder

[Diagram: the same comparison of biological systems (foreign bodies, immune system) and wireless LAN systems (attacker, built-in security software)]

  • Biological systems: when the immune system mistakenly attacks and destroys healthy body tissues
  • Wireless LAN systems: when the AP mistakenly attacks and destroys legitimate client connections

What’s Well Known -- DoS from an External Source
  • It is well known that by sending spoofed Deauthentication or Disassociation packets it is possible to break connections.

[Diagram: the attacker launches a DoS attack on the client (CL) or on the AP; in both cases the connection between Client and AP breaks]

What’s New – Self DoS Triggered by an External Stimulus
  • There exist malformed packets whose injection can turn an AP into a connection-killing machine

[Diagram: a stimulus from the attacker reaches the AP, which then causes the Self DoS of its connection to the Client]

Example of Self DoS (1)

[Diagram: Attacker, Client and AP; Broadcast Disconnection Notification from AP]

Result

Example of Self DoS (2)

[Diagram: Attacker, Client and AP]

  • Client and AP in Associated state
  • Stimulus: Req packet with invalid attributes
  • Disconnection Notification or Response with “Failure” status code
  • Attributes: Capabilities, Basic Rate sets, Power capabilities element, Supported channels element, invalid IEs ….

Stimulus

Newly introduced reason code in 802.11w

  • 26: Robust management frame policy violation

Result

Is Cisco MFP also vulnerable to Self DoS?

Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

Example: MFP (L)AP

[Diagram: MFP Client, MFP AP and Attacker]

  • Client and AP in Associated state, exchanging data
  • Stimulus: Assoc Req, from Client to AP
  • AP has an important decision to make!!! Ignore or honor the Assoc Req packet?
  • Assoc Response: Client ignores unsolicited Association Response
  • Deauthentication: unprotected “Deauth” ignored by Client
  • AP and Client in deadlock

Example: MFP Client

[Diagram: MFP AP, MFP Client and Attacker]

  • Client and AP in Associated state
  • Stimulus: Assoc Response, from AP to Client, Status Code Failure
  • Association dropped at Client
  • Protected Deauthentication, teardown connection
  • Association dropped at AP

The Key Point

New avenues for launching DoS attacks are possible. The majority of the vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software.

Even with MFP (11w) protection, DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!

Demo


Contact Us
  • Md Sohail Ahmad
  • Amit Vartak
  • J V R Murthy

Stimulus #1
  • Input: Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address
  • Output: Broadcast Deauthentication generated by AP
  • Effect: Associated clients which honor the Broadcast Deauthentication packet disconnect from AP

Stimulus #2
  • Input: Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address
  • Output: Multicast Deauthentication generated by AP
  • Effect: Associated clients honor the Multicast Deauthentication packet and disconnect from AP

Stimulus #3
  • Input: Reassociation Request frame with Source MAC address as Client’s MAC address, Destination MAC address as AP MAC address and current AP MAC as any spoofed non-existent MAC address
  • Output: Unicast Deauthentication generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #4
  • Input: Association Request frame with spoofed Basic Rate Param, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
  • Output: Unicast Deauthentication generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #5
  • Input: 4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) and Destination MAC address as AP MAC address
  • Output: Deauthentication frame generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #6
  • Input: Association Request frame with spoofed capabilities field, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
  • Output: Unicast Deauthentication generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #7
  • Input: Authentication frame with invalid Authentication Algorithm sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
  • Output: Unicast Deauthentication generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #8
  • Input: Authentication frame with invalid Authentication Transaction sequence number sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
  • Output: Unicast Deauthentication generated by AP
  • Effect: Associated client honors the Deauthentication packet and disconnects from AP
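
Detection logic for the input/output pairs listed as Stimulus #1 to #8, added here as an example and not taken from the presentation: it reads 802.11 MAC headers from a capture and reports every Deauthentication sent by the AP shortly after a frame of one of the listed shapes arrived claiming the same address. The addresses, the 1-second WINDOW, the function names and the sample capture are constructed assumptions, and control frames are deliberately left out of the check.

```python
import struct

MGMT, DATA = 0, 2                                    # 802.11 frame types
ASSOC_REQ, REASSOC_REQ, AUTH, DEAUTH = 0, 2, 11, 12  # management subtypes
WINDOW = 1.0  # assumed maximum seconds between a stimulus and the AP's reaction
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
BCAST, OTHER = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:03"

def parse(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header (no radiotap, no FCS)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 15,
            "four_addr": (fc & 0x0300) == 0x0300,    # ToDS and FromDS both set
            "ra": frame[4:10].hex(":"), "ta": frame[10:16].hex(":")}

def is_stimulus(h: dict, ap: str) -> bool:
    """True for the frame shapes the slides list as inputs, sent to the AP."""
    if h["ra"] != ap or h["type"] not in (MGMT, DATA):
        return False
    if int(h["ta"][:2], 16) & 1:                     # group sender: stimulus #1, #2
        return True
    if h["type"] == MGMT:                            # stimulus #3, #4, #6, #7, #8
        return h["subtype"] in (ASSOC_REQ, REASSOC_REQ, AUTH)
    return h["four_addr"]                            # stimulus #5

def find_self_dos(capture, ap: str) -> list:
    """(deauth_time, victim, stimulus_time) for AP deauths that follow a stimulus."""
    recent, hits = {}, []                            # claimed sender -> last seen
    for ts, frame in capture:
        h = parse(frame)
        if is_stimulus(h, ap):
            recent[h["ta"]] = ts
        elif h["type"] == MGMT and h["subtype"] == DEAUTH and h["ta"] == ap:
            cause = recent.get(h["ra"])
            if cause is not None and ts - cause <= WINDOW:
                hits.append((ts, h["ra"], cause))
    return hits

def hdr(ftype, subtype, ra, ta, ds=0):  # constructed sample header, Address 3 = BSSID
    fc = (ftype << 2) | (subtype << 4) | (ds << 8)
    return struct.pack("<HH", fc, 0) + bytes.fromhex((ra + ta + AP).replace(":", "")) + b"\0\0"

CAPTURE = [(10.00, hdr(DATA, 0, AP, BCAST, ds=1)), (10.02, hdr(MGMT, DEAUTH, BCAST, AP)),
           (20.00, hdr(MGMT, ASSOC_REQ, AP, STA)), (20.01, hdr(MGMT, DEAUTH, STA, AP)),
           (50.00, hdr(MGMT, DEAUTH, OTHER, AP))]    # last deauth has no stimulus

if __name__ == "__main__":
    print(find_self_dos(CAPTURE, AP))
```

A hit is a lead to investigate, not proof: an ordinary client also sends Authentication and Association Request frames, so the check is most useful for stations that were already associated when the request appeared.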
