1 / 21

Autoimmunity Disorder in Wireless LANs

Autoimmunity Disorder in Wireless LANs. By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks. Attacker. Biological Systems Vs WLAN Systems: Similarities. Biological systems. Wireless LAN systems. foreign bodies. Immune system. Built-in Security software.

kalil
Download Presentation

Autoimmunity Disorder in Wireless LANs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Autoimmunity Disorder in Wireless LANs ByMd Sohail AhmadJ V R Murthy, Amit VartakAirTight Networks

  2. Attacker Biological Systems Vs WLAN Systems: Similarities Biological systems Wireless LAN systems foreign bodies Immune system Built-in Security software Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers August 9, 2008 DefCon 16

  3. Attacker Autoimmunity Disorder Biological systems Wireless LAN systems foreign bodies Immune system Built-in Security software When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections August 9, 2008 DefCon 16

  4. Attacker DoS Attack Launched on CL Connection Breaks Connection Breaks DoS Attack launched on AP What’s Well Known -- DoS from an External Source • It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections. Client AP August 9, 2008 DefCon 16

  5. Stimulus Self DoS What’s New – Self DoS Triggered by an External Stimulus • There exist mal-formed packets whose injection can turn an AP into a connection killing machine Client Attacker AP August 9, 2008 DefCon 16

  6. Attacker Broadcast Disconnection Notification from AP Example of Self DoS (1) Client AP August 9, 2008 DefCon 16

  7. Result August 9, 2008 DefCon 16

  8. Attacker Client and AP in Associated State Stimulus: Req packet with invalid attributes Disconnection Notification or Response with “Failure” status code Example of Self DoS (2) Client AP • Attributes:Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs …. August 9, 2008 DefCon 16

  9. Stimulus Newly introduced reason code in 802.11w • 26: Robust management frame policy violation August 9, 2008 DefCon 16

  10. Result August 9, 2008 DefCon 16

  11. Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant. August 9, 2008 DefCon 16

  12. Data Client and AP in Associated state Attacker Stimulus:Assoc Req, from Client to AP Assoc Response Deauthentication AP and Client in Deadlock Example: MFP (L)AP MFP Client MFP AP AP has an important decision to make !!! Ignore or Honor Assoc Req Packet ? Client ignores unsolicited Association Response Uprotected “Deauth” ignored by Client August 9, 2008 DefCon 16

  13. Client and AP in Associated state Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection Example: MFP Client MFP AP MFP Client Association dropped at Client Association dropped at AP August 9, 2008 DefCon 16

  14. The Key Point New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software. Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable! August 9, 2008 DefCon 16

  15. Demo August 9, 2008 DefCon 16

  16. References • www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf • http://en.wikipedia.org/wiki/IEEE_802.11w • http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml • IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 ) • IEEE P802.11w™/D5.0, February 2008 August 9, 2008 DefCon 16

  17. Contact Us • Md Sohail Ahmad md.ahmad@airtightnetworks.com • Amit Vartak amit.vartak@airtightnetworks.com • J V R Murthy murthy.jvr@airtightnetworks.com August 9, 2008 DefCon 16

  18. Stimulus #1 • Input : Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address • Output : Broadcast Deauthentication generated by AP • Effect : Associated clients which honor Broadcast Deauthentication packet, disconnect from AP Stimulus #2 • Input : Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address • Output : Multicast Deauthentication generated by AP • Effect : Associated clients honor Multicast Deauthentication packet and disconnect from AP August 9, 2008 DefCon 16

  19. Stimulus #3 • Input :Reassociation Request frame with Source MAC address as Client’s MAC address and Destination MAC address as APMAC address and current AP MAC as any spoofed non-existent MAC address • Output : Unicast Deauthentication generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #4 • Input :Association Request frame with spoofed Basic Rate Param and Source MAC address as Client MAC address and Destination MAC address as AP MAC address • Output : Unicast Deauthentication generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP August 9, 2008 DefCon 16

  20. Stimulus #5 • Input :4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) Destination MAC address as AP MAC address • Output : Deauthentication Frame generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #6 • Input :Association Request frame with spoofed capabilities field and Source MAC address as Client MAC address and Destination MAC address as AP MAC address • Output : Unicast Deauthentication generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP August 9, 2008 DefCon 16

  21. Stimulus #7 • Input :Authentication frame with invalid Authentication Algorithm sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address • Output : Unicast Deauthentication generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP Stimulus #8 • Input :Authentication frame with invalid Authentication Transaction sequence number sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address • Output : Unicast Deauthentication generated by AP • Effect : Associated client honor Deauthentication packet and disconnect from AP August 9, 2008 DefCon 16

More Related