Autoimmunity disorder in wireless lans
Download
1 / 21

Autoimmunity Disorder in Wireless LANs - PowerPoint PPT Presentation


  • 80 Views
  • Uploaded on

Autoimmunity Disorder in Wireless LANs. By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks. Attacker. Biological Systems Vs WLAN Systems: Similarities. Biological systems. Wireless LAN systems. foreign bodies. Immune system. Built-in Security software.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Autoimmunity Disorder in Wireless LANs' - kalil


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Autoimmunity disorder in wireless lans l.jpg

Autoimmunity Disorder in Wireless LANs

ByMd Sohail AhmadJ V R Murthy, Amit VartakAirTight Networks


Biological systems vs wlan systems similarities l.jpg

Attacker

Biological Systems Vs WLAN Systems: Similarities

Biological systems

Wireless LAN systems

foreign

bodies

Immune

system

Built-in

Security software

Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies

Purpose of WLAN system software is to defend against attacks from intruders and hackers

August 9, 2008 DefCon 16


Autoimmunity disorder l.jpg

Attacker

Autoimmunity Disorder

Biological systems

Wireless LAN systems

foreign

bodies

Immune

system

Built-in

Security software

When immune system mistakenly attacks & destroys healthy body tissues

When AP mistakenly attacks and destroys legitimate client connections

August 9, 2008 DefCon 16


What s well known dos from an external source l.jpg

Attacker

DoS Attack Launched on CL

Connection Breaks

Connection Breaks

DoS Attack launched on AP

What’s Well Known -- DoS from an External Source

  • It is well known that by sending spoofed De-authentication or Dis-association packets it is possible to break connections.

Client

AP

August 9, 2008 DefCon 16


What s new self dos triggered by an external stimulus l.jpg

Stimulus

Self DoS

What’s New – Self DoS Triggered by an External Stimulus

  • There exist mal-formed packets whose injection can turn an AP into a connection killing machine

Client

Attacker

AP

August 9, 2008 DefCon 16


Example of self dos 1 l.jpg

Attacker

Broadcast Disconnection Notification from AP

Example of Self DoS (1)

Client

AP

August 9, 2008 DefCon 16


Result l.jpg
Result

August 9, 2008 DefCon 16


Example of self dos 2 l.jpg

Attacker

Client and AP in Associated State

Stimulus: Req packet with invalid attributes

Disconnection Notification or Response with “Failure” status code

Example of Self DoS (2)

Client

AP

  • Attributes:Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs ….

August 9, 2008 DefCon 16


Stimulus l.jpg
Stimulus

Newly introduced reason code in 802.11w

  • 26: Robust management frame policy violation

August 9, 2008 DefCon 16


Result10 l.jpg
Result

August 9, 2008 DefCon 16


Is cisco mfp also vulnerable to self dos l.jpg
Is Cisco MFP also vulnerable to Self DoS ?

Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

August 9, 2008 DefCon 16


Example mfp l ap l.jpg

Data

Client and AP in Associated state

Attacker

Stimulus:Assoc Req, from Client to AP

Assoc Response

Deauthentication

AP and Client in Deadlock

Example: MFP (L)AP

MFP Client

MFP AP

AP has an important decision to make !!!

Ignore or Honor

Assoc Req Packet

?

Client ignores unsolicited

Association Response

Uprotected “Deauth” ignored by Client

August 9, 2008 DefCon 16


Example mfp client l.jpg

Client and AP in Associated state

Stimulus:Assoc Response, from AP to Client, Status Code Failure

Attacker

Protected Deauthentication, teardown connection

Example: MFP Client

MFP AP

MFP Client

Association dropped at Client

Association dropped at AP

August 9, 2008 DefCon 16


The key point l.jpg
The Key Point

New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software.

Even with MFP (11w) protection

DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!

August 9, 2008 DefCon 16


Slide15 l.jpg
Demo

August 9, 2008 DefCon 16


References l.jpg
References

  • www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf

  • http://en.wikipedia.org/wiki/IEEE_802.11w

  • http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

  • IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 )

  • IEEE P802.11w™/D5.0, February 2008

August 9, 2008 DefCon 16


Contact us l.jpg
Contact Us

  • Md Sohail Ahmad

    md.ahmad@airtightnetworks.com

  • Amit Vartak

    amit.vartak@airtightnetworks.com

  • J V R Murthy

    murthy.jvr@airtightnetworks.com

August 9, 2008 DefCon 16


Stimulus 1 l.jpg
Stimulus #1

  • Input : Class 2 or 3 frame with Source MAC as Broadcast

    MAC address (FF:FF:FF:FF:FF:FF) and

    Destination MAC address as AP MAC address

  • Output : Broadcast Deauthentication generated by AP

  • Effect : Associated clients which honor Broadcast

    Deauthentication packet, disconnect from AP

Stimulus #2

  • Input : Class 2 or 3 frame with Source MAC as Multicast

    MAC address (01:XX:XX:XX:XX:XX) and

    Destination MAC address as AP MAC address

  • Output : Multicast Deauthentication generated by AP

  • Effect : Associated clients honor Multicast Deauthentication

    packet and disconnect from AP

August 9, 2008 DefCon 16


Stimulus 3 l.jpg
Stimulus #3

  • Input :Reassociation Request frame with Source MAC

    address as Client’s MAC address and Destination

    MAC address as APMAC address and current AP

    MAC as any spoofed non-existent MAC address

  • Output : Unicast Deauthentication generated by AP

  • Effect : Associated client honor Deauthentication packet

    and disconnect from AP

Stimulus #4

  • Input :Association Request frame with spoofed Basic

    Rate Param and Source MAC address as Client

    MAC address and Destination MAC address as AP

    MAC address

  • Output : Unicast Deauthentication generated by AP

  • Effect : Associated client honor Deauthentication packet

    and disconnect from AP

August 9, 2008 DefCon 16


Stimulus 5 l.jpg
Stimulus #5

  • Input :4 MAC address DATA frame with Source

    MAC as victim’s Client MAC address (or Broadcast

    MAC) Destination MAC address as AP MAC

    address

  • Output : Deauthentication Frame generated by AP

  • Effect : Associated client honor Deauthentication packet

    and disconnect from AP

Stimulus #6

  • Input :Association Request frame with spoofed

    capabilities field and Source MAC address as

    Client MAC address and Destination MAC

    address as AP MAC address

  • Output : Unicast Deauthentication generated by AP

  • Effect : Associated client honor Deauthentication

    packet and disconnect from AP

August 9, 2008 DefCon 16


Stimulus 7 l.jpg
Stimulus #7

  • Input :Authentication frame with invalid Authentication

    Algorithm sent to AP with Source MAC as Client’s

    MAC address and Destination MAC address as

    AP MAC address

  • Output : Unicast Deauthentication generated by AP

  • Effect : Associated client honor Deauthentication packet

    and disconnect from AP

Stimulus #8

  • Input :Authentication frame with invalid Authentication

    Transaction sequence number sent to AP with

    Source MAC as Client’s MAC address and

    Destination MAC address as AP MAC address

  • Output : Unicast Deauthentication generated by AP

  • Effect : Associated client honor Deauthentication packet

    and disconnect from AP

August 9, 2008 DefCon 16