Full Disclosure mailing list archives

Re: 802.11b (others) single packet DoS


From: "Andrew A. Vladimirov" <mlists () arhont com>
Date: Thu, 13 May 2004 19:26:23 +0100

The description of the attack appears to be too general and it is too early to say anything before a detailed practical implementation of the attack is shown (after all, this is Full Disclosure). From what I have gathered reading the provided link, it is a form of casual jamming using a common wireless client card rather than a specific jamming device a la http://www.svbxlabs.com/pages/projects/herf005/

Well, if it is the case, then there is nothing new about it. Anyone who has experimented with FakeAP knows that it can flood the channel pretty badly, especially if the attacker sets a smaller interval between beacons (e.g. with prism2_param beacon_int) and supplements it with a probe request flood (looping prism2_param hostscan). As an example, see
http://www.wi-foo.com/phorum/read.php?f=1&i=24&t=11#reply_24
at our forum.

Regards,
Andrew

--
Dr. Andrew A. Vladimirov
CISSP #34081, CWNA, CCNP/CCDP, TIA Linux+
CSO
Arhont Ltd - Information Security.

Web: http://www.arhont.com
     http://www.wi-foo.com
Tel: +44 (0)870 44 31337
Fax: +44 (0)117 969 0141
GPG: Key ID - 0x1D312310
GPG: Server - gpg.arhont.com




michaeltone1975 wrote:
http://www.auscert.org.au/render.html?it=4091

The vulnerability is related to the medium access control (MAC)
function of the IEEE 802.11 protocol.  WLAN devices perform Carrier
Sense Multiple Access with Collision Avoidance (CSMA/CA), which
minimises the likelihood of two devices transmitting
simultaneously.  Fundamental to the functioning of CSMA/CA is the
Clear Channel Assessment (CCA) procedure, used in all
standards-compliant hardware and performed by a Direct Sequence
Spread Spectrum (DSSS) physical (PHY) layer.

An attack against this vulnerability exploits the CCA function at
the physical layer and causes all WLAN nodes within range, both
clients and access points (AP), to defer transmission of data for
the duration of the attack. When under attack, the device behaves
as if the channel is always busy, preventing the transmission of
any data over the wireless network.


http://standards.ieee.org/getieee802/download/802.11-1999.pdf





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
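A defender's view of the FakeAP-style beacon flood Andrew describes, added here as an example that is not part of the mailing list post or of any tool it mentions: a small heuristic that scans per-channel beacon records for an implausible number of BSSIDs, Beacon Interval fields far below the usual 100 TU, or a beacon rate the visible BSSIDs could not legitimately produce. The record format, the sample capture and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

TU_SECONDS = 1024e-6          # one 802.11 Time Unit
DEFAULT_BEACON_INT_TU = 100   # the Beacon Interval almost every real AP advertises

# Constructed capture records, not real data: (timestamp_s, channel, bssid, beacon_interval_tu).
SAMPLE_BEACONS = (
    [(0.1 * i, 6, "00:11:22:33:44:55", 100) for i in range(10)]                     # one legitimate AP
    + [(0.005 * i, 11, "02:00:00:00:00:%02x" % (i % 40), 10) for i in range(200)]  # 40 fake BSSIDs, 10 TU
)

def analyze_beacons(beacons, window_s=1.0, max_bssids=16, min_interval_tu=50, rate_factor=3.0):
    """Return {channel: [reasons]} for channels whose beacon traffic looks like a flood.

    Heuristics, evaluated per channel (thresholds are assumed, tune them per site):
      many_bssids    - more distinct BSSIDs than the site would plausibly host
      short_interval - some BSSID advertises a Beacon Interval far below the default
      beacon_rate    - observed beacons/s far above what the BSSIDs seen should emit
    """
    per_channel = defaultdict(list)
    for ts, ch, bssid, interval_tu in beacons:
        per_channel[ch].append((ts, bssid, interval_tu))
    alerts = {}
    for ch, recs in per_channel.items():
        reasons = []
        bssids = {b for _, b, _ in recs}
        if len(bssids) > max_bssids:
            reasons.append("many_bssids")
        if any(itv < min_interval_tu for _, _, itv in recs):
            reasons.append("short_interval")
        stamps = [ts for ts, _, _ in recs]
        span = max(max(stamps) - min(stamps), window_s)   # never divide by a tiny window
        observed_rate = len(recs) / span
        # what this many BSSIDs would send if each kept the default interval
        expected_rate = len(bssids) / (DEFAULT_BEACON_INT_TU * TU_SECONDS)
        if observed_rate > rate_factor * expected_rate:
            reasons.append("beacon_rate")
        if reasons:
            alerts[ch] = reasons
    return alerts

if __name__ == "__main__":
    for ch, why in analyze_beacons(SAMPLE_BEACONS).items():
        print(f"channel {ch}: possible beacon flood ({', '.join(why)})")
```

The rate check catches a single spoofed BSSID that advertises the default interval in its frames while actually transmitting much faster, which the interval check alone would miss.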


