Autoimmunity Disorder in Wireless LANs
By Md Sohail Ahmad, J V R Murthy, Amit Vartak (AirTight Networks)


August 9, 2008 DefCon 16

Biological Systems Vs WLAN Systems: Similarities
• Biological systems (immune system, foreign bodies): Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies
• Wireless LAN systems (built-in security software, attacker): Purpose of WLAN system software is to defend against attacks from intruders and hackers

Autoimmunity Disorder
• Biological systems (immune system, foreign bodies): When immune system mistakenly attacks & destroys healthy body tissues
• Wireless LAN systems (built-in security software, attacker): When AP mistakenly attacks and destroys legitimate client connections

What’s Well Known -- DoS from an External Source
• It is well known that by sending spoofed De-authentication or Disassociation packets it is possible to break connections.
[Diagram: AP, Client, Attacker. DoS attack launched on CL; DoS attack launched on AP; connection breaks.]

What’s New – Self DoS Triggered by an External Stimulus
• There exist malformed packets whose injection can turn an AP into a connection-killing machine.
[Diagram: AP, Client, Attacker. Stimulus; Self DoS.]

Example of Self DoS (1)
[Diagram: AP, Client, Attacker. Broadcast Disconnection Notification from AP.]

Result
Columns: Broadcast MAC as source; Multicast MAC as source
DLink, Model No DIR-655, Firmware Ver 1.1 
Linksys, Model No WRT350N, Firmware Ver
Cisco, Model No AIR-AP1232AG-A-K9, Firmware Ver 12.3(8)JEA3
Buffalo, Model No WZR-AG300NH, Firmware Ver 1.48 
Madwifi driver with Cisco Aironet a/b/g Card 

Example of Self DoS (2)
[Diagram: AP, Client, Attacker. Client and AP in Associated State. Stimulus: Req packet with invalid attributes. Disconnection Notification or Response with “Failure” status code.]
Attributes:
• Capabilities
• Basic Rate sets
• Power capabilities element
• Supported channels element
• Invalid IEs
• ….

Stimulus
Reason Codes: 6, 7, 10, 11, 13, 14, 15, 21, 22
Status Codes: 10, 13, 14, 18, 19, 20, 21, 22, 23, 24, 25, 26, 40, 44, 45, 51
Newly introduced reason code in 802.11w: 26: Robust management frame policy violation

Result
Columns: Broadcast MAC as source; Multicast MAC as source; Reassoc Req; Authentication; Assoc Request
DLink, Model No DIR-655, Firmware Ver 1.1 
Linksys, Model No WRT350N, Firmware Ver 
Cisco, Model No AIR-AP1232AG-A-K9, Firmware Ver 12.3(8)JEA3 
Buffalo, Model No WZR-AG300NH, Firmware Ver 1.48 
Madwifi driver with Cisco Aironet a/b/g Card 

Is Cisco MFP also vulnerable to Self DoS?
Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

Example: MFP (L)AP
[Diagram: MFP Client, MFP AP, Attacker.]
• Client and AP in Associated state
• Stimulus: Assoc Req, from Client to AP
• Ignore or Honor Assoc Req Packet? AP has an important decision to make !!!
• Assoc Response: Client ignores unsolicited Association Response
• Data
• Deauthentication: Unprotected “Deauth” ignored by Client
• AP and Client in Deadlock

Example: MFP Client
[Diagram: MFP Client, MFP AP, Attacker.]
• Client and AP in Associated state
• Stimulus: Assoc Response, from AP to Client, Status Code Failure
• Protected Deauthentication, teardown connection
• Association dropped at AP
• Association dropped at Client

The Key Point
• New avenues for launching DoS attacks are possible.
• Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software.
• Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!

Demo


Contact Us
• Md Sohail Ahmad
• Amit Vartak
• J V R Murthy

Stimulus #1
• Input: Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address
• Output: Broadcast Deauthentication generated by AP
• Effect: Associated clients which honor the Broadcast Deauthentication packet disconnect from AP

Stimulus #2
• Input: Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address
• Output: Multicast Deauthentication generated by AP
• Effect: Associated clients honor the Multicast Deauthentication packet and disconnect from AP
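A sensor-side check for Stimulus #1 and #2, added here as an example and not taken from the presentation: a group (broadcast or multicast) address is never a valid source address, so any frame sent to the AP with one can be flagged, and a group-addressed Deauthentication from the AP afterwards is the visible effect. The AP address, function names and sample frames are assumptions constructed for illustration.

```python
import struct

AP_MAC = bytes.fromhex("001122334455")   # hypothetical AP address (assumption)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header (radiotap and FCS already stripped)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": frame[4:10],     # receiver
            "addr2": frame[10:16]}    # transmitter / source on frames sent to the AP

def is_group(addr: bytes) -> bool:
    """I/G bit set: broadcast or multicast. Never valid as a source address."""
    return bool(addr[0] & 0x01)

def scan(frames, ap=AP_MAC):
    """Report group-sourced frames sent to the AP and any group deauth the AP sends afterwards."""
    findings, stimulated = [], False
    for n, raw in enumerate(frames):
        h = parse_header(raw)
        if h["addr1"] == ap and is_group(h["addr2"]):
            kind = "broadcast" if h["addr2"] == b"\xff" * 6 else "multicast"
            findings.append((n, f"{kind} source {mac(h['addr2'])} -> AP"))
            stimulated = True
        elif (stimulated and h["type"] == 0 and h["subtype"] == 12
              and h["addr2"] == ap and is_group(h["addr1"])):
            findings.append((n, f"AP deauth to group address {mac(h['addr1'])}"))
    return findings

# Constructed sample capture (hex of 802.11 headers; not from the presentation)
SAMPLE = [bytes.fromhex(h) for h in (
    "08010000" "001122334455" "00aabbccdd01" "001122334455" "0000",         # normal client data
    "08010000" "001122334455" "ffffffffffff" "001122334455" "0000",         # Stimulus #1 shape
    "c0000000" "ffffffffffff" "001122334455" "001122334455" "0000" "0700",  # AP broadcast deauth
    "08010000" "001122334455" "01005e000001" "001122334455" "0000",         # Stimulus #2 shape
)]

if __name__ == "__main__":
    for index, note in scan(SAMPLE):
        print(index, note)
```

The same `is_group` test on the source address is the input validation an AP implementation can apply before generating any Deauthentication in response.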

Stimulus #3
• Input: Reassociation Request frame with Source MAC address as Client’s MAC address, Destination MAC address as AP MAC address, and current AP MAC as any spoofed non-existent MAC address
• Output: Unicast Deauthentication generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #4
• Input: Association Request frame with spoofed Basic Rate Param, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
• Output: Unicast Deauthentication generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #5
• Input: 4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) and Destination MAC address as AP MAC address
• Output: Deauthentication Frame generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #6
• Input: Association Request frame with spoofed capabilities field, Source MAC address as Client MAC address and Destination MAC address as AP MAC address
• Output: Unicast Deauthentication generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #7
• Input: Authentication frame with invalid Authentication Algorithm sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
• Output: Unicast Deauthentication generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP

Stimulus #8
• Input: Authentication frame with invalid Authentication Transaction sequence number sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address
• Output: Unicast Deauthentication generated by AP
• Effect: Associated client honors the Deauthentication packet and disconnects from AP
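A correlation heuristic for the unicast cases (Stimulus #3, #4, #6, #7 and #8), added here as an example and not taken from the presentation: it alerts when a client that is actively passing data appears to send an Association, Reassociation or Authentication request and the AP answers within a short window by tearing the connection down with one of the codes listed on the "Stimulus" slide. The record layout, addresses, time window and sample log are assumptions constructed for illustration.

```python
from collections import namedtuple

# One decoded frame as a monitor-mode sensor might log it (field names are assumptions)
Frame = namedtuple("Frame", "ts kind src dst code")

AP = "00:11:22:33:44:55"      # hypothetical AP MAC
REQUESTS = {"assoc-req", "reassoc-req", "auth"}
# Reason and status codes as listed on the "Stimulus" slide
REASON_CODES = {6, 7, 10, 11, 13, 14, 15, 21, 22}
STATUS_CODES = {10, 13, 14, 18, 19, 20, 21, 22, 23, 24, 25, 26, 40, 44, 45, 51}
WINDOW = 1.0                  # max seconds from request to AP reaction (assumed threshold)

def is_teardown(f):
    if f.kind in ("deauth", "disassoc"):
        return f.code in REASON_CODES
    return f.kind in ("assoc-resp", "reassoc-resp") and f.code in STATUS_CODES

def find_self_dos(frames, ap=AP, window=WINDOW):
    """Alert when the AP tears down an active client right after a request in that client's name."""
    active, pending, alerts = set(), {}, []
    for f in sorted(frames, key=lambda f: f.ts):
        if f.kind == "data" and f.dst == ap:
            active.add(f.src)                       # client is passing traffic
        elif f.kind in REQUESTS and f.dst == ap and f.src in active:
            pending[f.src] = f                      # request while already connected
        elif f.src == ap and f.dst in pending and is_teardown(f):
            req = pending.pop(f.dst)
            if f.ts - req.ts <= window:
                alerts.append((f.dst, req.kind, f.kind, f.code))
            active.discard(f.dst)
    return alerts

# Constructed sample log (not from the presentation)
C1, C2, C3 = "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03"
SAMPLE = [
    Frame(0.0, "data", C1, AP, None), Frame(0.1, "data", C2, AP, None),
    Frame(0.2, "data", C3, AP, None),
    Frame(5.00, "assoc-req", C1, AP, None),         # request in C1's name mid-session
    Frame(5.01, "deauth", AP, C1, 6),               # AP reacts by disconnecting C1
    Frame(6.00, "reassoc-req", C3, AP, None),
    Frame(6.01, "reassoc-resp", AP, C3, 0),         # status 0 = success, no alert
    Frame(9.00, "deauth", AP, C2, 4),               # no preceding request, no alert
]
```

On the sample log only C1 is reported; the successful reassociation of C3 and the unrelated deauthentication of C2 are ignored.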