Presentation is loading. Please wait.

Presentation is loading. Please wait.

Autoimmunity Disorder in Wireless LANs By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks.

Published byBryan Hubbard Modified over 9 years ago

Similar presentations

Presentation on theme: "Autoimmunity Disorder in Wireless LANs By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks."— Presentation transcript:

1 Autoimmunity Disorder in Wireless LANs By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks

2 August 9, 2008 DefCon 16 Immune system foreign bodies Purpose of the immune system is to defend against attacks from germs, viruses & foreign bodies Purpose of WLAN system software is to defend against attacks from intruders and hackers Biological Systems Vs WLAN Systems: Similarities Biological systemsWireless LAN systems Built-in Security software Attacker

3 August 9, 2008 DefCon 16 Immune system foreign bodies When immune system mistakenly attacks & destroys healthy body tissues When AP mistakenly attacks and destroys legitimate client connections Autoimmunity Disorder Biological systemsWireless LAN systems Built-in Security software Attacker

4 August 9, 2008 DefCon 16 What’s Well Known -- DoS from an External Source  It is well known that by sending spoofed De-authentication or Dis- association packets it is possible to break connections. AP Client Attacker DoS Attack Launched on CL DoS Attack launched on AP Connection Breaks

5 August 9, 2008 DefCon 16 What’s New – Self DoS Triggered by an External Stimulus  There exist mal-formed packets whose injection can turn an AP into a connection killing machine AP ClientAttacker Stimulus Self DoS

6 August 9, 2008 DefCon 16 Example of Self DoS (1) APClient Broadcast Disconnection Notification from AP Attacker

7 August 9, 2008 DefCon 16 Result Broadcast MAC as source Multicast MAC as source DLink, Model No DIR-655, Firmware Ver 1.1  Linksys Model No WRT350N, Firmware Ver 1.0.3.7 Cisco Model No AIR- AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3 Buffalo Model No-WZR- AG300NH, Firmware ver 1.48  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card 

8 August 9, 2008 DefCon 16 Example of Self DoS (2) APClient Disconnection Notification or Response with “Failure” status code Client and AP in Associated State Attacker Stimulus: Req packet with invalid attributes Attributes: Capabilities Basic Rate sets Power capabilities element Supported channels element Invalid IEs ….

9 August 9, 2008 DefCon 16 Stimulus Reason Codes Status Codes 6,7,10,11,13,14,15,21,22 10,13,14,18,19, 20,21,22,2 3,24,25,26,40,44,45,51 Newly introduced reason code in 802.11w 26: Robust management frame policy violation

10 August 9, 2008 DefCon 16 Result Broadcast MAC as source Multicast MAC as source Reassoc Req Authentic ation Assoc Request DLink, Model No DIR-655, Firmware Ver 1.1  Linksys Model No WRT350N, Firmware Ver 1.0.3.7  Cisco Model No AIR- AP1232AG-A-K9 Firmware Ver 12.3(8)JEA3  Buffalo Model No-WZR- AG300NH, Firmware ver 1.48  Madwifi-0.9.4 driver with Cisco Aironet a/b/g Card 

11 August 9, 2008 DefCon 16 Is Cisco MFP also vulnerable to Self DoS ? Think of Cisco MFP (802.11w) as the latest and greatest immune system which is supposed to make WLANs totally attack resistant.

12 August 9, 2008 DefCon 16 Example: MFP (L)AP Client and AP in Associated state MFP ClientMFP AP Stimulus:Assoc Req, from Client to AP Attacker Ignore or Honor Assoc Req Packet ? Assoc Response Client ignores unsolicited Association Response AP has an important decision to make !!! Data Deauthentication Uprotected “Deauth” ignored by Client AP and Client in Deadlock

13 August 9, 2008 DefCon 16 Example: MFP Client Client and AP in Associated state MFP ClientMFP AP Stimulus:Assoc Response, from AP to Client, Status Code Failure Attacker Protected Deauthentication, teardown connection Association dropped at AP Association dropped at Client

14 August 9, 2008 DefCon 16 The Key Point New avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point software. Even with MFP (11w) protection DoS vulnerabilities could not be completely eliminated. Currently available MFP implementations were found vulnerable!

15 August 9, 2008 DefCon 16 Demo

16 August 9, 2008 DefCon 16 References  www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf www.cs.ucsd.edu/users/savage/papers/UsenixSec03.pdf  http://en.wikipedia.org/wiki/IEEE_802.11w http://en.wikipedia.org/wiki/IEEE_802.11w  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configur ation_example09186a008080dc8c.shtml http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configur ation_example09186a008080dc8c.shtml  IEEE Std 802.11™-2007 (Revision of IEEE Std 802.11-1999 )  IEEE P802.11w™/D5.0, February 2008

17 August 9, 2008 DefCon 16 Contact Us  Md Sohail Ahmad md.ahmad@airtightnetworks.com  Amit Vartak amit.vartak@airtightnetworks.com  J V R Murthy murthy.jvr@airtightnetworks.com

18 August 9, 2008 DefCon 16 Stimulus #1  Input : Class 2 or 3 frame with Source MAC as Broadcast MAC address (FF:FF:FF:FF:FF:FF) and Destination MAC address as AP MAC address  Output: Broadcast Deauthentication generated by AP  Effect: Associated clients which honor Broadcast Deauthentication packet, disconnect from AP Stimulus #2  Input : Class 2 or 3 frame with Source MAC as Multicast MAC address (01:XX:XX:XX:XX:XX) and Destination MAC address as AP MAC address  Output: Multicast Deauthentication generated by AP  Effect: Associated clients honor Multicast Deauthentication packet and disconnect from AP

19 August 9, 2008 DefCon 16 Stimulus #3  Input : Reassociation Request frame with Source MAC address as Client’s MAC address and Destination MAC address as APMAC address and current AP MAC as any spoofed non-existent MAC address  Output: Unicast Deauthentication generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP Stimulus #4  Input : Association Request frame with spoofed Basic Rate Param and Source MAC address as Client MAC address and Destination MAC address as AP MAC address  Output: Unicast Deauthentication generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP

20 August 9, 2008 DefCon 16 Stimulus #5  Input : 4 MAC address DATA frame with Source MAC as victim’s Client MAC address (or Broadcast MAC) Destination MAC address as AP MAC address  Output: Deauthentication Frame generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP Stimulus #6  Input : Association Request frame with spoofed capabilities field and Source MAC address as Client MAC address and Destination MAC address as AP MAC address  Output: Unicast Deauthentication generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP

21 August 9, 2008 DefCon 16 Stimulus #7  Input : Authentication frame with invalid Authentication Algorithm sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address  Output: Unicast Deauthentication generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP Stimulus #8  Input : Authentication frame with invalid Authentication Transaction sequence number sent to AP with Source MAC as Client’s MAC address and Destination MAC address as AP MAC address  Output: Unicast Deauthentication generated by AP  Effect: Associated client honor Deauthentication packet and disconnect from AP

Download ppt "Autoimmunity Disorder in Wireless LANs By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks."

Similar presentations

802.11 Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC

Networks: hotspot security Nguyen Dinh Thuc University of Science, HCMC
Doc.: IEEE 802.11-07/2441r2 Submission SA Teardown Protection for 802.11w Date: 2007-11-05.

Doc.: IEEE /2441r2 Submission SA Teardown Protection for w Date:
Wireless Cracking By: Christopher Zacky.

Wireless Cracking By: Christopher Zacky.
Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.

Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.

Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Configure a Wireless Router LAN Switching and Wireless – Chapter 7.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Configure a Wireless Router LAN Switching and Wireless – Chapter 7.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
John Bellardo Stefan Savage Presented by: Hal Lindsey

John Bellardo Stefan Savage Presented by: Hal Lindsey
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
CSEE W4140 Networking Laboratory

CSEE W4140 Networking Laboratory
Distributed systems Module 1 -Basic networking Teaching unit 1 – LAN standards Ernesto Damiani University of Bozen-Bolzano Lesson 4 – Ethernet frame.

Distributed systems Module 1 -Basic networking Teaching unit 1 – LAN standards Ernesto Damiani University of Bozen-Bolzano Lesson 4 – Ethernet frame.

Similar presentations

Ads by Google