Denial of Service
A denial of service (DoS) occurs when a system is
not providing services to authorized clients because of resource exhaustion by
unauthorized clients. In wireless networks, DoS attacks are difficult to
prevent and difficult to stop once under way, and the victim and its clients
may not even detect them. The duration of such a DoS may range from
milliseconds to hours. A DoS attack against an individual station enables
session hijacking.
A number of consumer appliances such as microwave ovens, baby
monitors, and cordless phones operate on the unregulated 2.4 GHz radio
frequency. An attacker can unleash large amounts of noise using these devices
and jam the airwaves so that the signal-to-noise ratio drops so low that the
wireless LAN ceases to function. The only solution to this is RF-proofing
the surrounding environment.
The AP inserts the data supplied by the station in the Association
Request into a table called the association table that the AP
maintains in its memory. The IEEE 802.11 standard specifies a maximum of
2007 concurrent associations to an AP. The actual size of this table
varies among different models of APs. When this table overflows, the AP
refuses further clients.
Having cracked WEP, an attacker authenticates several non-existing
stations using legitimate-looking but randomly generated MAC
addresses. The attacker then sends a flood of spoofed associate requests
so that the association table overflows.
Enabling MAC filtering in the AP will prevent this attack.
The attacker sends a spoofed Disassociation frame where the source
MAC address is set to that of the AP. The station is still authenticated and
needs only to reassociate, so it sends Reassociation Requests to the AP. The
AP may send a Reassociation Response accepting the station, and the station can
then resume sending data. To prevent reassociation, the attacker continues to
send Disassociation frames for a desired period.
The attacker monitors all raw frames collecting the source and
destination MAC addresses to verify that they are among the targeted
victims. When a data or Association Response frame is observed, the
attacker sends a spoofed Deauthentication frame where the source MAC address is
spoofed to that of the AP. The station is now unassociated and
unauthenticated, and needs to reconnect. To prevent a reconnection, the
attacker continues to send Deauthentication frames for a desired period.
The attacker may even rate-limit the Deauthentication frames to avoid
overloading an already congested network.
The spoofed Disassociation and Deauthentication frames are sent
directly to the client, so they will not be logged by the AP or IDS, and
neither MAC filtering nor WEP protection will prevent them.
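
A sensor capturing in monitor mode within radio range of the stations can still observe these frames. As an added example (not code from the original post), the Python below parses raw 802.11 management headers and flags a repeated run of Disassociation or Deauthentication frames to one station, including a paced run; the window, threshold, MAC addresses and sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

SUBTYPES = {10: "disassoc", 12: "deauth"}   # 802.11 management subtypes

def parse_mgmt(frame):
    """Return (kind, dst, src) for a Disassociation/Deauthentication frame, else None."""
    if len(frame) < 24:                      # shorter than a management MAC header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    # Addr1 = destination (bytes 4-9), Addr2 = claimed source (bytes 10-15)
    return SUBTYPES[subtype], frame[4:10].hex(":"), frame[10:16].hex(":")

def detect_floods(capture, window=10.0, threshold=5):
    """capture: time-ordered (timestamp, raw_frame) pairs. Alert once per
    (kind, dst, src) seen at least `threshold` times within `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in capture:
        key = parse_mgmt(raw)
        if key is None:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"kind": key[0], "dst": key[1], "src": key[2],
                           "count": len(q), "at": ts})
    return alerts

# --- constructed sample data (MAC addresses are made up) ---
AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"

def build(subtype, dst, src, reason=7):
    """Build a minimal management frame: FC, duration, DA, SA, BSSID, seq, reason."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<BBH", subtype << 4, 0, 0) + raw(dst) + raw(src)
            + raw(src) + struct.pack("<HH", 0, reason))

def sample_capture():
    frames = [(float(t), build(12, STA_A, AP)) for t in range(0, 12, 2)]  # paced deauths
    frames.append((3.0, build(10, STA_B, AP)))        # a single disassociation
    frames.append((1.0, b"\x08\x00" + bytes(22)))     # data frame, ignored
    return sorted(frames, key=lambda f: f[0])

if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

The detector keys on the claimed source address, so it cannot tell a spoofed frame from a genuine one; it flags the repetition that a sustained attack requires.
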
Power conservation is important for typical station laptops, so
they frequently enter an 802.11 state called Doze. An attacker can steal
packets intended for a station while the station is in the Doze state.
The 802.11 protocol requires a station to inform the AP through a
successful frame exchange that it wishes to enter the Doze state from the
Active state.
Periodically the station awakens and sends a PS-Poll frame to the
AP. The AP will transmit in response the packets that were buffered for the
station while it was dozing. This polling frame can be spoofed by an attacker
causing the AP to send the collected packets and flush its internal
buffers. An attacker can repeat these polling messages so that when the
legitimate station periodically awakens and polls, the AP will inform it that
there are no pending packets.