802.11 Denial Of Service Andrew Taylor

Upload: guadalupe-damon

Post on 30-Mar-2015


Page 1: Andrew Taylor. Electronic/Phy layer Overpowering, modulation techniques Management Frame DoS i.e. RTS/CTS Application Specific Application layer vulnerabilities

802.11 Denial Of Service

Andrew Taylor


Types of DoS

• Electronic/PHY layer: overpowering, modulation techniques
• Management frame DoS, i.e. RTS/CTS
• Application specific: application layer vulnerabilities


Low level interference

Quick interference recap:
• Any type of interference is bad with 802.11g/a due to QPSK
• Error correction/retransmission has a hard time keeping up under load.


Causing Interference

• Directional antenna
• High power output
• FCC PtoP: over 4 watts if directional antenna gain is greater than 6 dBi
• Legal attacks within FCC range
• Determined attackers won't care about FCC restrictions


Higher Layer Attacks

• RTS/CTS
• 802.11 ACK (with large duration value)
• Attack when the AP is using RTS/CTS, made by modifying the NAV to force a clear medium for an extended period of time.


RTS/CTS Attack Cont.

• Maximum NAV value is ~32 milliseconds.
• An attacker need only transmit 30 times a second for full medium denial.
• RTS/CTS is not authenticated.
• Requires correct firmware/hardware to disregard standards. (AUX port)
• Some clients disregard standards
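As an added example (not part of the original slides), here is one way a monitoring sensor could spot the oversized-duration behaviour described above: it parses the Duration field of RTS/CTS/ACK frames and measures how much of the capture window those frames reserve through the NAV. The caps in `CAP_US`, the helper names, and the sample captures are assumptions constructed for illustration; the ACK cap of 0 assumes the network does not use fragmentation.

```python
import struct

SUBTYPES = {0xB: "RTS", 0xC: "CTS", 0xD: "ACK"}   # control-frame subtypes
# Assumed policy caps (microseconds); ACK cap of 0 assumes no fragmentation in use.
CAP_US = {"RTS": 3000, "CTS": 3000, "ACK": 0}

def parse_control(frame):
    """Return (subtype_name, duration_us) for an RTS/CTS/ACK frame, else None."""
    if len(frame) < 10:                      # Frame Control + Duration + RA
        return None
    fc, dur = struct.unpack_from("<HH", frame)
    if (fc >> 2) & 0x3 != 1:                 # type bits: 1 == control
        return None
    name = SUBTYPES.get((fc >> 4) & 0xF)
    if name is None or dur & 0x8000:         # bit 15 set: field is not a duration
        return None
    return name, dur

def analyse(capture):
    """capture: time-sorted [(timestamp_us, raw_frame)] -> (alerts, nav_fraction)."""
    if len(capture) < 2:
        return [], 0.0
    start, end = capture[0][0], capture[-1][0]
    alerts, busy_until, reserved = [], start, 0
    for ts, raw in capture:
        parsed = parse_control(raw)
        if parsed is None:
            continue
        name, dur = parsed
        if dur > CAP_US[name]:
            alerts.append((ts, name, dur))
        # Add only the part of this reservation not already covered (NAV union).
        lo, hi = max(ts, busy_until), min(ts + dur, end)
        if hi > lo:
            reserved += hi - lo
            busy_until = hi
    return alerts, reserved / (end - start) if end > start else 0.0

def make_frame(subtype, dur):
    """Constructed sample frame: header fields plus a made-up receiver address."""
    return struct.pack("<HH", (subtype << 4) | (1 << 2), dur) + bytes.fromhex("020000000001")

# Constructed captures covering ~1 s: ordinary CTS traffic vs. maximum-duration CTS.
NORMAL = [(i * 10_000, make_frame(0xC, 250)) for i in range(100)]
FLOOD = [(i * 33_000, make_frame(0xC, 32767)) for i in range(31)]

if __name__ == "__main__":
    for label, cap in (("normal", NORMAL), ("flood", FLOOD)):
        alerts, frac = analyse(cap)
        print(f"{label}: {len(alerts)} alerts, NAV reserves {frac:.1%} of window")
```

On the constructed data, the ordinary traffic reserves a few percent of the window while roughly 30 maximum-duration frames per second reserve nearly all of it, which is the arithmetic behind the slide's "30 times a second" figure.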


Application Layer Vulnerabilities

New ones coming out all the time, vendor specific.

A recent Cisco vulnerability allows a reload of the system when a malformed POST is sent to the login page of the web administration.

Patching systems and employing other means of security is the only way to be sure.


Questions?


Sources

ARRL. (n.d.). Amateur Radio Service. Retrieved March 2009, from http://www.arrl.org/FandES/field/regulations/news/part97/

Cisco Systems. (2009, February 04). Cisco Security Center. Retrieved March 12, 2009, from http://tools.cisco.com/security/center/viewAlert.x?alertId=16321

John Bellardo, S. S. (2002). 802.11 Denial-of-Service Attacks. Retrieved March 2009, from http://www-cse.ucsd.edu/~savage/papers/UsenixSec03.pdf