All available network bandwidth may be easily consumed by DoS and DDoS attacks,
whether the network is wired or wireless.
The network clients count on the ability to access network resources. It is
generally easier to perform a DoS attack on a wireless network than it is on a
wired one. 802.11 networks broadcast data over a limited range of radio
frequencies. All wireless networks within range compete for those frequencies.
Attackers can take advantage of this fact by creating signals which saturate the
network resources. This can be done with a powerful transmitter that broadcasts
interfering signals or by low-tech approaches to RF-jamming like placing metal
objects in microwaves that use the same frequency.
Other attacks can be performed at the link layer with disassociation and
deauthentication frames that control the communication. If such frames were
spoofed, connections could be manipulated without consent. Programs such as
FakeAP (http://www.blackalchemy.to/project/fakeap), Void11
(http://forum.defcon.org/showthread.php?t=1427), and File2air
(http://sourceforge.net/mailarchive/forum.php?thread_id=3164707&forum_id=34085)
perform such attacks.
One strategy would be to send an authentication frame with an unrecognizable
format which would cause the client to become unauthenticated because the
access point would be confused. This attack has been implemented in the tool
fata_jack (http://www.networkchemistry.com/news/whitepaper.pdf) which is meant
to be used with AirJack (http://sourceforge.net/projects/airjack/). It sends an
authentication frame to the access point with the sequence number and the
status code both set to 0xFFFF. This frame is spoofed so that the access point
believes it comes from a node that has already connected. This results in a
fractured connection. If this attack is repeated, the real client will no
longer have the ability to connect to the access point.
When a wireless client associates and authenticates with the access point, the
access point must store information about the client in an internal state
table. This includes the client's MAC address, IP address, etc. Since the
memory of the access point is finite, it is possible to fake enough connections
that the state table overflows. Depending on the access point, this could
produce a crash or lock-up thereby blocking legitimate future authentications.
Either way the attacker has successfully terminated the wireless connection.
Joshua Wright wrote a Perl script called macfld.pl
(http://home.jwu.edu/jwright/perl.htm) that will perform this attack. It works
by flooding the access point with a large number of MAC addresses.
Before WPA was implemented, the way that 802.11 checked the integrity of the
packets that were received was through the CRC. If the CRC didn't match the
value that was calculated by the wireless device, the packet was dropped. If,
on the other hand, the packet was received correctly, an acknowledgement frame
was sent so the sender could delete the transmitted frame from its send queue.
This can be exploited by cor-
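A monitoring sensor can watch for two of the conditions described above: an authentication frame whose sequence number and status code are both 0xFFFF, and a burst of previously unseen MAC addresses aimed at one access point. The Python detector below is an added example, not code from the original text or from any of the tools it names; it assumes raw 802.11 management frames without a radiotap header or FCS, and the thresholds, helper names and addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

AUTH, ASSOC_REQ = 0xB, 0x0   # 802.11 management frame subtypes

def parse_mgmt(raw):
    """Parse a raw 802.11 management frame (assumed: no radiotap, no FCS)."""
    if len(raw) < 24:                  # fixed management header is 24 bytes
        return None
    if (raw[0] >> 2) & 0x3 != 0:       # frame type 0 = management
        return None
    return {"subtype": raw[0] >> 4, "dst": raw[4:10].hex(":"),
            "src": raw[10:16].hex(":"), "bssid": raw[16:22].hex(":"),
            "body": raw[24:]}

def detect(capture, window=1.0, max_new_macs=20):
    """capture: iterable of (timestamp, raw_frame). Returns a list of alerts."""
    alerts, seen, flooded = [], defaultdict(list), set()
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f is None or f["subtype"] not in (AUTH, ASSOC_REQ):
            continue
        if f["subtype"] == AUTH and len(f["body"]) >= 6:
            # Auth body: algorithm, transaction sequence, status (little-endian)
            _alg, seq, status = struct.unpack_from("<HHH", f["body"])
            if seq == 0xFFFF and status == 0xFFFF:
                alerts.append(("malformed-auth", f["src"], f["bssid"]))
        # State-table flood: many distinct stations contacting one AP quickly.
        hist = seen[f["bssid"]]
        hist.append((ts, f["src"]))
        hist[:] = [(t, s) for t, s in hist if ts - t <= window]
        if len({s for _, s in hist}) > max_new_macs and f["bssid"] not in flooded:
            flooded.add(f["bssid"])
            alerts.append(("mac-flood", None, f["bssid"]))
    return alerts

def build(subtype, dst, src, bssid, body=b""):
    """Assemble sample frame bytes in memory (constructed test data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + mac(dst) + mac(src)
            + mac(bssid) + b"\x00\x00" + body)

AP = "02:00:00:00:00:01"   # constructed, locally administered addresses
STA = "02:00:00:00:00:aa"
SAMPLE = [(0.0, build(AUTH, AP, STA, AP, struct.pack("<HHH", 0, 1, 0))),
          (0.1, build(AUTH, AP, STA, AP, struct.pack("<HHH", 0, 0xFFFF, 0xFFFF)))]
SAMPLE += [(0.2 + i / 1000, build(AUTH, AP, "02:00:00:00:01:%02x" % i, AP,
                                  struct.pack("<HHH", 0, 1, 0))) for i in range(30)]
```

Running `detect(SAMPLE)` reports the malformed authentication frame once and the flood against the sample access point once; in a real deployment the window and MAC threshold need tuning to the normal join rate of the network.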