[MLB-WIRELESS] FW: 802.11b DoS exploit
Jason Tedesco
jtedesco at request.com.au
Wed Mar 12 10:05:23 EST 2003
Sorry for the repost if your on both lists.
-----Original Message-----
From: Mark Osborne [mailto:mark at loud-fat-bloke.co.uk]
Sent: Wednesday, 12 March 2003 09:27
To: bugtraq at securityfocus.com
Subject: 802.11b DoS exploit
While working to develop code for WIDZ that is equivalent to a standard
Intrusion Detection system's RESET or SHUN functionality, an effective
802.11b disruption of service attack has been discovered. I haven't
spotted any other postings so here we go....
FATA-jack - a modified version of the Wlan-jack, Fata-jack sends an
Authentication-Failed packets (with a reason code of previous
authentication failed) to a Wireless client PC. The source and
destination macs have been spoofed so as to appear to come from the Access-
point. The original Wlan-jack code rate of transmission has been
significantly reduced to a meagre rate of 1 every 2.5 seconds, so as to
avoid any flood effect.
In limited tests on multiple operating systems including Windows98,
Windows ME and Linux, FATA-jack effectively tears down any active session
and in many cases causing the client driver or client software to fail
requiring a reboot.
Apart from being an extremely lethal DoS attack, FATA-jack is significant
for a number of reasons:
-As the transmission rate is very low, it is easy to see how a low-spec PC
and a standard 802.11 card could disable a large wireless network.
-As the malevolent packet are sent directly to the client these will not
picked-up by logging functionality on the AP (if you have any) - this
highlights the need for Wireless IDS.
-As the malevolent packets are spoofed AND sent directly to client MAC
protection or WEP protection will not prevent it.
-Some workmates have suggested that it could be used to cause IVs/WEP keys
to be cycled. This would significantly reduce the time for a WEP cracking
exercise. This is yet to be verified.
To unsubscribe: send mail to majordomo at wireless.org.au
with "unsubscribe melbwireless" in the body of the message
More information about the Melbwireless
mailing list