[MLB-WIRELESS] FW: 802.11b DoS exploit

Michael O'Brien michael.obrien at logicacmg.com
Wed Mar 12 12:23:48 EST 2003


Thought this was interesting

-----Original Message-----
From: Mark Osborne [mailto:mark at loud-fat-bloke.co.uk]
Sent: Wednesday, 12 March 2003 9:27 AM
To: bugtraq at securityfocus.com
Subject: 802.11b DoS exploit


While working to develop code for WIDZ that is equivalent to a standard Intrusion Detection system's RESET or SHUN functionality, an effective 802.11b disruption of service attack has been discovered.  I haven't spotted any other postings so here we go....



FATA-jack - a modified version of the Wlan-jack, Fata-jack sends Authentication-Failed packets (with a reason code of previous authentication failed) to a Wireless client PC.  The source and destination MACs have been spoofed so as to appear to come from the Access-point.  The original Wlan-jack code rate of transmission has been significantly reduced to a meagre rate of 1 every 2.5 seconds, so as to avoid any flood effect.



In limited tests on multiple operating systems including Windows98, Windows ME and Linux, FATA-jack effectively tears down any active session and in many cases causes the client driver or client software to fail, requiring a reboot.



Apart from being an extremely lethal DoS attack, FATA-jack is significant for a number of reasons:



- As the transmission rate is very low, it is easy to see how a low-spec PC and a standard 802.11 card could disable a large wireless network.



- As the malevolent packets are sent directly to the client, these will not be picked up by logging functionality on the AP (if you have any) - this highlights the need for Wireless IDS.



- As the malevolent packets are spoofed AND sent directly to client, MAC protection or WEP protection will not prevent it.



- Some workmates have suggested that it could be used to cause IVs/WEP keys to be cycled.  This would significantly reduce the time for a WEP cracking exercise. This is yet to be verified.



To unsubscribe: send mail to majordomo at wireless.org.au
with "unsubscribe melbwireless" in the body of the message
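
The following Python detector is an added example, not code from the original post or from WIDZ. It shows the kind of check a wireless IDS sensor can make for the traffic described above: a failed-authentication frame that claims to come from the AP and targets a client already passing data through that AP. It assumes raw 802.11 frames with no radiotap header or FCS; the MAC addresses, helper names and sample capture are constructed.

```python
import struct

MGMT, DATA, SUBTYPE_AUTH = 0, 2, 11   # 802.11 frame type / subtype values

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(frame):
    """Return the header fields we need, or None if the frame is too short."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    f = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4,
         "to_ds": bool(flags & 1), "from_ds": bool(flags & 2),
         "a1": mac(frame[4:10]), "a2": mac(frame[10:16]), "a3": mac(frame[16:22])}
    if f["type"] == MGMT and f["subtype"] == SUBTYPE_AUTH and len(frame) >= 30:
        # Auth body: algorithm, transaction sequence, status (little-endian)
        f["status"] = struct.unpack_from("<H", frame, 28)[0]
    return f

def detect(capture):
    """capture: iterable of (timestamp, frame bytes). Returns a list of alerts."""
    active = {}   # client MAC -> BSSID it was last seen sending data through
    alerts = []
    for ts, raw in capture:
        f = parse(raw)
        if f is None:
            continue
        if f["type"] == DATA and f["to_ds"] and not f["from_ds"]:
            active[f["a2"]] = f["a1"]   # client -> AP data: session is live
        elif f.get("status"):
            # Non-zero status, sender address equals the BSSID, and the
            # receiver already has a live session with that same BSSID.
            if f["a2"] == f["a3"] and active.get(f["a1"]) == f["a2"]:
                alerts.append((ts, f["a1"], f["a2"], f["status"]))
    return alerts

def _frame(fc0, flags, a1, a2, a3, body=b""):
    """Build a constructed sample frame: 24-byte header plus body."""
    h = bytes.fromhex
    return bytes([fc0, flags, 0, 0]) + h(a1) + h(a2) + h(a3) + b"\x00\x00" + body

# Constructed sample capture (not real traffic)
AP, STA = "00aabbccdd01", "00aabbccdd02"
SAMPLE = [
    (0.0, _frame(0x08, 0x01, AP, STA, AP, b"payload")),                  # client data via AP
    (2.5, _frame(0xB0, 0x00, STA, AP, AP, struct.pack("<HHH", 0, 2, 1))),  # failed auth "from AP"
    (5.0, _frame(0xB0, 0x00, STA, AP, AP, struct.pack("<HHH", 0, 2, 0))),  # successful auth
]
```

Because the sender address is spoofed, the check relies on session state seen by the sensor rather than on the MAC address alone.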


