ATTACK
At Black Hat 2002, a presentation was given that discussed a particular Linux 802.11b driver called AirJack. It's quite nice, and the author even provided a few tools for the curious, as a platform for experimentation. One of these tools allowed the user to kick everyone off an access point, for as long as she wished.
This is, of course, a Very Bad Thing(TM).
DefCon 11 saw a new version of AirJack made available, which means someone, somewhere, is going to get mischievous and find or write a tool that'll do what I just described. In fact, it's a safe bet that several such tools already exist.
How does it work? Simple: 802.11a/b/g has no Layer 2 (frame-level) authentication. Management frames carry a source address and a BSSID, but nothing that proves who actually sent them. This means that anyone can pretend to be your access point. This, in turn, means anyone can easily perpetrate a MitM attack, or a DoS.
How does an 802.11a/b/g DoS work? Again, simple: You pretend to be the user's access point by writing the AP's BSSID into the source and BSSID fields, then you send the user disassociation/deauthentication frames in rapid succession. Since the user's card can't distinguish your frames from the valid AP's, the user drops the wireless connection, and keeps dropping it as long as you keep sending.
Fun, huh?
DEFENSE
There's not much defense from this, as there's really no way to distinguish the attacker from your valid AP. There are a few things you can do, however. I'll list them in order of effectiveness, from most to least effective:

1. Hack your wireless driver to ignore all disassociation/deauthentication requests from the AP. (The cost: your card also ignores a legitimate deauthentication from the real AP, so it won't learn it has been dropped until its data frames go unanswered.)
2. Hack your wireless driver to ignore all disassociation/deauthentication requests sent to a broadcast address.
3. Examine the tool's traffic, isolate a fingerprint, then filter any and all frames containing said fingerprint.
I list fingerprinting last because it's the method most easily subverted, and most likely to give the user a false sense of security. At least with method #2, you know you're going to miss any packets sent directly to you rather than the broadcast address. With method #3, you get warm fuzzies thinking you've bested the tool-writer, only to discover later someone tweaked a byte or two and your fingerprint's worthless.
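To make the attack in the ATTACK section and the three defenses above concrete, here is an added example (my own code, not AirJack's and not any tool from the original page). It builds raw 802.11 deauthentication frames with a spoofed BSSID, feeds them to a simulated client, and applies each defense as an accept/drop predicate so you can see exactly which floods each one stops. The MAC addresses, the "tool" that repeats one identical frame, and the four-byte fingerprint for that tool are all constructed for the example; nothing is transmitted over the air.

```python
import struct

# 802.11 management-frame subtypes (type 0) that tear down a client's session.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = b"\xff" * 6
MGMT_HDR = "<HH6s6s6sH"  # frame control, duration, addr1, addr2, addr3, sequence control

# Constructed addresses for this example (02: prefix = locally administered).
CLIENT = bytes.fromhex("020000000001")
AP_BSSID = bytes.fromhex("0200000000aa")


def build_mgmt_frame(subtype, dst, src, bssid, body, seq=0):
    """Assemble a management frame (no FCS). Nothing in the header is
    authenticated, so src/bssid are whatever the sender chooses to write."""
    frame_control = (subtype & 0xF) << 4  # protocol version 0, type 0 (management)
    header = struct.pack(MGMT_HDR, frame_control, 0, dst, src, bssid, (seq & 0xFFF) << 4)
    return header + body


def build_deauth(dst, bssid, reason=7, seq=0):
    """Deauthentication frame that claims to come from `bssid`.
    Reason 7 = class 3 frame received from a nonassociated station."""
    return build_mgmt_frame(SUBTYPE_DEAUTH, dst, bssid, bssid, struct.pack("<H", reason), seq)


def parse_frame(frame):
    fc, _duration, a1, a2, a3, seqctl = struct.unpack_from(MGMT_HDR, frame, 0)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": a1,  # receiver
        "addr2": a2,  # transmitter (the spoofed AP)
        "addr3": a3,  # BSSID
        "seq": seqctl >> 4,
        "body": frame[24:],
    }


def is_teardown(f):
    return f["type"] == 0 and f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def tool_flood(dst, bssid, count, reason=7):
    """Hypothetical flood tool: the same spoofed deauth, repeated `count` times.
    It never varies the sequence number or the reason code."""
    return [build_deauth(dst, bssid, reason=reason, seq=0) for _ in range(count)]


# --- Client side: the three defenses from the text, as accept/drop predicates ---

def accept_everything(frame):  # a stock driver
    return True


def defense_ignore_all_teardowns(frame):  # method 1
    return not is_teardown(parse_frame(frame))


def defense_ignore_broadcast_teardowns(frame):  # method 2
    f = parse_frame(frame)
    return not (is_teardown(f) and f["addr1"] == BROADCAST)


# Hypothetical fingerprint for the tool above: sequence control 0 immediately
# followed by reason code 7 (the last two header bytes plus the two-byte body).
TOOL_FINGERPRINT = b"\x00\x00\x07\x00"


def defense_fingerprint(frame, fingerprint=TOOL_FINGERPRINT):  # method 3
    return fingerprint not in frame


def client_survives(client, bssid, frames, accept):
    """Feed frames to a client that honors any deauth/disassoc addressed to it
    (or to broadcast) from its own BSSID. Matching the BSSID is all a client can
    check, and the attacker fills in that field freely."""
    for frame in frames:
        f = parse_frame(frame)
        if not is_teardown(f) or f["addr3"] != bssid:
            continue
        if f["addr1"] not in (client, BROADCAST):
            continue
        if accept(frame):
            return False  # session torn down
    return True


if __name__ == "__main__":
    unicast = tool_flood(CLIENT, AP_BSSID, 5)
    broadcast = tool_flood(BROADCAST, AP_BSSID, 5)
    tweaked = tool_flood(CLIENT, AP_BSSID, 5, reason=1)  # attacker changed one byte
    for name, accept in [("no defense", accept_everything),
                         ("method 1", defense_ignore_all_teardowns),
                         ("method 2", defense_ignore_broadcast_teardowns),
                         ("method 3", defense_fingerprint)]:
        print(name, "unicast:", client_survives(CLIENT, AP_BSSID, unicast, accept),
              "broadcast:", client_survives(CLIENT, AP_BSSID, broadcast, accept),
              "tweaked:", client_survives(CLIENT, AP_BSSID, tweaked, accept))
```

Running it shows the ordering the text gives: method 1 survives every flood, method 2 survives only the broadcast flood, and method 3 survives the unmodified tool but falls over the moment the reason code is changed from 7 to 1, because the fingerprint was tied to bytes the attacker controls.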