Tuesday, 19 February 2008
This article is presented as part of hacking + solution track for Wireless Security Expo 2008. The hacking video is available here hxxp://www.cwnp.com/learning_center/video_deauth.html
Deauthentication is the most common form of 802.11 protocol denial-of-service (DoS) attack. After watching the Deauthentication video, you can see that performing this type of attack takes seconds using common and user-friendly software and hardware, can wreak havoc on a network, and can be used as part of other types of wireless network attacks. Deauthentication frames are considered notifications, not requests, which means any associated station or AP that receives a deauthentication frame must comply.
802.11 stations must authenticate themselves through "Open System Authentication" prior to requesting a connection. Following successful authentication (consisting of two acknowledged authentication frames), the client station will then request association (connectivity). The association request frame is followed by an association response frame. Each of these frames are also acknowledged.
The next steps depend on the type of security in use on the WLAN and determine just how intrusive a deauthentication attack will be. If the WLAN is using only Open System authentication, then a deauthentication attack will yield a very minor interruption for client stations. The reason for this is that the authentication and association process is extremely fast. When deauthenticated, a client station must reauthenticate and reassociate, but this entire process takes only a few milliseconds to complete. If the WLAN is using WEP with Open System authentication, the same process would apply.
If the WLAN is using WPA/WPA2-PSK, then a 4-way handshake (plus 4 ACK frames) will follow the acknowledged association response frame. This process is fairly fast (roughly an additional 20-30 ms), but added to the Open System authentication and association, it can easily add up to 50 ms (total) when adding in contention time. If a single AP is used, this won't be a big problem, but a deauthentication like this may also cause a client station to roam. Roaming requires passive and active scanning, which could add 1-3 seconds to the process. This additional time can easily disrupt many applications.
If the WLAN is using 802.1X/EAP and not using Opportunistic PMK Caching (not widely supported in client utilities), deauthentication can cause a disruption of 0.5 - 5 seconds depending on the specific EAP type in use, scanning processes, and the 4-way handshake. 802.1X/EAP authentication mechanisms are almost always deployed in enterprise WLANs. Any application that is latency sensitive will suffer dramatic problems when the client station is deauthenticated. File transfers, voice/video streams, thin-client sessions, and other real-time applications will often break when disrupted for more than 0.5 seconds.
The 802.11w amendment to the 802.11-2007 standard offers three new security pieces: Data Origin Authenticity, Replay Detection, and Management Frame Protection. The data origin authenticity mechanism defines a means by which a station that receives a management frame (such as a deauthentication frame) can determine which station transmitted the data or management frame. This feature is required to prevent an intruder from masquerading as an authorized station. The replay detection mechanism defines a means by which a station that receives a management frame from another station can detect whether the received frame is an unauthorized retransmission. Management frame protection is required to protect against forgery and eavesdropping on management frames such as Action, Disassociate, and Deauthenticate frames through the use of security keys.
Most of today's WLAN infrastructure systems do not support management frame protection, and until they do, deauthentication attacks will remain a significant security problem.