4

Going over the security+ lectures by professor Messer here, he explains and demonstrates a wireless disassociation attack very well. But no where in the video does he explain how this type of attack is prevented and I can't seem to think of ways that this could be prevented (asides from upgrading the WIFI standard).

How do modern day users prevent wireless disassociation attacks? What's stopping me (asides from legality) from hopping to a network and sending disassociation packets to everyone else's device?

Thomas
  • 437
  • 2
  • 9
  • I marked my question as a duplicate - thank you @YLearn. I did search before, but "wireless disassociation attack" and "deauthentication attack" are different terms for the same concept. – Thomas May 06 '19 at 22:00
  • 2
    You are welcome. If someone wants to split hairs, they are two separate things (deauth and disassoc frames are two different types of management frame). However, on modern 802.11 networks they are effectually the same and the implementation, results, and defenses are the same. – YLearn May 07 '19 at 01:38

1 Answers1

4

This can be protected from with the IEEE 802.11w, also called Management Frame Protection (MFP), which provides authentication for Wi-Fi management frames, including those related to deauthentication and disassociation. When protected management frames are supported and enabled by both sides, the attack will not work because it will fail to authenticate as legitimate and will be ignored.

According to the above-linked Wikipedia page, the frames that are protected by 802.11w are:

  • Disassociation and deauthentication
  • Radio measurement action for infrastructure BSS (802.11k frames)
  • QoS action frame (802.11e frames)
  • Future 11v management frames (802.11v frames)

The frames which are not protected due to infeasibility are:

  • Beacon and probe request/response
  • Announcement traffic indication message (ATIM)
  • Authentication
  • Association request/response
  • Spectrum management action

Unfortunately, lots of hardware does not support 802.11w, and lots of software does not take advantage of it even when it is supported, so its utility may be limited and you will not often encounter it as an obstacle to deauth attacks. Note that this does not and cannot protect against a radio jamming denial of service attack where the entire spectrum is saturated with noise. However, such arbitrary jamming is far less stealthy and cannot be used for targeted attacks, rendering it a much less likely source of DoS.

As mentioned in the comments, IEEE 802.11w is not perfect, and other denial of service techniques exist. A paper called A Formal Analysis of IEEE 802.11w Deadlock Vulnerabilities shows how deadlocks can be exploited to selectively deny service to any associated clients. The paper concludes by demonstrating the inadequacy of current methods for validating specs like 802.11w and recommends formal methods.

forest
  • 65,613
  • 20
  • 208
  • 262
  • I actually did some research on defeating 802.11w a few years back. There are some other layer 2 attacks besides sending deauthentication attacks that are equally or more effective, and sometimes even quieter. These aforementioned attacks utilize those unprotected management frames. What's also amusing is that deauthentication frames still work while the client is trying to authenticate, i.e. the original attack works fine if the target is not already connected. – multithr3at3d May 05 '19 at 14:52
  • Also, as mentioned, it is not too widely supported (especially in software for consumer-grade access points), but it is possible to set it up at home with OpenWRT (assuming the driver for your hardware supports it). Most client devices should support it. If some of your devices don't, you can have it set to optional so those devices can still connect without protection. – multithr3at3d May 05 '19 at 15:17
  • @multithr3at3d I'm not surprised that there are many ways to get around it. I'd be interested to learn more about the attacks you are mentioning, though. – forest May 05 '19 at 22:37
  • 2
    I believe this paper was where I got the specific vulnerabilities from, but I don't think I can access it anymore: https://ieeexplore.ieee.org/document/6195841 I went ahead and implemented/tested a few of them. The most successful was abusing dynamic frequency switching (DFS), which can be used to trick clients into changing the channel they think the AP is on. You have to simply send beacon frames that look like the AP but with the DFS portion, and clients waste multiple seconds each time you send a beacon. It's a "feature" of 5 GHz networks but the attack worked on 2.4 GHz as well. – multithr3at3d May 06 '19 at 00:45
  • 1
    @multithr3at3d Thanks! I found a copy at https://sci-hub.se/10.1109/INFCOM.2012.6195841 anyone can access. – forest May 06 '19 at 00:52
  • Is there any update about this 802.11w vulnerability? – Motheus Jul 22 '20 at 06:12