High Throughput Hounds of Hell Unleashed

By CWNP On 04/10/2008 - 8 Comments

It has officially started.  Hacking 802.11n was inevitable of course, and now we have Denial of Service (DoS) and Service Degradation attacks aimed squarely at 802.11n networks.  Normal functions of the High Throughput (HT) PHY/MAC, such as Block ACKs and coexistence (protection) mechanisms, are a natural place for an attacker to start, because those features are mandatory for proper operation.

Here are some recent posts to the Wireless Vulnerabilities and Exploits website:

  • HT Intolerant Degradation of Service - http://www.wve.org/entries/show/WVE-2008-0004
  • GF Mode WIDS Rogue AP Evasion - http://www.wve.org/entries/show/WVE-2008-0005
  • Block ACK DoS - http://www.wve.org/entries/show/WVE-2008-0006

These are only the beginning of course, and I would be willing to bet that there will be a steady stream of 802.11n attacks aimed at reducing your high-priced investment to wireless rubble.  In many ways, 802.11n networks are susceptible to the same kind of Service Degradation attacks that 802.11g networks experienced when they were initially introduced - quickly nulling a company's ROI.  As long as we have backwards compatibility in new PHY/MAC standards, there will be readily accessible attack points for hackers.

Should this affect your decision to upgrade to 802.11n?  To answer that question, I would ask you a question: "Did you upgrade from 802.11b to 802.11g?"  If your answer was 'yes' and it has been a good experience, then you should also upgrade to 802.11n for the same reasons.

WLAN security professionals are surely going to have their hands full fending off 802.11n attacks, but first they have to learn how 802.11n works in detail.  That's something The CWNP Program stands ready to help with.  Drop us a line. :)

8 Responses to High Throughput Hounds of Hell Unleashed

04/17/2008 at 09:42am
Double checked with the 6.0 rev of the spec, and you are correct! Seems that they've removed those Action Frames!

Sorry for the clutter.

04/16/2008 at 22:13pm
Yikes, I just realized that my 802.11w article was written around 802.11w-D2.0 and now 802.11w-D6.0 is available. Time for me to upgrade. Thanks for the update. I'll confirm, and if I find anything different, I'll post it here.

04/16/2008 at 15:43pm
Ok, last comment from me.
I still believe the HT Intolerant 'attack' isn't really an attack as much as a poorly designed protocol. Backwards compatibility rules our daily lives.

The AddBA Request is a QoS Action Frame, and my version of the 11w spec states that Action Frames with categories (Spectrum Mgmt, QoS, DLS, and Block Ack) are included. Second to that, the statement that the Block Ack Agreement Recipient would reset its window still assumes too much about the implementation.

04/15/2008 at 12:21pm
Unfortunately, 802.11w won't do anything to mitigate HT Intolerant or Block ACK attacks.


And I don't know anything about HTML. :)

04/15/2008 at 12:11pm
Seems to me that HT Intolerant and Block Ack attack will both be mitigated by 11w (Management Frame Protection). Consider that Cisco already deploys this solution on their 4400 WLCs.

The GF Rogue AP being undetected by a WIDS is assuming too much. But if you're simply looking for quick exploits, then consider all of the other enhancements too. STBC could be used, or if the WIDS device could only receive 32k AMPDUs and the Rogue AP was configured to transmit AMPDUs > 32k, then the traffic would be 'unreceivable' also. Or Minimum MPDU spacing, or >4k AMSDUs..

So the strategy can be summed as: exploiting the WIDS RF receive capabilities using new or older technology than it supports.


04/15/2008 at 10:35am
When do we get an open system that can simply be upgraded by downloading a firmware to get the 802.11n

04/15/2008 at 07:52am

04/14/2008 at 17:09pm
Hey, did you ever think to hyperlink those URLs?

Or was the tag the only HTML you learned?

