
[IP] more on New flaw takes Wi-Fi off the air




Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Fri, 14 May 2004 07:23:37 -0700
From: Jim Thompson <jim@xxxxxxxxxxx>
Subject: Re: [IP] more on New flaw takes Wi-Fi off the air
To: dave@xxxxxxxxxx

Um, no, I don't think it has anything to do with OFDM's "sub-carriers".

The authors haven't described the attack, exactly, I believe, because there is a paper coming out in a couple days, and there are pre-publication issues. That stated, the Australian CERN report does provide clues. The "problem isn't as bad with 802.11g or 802.11a at speeds over 20Mbps" may provide a hint.

The "vulnerability" may have to do with the longer slot time of DSSS modulation in 802.11b (20us) in comparison to that in OFDM modulations (9us) of 802.11a, and, in particular, values derived from the slot time, such as DIFS (50us).

802.11b:
        -       SIFS = 10 µs
        -       Slot time = 20 µs
        -       DIFS = 2 x Slot time + SIFS = 50 µs

802.11a:
        -       SIFS = 16 µs
        -       Slot time = 9 µs
        -       DIFS = 2 x Slot time + SIFS = 34 µs

 802.11g SIFS = 10 µs
 802.11g short slot time = 9 µs (802.11g-only mode with no legacy stations)
 802.11g long slot time = 20 µs (mixed mode requires slow slot time)
(I'll leave it to the reader to calculate DIFS for each of the two 11g modes (2 x slot time + SIFS))

Now, what's the throughput for a 54Mbps station in a mixed-mode 802.11b/g network? Well, with an 802.11b station associated, but idle (such that protection is enabled, but the 11b STA isn't tying up the air), the (calculated) UDP throughput is .. 19.6Mbps. So once you're "over 20Mbps" then you don't have any 11b STAs associated. And let's not forget that these protection frames have to be sent modulated with DSSS (so the 11b STAs can grok them), and thus, it "only affects DSSS" (ahem).

BTW, max theoretical TCP throughput for 11g with an 11b client associated to the AP is around 13.5Mbps (if the AP and STA are both sending @ 54Mbps).

It's not proof, but it does 'fit', given what they've released. I'll also guess out loud that the 'attack' has to do with setting (or resetting) CWmin (15us for 11a/11g, 31us for 11b), and causing overly-long NAVs to be set.

Again, this is just off the top of my head (and from memory). And all of the above is DCF, not PCF or EDCF. If your readers don't understand the terms here, google can be of help.

Jim
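As an added illustration (my own code, not part of Jim's message or of any product he mentions), here is a small Python model of the DCF timing discussed above: DIFS from slot time and SIFS for each PHY mode, and the per-packet airtime and resulting UDP goodput of a single 54Mbps station with and without 802.11b protection. The frame sizes, rates, CWmin, CTS-to-self rate and preamble length are my assumptions, so the numbers are indicative, not the poster's.

```python
import math

# Added model of DCF airtime for one 802.11g station, with and without
# 802.11b protection. Assumptions (mine, not from the message above):
# 1500-byte IP packet, 54 Mbps OFDM data, 24 Mbps OFDM ACK, CWmin = 15
# (average backoff CWmin/2 slots), CTS-to-self protection sent at 11 Mbps
# DSSS with a short (96 us) PLCP preamble, no collisions and no retries.

def ofdm_airtime_us(frame_bytes, rate_mbps):
    """ERP-OFDM airtime: 20 us preamble+SIGNAL, 4 us symbols, 6 us extension."""
    bits_per_symbol = rate_mbps * 4          # 54 Mbps -> 216 bits/symbol
    bits = 16 + 8 * frame_bytes + 6          # SERVICE + data + tail bits
    return 20 + 4 * math.ceil(bits / bits_per_symbol) + 6

def dsss_airtime_us(frame_bytes, rate_mbps, plcp_us=96):
    """DSSS/CCK airtime: PLCP preamble+header (96 us short, 192 us long) + payload."""
    return plcp_us + 8 * frame_bytes / rate_mbps

def difs_us(slot_us, sifs_us):
    """DIFS = 2 x slot time + SIFS, as in the message above."""
    return 2 * slot_us + sifs_us

def udp_throughput_mbps(protection, ip_bytes=1500, cwmin=15):
    """UDP goodput (Mbps) of one 54 Mbps station under DCF, no contention."""
    sifs = 10
    slot = 20 if protection else 9              # long slot in mixed b/g mode
    mac_frame = ip_bytes + 8 + 24 + 4           # LLC/SNAP + MAC header + FCS
    t = difs_us(slot, sifs) + (cwmin / 2) * slot
    if protection:                              # CTS-to-self at DSSS rate, then SIFS
        t += dsss_airtime_us(14, 11) + sifs
    t += ofdm_airtime_us(mac_frame, 54)         # DATA frame
    t += sifs + ofdm_airtime_us(14, 24)         # SIFS + ACK
    udp_payload_bits = 8 * (ip_bytes - 20 - 8)  # strip IP and UDP headers
    return udp_payload_bits / t                 # bits per us == Mbps

if __name__ == "__main__":
    for name, slot, sifs in (("802.11b", 20, 10), ("802.11a", 9, 16),
                             ("802.11g short slot", 9, 10), ("802.11g long slot", 20, 10)):
        print(f"{name:20s} DIFS = {difs_us(slot, sifs):.0f} us")
    print(f"11g only : {udp_throughput_mbps(False):.1f} Mbps")
    print(f"11b/g mix: {udp_throughput_mbps(True):.1f} Mbps")
```

Under these assumptions the model gives roughly 30Mbps for a g-only cell and roughly 19Mbps once protection and the long slot are in force, which is the "over 20Mbps" boundary the message points at.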


On May 14, 2004, at 6:08 AM, Dave Farber wrote:


Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Fri, 14 May 2004 01:50:44 -0400
From: Valdis.Kletnieks@xxxxxx
Subject: Re: [IP] New flaw takes Wi-Fi off the air
To: dave@xxxxxxxxxx

On Thu, 13 May 2004 19:25:28 EDT, Dave Farber <dave@xxxxxxxxxx>  said:

> "When under attack, the device behaves as if the channel is always busy,
> preventing the transmission of any data over the wireless network," a
> security advisory (http://www.auscert.org.au/render.html?it=4091) released
> by AusCERT reads.

It's hardly a "newly discovered" flaw.  It's been known for several decades
that CSMA/CA based networks will fail if something interferes with the
detection of "quiet" on the network.

Anybody who's ever had to find a jabbering transceiver or a missing terminator
on an Ethernet thin/thickwire segment knows about this "flaw".

My favorite part was that they *first* mention that you can do this jamming
with very little hardware - so you can hack up even a PDA's software to make
its wireless card jabber.  Then in what appears to be a classic case of
Just Not Getting It, they add:

        The model of a shared communications channel is a fundamental
        factor in the effectiveness of an attack on this vulnerability.
        For this reason, it is likely that devices based on the newer IEEE
        802.11a standard will not be affected by this attack where the
        physical layer uses Orthogonal Frequency Division Multiplexing
        (OFDM).

Yes, *this* attack won't work against a .11a network because the signal is
split across some 48 subchannels.

Obviously, getting a PDA that has an 802.11a card and hacking it to jabber
across all 48 subchannels (and remember - for the card to talk .11a it has to
have the circuitry to transmit on the subchannels)... that's considered a
different attack.

-------------------------------------
You are subscribed as jim@xxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

