DoS, short for denial of service, is the most common type of network attack. It deliberately exploits defects in network protocols, or simply uses some means to exhaust the resources of the attacked target, so that the target computer or network can no longer provide normal service or resource access, stops responding, or even crashes. In this attack the target server or network device is not broken into. The resources consumed include network bandwidth, system stack space, open processes, or permitted connections, and the attack drives them to exhaustion. No matter how fast the computer, how large its memory, or how wide its network bandwidth, the consequences cannot be avoided: every resource has a limit, so an attacker can always find a way to push demand above that limit and exhaust the resources that provide the service.
Here we discuss an extension of wired DoS attacks into the wireless world, one of the types of wireless DoS: the association flood attack.
1. Principles of association flood attacks
A wireless access point (AP) keeps a built-in list, the "connection status table" (client association table), which shows the status of every wireless client that has established a connection with the AP.
Association flood attacks, internationally known as Association Flood Attack and generally abbreviated as Asso attacks, are a form of wireless denial-of-service attack. The attack tries to fill the AP's client association table with a large number of simulated, forged wireless client associations, so as to overwhelm the AP. At Layer 3, shared-key authentication is flawed and hard to keep using; the only remaining option is open authentication (null authentication), which relies on higher-level authentication such as 802.1X or VPN.
Open authentication allows any client to pass authentication and then associate. An attacker can create many connected or associated clients to imitate a crowd of real clients and flood the client association table of the target AP, as shown in Figure 1. Once the client association table overflows, legitimate clients can no longer associate, and the denial of service is complete. This attack resembles the authentication flood attack discussed earlier, but it works differently.
Figure 1: Asso flood attack (wireless DoS)
2. Attack tools and behaviour
Once the connection list of the wireless access point is flooded, the access point no longer accepts further connections and therefore rejects connection requests from legitimate users. Many tools are available, such as the well-known Void11 on Linux. On Windows, one of the parameters of the latest version of aireplay-ng can also be used; the example is not given here.
Of course, an attacker could also gather a large number of wireless network cards, or a modified bundled transmitter that integrates many wireless card chips (similar to what is often called an "SMS repeater"); such large-scale connection attacks are also very effective against widely deployed wireless access devices. Figure 2 shows network data from an access point under flood attack, captured with Omnipeek: numerous unverifiable wireless clients are displayed.
Figure 2: Network data from an access point under flood attack, captured with Omnipeek
It should be noted that the attack works mainly at the link layer, while many enhanced authentication systems such as 802.1X or VPN operate at higher protocol layers. If pre-shared or open authentication has to be used for some reason, there is no particularly effective defence at the 802.11 protocol layer.
3. Countermeasures
The best approach is to monitor the connection status of the wireless network. When a large number of connection requests appears together with many short-lived associations that disappear quickly, wireless detection of the source should be started immediately. A wireless IDS or a management module should be configured to do this automatically and to notify the administrator immediately when a potential risk arises.
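As an added defender-side example (not code from the original article), the monitoring rule in this section can be written as a small detector over captured 802.11 association requests: for each AP, count the distinct source MACs seen in a sliding time window and alert when the count is implausibly high. The frame records, MAC addresses, window length and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample capture: (seconds, frame_type, source_mac, bssid).
# Three real stations associate normally; the burst starting at t=20 is a
# constructed flood of forged source MACs aimed at the same AP.
AP_BSSID = "02:00:00:00:00:aa"
SAMPLE_FRAMES = [
    (0.0, "assoc_req", "aa:bb:cc:00:00:01", AP_BSSID),
    (5.0, "assoc_req", "aa:bb:cc:00:00:02", AP_BSSID),
    (12.0, "assoc_req", "aa:bb:cc:00:00:03", AP_BSSID),
] + [
    (20.0 + i * 0.01, "assoc_req",
     f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", AP_BSSID)
    for i in range(300)
]


def detect_assoc_flood(frames, window_s=10.0, max_new_clients=50):
    """Return alerts as (bssid, window_start, window_end, distinct_sources).

    Slides a time window over the association requests sent to each BSSID
    and counts distinct source MACs inside it. A healthy AP sees a handful
    of new associations per window; far more distinct sources in a few
    seconds is the signature of an association flood. One alert is raised
    per burst, re-arming once the count falls back under the threshold.
    """
    alerts = []
    windows = defaultdict(deque)                   # bssid -> (ts, src) queue
    counts = defaultdict(lambda: defaultdict(int))  # bssid -> src -> hits
    alerted = set()
    for ts, ftype, src, bssid in sorted(frames):
        if ftype != "assoc_req":
            continue
        win, cnt = windows[bssid], counts[bssid]
        win.append((ts, src))
        cnt[src] += 1
        # Expire requests that fell out of the window.
        while win and ts - win[0][0] > window_s:
            _, old_src = win.popleft()
            cnt[old_src] -= 1
            if cnt[old_src] == 0:
                del cnt[old_src]
        if len(cnt) > max_new_clients:
            if bssid not in alerted:
                alerted.add(bssid)
                alerts.append((bssid, win[0][0], ts, len(cnt)))
        else:
            alerted.discard(bssid)
    return alerts
```

Feeding the detector real association-request records (for example exported from a capture such as the Omnipeek trace in Figure 2) is enough to have a wireless IDS raise the alert this section asks for.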