I came across a document by chance; its contents are as follows:


802.11b Firmware-Level Attacks

Mike Kershaw <dragorn@kismetwireless.net>

Joshua Wright <jwright@hasborg.com>

September 29, 2006

1 Abstract

Denial of Service (DoS) attacks are a common threat to 802.11 wireless networks. Using widely available software and an inexpensive wireless LAN card, an attacker can halt the service of a wireless LAN at their whim. While very effective, these tools lack persistence in their operation – when the attacker stops the attack or leaves the range of the victim network, client workstations automatically resume their connectivity to the network.

This paper describes a new style of DoS attack against 802.11 networks that abuses flaws in the firmware of popular 802.11 wireless cards. The impact of this attack is more damaging than other 802.11 DoS attacks, requiring as few as two packets from an attacker to deny service to all target users, often requiring a system restart to recover from the attack. It is the authors' hope that the public disclosure of this flaw will motivate 802.11 product manufacturers to resolve firmware flaws in their products, and to make those updates freely available to customers.

2 Summary

When an 802.11b wireless card from a variety of manufacturers is in a state where it expects a probe response packet, a bug exists in the firmware by which a maliciously injected probe response with the SSID tag length set to 0 can cause a lockup of the card itself, and depending on the platform and drivers, of the host operating system. Once the 802.11b card has locked, it nearly always requires a reset of the adapter (via eject/insert for PCMCIA and USB adapters or a full reboot for PCI or other adapters). Some operating systems and drivers require a full reboot to reinitialize the driver.

3 Details

The 802.11 specification makes extensive use of management frames for a variety of functions including controlling access to the medium, advertising wireless service availability, station authentication and association, and power management. All 802.11 frames use the same standard header to identify packet source, destination, network identification information and frame type (data, management or control). Management frames utilize fixed or variable length fields in the packet payload to identify the various functions they perform.

When a wireless client or station (STA) wishes to communicate on the network, they first complete the active scanning procedure defined by the IEEE 802.11 specification. When seeking wireless network access, the STA will initially send frames requesting access to any available network in the form of probe request management frames. Available access points (APs) will respond with probe response management frames, giving the station the necessary information to begin the authentication and association process.

…… [omitted] ……

Full PDF download: 802.11b Firmware-Level Attacks (firmware_attack.pdf)


Roughly, the paper says the following (a translation of the text above):

1. Abstract

Denial of Service (DoS) attacks are a common threat to 802.11 wireless networks. Using widely available software and an inexpensive wireless LAN card, an attacker can halt wireless LAN service whenever they please.

While very effective, these tools lack persistence: when the attacker stops the attack or leaves the range of the victim network, client workstations automatically resume their network connectivity.

This paper describes a new style of DoS attack against 802.11 networks that exploits firmware flaws in popular 802.11 wireless cards.

The impact of this attack is more damaging than that of other 802.11 DoS attacks: as few as two packets from an attacker deny service to all target users, and recovery usually requires a system restart.

2. Summary

When an 802.11b wireless card from any of a variety of manufacturers is in a state where it expects a probe response packet (i.e. it is listening for one), a bug in the firmware allows an attacker to lock up the card itself by injecting a malicious probe response whose SSID tag length is set to 0, and, depending on the platform and drivers, to lock up the host operating system as well.

Once the 802.11b card has locked up, it nearly always requires a reset of the adapter (by ejecting and reinserting PCMCIA and USB adapters, or a full reboot for PCI and other adapters).

Some operating systems and drivers even require a full reboot to reinitialize the driver.

3. Details

The 802.11 specification makes extensive use of management frames for a variety of functions, including controlling access to the medium, advertising wireless service availability, station authentication and association, and power management.

All 802.11 frames use the same standard header to identify the packet's source, destination, network identification information and frame type (data, management or control).

Management frames use fixed- or variable-length fields in the packet payload to identify the various functions they perform.

When a wireless client or station (STA) wishes to communicate on the network, it first completes the active scanning procedure defined by the IEEE 802.11 specification.

When seeking wireless network access, the STA first sends probe request management frames requesting access to any available network.

Available access points (APs) reply with probe response management frames, giving the station the information it needs to begin the authentication and association process.
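The frame layout described in the Details section, and the malformed probe response described in the Summary, as an added example in C that is not code from the paper or from this post: an encoder for an 802.11 probe response (the 24-byte management header, the 12 bytes of fixed fields, then the tagged parameters) and a parser that checks every tag length against the frame boundary and rejects an SSID tag of length 0 before any later stage consumes it. The MAC addresses and the SSID "lab-ap" are constructed test values; the encoder exists only so that the parser has frames to check.

```c
/* Added example: encode an 802.11 probe response and parse its tagged
 * parameters with strict length checks. Not from the paper; the addresses
 * and SSID below are constructed test values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MGMT_HDR_LEN     24   /* frame control, duration, 3 addresses, sequence control */
#define PROBE_RESP_FIXED 12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define FC_PROBE_RESP    0x50 /* type 0 (management), subtype 5 (probe response) */
#define IE_SSID          0x00
#define IE_SUPP_RATES    0x01
#define SSID_MAX         32

enum ie_status { IE_OK = 0, IE_BAD_FRAME = -1, IE_TRUNCATED = -2,
                 IE_ZERO_LEN_SSID = -3, IE_SSID_TOO_LONG = -4, IE_NO_SSID = -5 };

/* Encode header + fixed fields + SSID and Supported Rates tags. Returns bytes
 * written, or 0 if buf is too small. ssid_len == 0 yields the zero-length
 * SSID tag the paper describes. */
static size_t build_probe_response(uint8_t *buf, size_t cap,
                                   const uint8_t dst[6], const uint8_t bssid[6],
                                   const uint8_t *ssid, uint8_t ssid_len)
{
    static const uint8_t rates[] = { 0x82, 0x84, 0x8b, 0x96 }; /* 1, 2, 5.5, 11 Mbps (basic) */
    size_t need = MGMT_HDR_LEN + PROBE_RESP_FIXED + 2 + ssid_len + 2 + sizeof rates;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = FC_PROBE_RESP;                 /* frame control; flags byte stays 0 */
    memcpy(buf + 4,  dst,   6);             /* addr1: destination STA */
    memcpy(buf + 10, bssid, 6);             /* addr2: source (the AP) */
    memcpy(buf + 16, bssid, 6);             /* addr3: BSSID */
    buf[MGMT_HDR_LEN + 8]  = 0x64;          /* beacon interval 100 TU, little-endian */
    buf[MGMT_HDR_LEN + 10] = 0x01;          /* capability: ESS */
    uint8_t *p = buf + MGMT_HDR_LEN + PROBE_RESP_FIXED;
    *p++ = IE_SSID; *p++ = ssid_len;
    if (ssid_len) memcpy(p, ssid, ssid_len);
    p += ssid_len;
    *p++ = IE_SUPP_RATES; *p++ = (uint8_t)sizeof rates;
    memcpy(p, rates, sizeof rates);
    return need;
}

/* Walk every tagged parameter. Each length is checked against the frame
 * boundary before use, and an SSID tag of length 0 is rejected instead of
 * being handed to later processing. */
static int parse_probe_response_ssid(const uint8_t *frame, size_t len,
                                     char *ssid_out, size_t ssid_cap)
{
    if (len < MGMT_HDR_LEN + PROBE_RESP_FIXED || frame[0] != FC_PROBE_RESP)
        return IE_BAD_FRAME;
    size_t off = MGMT_HDR_LEN + PROBE_RESP_FIXED;
    int found = 0;
    while (off < len) {
        if (len - off < 2) return IE_TRUNCATED;          /* id and length must both fit */
        uint8_t id = frame[off], ie_len = frame[off + 1];
        if (ie_len > len - off - 2) return IE_TRUNCATED; /* body would run past the frame */
        if (id == IE_SSID) {
            if (ie_len == 0) return IE_ZERO_LEN_SSID;
            if (ie_len > SSID_MAX || ie_len >= ssid_cap) return IE_SSID_TOO_LONG;
            memcpy(ssid_out, frame + off + 2, ie_len);
            ssid_out[ie_len] = '\0';
            found = 1;
        }
        off += 2u + ie_len;
    }
    return found ? IE_OK : IE_NO_SSID;
}

/* Constructed addresses for the demonstrations below. */
static const uint8_t DEMO_STA[6]   = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t DEMO_BSSID[6] = { 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };

/* Well-formed frame for the constructed SSID "lab-ap", optionally cut short
 * by `cut` bytes so that a tag length runs past the end of the frame. */
int demo_truncated(size_t cut)
{
    uint8_t f[128]; char s[SSID_MAX + 1];
    size_t n = build_probe_response(f, sizeof f, DEMO_STA, DEMO_BSSID, (const uint8_t *)"lab-ap", 6);
    return parse_probe_response_ssid(f, n - cut, s, sizeof s);
}

/* 1 if the intact frame parses and yields exactly "lab-ap". */
int demo_valid_ssid_matches(void)
{
    uint8_t f[128]; char s[SSID_MAX + 1];
    size_t n = build_probe_response(f, sizeof f, DEMO_STA, DEMO_BSSID, (const uint8_t *)"lab-ap", 6);
    return parse_probe_response_ssid(f, n, s, sizeof s) == IE_OK && strcmp(s, "lab-ap") == 0;
}

/* The malformed frame from the paper: SSID tag present with length 0. */
int demo_zero_length_ssid(void)
{
    uint8_t f[128]; char s[SSID_MAX + 1];
    size_t n = build_probe_response(f, sizeof f, DEMO_STA, DEMO_BSSID, NULL, 0);
    return parse_probe_response_ssid(f, n, s, sizeof s);
}

int main(void)
{
    printf("intact frame: %d (ssid matches: %d)\n", demo_truncated(0), demo_valid_ssid_matches());
    printf("zero-length SSID tag: %d\n", demo_zero_length_ssid());
    printf("frame cut 3 bytes short: %d\n", demo_truncated(3));
    return 0;
}
```

The check is deliberately scoped to probe responses: in beacons a zero-length SSID element is the standard way an AP hides its network name, so the same rule applied to beacons would reject legitimate traffic. The paper does not say which internal operation the affected firmware performs on the zero-length tag, only that the tag locks the card up; the parser above simply refuses to pass such a tag, or any tag that overruns the frame, to later stages.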


The highlight is that the authors mention at the end that if you add a high-power, long-range antenna and then carry out the wireless DoS attack, oh ho ho ho, you know what I mean……

Every wireless network for kilometres around goes down, and the devices have to be rebooted to recover, dear……

╮(╯_╰)╭

Tip:

Related posts on this site: intrusion via electromagnetic waves, atomic-level hacking, destroying physical equipment with electromagnetic waves

Comments (old system):

Zypeh @ 2012-06-06 13:32:12

Ho ho ho! 核总 has put that paper online, haha

Site reply:

Damn, that PDF was already online to begin with; search Google, there are plenty of copies……

[Anonymous] @ 2012-06-06 19:24:50

= = The server is pretty fast. Where did you buy your server? I'd like to get one too.

Site reply:

You mean this site's server? It's just an ordinary US VPS; search Taobao and you'll find plenty. For advice on choosing a VPS, see comments ID 1086 and 1081.