12th Mar 2003 [SBWID-6053]
COMMAND
	802.11b Denial of Service
SYSTEMS AFFECTED
	All 802.11b networks
PROBLEM
	Mark Osborne reported the following on how to scramble an 802.11b network
	without a high-performance device.
	While working to develop code for WIDZ that is equivalent to a  standard
	Intrusion Detection system’s RESET or SHUN functionality,  an  effective
	802.11b disruption of service attack  has  been  discovered.  I  haven’t
	spotted any other postings so here we go….
	FATA-jack - a modified version of the Wlan-jack, Fata-jack sends
	Authentication-Failed packets (with a reason code of previous
	authentication failed) to a Wireless client PC. The source and
	destination MACs have been spoofed so as to appear to come from the
	Access-point. The original Wlan-jack code rate of transmission has
	been significantly reduced to a meagre rate of 1 every 2.5 seconds, so
	as to avoid any flood effect.
	In limited tests on multiple operating systems including Windows98,
	Windows ME and Linux, FATA-jack effectively tears down any active
	session and in many cases causes the client driver or client software
	to fail, requiring a reboot.
	Apart  from  being  an  extremely  lethal  DoS  attack,   FATA-jack   is
	significant for a number of reasons:
	- As the transmission rate is very low, it is easy to see how a low-spec
	PC and a standard 802.11 card could disable a large wireless network.
	- As the malevolent packets are sent directly to the client, these will
	not be picked up by logging functionality on the AP (if you have any) –
	this highlights the need for Wireless IDS.
	- As the malevolent packets are spoofed AND sent directly to the client,
	MAC protection or WEP protection will not prevent it.
	- Some workmates have suggested that it could be used to cause IVs/WEP
	keys to be cycled. This would significantly reduce the time for a WEP
	cracking exercise. This is yet to be verified.
SOLUTION
	Help the people coding wireless IDS and, afterwards, use it.
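	As an added illustration of the wireless IDS check the advisory calls for (not WIDZ code and not from the original post), the sketch below flags authentication frames carrying a failure status that claim to come from the AP while the targeted client has an active data session. The 30-second session window, the sample MAC addresses and the status value 1 are assumptions made for the example.

```python
import struct

AUTH_FC0 = 0xB0        # frame-control byte 0: management frame, subtype 11 (authentication)
SESSION_WINDOW = 30.0  # assumed: data seen this recently means the session is active

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def detect(frames):
    """frames: (timestamp, raw 802.11 frame without radiotap header or FCS)."""
    last_data, alerts = {}, []   # last_data: (bssid, client) -> time of last data frame
    for ts, raw in frames:
        if len(raw) < 24:        # shorter than a full three-address header
            continue
        fc0, flags = raw[0], raw[1]
        a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
        if (fc0 >> 2) & 0x3 == 2:                 # data frame
            if flags & 0x03 == 0x01:              # ToDS: client -> AP
                last_data[(a1, a2)] = ts
            elif flags & 0x03 == 0x02:            # FromDS: AP -> client
                last_data[(a2, a1)] = ts
        elif fc0 == AUTH_FC0 and len(raw) >= 30 and a2 == a3:
            # Body: algorithm, transaction sequence, status code (little-endian u16 each)
            _alg, _seq, status = struct.unpack_from("<HHH", raw, 24)
            seen = last_data.get((a2, a1))
            # Alert on every such frame: at one frame per 2.5 s a flood
            # threshold would never trip, so no rate condition is used.
            if status != 0 and seen is not None and ts - seen <= SESSION_WINDOW:
                alerts.append((ts, mac(a2), mac(a1), status))
    return alerts

def _frame(fc0, flags, a1, a2, a3, body=b""):
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

# Constructed sample capture (locally administered MACs, made-up status value 1).
AP, STA, NEW = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
FAIL = struct.pack("<HHH", 0, 2, 1)
SAMPLE = [
    (0.0, _frame(0x08, 0x01, AP, STA, AP)),          # STA has a live session
    (1.0, _frame(0xB0, 0x00, STA, AP, AP, FAIL)),    # failure "from the AP" mid-session
    (3.5, _frame(0xB0, 0x00, STA, AP, AP, FAIL)),    # again 2.5 s later
    (4.0, _frame(0xB0, 0x00, NEW, AP, AP, FAIL)),    # no session yet: ordinary failed join
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("spoofed auth failure?", alert)
```

	The sensor has to listen on the air near the clients, since these frames never pass through the AP's own logging.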