Jim Thompson jim at netgate.com
Fri May 14 10:34:13 EDT 2004

On May 14, 2004, at 1:04 AM, Motonori Shindo wrote:

> From: Jouni Malinen <jkmaline at cc.hut.fi>
> Subject: Re: PCF?
> Date: Thu, 13 May 2004 09:03:15 -0700
>>> http://www.auscert.org.au/
>> Is there something new about this "new" attack? There are many ways to
>> DoS 802.11 networks.
> Agreed. While I admit that bringing a microwave into the area where you
> want to mount an attack is not so trivial (:-)), the method described
> on the AUSCERT page isn't really new, and there is little point in
> bringing it up now, I think.

Well, I think it is new.  (See below.)  Or at least "newish", but I do 
agree that the media is hyping it.

>> The auscert page or a couple of other links from slashdot did not really
>> give many details, but I would assume the attack was to reserve the
>> channel by increasing NAV counters in the stations to prevent them from
>> transmitting frames.
> I don't know the detail of this reported attack, but if it is based on
> NAV, I'm not certain why OFDM is immune to this attack.

The authors haven't described the attack exactly, I believe, because 
there is a paper coming out in a couple of days, and there are 
pre-publication issues.  That stated, the Australian CERT report does 
provide clues.  The "problem isn't as bad with 802.11g or 802.11a at 
speeds over 20Mbps" may provide a hint.

The "vulnerability" may have to do with the longer slot time of DSSS 
modulation in 802.11b (20 µs) in comparison to that of the OFDM modulations 
(9 µs) of 802.11a, and, in particular, values derived from the slot time 
such as DIFS (50 µs):

  802.11b (DSSS):
	• 	SIFS = 10 µs
	• 	Slot time = 20 µs
	• 	DIFS = 2 x Slot time + SIFS = 50 µs

  802.11a (OFDM):
	• 	SIFS = 16 µs
	• 	Slot time = 9 µs
	• 	DIFS = 2 x Slot time + SIFS = 34 µs

  802.11g:
	• 	SIFS = 10 µs
	• 	Short slot time = 9 µs (802.11g-only mode with no legacy 
	• 	Long slot time = 20 µs (mixed mode requires the slow slot time)

(I'll leave it to the reader to calculate DIFS for each of the two 11g 
modes (2 x slot time + SIFS).)

Now, what's the throughput for a 54Mbps station in a mixed-mode 802.11b/g 
network?  Well, with an 802.11b station associated, but idle (such that 
protection is enabled, but the 11b STA isn't tying up the air), the 
(calculated) UDP throughput is .. 19.6Mbps.  So once you're "over 
20Mbps" then you don't have any 11b STAs associated.  And let's not 
forget that these protection frames have to be sent modulated with DSSS 
(so the 11b STAs can grok them), and thus, it "only affects DSSS". 

BTW max theoretic TCP throughput for 11g with a 11b client associated 
to the AP is around 13.5Mbps (if the AP and STA are both sending @ 

It's not proof, but it does 'fit', given what they've released.  I'll 
also guess out loud that the 'attack' has to do with setting (or 
resetting) CWmin (15 for 11a/11g, 31 for 11b), and causing 
overly-long NAVs to be set.

Again, this is just off the top of my head (and from memory).  And all 
of the above is DCF, not PCF or EDCF.

> BTW, generally speaking, is NAV controllable from the host? If it is
> under the control of firmware, it is relatively hard to mount the
> attack, isn't it?

No, but a timing attack might work, and you might be able to tweak 
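
As an added illustration of the DCF timing arithmetic in the post (this is example code written for this page, not code from the post or from the HostAP project), the following Python model computes DIFS for each PHY mode from the SIFS and slot values quoted above, and then estimates per-packet airtime and UDP throughput for pure 11b, pure 11g, and 11g with an idle 11b station associated (protection on, long slot). Everything beyond the post's SIFS/slot/CWmin values is an assumption and is marked as such in the code: a 1472-byte UDP payload, a long DSSS preamble, ACKs at 11 Mbps CCK for 11b and 24 Mbps OFDM for 11g, CTS-to-self at 11 Mbps CCK as the protection frame, and CWmin = 15 for 11g in both modes. The absolute numbers therefore will not reproduce the post's 19.6 Mbps figure; what the model shows is the mechanism: the DSSS protection frame plus the long slot roughly halves the OFDM cell's throughput, which is why "over 20 Mbps" implies no 11b station is present.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Phy:
    """DCF timing parameters for one PHY / operating mode."""
    name: str
    sifs_us: int
    slot_us: int
    cwmin: int          # CWmin in slots (the post quotes 15 for 11a/11g, 31 for 11b)

    @property
    def difs_us(self) -> int:
        # The relation used in the post: DIFS = 2 x slot time + SIFS
        return 2 * self.slot_us + self.sifs_us


# SIFS/slot/CWmin values as given in the post. 802.11g keeps CWmin = 15 in
# both modes here, as the post states it (assumption, kept simple on purpose).
PHY_11B = Phy("802.11b (DSSS)", sifs_us=10, slot_us=20, cwmin=31)
PHY_11A = Phy("802.11a (OFDM)", sifs_us=16, slot_us=9, cwmin=15)
PHY_11G_SHORT = Phy("802.11g short slot (g-only)", sifs_us=10, slot_us=9, cwmin=15)
PHY_11G_LONG = Phy("802.11g long slot (mixed b/g)", sifs_us=10, slot_us=20, cwmin=15)

# PLCP constants from the 802.11 standard (assumption: long DSSS preamble).
DSSS_LONG_PLCP_US = 192   # 144 us preamble + 48 us PLCP header
OFDM_PLCP_US = 20         # 16 us preamble + 4 us SIGNAL field
OFDM_SYMBOL_US = 4
ERP_SIGNAL_EXT_US = 6     # 802.11g appends a 6 us signal extension to OFDM frames

# Frame sizes: 24-byte MAC header + 4-byte FCS, 8-byte LLC/SNAP,
# 20 + 8 bytes of IP/UDP headers, and 14-byte ACK / CTS control frames.
MAC_OVERHEAD, LLC_SNAP, IP_UDP, CTRL_FRAME = 28, 8, 28, 14


def dsss_airtime_us(psdu_bytes: int, rate_mbps: float) -> int:
    """DSSS/CCK frame time: PLCP plus the PSDU, rounded up to whole microseconds."""
    return DSSS_LONG_PLCP_US + math.ceil(psdu_bytes * 8 / rate_mbps)


def ofdm_airtime_us(psdu_bytes: int, rate_mbps: int, erp: bool) -> int:
    """OFDM frame time: 16 SERVICE bits + PSDU + 6 tail bits, padded to whole symbols."""
    bits_per_symbol = rate_mbps * OFDM_SYMBOL_US      # 54 Mbps -> 216 bits per symbol
    symbols = math.ceil((16 + 8 * psdu_bytes + 6) / bits_per_symbol)
    return OFDM_PLCP_US + symbols * OFDM_SYMBOL_US + (ERP_SIGNAL_EXT_US if erp else 0)


def dcf_cycle_us(phy: Phy, data_us: int, ack_us: int, cts_us: int = 0) -> float:
    """Airtime of one uncontended DATA/ACK exchange under DCF:
    DIFS + mean initial backoff (CWmin/2 slots) [+ CTS-to-self + SIFS] + DATA + SIFS + ACK."""
    cycle = phy.difs_us + (phy.cwmin / 2) * phy.slot_us + data_us + phy.sifs_us + ack_us
    if cts_us:
        cycle += cts_us + phy.sifs_us
    return cycle


def udp_scenario(mode: str, udp_payload: int = 1472) -> dict:
    """Model one of three modes: pure 11b at 11 Mbps, pure 11g at 54 Mbps, or
    11g at 54 Mbps with an idle 11b station associated (protection on)."""
    psdu = udp_payload + IP_UDP + LLC_SNAP + MAC_OVERHEAD   # 1536 bytes for a 1500-byte IP packet
    cts_us = 0
    if mode == "11b":
        phy = PHY_11B
        data_us = dsss_airtime_us(psdu, 11)
        ack_us = dsss_airtime_us(CTRL_FRAME, 11)             # assumption: ACK at 11 Mbps CCK
    elif mode == "11g":
        phy = PHY_11G_SHORT
        data_us = ofdm_airtime_us(psdu, 54, erp=True)
        ack_us = ofdm_airtime_us(CTRL_FRAME, 24, erp=True)   # assumption: ACK at 24 Mbps OFDM
    elif mode == "11g-mixed":
        phy = PHY_11G_LONG
        data_us = ofdm_airtime_us(psdu, 54, erp=True)
        ack_us = ofdm_airtime_us(CTRL_FRAME, 24, erp=True)
        # The protection frame must be DSSS so the 11b station can decode it
        # and honour the NAV it sets; assumption: CTS-to-self at 11 Mbps CCK.
        cts_us = dsss_airtime_us(CTRL_FRAME, 11)
    else:
        raise ValueError(mode)
    cycle = dcf_cycle_us(phy, data_us, ack_us, cts_us)
    return {
        "mode": phy.name,
        "difs_us": phy.difs_us,
        "cycle_us": cycle,
        # Duration field carried by the CTS-to-self, i.e. the NAV it reserves
        "nav_us": (phy.sifs_us + data_us + phy.sifs_us + ack_us) if cts_us else 0,
        "udp_mbps": round(udp_payload * 8 / cycle, 2),
    }


if __name__ == "__main__":
    for phy in (PHY_11B, PHY_11A, PHY_11G_SHORT, PHY_11G_LONG):
        print(f"{phy.name:32s} DIFS = {phy.difs_us} us")
    for mode in ("11b", "11g", "11g-mixed"):
        print(udp_scenario(mode))
```

Running it prints DIFS = 50 µs for 11b and long-slot 11g, 34 µs for 11a and 28 µs for short-slot 11g, then the three scenarios; with the assumptions above the mixed-mode cell lands well under 20 Mbps while the g-only cell is near 30 Mbps. The "nav_us" value is simply what a legitimate CTS-to-self reserves for one exchange, which gives a feel for why the post worries about stations honouring NAVs that are longer than the traffic justifies.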

More information about the HostAP mailing list