
Re: Continuous Preamble DoS?: msg#00002

security.wireless

Subject: Re: Continuous Preamble DoS?

Asier is right.

I would point out that the functionality was created by wireless
engineers as a debug option to test the transmission capabilities of
the WiFi cards and tune the chipset. Wireless cards check if the radio
link is clear before transmitting, but when this option is used, it
transmits constant energy in a specific 802.11 channel, so nobody
using that frequency can connect to the network.

We cover this attack in the SANS wireless security course [1], and
unfortunately, there are Windows-based GUI tools that implement this
functionality for specific drivers (sorry, no names here), and can be
used as point-and-click DoS tools :(

When testing it, be careful and check the card temperature. It is
going to become dangerously hot!!
--
Raul Siles
GSE
www.raulsiles.com

[1] Shameless plug :)
http://www.sans.org/brussels07/description.php?tid=343


On 5/2/07, Asier Martinez <axierr-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx>
wrote:
Yes,
check this http://www.auscert.org.au/render.html?it=4091

It exists because it's useful for network problem debugging. Initially
it exists as the PLME.DSSSTESTMODE primitive in the 802.11b standard, and
because of its obvious potential damage it was removed from commercial
driver versions.

2007/5/2, Seth Fogie <seth-9/fkfX+J4VRfOZc0+OmrVg@xxxxxxxxxxxxxxxx>:
> I recently came across this driver that allows the Linksys WCF54G card
> to support wireless sniffing from WM5. Typical stuff...except then I
> noticed something called 'Continuous preamble mode', which I had never
> heard before...
>
> I asked the creator about it and this was his response:
> Primary I needed WM5.0 driver for WCF54G card.
> Driver was written with Linux similar driver sources information.
> In these sources I found continuous preamble debug option.
> I had only mode Name and Comments...
>
> Possible GPL issues aside, when I enable this mode my network goes down.
> However, no packets are detected using Airmagnet, Wireshark, or any
> other program. AirPCap does pick up something...but it is like random data.
>
> I used an RF analyzer to see if it was doing something odd and sure
> enough, when I enabled the mode I saw a HUGE spike in RF around channel
> 6 (current channel) and then a constant RF emission from then on spread
> across the entire 2.4 range.
>
> Has anyone seen anything like this or know what it could be or why it
> exists?
>
> Thanks
> Seth
>



