
Beware of 'phlooding' attacks

By Staff Writer, ITWeb
Johannesburg, 05 Oct 2005

A new wireless LAN security threat has emerged involving a group of simultaneous, but geographically distributed, attacks that target a business's authentication or network log-in structure, says Concillium Technologies security specialist Craig Rosewarne.

Dubbed "phlooding" by wireless LAN security vendor AirMagnet, which coined the term, the attack aims to overload a business's central authentication server. AirMagnet believes this new form of distributed wireless attack is aimed at central wired assets rather than at the access points themselves.

"In a phlooding attack, several attackers in different locations bombard wireless access points with login requests using multiple password combinations in what are known as dictionary attacks," says Rosewarne.

"This creates a flood of authentication requests to the company's central authentication server. This could slow down logins and potentially interfere with broader network operations, since many different users and applications often validate themselves against the same identity management server for e-mail access, database applications and other corporate uses."

Phlooding could block broadband virtual private network or firewall connections that use a common authentication server to verify an incoming user's identity, making it temporarily impossible for employees to access their corporate network, he says.

According to Rosewarne, AirMagnet recently identified two variants of a common attack model. The first is a series of simultaneous dictionary attacks against wireless access points in different locations, each involving a high rate of authentication or login requests. The second variant uses de-authentication attacks against stations in many locations instead of a direct dictionary attack.

Rosewarne notes that although the first variant is not enough to disable any individual access point, the combined traffic creates a 'phlood' of authentication requests at the central authentication server, which sits near the core of the wired network.

The second attack also creates a sudden burst of authentication requests, because every de-authenticated station immediately tries to reconnect and re-authenticate. It therefore hits local wireless users directly and threatens central authentication services at the same time.
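Both variants are visible only where the traffic converges: in the central authentication server's log, where the distinguishing signal is the number of sites (or access points acting as RADIUS NAS) generating requests at the same moment, not the request rate at any one of them. The following detector is an added example and is not code from the article, from AirMagnet or from Concillium; the log line format, the site and access point names, the sample log and the thresholds are all constructed for illustration. It flags the first variant as a burst of rejected logins spread across several sites, and the second as a burst of successful re-authentications by users who were already logged in, and it checks that a single-site brute force does not trip the distributed rule.

```python
"""Detect the two phlooding variants described above from the authentication
server's own logs.  Added example, not code from the article, AirMagnet or
Concillium; the log format, site and AP names, and thresholds are constructed
for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int         # seconds since the start of the capture (constructed)
    site: str       # office location the forwarding access point belongs to
    ap: str         # access point (RADIUS NAS) that relayed the request
    user: str
    accepted: bool  # True for Access-Accept, False for Access-Reject


def parse(line: str) -> AuthEvent:
    """Constructed line format: '<ts> <site> <ap> <user> ACCEPT|REJECT'."""
    ts, site, ap, user, result = line.split()
    return AuthEvent(int(ts), site, ap, user, result == "ACCEPT")


def windows(events, width):
    """Group events into consecutive windows of at most `width` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    if not events:
        return
    start, bucket = events[0].ts, []
    for e in events:
        if e.ts - start >= width:
            yield start, bucket
            start, bucket = e.ts, []
        bucket.append(e)
    yield start, bucket


def distributed_dictionary(events, width=60, rejects_per_site=20, min_sites=3):
    """Variant 1: dictionary attacks run in parallel at several sites.
    Each site's reject rate is modest (no single AP is knocked over), so the
    signature is the number of sites rejecting at once, not any one site."""
    alerts = []
    for start, bucket in windows(events, width):
        rejects = defaultdict(int)
        for e in bucket:
            if not e.accepted:
                rejects[e.site] += 1
        hot = sorted(s for s, n in rejects.items() if n >= rejects_per_site)
        if len(hot) >= min_sites:
            alerts.append((start, "distributed-dictionary", hot, sum(rejects.values())))
    return alerts


def reauth_storm(events, width=10, users_per_site=5, min_sites=3):
    """Variant 2: de-authentication frames kick legitimate stations off the
    air and they reconnect at once, so the server sees a burst of *successful*
    logins from users who were already authenticated, at several sites."""
    alerts, seen = [], set()
    for start, bucket in windows(events, width):
        repeats = defaultdict(set)
        for e in bucket:
            if e.accepted and e.user in seen:
                repeats[e.site].add(e.user)
        seen.update(e.user for e in bucket if e.accepted)
        hot = sorted(s for s, u in repeats.items() if len(u) >= users_per_site)
        if len(hot) >= min_sites:
            alerts.append((start, "reauth-storm", hot, sum(len(u) for u in repeats.values())))
    return alerts


def build_sample():
    """Constructed log: four sites, a normal morning login, then both variants
    and a single-site brute force that must not trip the distributed rule."""
    lines = []
    sites = ["jhb", "cpt", "dbn", "pta"]
    for site in sites:                       # t=0: six staff per site log in
        for i in range(6):
            lines.append(f"0 {site} ap-{site}-1 user{i}@{site} ACCEPT")
    for site in ["jhb", "cpt", "dbn"]:       # t=120..168: 25 guesses per site
        for i in range(25):
            lines.append(f"{120 + 2 * i} {site} ap-{site}-2 admin REJECT")
    for site in ["jhb", "cpt", "pta"]:       # t=300..302: deauth, staff reconnect
        for i in range(6):
            lines.append(f"{300 + i % 3} {site} ap-{site}-1 user{i}@{site} ACCEPT")
    for i in range(40):                      # t=500..539: one site, one attacker
        lines.append(f"{500 + i} jhb ap-jhb-2 admin REJECT")
    return lines


if __name__ == "__main__":
    evs = [parse(l) for l in build_sample()]
    for alert in distributed_dictionary(evs) + reauth_storm(evs):
        print(alert)
```

The thresholds are placeholders to be tuned against the real login baseline; the point of the design is that the per-site counts are correlated at the server (or in a SIEM fed by it), because a per-access-point view sees only 25 failed logins a minute and has no reason to raise an alarm.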

Rosewarne, who maintains that other combinations are possible, says businesses with multiple office locations served by a single identity management server could be particularly vulnerable to phlooding. He spells out possible counter-measures, including regional or local authentication architecture.

"Single centralised authentication servers are generally easiest to maintain and manage, but are a single point of failure or attack. Even with a hot standby system, these may be vulnerable, since phlooding a downed primary server will roll all phlood traffic to the secondary device," says Rosewarne.

"Regional or local authentication servers (slaves or distributed) reduce this risk. Another counter-measure involves certificate-based authentication. Some authentication protocols reject incorrect or incomplete logins more quickly since they are looking for certifications."
