
Beware of 'phlooding' attacks

By Staff Writer, ITWeb
Johannesburg, 05 Oct 2005

A new wireless LAN threat has emerged involving a group of simultaneous, but geographically distributed, attacks that target a business's authentication or network log-in structure, says Concillium Technologies security specialist Craig Rosewarne.

Dubbed "phlooding", the goal is to overload a business's central authentication server, according to wireless LAN security maker AirMagnet, which coined the term. AirMagnet believes the new form of distributed wireless attacks appears to target central wired assets.

"In a phlooding attack, several attackers in different locations bombard wireless access points with login requests using multiple password combinations in what are known as dictionary attacks," says Rosewarne.

"This creates a flood of authentication requests to the company's central authentication server. This could slow down logins and potentially interfere with broader network operations, since many different users and applications often validate themselves against the same management server for e-mail access, database applications and other corporate uses."

Phlooding could block virtual private network or firewall connections that use a common authentication server to verify an incoming user's identity, making it temporarily impossible for employees to access their corporate network, he says.

According to Rosewarne, AirMagnet recently identified two variants of a common attack model. The first was a series of simultaneous dictionary attacks against wireless access points in different locations, which involved a high rate of authentication or login requests. The second is a variant that uses de-authentication attacks against stations in many locations, instead of a direct dictionary attack, so that the forced reconnections generate the login burst.

Rosewarne notes that although the first is not enough to disable any of the individual access points, it creates a 'phlood' of authentication requests to the central authentication server, which is near the core of the wired network.

The second attack also creates a sudden burst of authentication requests, hits local wireless users and threatens central authentication services.
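As an added defender-side illustration (not from the article, AirMagnet or Concillium), the Python below flags the pattern described above: a burst of failed logins that no single access point would notice on its own but which adds up at the central authentication server. The log format, site names and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example (not a real vendor format):
#   "<ISO timestamp> nas=<access point id> user=<login> result=<ok|fail>"
def parse_line(line):
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec

def detect_phlood(lines, window_s=60, total_limit=50, per_ap_limit=20):
    """Bucket failed logins into fixed windows and flag windows where the
    aggregate failure count seen by the central server exceeds total_limit
    while no single access point exceeds per_ap_limit, i.e. the distributed
    pattern the article describes. Returns [(window_start, total, per_ap)]."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec["result"] != "fail":
            continue
        secs = (rec["ts"] - datetime.min).total_seconds()
        start = datetime.min + timedelta(seconds=int(secs // window_s) * window_s)
        buckets[start][rec["nas"]] += 1
    alerts = []
    for start in sorted(buckets):
        per_ap = buckets[start]
        total = sum(per_ap.values())
        if total > total_limit and max(per_ap.values()) <= per_ap_limit:
            alerts.append((start, total, dict(per_ap)))
    return alerts

def constructed_log():
    """Constructed sample: five sites each sending 12 bad logins within the
    same minute (60 in total, none over 20 alone), then one site with 3
    failures and one success five minutes later, which should not alert."""
    lines = []
    for i, ap in enumerate(["ap-jhb", "ap-cpt", "ap-dbn", "ap-pta", "ap-pe"]):
        for k in range(12):
            ts = datetime(2005, 10, 5, 9, 0, i * 10 + k % 10)  # seconds 0..49
            lines.append(f"{ts.isoformat()} nas={ap} user=u{k} result=fail")
    for k in range(3):
        ts = datetime(2005, 10, 5, 9, 5, k)
        lines.append(f"{ts.isoformat()} nas=ap-jhb user=bob result=fail")
    lines.append("2005-10-05T09:05:10 nas=ap-cpt user=carol result=ok")
    return lines

if __name__ == "__main__":
    for start, total, per_ap in detect_phlood(constructed_log()):
        print(f"{start.isoformat()}: {total} failed logins across {len(per_ap)} APs {per_ap}")
```

A per-access-point threshold alone would never fire on this input; only the view from the central server reveals the attack.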

Rosewarne, who maintains that other combinations are possible, says businesses with multiple office locations served by a single identity management server could be particularly vulnerable to phlooding. He spells out possible counter-measures, including regional or local authentication architecture.

"Single centralised authentication servers are generally easiest to maintain and manage, but are a single point of failure or attack. Even with a host standby system, these may be vulnerable, since phlooding a downed primary server will roll all phlood traffic to the secondary device," says Rosewarne.

"Regional or local authentication servers (slaves or distributed) reduce this risk. Another counter-measure involves certificate-based authentication. Some authentication protocols reject incorrect or incomplete logins more quickly since they are looking for certifications."
