Wireless solutions are in great demand as businesses seek to become more flexible and productive. Employees are increasingly accessing their company networks through their home wireless networks or public wireless 'hotspots'. Stuart Compton, from Verizon Business, examines the darker side of all this easy access.

Businesses today are increasing their dependence on wireless networks to become more productive and operate and maintain a cost effective and competitive advantage. However, businesses need to control and prevent their network and systems from being exposed to wireless attacks.

Many businesses overlook the potential impact of a denial of service (DoS) attack against their wireless network. Wireless networks are vulnerable to DoS attacks and the results can be anything from degradation of the wireless network to a complete loss of availability of the wireless network within the business.

To launch a DoS attack against an organisation it does not require a very sophisticated attacker with expensive equipment. They can be launched from inside an organisation or from the outside at a distance using readily available standard wireless equipment. These attacks could be launched by competitors, for political reasons, as part of a combined attack or just for malicious reasons.

This article explores DoS attacks against wireless networks, introducing some examples of DoS attacks and some of the techniques available that attackers can make use of. We will discuss some of the available defensive measures that can be adopted by an organisation to protect their business and what the Institute of Electrical and Electronics Engineers (IEEE) is doing to help mitigate DoS attacks.

Background

Since the ratification of the IEEE 802.11i in 2004, organisations have been able to improve the security on their wireless networks by making use of the Advanced Encryption Standard (AES). However, the protection offered by 802.11i only applies to data frames and does not provide any protection over management frames.

It is these management frames that can be insecure and lead to DoS attacks. At this stage it is important to classify the types of wireless DoS attacks that an attacker can carry out against an organisation's wireless network. Attackers can target the physical medium itself (layer 1), the media access control (MAC) layer (layer 2) or the wireless clients themselves.

Physical medium (layer 1) attacks

Any network that relies on a shared medium is subject to DoS attacks from other devices sharing the same medium. When one device saturates the medium, other clients will find it difficult to communicate.

An attacker using a laptop equipped with a high output wireless client card and a high gain antenna can launch a physical medium attack on an organisation's wireless network. This is achieved by generating enough RF noise to reduce the signal-to-noise ratio to an unusable level by saturating the 802.11 frequency.

Disruptions to organisations can also be caused by noise from everyday household items such as microwave ovens, cordless phones, or any other appliance that operate on the 2.4 GHz or 5 GHz radio frequency used by 802.11 networks. If the access point of an organisation can be physically located by an attacker, this or the antenna can also be the target of a physical attack leaving the clients with little or no connectivity. 

MAC (layer 2) attacks

On an 802.11 network, an attacker can transmit packets using a spoofed source MAC address of an access point. The recipient of these spoofed frames has no way of telling if they are legitimate or illegitimate requests and is likely to process them.

The ability to transmit spoofed management frames allows MAC (layer 2) attacks to take place. Two such layer 2 attacks are the authentication/association flood attack and deauthentication / disassociation flood attack.

Authentication / association flood attack

During the authentication / association flood attack, an attacker uses spoofed source MAC addresses that attempt to authenticate and associate to a target access point. The attacker repeatedly makes authentication / association requests, eventually exhausting the memory and processing capacity of the access point leaving clients with little or no connectivity.

Deauthentication / disassociation flood attack

In a deauthentication / disassociation flood attack, an attacker transmits spoofed frames with the source address of the access point. When the recipient receives the frames, they will disconnect from the network and attempt to reconnect.

If the attack is sustained, the clients will be unable to maintain a connection to the wireless network. The deauthentication / disassociation flood attack targets one or all users on a specific BSSID (MAC address of the access point).

Client attacks

Client attacks are attacks against the wireless stations themselves. For example, an attacker can set their service set identifier (SSID) to be the same as an access point located at a wireless hotspot or a corporate wireless network.

Then by directing a DoS attack against the access point, for example, by creating RF interference around it, legitimate users will lose their connections to the wireless hotspot or an organisation's wireless network and re-connect to the attacker’s access point. This is known as the 'evil twin' attack.

The outcome of an evil twin attack can vary. As the attacker's access point is not connected to the organisation's network, the victims will lose their connections to the legitimate access point when it re-connects to the attacker's access point.

Additionally, an evil twin can present users with fake login pages, allowing the attacker to collect user credentials and intercept all the traffic to that device, potentially stealing sensitive data belonging to an organisation. 

Defensive measures

The protection offered by 802.11i does not defend against the attacks that we have discussed so far in this paper. By deploying wireless LAN intrusion detection systems (WLAN IDS) this will go some way towards helping to identify DoS attacks but not actually stop the attack that is taking place. 

To defend against physical attacks, strategic placement of access points is crucial. Mounting access points at a sufficient height will at least prevent attackers from easily reaching and destroying the access point. Aiming directional access point antennas towards the inside of the building will help to contain the radio frequency (RF) signal.

Organisations can help to protect a wireless network against DoS attacks by making the buildings as resistive as possible to incoming radio signals. Installation of metallic window tint instead of blinds or curtains can help prevent RF leakage and incoming radio signals. Also the use of metallic based 'Wi-Fi proof wallpaper' and 'Wi-Fi paint' on the interior parts or the exterior walls will reduce RF leakage and incoming radio signals.

It is always good security practice for an organisation to carry out wireless auditing on its wireless network. This will determine how far the RF signal actually extends outside of the organisation and the RF signal power levels can be adjusted accordingly.

Improving the security of wireless networks by protecting the vulnerable management frames is essential to preventing many of the wireless DoS attacks that we have discussed in this article so far. With this in mind, the IEEE formed the 802.11w working group in February 2005 to address these issues. 

802.11w to the rescue?

The IEEE's goal with 802.11w is to protect management frames in 802.11 networks. This, therefore, will provide wireless networks within organisations with the protection against numerous DoS attacks targeted at layer 2.

The 802.11w standard is designed to provide protection by encrypting the unicast management frames between an access point and the client, as well as protecting broadcast management frames and deauthentication and disassociation frames from forgery attacks.