How to prevent wireless DoS attacks

24 Jul 2009 | SearchSecurity.com


Wireless Security
Lunchtime Learning

    Despite today's 802.11i robust security network (RSN) advances, WLANs remain very vulnerable to denial-of-service (DoS) attacks. While you may not be able to prevent DoS attacks, a wireless intrusion prevention system (WIPS) can help you detect when DoS attacks occur and where they come from, so that you can bring the intruder to justice -- or at least scare him away. This tip offers practical advice on how to recognize and respond to DoS attacks launched against your WLAN.

    Crowded skies
    Every wireless network is subject to radio interference, accidental and intentional. Because 802.11b/g (and sometimes 802.11n) networks use the crowded 2.4 GHz band, interference from other radio devices is common, including Bluetooth, cordless phones, microwave ovens and neighboring WLANs. 802.11a/n networks can use the 5 GHz band, which is far bigger and more lightly used, and thus less vulnerable to interference. Nonetheless, any company using a WLAN for mission-critical applications should be prepared for possible radio interference.

    Fighting interference can be difficult. These frequency bands are unlicensed, which gives everyone the same right to use them (subject to regulatory rules regarding power limits, etc.). While some building materials and paint offer RF shielding, they may be impractical for existing facilities or interfere with the operation of your own WLAN. Interference avoidance is therefore the strategy of choice for most WLAN administrators:

    • Use a WIPS to spot the appearance of new Wi-Fi devices that transmit 802.11 on the bands and channels used by your WLAN.
    • Use WIPS alerts to flag over-loaded channels (too many APs or Ad Hocs operating on a given frequency) or excessive error or retransmission rates (possible indications of non-802.11 interference).
    • Track down interference sources by using a WIPS to plot an approximate location on a floorplan. Then use a mobile tool (stumbler or WLAN analyzer) to search that area and isolate the device's location.
    • For non-802.11 interference sources, use a spectrum analyzer to monitor transmissions and fingerprint the type of device you should be looking for.
    • If you can't eliminate the culprit, reconfigure your APs to use less congested channels. Some WLAN controllers and APs even automate channel assignment when interference is detected. Consider moving to 5 GHz in repeat problem areas, like densely populated multi-tenant office buildings.

    DoS happens
    Most WLAN interference is accidental. While an attacker could use a high-powered RF signal generator to "jam" transmissions, there are many less expensive ways to intentionally DoS your WLAN. For example:

    • 802.11 Control frames can be used to "busy out" a channel so that no other station can transmit. Entering this continuous transmit mode is known as a Queensland DoS attack.
    • 802.11 Deauthenticate frames can be used to disconnect an individual station, or every station associated with a given AP. Sending a continuous stream of these forged frames is known as a Deauth Flood.
    • 802.11 Associate frames consume AP resources by creating entries in the AP's association table. Flooding an AP with Associate frames from random station MAC addresses can make the AP too busy to service real users.
    • Similar attacks can be launched using forged 802.1X packets -- for example, 802.1X EAP Logoff Flood, EAP Start Flood, and EAP-of-Death attacks.
    • Spoofed Block Acknowledgement control frames can be used to disrupt high-throughput multimedia streams in WLANs that use this new 802.11n feature.

    These and many other wireless DoS attacks are possible because only 802.11 data frames can carry the cryptographic integrity check or authentication codes used to detect forged messages. These attacks can be launched using off-the-shelf wireless cards and readily available shareware or open source tools, like aireplay and void11. The attacker just needs to be close enough to your WLAN to capture a little traffic to identify victims.

    Fortunately, most WIPS can recognize these DoS attack signatures. A WIPS can alert you to 802.11 or 802.1X floods, based on configured rate thresholds. A WIPS can also help you establish a performance baseline for your WLAN, so that you can tune attack thresholds. For example, an Associate Flood alert will be generated when a specific AP receives more than N Associates per minute, where N depends on the normal user behavior for your network.

    In addition, a WIPS can help you spot emerging attack patterns. For example, an attacker may precede an Evil Twin attack with a Deauth Flood. A WIPS can help you link these two attacks. An attacker may move from AP to AP, performing similar attacks, from different MAC addresses. A WIPS can help you spot this behavior, generating an escalated alert that draws more immediate attention to the attack in progress. Without a WIPS, some DoS attacks might be chalked up to intermittent performance problems. A WIPS gives you the ability to look back to see whether suspicious or known activity occurred around the time a WLAN failure was reported.
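    As an added illustration of the two detection ideas above (a per-AP rate threshold N over a one-minute window, and linking a Deauth Flood to a subsequent Evil Twin), here is a small detector written for this tip; it is example code, not from the original article or any WIPS product. The record format, the threshold values and the MAC addresses are assumptions, and the sensor records are constructed inline.

```python
from collections import defaultdict, deque

# Per-AP thresholds N for a 60-second window; assumed values, tuned from a baseline.
THRESHOLDS = {"deauth": 30, "assoc": 20}
WINDOW = 60        # seconds
CORRELATE = 300    # seconds a flood stays "hot" for linking to a new AP

# Constructed sensor records: (time_s, frame_type, bssid, ssid, src_mac).
# Normal beacons and a couple of ordinary deauths, then 40 deauths in 8 seconds
# against the corporate AP, followed by a beacon for the same SSID from an
# unknown BSSID (the Evil Twin pattern). MAC addresses are made up.
AP, TWIN = "02:00:00:00:00:01", "02:00:00:00:00:99"
SAMPLE = (
    [(t, "beacon", AP, "CorpNet", AP) for t in range(0, 400, 100)]
    + [(5, "deauth", AP, "CorpNet", AP), (50, "deauth", AP, "CorpNet", AP)]
    + [(100 + i * 0.2, "deauth", AP, "CorpNet", AP) for i in range(40)]
    + [(150, "beacon", TWIN, "CorpNet", TWIN)]
)

def detect(records, thresholds=THRESHOLDS, window=WINDOW):
    """Return (time, severity, message) alerts in time order."""
    recent = defaultdict(deque)     # (frame_type, bssid) -> timestamps in window
    flood_at = {}                   # bssid -> time of its latest flood alert
    bssids_for = defaultdict(set)   # ssid -> BSSIDs seen advertising it
    alerts = []
    for t, ftype, bssid, ssid, _src in sorted(records):
        if ftype in thresholds:
            q = recent[(ftype, bssid)]
            q.append(t)
            while q[0] <= t - window:      # drop frames older than the window
                q.popleft()
            # Fire once when the count first exceeds N, not on every frame after.
            if len(q) == thresholds[ftype] + 1:
                flood_at[bssid] = t
                alerts.append((t, "high",
                               f"{ftype} flood: {len(q)} frames/{window}s at AP {bssid}"))
        elif ftype == "beacon":
            seen = bssids_for[ssid]
            if seen and bssid not in seen:
                # New BSSID claiming a known SSID; escalate if an AP serving that
                # SSID was flooded recently, since the two often go together.
                hot = [b for b in seen if t - flood_at.get(b, -1e9) <= CORRELATE]
                sev = "critical" if hot else "medium"
                msg = f"new AP {bssid} advertising '{ssid}'"
                alerts.append((t, sev, msg + (f" after flood on {hot[0]}" if hot else "")))
            seen.add(bssid)
    return alerts
```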

    For immediate investigation of an attack on a remote site, put a WIPS agent (i.e., an AP assigned to operate in full-time WIPS mode or a dedicated sensor) into capture mode. By capturing the attack in progress, you can determine affected systems and gather evidence to support disciplinary or legal actions. You may also want to put MAC addresses involved in past attacks on a "watch list" so that high priority alerts can prompt fast action if and when the attacker returns. Some WIPS even implement anti-DoS "strike back" actions that can be automatically invoked to reduce the severity or duration of a detected DoS attack.

    As with interference, a WIPS can help you physically locate DoS attack sources. However, malicious attackers may not stick around long, so on-site searches may prove futile unless conducted quickly. Furthermore, decide in advance whether search staff should attempt to identify the culprit, issue a warning, call security, etc. Remember, the attacker may be operating from a public area, like a nearby parking lot, where you really have no authority.

    Conclusion
    These measures can be helpful to spot, diagnose, and respond to radio interference and DoS attacks. But none of these steps can completely insulate your WLAN. If wireless is critical to your business, create a fallback plan. Wired networks routinely employ high-availability measures like link diversity, redundant routers, and uninterruptible power supplies. Apply this thinking to your WLAN as well by taking advantage of standard RF interference avoidance techniques like Dynamic Frequency Selection (DFS) and considering where, when, and how wired alternatives would be applied when all wireless remedies have been exhausted.
