Fighting wireless DoS attacks

Wireless Security Lunchtime Learning

Despite recent 802.11 security advances, WLANs remain very vulnerable to denial-of-service (DoS) attacks. While you may not be able to prevent DoS attacks, a wireless intrusion detection system (WIDS) can help you detect when DoS attacks occur and where they come from, so that you can bring the intruder to justice -- or at least scare him away. This tip offers practical advice on how to recognize and respond to DoS attacks launched against your WLAN.

Crowded skies

Every wireless network is subject to radio interference, accidental and intentional. Because 802.11b/g networks use the crowded 2.4 GHz band, interference from other radio devices is common, including Bluetooth, cordless phones, microwave ovens and neighboring WLANs. 802.11a networks use the 5 GHz band, which is bigger and lightly used, thus less vulnerable to interference. Nonetheless, any company using a WLAN for mission critical applications should be prepared for possible radio interference.

Fighting interference can be difficult. These frequency bands are unlicensed, which gives everyone the same right to use them (subject to regulatory rules regarding power limits, etc). While some building materials and paint offer RF shielding, they may be impractical for existing facilities or interfere with operation of your own WLAN. Interference avoidance is therefore the strategy of choice for most WLAN administrators:

1. Use a WIDS to spot the appearance new devices that transmit 802.11 on the bands and channels used by your WLAN.
2. Use WIDS alerts to flag over-loaded channels (too many APs or Ad Hocs operating on a given frequency) or excessive error or retransmission rates (possible non-802.11 interference).
3. Track down interference sources by using a WIDS to plot an approximate location on a floorplan. Then use a mobile tool (stumbler or WLAN analyzer) to search that area and isolate the device's location.
4. For non-802.11 interference sources, use a spectrum analyzer to monitor transmissions and fingerprint the type of device you should be looking for.
5. If you can't eliminate the culprit, reconfigure your APs to use less congested channels. Some WLAN switches even automate channel assignment when interference is detected. Consider moving to 802.11a in repeat problem areas, like densely-populated multi-tenant office buildings.

DoS happens

Most WLAN interference is accidental. While an attacker could use an RF jammer, like a high-powered RF signal generator, there are many less expensive ways to intentionally DoS your WLAN. For example:

• 802.11 Control frames can be used to "busy out" a channel so that no other station can transmit. Entering this continuous transmit mode is known as a Queensland DoS attack.
• 802.11 Deauthenticate frames can be used to disconnect an individual station, or every station associated with a given AP. Sending a continuous stream of these forged frames is known as a Deauth Flood.
• 802.11 Associate frames consume AP resources by creating entries in the AP's association table. Flooding an AP with Associate frames from random station MAC addresses can make the AP too busy to service real users.
• Similar attacks can be launched using forged 802.1X packets -- for example, 802.1X EAP Logoff Flood, EAP Start Flood, and EAP-of-Death attacks.

These and many other wireless DoS attacks are possible because only 802.11 data frames carry integrity check codes used to detect forged messages. These attacks can be launched using off-the-shelf wireless cards and readily-available shareware or open source tools, like airjack and void11. The attacker just needs to be close enough to your WLAN to capture a little traffic to identify victims.

Fortunately, most WIDS can recognize these DoS attack signatures. A WIDS can alert you to 802.11 or 802.1X floods, based on configured rate thresholds. A WIDS can also help you establish a performance baseline for your WLAN, so that you can tune attack thresholds. For example, an Associate Flood alert will be generated when a specific AP receives more than N Associates per minute, when N depends on the normal user behavior for your network.

In addition, a WIDS can help you spot emerging attack patterns. For example, an attacker may precede an Evil Twin attack with a Deauth Flood. A WIDS can help you link these two attacks. An attacker may move from AP to AP, performing similar attacks, from different MAC addresses. A WIDS can help you spot this behavior, generating an escalated alert that draws more immediate attention to the attack in progress. Without a WIDS, some DoS attacks might be chalked up to intermittent performance problems. A WIDS gives you the ability to look back to see whether suspicious or known activity occurred around the time a WLAN failure was reported.

For immediate investigation of an attack on a remote site, put a WIDS sensor into capture mode. By capturing the attack in progress, you can determine affected systems and gather evidence to support disciplinary or legal actions. You may also want to put MAC addresses involved in past attacks on a "watch list" so that high priority alerts can prompt fast action if and when the attacker returns.

As with interference, a WIDS can help you physically locate DoS attack sources. However, malicious attackers may not stick around long, so on-site searches may prove futile unless conducted quickly. Furthermore, decide in advance whether search staff should attempt to identify the culprit, issue a warning, call security, etc. Remember, the attacker may be operating from a public area, like a nearby parking lot, where you really have no authority.

Conclusion

These measures can be helpful to spot, diagnose, and respond to radio interference and DoS attacks. But none of these steps can completely insulate your WLAN. If wireless is critical to your business, create a fallback plan. Wired networks routinely employ high-availability measures like link diversity, redundant routers, and uninterruptible power supplies. Apply this thinking to your WLAN as well by considering where and how wired alternatives should be applied.

>> Read the next tip: To block or not to block: Rogue containment methods