Most WLAN interference is accidenta

Most WLAN interference is accidental. While an
attacker could use a high-powered RF signal
generator to "jam" transmissions, there are many
less expensive ways to intentionally DoS your
WLAN. For example: 802.11 Control frames can be used to "busy out"
a channel so that no other station can transmit.
Entering this continuous transmit mode is known
as a Queensland DoS attack. 802.11 Deauthenticate frames can be used to
disconnect an individual station, or every station
associated with a given AP. Sending a continuous
stream of these forged frames is known as a
Deauth Flood. 802.11 Associate frames consume AP resources
by creating entries in the AP's association table.
Flooding an AP with Associate frames from
random station MAC addresses can make the AP
too busy to service real users. Similar attacks can be launched using forged
802.1X packets -- for example, 802.1X EAP
Logoff Flood, EAP Start Flood, and EAP-of-Death
attacks. Spoofed Block Acknowledgement control frames
can be used to disrupt high-throughput multimedia
streams in WLANs that use this new 802.11n
feature. These and many other wireless DoS attacks are
possible because only 802.11 data frames can carry
cryptographic integrity check or authentication
codes used to detect forged messages. These
attacks can be launched using off-the-shelf wireless
cards and readily-available shareware or open source tools, like airereplay and void11. The
attacker just needs to be close enough to your
WLAN to capture a little traffic to identify victims. Fortunately, most WIPS can recognize these DoS
attack signatures. A WIPS can alert you to 802.11
or 802.1X floods, based on configured rate
thresholds. A WIPS can also help you establish a
performance baseline for your WLAN, so that you
can tune attack thresholds. For example, an Associate Flood alert will be generated when a
specific AP receives more than N Associates per
minute, when N depends on the normal user
behavior for your network. In addition, a WIPS can help you spot emerging
attack patterns. For example, an attacker may
precede an Evil Twin attack with a Deauth Flood. A WIPS can help you link these two attacks. An
attacker may move from AP to AP, performing
similar attacks, from different MAC addresses. A
WIPS can help you spot this behavior, generating
an escalated alert that draws more immediate
attention to the attack in progress. Without a WIPS, some DoS attacks might be chalked up to
intermittent performance problems. A WIPS gives
you the ability to look back to see whether
suspicious or known activity occurred around the
time a WLAN failure was reported. For immediate investigation of an attack on a
remote site, put a WIPS agent (i.e., an AP assigned
to operate in full-time WIPS mode or a dedicated
sensor) into capture mode. By capturing the attack
in progress, you can determine affected systems
and gather evidence to support disciplinary or legal actions. You may also want to put MAC addresses
involved in past attacks on a "watch list" so that
high priority alerts can prompt fast action if and
when the attacker returns. Some WIPS even
implement anti-DoS "strike back" actions that can
be automatically invoked to reduce the severity or duration of a detected DoS attack. As with interference, a WIPS can help you
physically locate DoS attack sources. However,
malicious attackers may not stick around long, so
on-site searches may prove futile unless conducted
quickly. Furthermore, decide in advance whether
search staff should attempt to identify the culprit, issue a warning, call security, etc. Remember, the
attacker may be operating from a public area, like a
nearby parking lot, where you really have no
authority. Conclusion These measures can be helpful to spot, diagnose,
and respond to radio interference and DoS attacks.
But none of these steps can completely insulate
your WLAN. If wireless is critical to your business, create a fallback plan. Wired networks routinely
employ high-availability measures like link diversity,
redundant routers, and uninterruptible power
supplies. Apply this thinking to your WLAN as well
by taking advantage of standard RF interference
avoidance techniques like Dynamic Frequency Selection (DFS) and considering where, when, and
how wired alternatives would be applied when all
wireless remedies have been exhausted.