We will take a look at denial-of-service (DoS) attacks against wireless networks. Every 802.11 network relies on management frames, which tell clients that they may connect or must disconnect. As covered in the management frame section, a de-authentication frame disassociates a wireless end device from an access point. These frames, like all management frames, are sent in cleartext even when WEP is enabled, so they can easily be forged to force legitimate users off the network. This can be accomplished in a number of ways: one is to replay a previously captured disassociation frame with a wireless sniffer; an easier one is to use a tool called WLAN-JACK, which does this for you. Either way, all that is required is the ability to send a de-authentication frame to a wireless client.
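Because de-authentication and disassociation frames are cleartext management frames, a monitor-mode sensor can at least detect when they arrive in bursts. The following is an added example, not code from the original text: it parses raw 802.11 frames (radiotap header assumed already stripped), picks out deauth/disassoc subtypes, and flags any BSSID whose frames exceed a per-second threshold, as a wireless IDS would. The MAC addresses, sample frames, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

MGMT, DISASSOC, DEAUTH = 0, 10, 12  # 802.11 frame type / subtype values


def parse_mgmt(raw: bytes):
    """Parse a raw 802.11 frame (no radiotap header). Returns
    (subtype, addr1, addr2, addr3, reason) for deauth/disassoc frames,
    else None. Header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) Seq(2);
    deauth/disassoc bodies begin with a little-endian 16-bit reason code."""
    if len(raw) < 26:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    if ftype != MGMT or subtype not in (DISASSOC, DEAUTH):
        return None
    a1, a2, a3 = (raw[i:i + 6].hex(":") for i in (4, 10, 16))
    return subtype, a1, a2, a3, int.from_bytes(raw[24:26], "little")


def detect_floods(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes). Returns
    {bssid: peak} for every BSSID seen sourcing more than `threshold`
    deauth/disassoc frames inside any `window`-second span."""
    recent, peaks = defaultdict(deque), {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        bssid = parsed[3]  # forged frames carry the AP's address, so count per BSSID
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def make_deauth(dst, src, bssid, reason=7, subtype=DEAUTH):
    """Constructed sample frame for exercising the parser (not captured data)."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0])
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00"
            + reason.to_bytes(2, "little"))


# Constructed capture: one benign deauth, then a burst of 40 frames in 0.4 s.
AP, CLIENT, BCAST = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.0, make_deauth(CLIENT, AP, AP, reason=3))]
SAMPLE += [(5.0 + i * 0.01, make_deauth(BCAST, AP, AP)) for i in range(40)]
```

Running `detect_floods(SAMPLE)` reports the AP's BSSID with a peak of 40 frames in one window, while the single benign frame alone is not flagged.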
On May 13, 2004, a major attack against 802.11, 802.11b, and mixed-mode 802.11g networks was found. The flaw affects the clear channel assessment (CCA) procedure, which minimizes the probability that two wireless devices will transmit on the same frequency at the same time. The attack causes all devices in range to stop working until the attacker stops sending the malicious frame. Any wireless device is capable of carrying out this attack, and even with most of the current security standards in place, no 802.11, 802.11b, or mixed-mode 802.11g network is safe from it. The way to prevent this risk is to use a system that encrypts all traffic at layer two.
EAP DoS Attacks
Some of the DoS attacks that exist today take advantage of weaknesses in the EAP architecture. These involve sending corrupt frames or tying up the access point with unnecessary processing. Following are some of the types of attacks that can be performed.
The first attack involves sending EAP Start frames to an access point. If the access point cannot properly process all of these frames, there is a chance that it will reboot or become inoperable; an attacker would then try to push traffic past the device while it reboots or malfunctions. Another attack against the access point involves sending malformed EAP messages. Some malformed EAP messages can take down an access point or a RADIUS server; this has been demonstrated on FreeRADIUS by sending an EAP-TLS frame with the flags set in a certain way. One of the latest attacks against the access point involves exhausting the EAP identifier space. EAP allows 255 ID values to keep track of each client instance, so if an attacker can flood the access point with enough connections to fill this counter, a DoS attack may be possible.