Management and control frames

Management frames and control frames in wireless networks are used to establish and maintain communication between two wireless devices. Typically, wireless clients send probe request frames to check for the presence of preferred networks. Once the preferred wireless network is identified, authentication takes place, and then association frames are used to complete the joining process. Even if encryption techniques, such as WEP, WPA, or WPA2, are configured and used on the wireless network, management frames are not encrypted, so anyone in range of the AP and capable of sniffing can capture the traffic and analyze it later. Management frames do not contain sensitive information, nor is any client data passed using them. You would then assume that there is no harm in sending these frames, which handle the setup and teardown of connections, in the clear. This assumption is false: these frames can be spoofed and manipulated by an attacker, which can then lead to a denial-of-service condition.

The following table highlights several management frame subtypes:

| Frame | Description |
|---|---|
| Beacon frames | These are broadcast from the access point to announce its presence and advertise information about the configured networks. |
| Probe requests | These are sent by a station in an attempt to contact another station and gather information about it. An example of this is when a client is looking for an access point. |
| Probe responses | These are responses to probe requests; a station sends out information about its capabilities. |
| Authentication | These are unicast frames from a station, used to determine whether the client has the appropriate capabilities to join the wireless network. |
| Deauthentication | This is sent when communication has concluded between stations, such as if the wireless network device needs to disconnect clients or the client has concluded its session. |
| Association requests | This is sent from the client to ask the AP to join a particular SSID and send over information about the capabilities of the client. |
| Association responses | This is sent from the station in response to the authentication request frame. |
| Reassociation requests | This is sent when a client is moving between APs in a given ESSID or when it rejoins a given AP after a period of time. |
| Reassociation responses | This is similar to association responses, and it verifies the requested action to the client. |

As there is no way to authenticate management frames without the aforementioned 802.11w, anyone can send maliciously crafted management frames and inject them into a wireless network. Wireless clients accept the fake management frames originating from an attacker machine and become victims of the attack. To perform denial-of-service attacks, we are particularly interested in the beacon, authentication, and deauthentication subtypes of management frames. A single deauthentication packet from an access point to a wireless client is enough to disconnect the client from the network. The attacker can spoof the access point and send deauthentication packets to disconnect all or selected clients from the network.
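From the monitoring side, the subtypes in the table can be read straight from the first byte of the frame header, and a burst of unprotected deauthentication frames is the signal to watch for. The following is an added example, not code from the book: the function names, the one-second window, the threshold of five, and the sample addresses are assumptions, and the input is assumed to be a raw 802.11 header with any radiotap header already stripped.

```python
from collections import defaultdict, deque

# Management frame (type 0) subtype values from IEEE 802.11.
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 2: "reassociation request", 3: "reassociation response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Decode a raw 802.11 management header; None for anything else."""
    if len(frame) < 24 or frame[0] & 0x0F:  # need version 0, type 0 (management)
        return None
    subtype = frame[0] >> 4
    info = {"subtype": MGMT_SUBTYPES.get(subtype, f"other ({subtype})"),
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]),
            "protected": bool(frame[1] & 0x40),  # Protected Frame bit (802.11w)
            "reason": None}
    if subtype in (10, 12) and not info["protected"] and len(frame) >= 26:
        info["reason"] = int.from_bytes(frame[24:26], "little")  # reason code
    return info

def deauth_bursts(capture, window=1.0, threshold=5):
    """capture: time-ordered (timestamp, frame) pairs. Returns the claimed
    transmitter addresses on >= threshold unprotected deauthentication frames
    within `window` seconds. The address is only what the frame claims."""
    recent, flagged = defaultdict(deque), set()
    for ts, frame in capture:
        info = parse_mgmt(frame)
        if not info or info["subtype"] != "deauthentication" or info["protected"]:
            continue
        times = recent[info["src"]]
        times.append(ts)
        while ts - times[0] > window:   # drop timestamps outside the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add(info["src"])
    return flagged

# Constructed sample input: made-up, locally administered addresses.
AP, STA, BCAST = (bytes.fromhex(h) for h in ("02aabbccdd01", "02aabbccdd02", "ffffffffffff"))
def hdr(fc0, dst, src, body=b""):
    return bytes([fc0, 0, 0, 0]) + dst + src + AP + b"\x00\x00" + body
SAMPLE = [(0.00, hdr(0x80, BCAST, AP)), (0.05, hdr(0x40, BCAST, STA))]
SAMPLE += [(1.0 + 0.05 * i, hdr(0xC0, STA, AP, b"\x07\x00")) for i in range(6)]
```

Because the frames are unauthenticated, a flagged address identifies the network under attack, not the sender; on a network with 802.11w enabled, any unprotected deauthentication frame aimed at an associated client is itself worth alerting on.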
