While most penetration tests tend to focus on the exploitation of networks and the extraction of sensitive data, the loss of service and the inability of an organization to utilize its own wireless network can also have a significant impact on their productivity. Denial of Service attacks on wireless networks are typically given less importance compared to other attacks; however, they can still pose a very credible threat to the network, and the identification and response to such attacks need to be a part of the administrator's repertoire. Attackers can temporarily disable a wireless network using various techniques and can render the network unavailable to legitimate users.
In this chapter, we will look at some common techniques that can be deployed by the attacker to degrade or potentially render the wireless network unusable. We will discuss the following four major techniques to perform DoS attacks on the target wireless network:
- The authentication flood attack
- The fake beacon flood attack
- The deauthentication flood attack
- The CTS/RTS flood attack
Denial of Service attacks do not reveal any sensitive information to attackers. Rather, they disable access to critical resources and cause inconvenience to administrators and users alike. These attacks can also be combined with other attack techniques in order to make them more devastating and efficient.
As with most Denial of Service conditions, there are no hard and fast solutions to prevent them. However, it is possible to detect the attacks when they are occurring and have an appropriate procedure in place in order to respond to them and mitigate them. Most wireless Intrusion Detection Systems (IDS) and other monitoring systems can detect and alert about DoS attacks, making them an essential tool for protecting your wireless network.
A Denial of Service attack
When compared to a wired Ethernet scenario, DoS attacks are easier to perform on wireless networks. On networks that fail to protect management frames—read nearly every wireless network—a single packet from the attacker machine can disconnect a client connection from the access point. The common way to prevent these attacks is physical security and attempting to limit access to the RF spectrum of the wireless network. However, in the absence of constructing a Faraday cage around your building, this is rarely successful when attackers may have technologies that allow them to see and access the RF at great distances using advanced wireless adapters and direction antennas, as discussed in Chapter 1, Wireless Penetration Testing Fundamentals.
Some wireless vendors have attempted to mitigate these DoS attacks by leveraging MFP, or Management Frame Protection, and other, similar protection techniques. These techniques have been ratified by the IEEE as 802.11w in an attempt to add additional security to the usually clear-text management frames used to set up and maintain wireless connections between clients and APs. We will read more about these frames in the next section.