Denial of Service (DoS) attacks on wireless networks are almost impossible to stop. Some attacks can be mitigated, but ultimately, the goal is to find the device causing the DoS and break it into a million pieces.
Most DoS attacks on wireless networks rely on deauthentication. A deauthentication attack is a type of denial-of-service attack that targets the communication between a user and a Wi-Fi access point. Simply put, authentication refers to validating usernames and passwords with an IP address. Conversely, deauthentication is a request in which a router or AP tells a Wi-Fi user to disconnect from it. The attack uses deauthentication packets that cause the targeted client to lose connectivity to an AP; the client must then authenticate again to regain access, which means sending its login credentials.
How Does a Hacker Cause a DoS Attack?
1. Client Deauthentication
An attacker can disguise their device by using the same MAC address as a user's device connected to the network. Next, the attacker sends a request to that device's Access Point (AP), asking the AP to deauthenticate the connected device.
Typically, there is no limit to the number of deauthentication packets that can be sent, so an attacker can send an unlimited stream of them. Meanwhile, the user's device, which is receiving deauthentication response packets from the AP, cannot simultaneously send the packets it needs to authenticate to the same AP. This makes it impossible for the device to reconnect to that AP, and the result is a Denial of Service (DoS) attack.
2. Access Point/Network Deauthentication
Apart from deauthenticating a single device, an attacker can send a deauthentication request to the access point (AP) itself. The AP then sends a deauthentication response to every device connected to the wireless network. As with client deauthentication, there is no limit to the number of deauthentication requests an attacker can send, so a malicious actor can send them without bound. A device receiving deauthentication responses from the AP cannot simultaneously send authentication requests to the same AP, so none of the devices can reconnect to it, resulting in a DoS attack.
3. Authentication/Association Flooding
This attack requires the adversary to know the wireless network's password. Typically, an AP allows many devices to connect at any given time; it tracks them with an Association Identifier (AID) table that stores the details of every connected device. Unless the AP receives a deauthentication request (either from the client or from an attacker), the AID table retains the entry for that device. By design, a device stays associated with the network without ever sending a deauthentication request, and the AP keeps accepting associations until it reaches the maximum number of devices it can serve at once. After that, it cannot accept connections from any other device.
Attackers exploit this design to cause DoS attacks. First, they send multiple association requests to the AP to connect to the network. Then they keep sending requests until the AID table is full. Once the AID table is flooded, the AP drops connections with all connected devices and, what's worse, previously connected devices are unable to reconnect.
4. Nearby WIPS Deauthenticating Clients
This issue is not a direct result of a hacker's action but a design flaw in modern AP solutions. Today, many AP products include Wireless Intrusion Prevention System (WIPS) features that prevent connected devices from connecting to rogue access points. Examples of vendors offering WIPS include Aruba Networks, Cisco Meraki, and Ubiquiti. Indeed, these features are essential for companies looking for Layer 3 (Network) type defenses.
However, they can be problematic for nearby networks that use the same network name as one restricted by the WIPS. By design, a WIPS keys only on the network name when acting on a perceived threat. Therefore, a neighboring wireless AP can disconnect, and keep deauthenticating, clients attempting to connect to another AP whose network name matches one the WIPS restricts.
Detecting the Above DoS Attacks with Sonar
Unquestionably, every wireless network is subject to DoS attacks, whether intentional (attacks) or accidental (a WIPS in proximity). Thus, every company using a Wi-Fi network for mission-critical and business applications should be prepared for possible interference.
We can monitor signal strength, which isn't the best way to identify a device's location, but it is a start. More capability is needed to discover the traffic that signifies a DoS attack.
Sonar, Pulsar Security's proprietary device for continuous wireless monitoring, can pick up the radio-frequency traffic that signifies this type of attack. When a DoS attack happens, there are ways to reduce the damage, and the Pulsar Security team consults with the customer on applying them. While you may not be able to block DoS attacks entirely, the Sonar service helps you detect when such attacks occur and where they originate. Such discoveries help you track the intruder down and bring them to justice, or at least scare attackers away.
Sonar detects the appearance of new Wi-Fi devices and connections transmitting 802.11 frames on the bands and channels used by your company's wireless network. With Sonar alerts, security teams can flag overloaded channels or excessive error and retransmission rates that signify DoS attacks. What's more, with Sonar insights, the team can track down interference sources by identifying their approximate location on the network bands and channels.
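As an added example (not Sonar's code or anything from Pulsar Security), the following Python sliding-window detector flags the three attack signatures described above from captured 802.11 management-frame metadata: a burst of deauthentication frames aimed at one client, a burst aimed at the broadcast address, and association requests from an unusual number of distinct client MACs in a short window. The frame records, MAC addresses and thresholds are constructed for illustration; in practice the metadata would come from a monitor-mode capture.

```python
from collections import defaultdict, deque

# Subtypes of the 802.11 management frames this page describes.
DEAUTH, DISASSOC, ASSOC_REQ = "deauth", "disassoc", "assoc_req"
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:00:00:01"          # constructed BSSID of "our" access point
VICTIM = "11:22:33:44:55:66"      # constructed client MAC

# Constructed frame metadata, not a real capture: (time_s, subtype, src, dst, bssid).
SAMPLE_FRAMES = (
    [(0.0, ASSOC_REQ, VICTIM, AP, AP), (0.5, DEAUTH, AP, VICTIM, AP)]   # normal traffic
    # 1. client deauthentication: 30 deauth frames to one client in 1.5 s
    + [(2.0 + i * 0.05, DEAUTH, AP, VICTIM, AP) for i in range(30)]
    # 2. AP/network deauthentication: deauth frames to the broadcast address
    + [(5.0 + i * 0.05, DEAUTH, AP, BROADCAST, AP) for i in range(25)]
    # 3. association flooding: 60 association requests from 60 distinct client MACs
    + [(8.0 + i * 0.02, ASSOC_REQ, f"02:00:00:00:00:{i:02x}", AP, AP) for i in range(60)]
)

def _prune(q, now, window_s):
    """Drop queue entries that fell out of the sliding window."""
    while q and q[0][0] < now - window_s:
        q.popleft()

def detect_floods(frames, window_s=1.0, deauth_threshold=10, assoc_threshold=20):
    """Return [(time, kind, bssid, detail)] alerts, at most one per (kind, bssid)."""
    deauth_win = defaultdict(deque)   # bssid -> deque of (time, dst) for deauth/disassoc
    assoc_win = defaultdict(deque)    # bssid -> deque of (time, src) for association requests
    alerts, seen = [], set()
    for t, subtype, src, dst, bssid in sorted(frames):
        if subtype in (DEAUTH, DISASSOC):
            q = deauth_win[bssid]
            q.append((t, dst))
            _prune(q, t, window_s)
            if len(q) >= deauth_threshold:   # too many kicks from one BSSID in the window
                kind = ("broadcast_deauth_flood" if any(d == BROADCAST for _, d in q)
                        else "client_deauth_flood")
                if (kind, bssid) not in seen:
                    seen.add((kind, bssid))
                    alerts.append((t, kind, bssid, f"{len(q)} frames in {window_s}s"))
        elif subtype == ASSOC_REQ:
            q = assoc_win[bssid]
            q.append((t, src))
            _prune(q, t, window_s)
            clients = {s for _, s in q}   # distinct MACs trying to fill the AID table
            if len(clients) >= assoc_threshold and ("assoc_flood", bssid) not in seen:
                seen.add(("assoc_flood", bssid))
                alerts.append((t, "assoc_flood", bssid, f"{len(clients)} clients in {window_s}s"))
    return alerts
```

A neighbouring WIPS containing your SSID produces the same deauthentication signature as a deliberate attack, so correlate these alerts with the transmitting radio's signal strength and approximate location before deciding which case you are in.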
If we find that it is challenging to eliminate the culprit causing the DoS attacks, we reconfigure the APs to use different SSIDs, strong authentication methods, and less congested channels. Preferably, we set network controllers and APs to apply mitigation controls automatically when interference is detected.