Denying the denial of service attack

Farpoint Group

The denial-of-service (DoS) attack has become the stuff of legend as the Internet has grown, and it's actually a very real threat in both the wired and wireless world. While DoS attacks could, in theory, be used against any wireless installation, for the purpose of this article we'll focus on wireless LANs (WLANs).

A DoS attack could be quite easy to mount because wireless LANs use unlicensed spectrum and are based on inexpensive hardware. In comparison, attacking a cellular system would be much more complex and expensive, and, given the licensed nature of the cellular bands, would involve serious violations of federal law. So WLAN DoS attacks are where enterprises must focus.

In principle, a WLAN DoS attack could involve a transmitter simply blasting a given location with radiation covering the 2.4 or 5.2 GHz bands. Given the fact that most WLANs operate at power levels below the maximum allowed under FCC rules, a malicious individual simply needs to turn the power up on their transmitter (perhaps even remaining below the maximum allowed level) to create enough interference so as to blind intended receivers. It's not even clear that this would violate spectrum regulations in and of itself, and likely wouldn't be a crime.

How to recognize a wireless DoS attack

A wireless DoS attack will show up initially as reduced throughput, and given the nature of radio propagation, might even be somewhat random in its effects. Throughput might drop and then recover, and this effect might move around the facility. It's therefore critical to use network management and monitoring tools, which are available in all enterprise-class WLANs, to look for and quantify strange behavior. At least that way you'll know there's a potential problem. And while DoS attacks are not security concerns in and of themselves, keep in mind that what's being attacked are access points (APs) and users on the protected side of your firewall - meaning it's a good idea to check and re-check your firewall settings in case the attackers decide to become hackers.

And there's another variant of the WLAN DoS attack that is potentially troublesome - a hacker could set up a phony AP that some users' nodes will associate with. Such an AP would look just like any other, but wouldn't be connected to the corporate network. Requiring users to authenticate with the corporate network and not just the AP will usually address this possibility. Finally, it's also possible to use a "forced disassociation" attack to cause clients to drop their connections with enterprise APs. Many wireless network management systems can detect this activity and alert staff to find the source of this attack.
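One way a monitoring system could flag the forced-disassociation activity described above, shown as an added example that is not from the original article or from any vendor's product. The frame tuple layout, the window and threshold values, and the MAC addresses are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a client connection.
DISASSOC, DEAUTH = 10, 12
TEARDOWN = {DISASSOC, DEAUTH}

def find_disassociation_floods(frames, window=10.0, threshold=5):
    """Flag BSSIDs with more than `threshold` teardown frames in `window` seconds.

    frames: (timestamp_s, mgmt_subtype, bssid, client_mac) tuples sorted by time.
    Real APs send occasional teardown frames (roaming, idle timeout), so only
    a burst is reported. window and threshold are illustrative, not tuned.
    """
    recent = defaultdict(deque)  # bssid -> timestamps/clients inside the window
    active = {}                  # bssid -> alert for the burst still in progress
    alerts = []
    for ts, subtype, bssid, client in frames:
        if subtype not in TEARDOWN:
            continue
        q = recent[bssid]
        q.append((ts, client))
        while ts - q[0][0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) <= threshold:
            active.pop(bssid, None)       # burst over; next one is a new alert
        elif bssid not in active:
            alert = {"bssid": bssid, "start": q[0][0], "count": len(q),
                     "clients": {c for _, c in q}}
            active[bssid] = alert
            alerts.append(alert)
        else:                             # same burst: extend the open alert
            active[bssid]["count"] += 1
            active[bssid]["clients"].add(client)
    return alerts

# Constructed sample: AP1 shows normal, sparse teardowns; AP2 receives
# 20 deauthentication frames in two seconds aimed at four clients.
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    (0.0, 0, AP1, "02:00:00:00:10:01"),          # association request, ignored
    (30.0, DISASSOC, AP1, "02:00:00:00:10:01"),
    (95.0, DEAUTH, AP1, "02:00:00:00:10:02"),
] + [(120.0 + i * 0.1, DEAUTH, AP2, f"02:00:00:00:20:{i % 4:02x}")
     for i in range(20)]

if __name__ == "__main__":
    for a in find_disassociation_floods(SAMPLE):
        print(f"{a['bssid']}: {a['count']} teardown frames from t={a['start']}s, "
              f"{len(a['clients'])} clients affected")
```

The affected BSSID and client list give staff a starting point for locating the source with the site's survey tools.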

Beyond this, additional tools are available to localize and isolate the interferer(s). A few firms and products to check out are AirDefense, AirMagnet, and almost any of the switched WLAN vendors, some of whom are incorporating many new sophisticated pattern-analysis tools to find out if suspicious activity on a WLAN is malicious, or (more likely) just anomalous. Some analysts have suggested putting in metalized glass and even metallic paint on the outside of a building, so as to at least partially block radio waves. I think such an approach, while valid, is a bit much - after all, it's really quite unlikely that any given firm will be hit by a wireless DoS attack. On the other hand, it's much more likely that any given firm will be hit by attempts to hack into the network, both through wired and wireless channels. Good authentication and encryption techniques are essential.
