Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From Wi-Fi Vulnerabilities Part 1 Webinar
Learn More About Denial of Service (DoS) in the Brief Video Below.
Dr. Brett Walkenhorst, CTO, explains denial-of-service tactics in Wi-Fi networks, covering methods such as deauthentication and jamming attacks. These attacks prevent users from accessing networks, either individually or as a whole. Implementing protected management frames and deploying Wi-Fi monitoring solutions are recommended to mitigate such threats by enhancing network security and enabling a proactive response to abnormal activity. Learn more in the video below.
Let's talk for a minute about denial of service. So for Wi-Fi, there's lots of ways to go about denying service to a network. That could be for an individual client, could be for a specific network, or it just could be a blast of a geographic area. So one of the more common things that we see is deauthentication and somewhat less commonly, disassociation attacks.
So I can spoof an access point and tell a client, hey, you're deauthed. You're dropping off the network. And there's all kinds of legitimate reasons that that could happen, but it could be forced by a spoofed packet from an attacker that just wants somebody to be disconnected.
And there might be many reasons for that. It could just be to be a jerk, but it's more likely that that kind of an attack is a prelude to something else. Most likely an evil twin attack. There's other types of attacks that seek to deny network service that abuse other management frames.
So wanna flood the airwaves with certain types of packets like a block ack or an RTS, CTS, beacon, or probe requests. Those kinds of things not only tie up the airwaves, they tie up the common resource that everybody's trying to use, but they also tend to elicit a response from nearby devices that further tie up their resources and the airwaves and can back up things enough that in some cases, you might even be able to crash a device, cause it to reboot.
So we can cause a lot of damage, not permanent damage perhaps, but we can disrupt operations significantly with some of these attacks. There's another flavor of this that isn't quite the same, but it's a similar feel where we use the EAPOL packets to do a similar thing.
So we're trying to get a response or disrupt a link between an AP and a client where, say, for example, if I'm a malicious actor, I'm gonna pose as a client. I just send a bunch of EAPOL-Start messages to an access point. That access point is gonna try to initiate the four-way handshake.
So its resources are getting tied up in this and there's a fair bit of time that's required to try to negotiate those handshakes and so it gets tied up in all this stuff and ultimately can cause an overflow and cause it to crash. Another thing I could do is spoof a client and send an EAPOL-Logoff message that will basically have the same effect as a deauth message.
It's gonna boot the client where the AP thinks the client did it on purpose, but I spoofed it and made it happen. So a lot of these are somewhat surgical. They can be directed at specific devices or networks. Or if I just want to be a jerk and make everything really difficult for anyone to hear anything, I'm just gonna jam the band.
So I'll jam the frequencies where the Wi-Fi is operating. And basically anybody who can hear me is going to be disabled. And an analogy might be you've got some big space, you've got a big open room, like a ballroom kind of thing, and you've got a bunch of people that are congregated in different areas of the room, and they're talking together in huddles and whispers.
And, occasionally, you get people going from group to group, and they're having communications. Right. Nice little chat. And then I come into the middle of the room and I start yelling through a megaphone and no one can hear anything because I'm just too loud. I'm drowning out everybody within earshot.
That's the model that I want you to think about when you think about jamming. It's rough. I mean, there's different types of jamming that are more surgical, but in this case, most often, it's just gonna be this kind of barrage jamming where you're just sending out energy and you're just trying to prevent anybody from hearing anything.
So all these are possible attack methods to deny service. And the impact can just be annoying. You're gonna become unresponsive for a while, perhaps. Maybe you lose network resources. Definitely, you're gonna lose productivity in a professional environment. It could be annoying or it could be catastrophic depending on what you're doing and how long the attack goes on and how big of an impact it has.
So that's one dimension of the problem is you got the spectrum from how annoying is it. But then there's another piece of it that's orthogonal to that that says, well, I'm going to conduct this kind of an attack, but I'm not really interested in causing havoc immediately. What I wanna do is kick somebody off a network and use that as a prelude to something more vicious like an evil twin attack.
So what can you do about this? Denial of service, it's annoying. It could be really bad depending on what you're doing. I have two recommendations here. The first thing you can do is implement protected management frames. Now this is required for WPA3, which is the most recent encryption schema within Wi-Fi.
This is required. So you have to do it there. But if you have an earlier version that you're implementing, WPA2 or WPA1, you should be able to implement it depending on the vendor that you're using to put your network together. This makes it more difficult for an attacker to spoof certain management frames like deauth or disassociation.
There's other packets of a similar nature that it protects because it uses some form of integrity protection and/or encryption to make sure that they're not spoofable. So this won't protect against every DoS attack, but it does prevent certain types of them from happening. So that's a really good idea to do.
It will help improve the security of your network if you implement that. And the other thing to consider is implementing some kind of a monitoring solution for Wi-Fi because all of those attacks are chatty. There's lots of stuff going on over the airwaves that is creating problems that causes this DoS condition.
And because it's chatty, if I'm listening instead of monitoring for the purpose of conducting attacks, now I'm suggesting that, hey, on the blue side, we ought to be monitoring because there's some good things we can find out if we do that. So if you're monitoring the Wi-Fi signals in your area, then you will be able to detect attacks like the deauth attack, like those other management frame abuse attacks, the EAPOL-Start and the EAPOL-Logoff.
There's things that you'll be able to see because you're looking at the Wi-Fi itself. So when you detect some kind of behavior that deviates from normal healthy behavior, you can issue an alert, and you can even give as part of the alert the location of the attacker.
So now you have real intel. You can go do something about it. If something is taking down your network and you're monitoring the environment, you localize it. Now you can go find the device that's causing problems and do something about it.
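The monitoring recommendation in the talk can be sketched as a sliding-window rate check over observed frames. This is an added example, not part of the webinar or any vendor's product; it assumes frames have already been captured and parsed into records, and the record layout, function names, thresholds and MAC addresses are all hypothetical.

```python
from collections import defaultdict, deque

# Illustrative thresholds (assumptions): frames per victim inside WINDOW_S seconds.
WINDOW_S = 5.0
LIMITS = {"deauth": 10, "disassoc": 10, "eapol_start": 20, "eapol_logoff": 5}

def victim_key(kind, src, dst, bssid):
    """Group frames by who is being denied service, not by the (spoofable) sender."""
    if kind == "eapol_start":
        return (kind, bssid, "*")   # AP is the victim; sender MACs may all differ
    if kind == "eapol_logoff":
        return (kind, bssid, src)   # the client named as sender gets dropped
    return (kind, bssid, dst)       # deauth/disassoc: the receiver gets dropped

def detect_floods(frames, window=WINDOW_S, limits=LIMITS):
    """frames: (ts, kind, src, dst, bssid) tuples sorted by ts. One alert per burst."""
    recent = defaultdict(deque)     # victim key -> timestamps still inside the window
    active = set()                  # keys already alerted on and still over the limit
    alerts = []
    for ts, kind, src, dst, bssid in frames:
        if kind not in limits:
            continue
        key = victim_key(kind, src, dst, bssid)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # expire frames older than the window
            q.popleft()
        if len(q) < limits[kind]:
            active.discard(key)     # rate fell back to normal; re-arm the alert
        elif key not in active:
            active.add(key)
            alerts.append({"ts": ts, "kind": kind, "bssid": bssid,
                           "victim": key[2], "count": len(q)})
    return alerts

# Constructed sample records (locally administered MACs), not a real capture.
AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:aa"
SAMPLE = (
    [(0.0, "deauth", AP, "02:00:00:00:00:bb", AP)]                   # one normal leave
    + [(10.0 + 0.1 * i, "deauth", AP, STA, AP) for i in range(12)]   # burst at one client
    + [(30.0 + 0.05 * i, "eapol_start", f"02:00:00:00:01:{i:02x}", AP, AP)
       for i in range(25)]                                           # many "new clients"
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

Keying on the victim rather than the sender matters because the source address in these frames is exactly what gets spoofed; a single legitimate deauth stays well under the threshold and raises nothing.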
Learn how Bastille can help you prepare for today’s ever-growing wireless threat landscape. Schedule a demo and we’ll be in touch shortly.