Although unlikely, a malicious user could intentionally initiate a DoS attack using RF jamming devices, which produce the same kind of interference that otherwise occurs accidentally. It is more likely that the attacker will attempt to manipulate management frames to consume AP resources and keep channels too busy to service legitimate user traffic.
Management frames can be manipulated to create various types of DoS attacks. Two common management frame attacks include:
- A spoofed disconnect attack - This occurs when an attacker sends a series of “disassociate” commands to all wireless clients within a BSS. These commands cause all clients to disconnect. When disconnected, the wireless clients immediately try to re-associate, which creates a burst of traffic. The attacker continues sending disassociate frames and the cycle repeats itself.
- A CTS flood - This occurs when an attacker takes advantage of the CSMA/CA contention method to monopolize the bandwidth and deny all other wireless clients access to the AP. To accomplish this, the attacker repeatedly floods the BSS with Clear to Send (CTS) frames to a bogus STA. All other wireless clients sharing the RF medium receive the CTS and withhold their transmissions until the attacker stops transmitting the CTS frames.
Figure 1 displays how a wireless client and an AP normally use CSMA/CA to access the medium.
Figure 2 illustrates how a CTS flood is created by an attacker sending out CTS frames to a bogus wireless client. All other clients must now wait for the duration specified in the CTS frame. However, the attacker keeps sending CTS frames, which makes the other clients wait indefinitely. The attacker now has control of the medium.
Note: This is only one example of a management frame attack. Many others exist.
To mitigate many of these attacks, Cisco has developed a variety of solutions, including the Cisco Management Frame Protection (MFP) feature, which also provides complete proactive protection against frame and device spoofing. The Cisco Adaptive Wireless IPS contributes to this solution with an early detection system that matches attack signatures.
The IEEE 802.11 committee has also released two standards regarding wireless security. The 802.11i standard, which is based on Cisco MFP, specifies security mechanisms for wireless networks, while the 802.11w management frame protection standard addresses the problem of manipulating management frames.
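The signature-matching idea behind a wireless IPS, applied to the two attacks described above, as an added example that is not Cisco's implementation: it counts disassociation frames per claimed sender and sums the airtime reserved by CTS frames per receiver in one-second windows. The frame tuples, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture (not from the page):
# (time_s, frame_kind, receiver, transmitter, duration_us).
# CTS frames carry only a receiver address, so transmitter is None for them.
BCAST = "ff:ff:ff:ff:ff:ff"
AP, STA1, BOGUS = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:99"

def build_sample():
    frames = [(0.000, "data", AP, STA1, 44), (0.001, "cts", STA1, None, 300)]
    # Disassociation burst: 40 frames to broadcast claiming to come from the AP.
    frames += [(1.0 + i * 0.01, "disassoc", BCAST, AP, 0) for i in range(40)]
    # CTS flood: repeated CTS to an address that never transmits, 30 ms reserved each.
    frames += [(3.0 + i * 0.03, "cts", BOGUS, None, 30000) for i in range(30)]
    return frames

def detect(frames, window=1.0, disassoc_limit=10, nav_ratio_limit=0.5):
    """Return a set of (alert_name, address, window_index) tuples."""
    seen_tx = {tx for _, _, _, tx, _ in frames if tx}  # stations that actually transmit
    disassoc = defaultdict(int)  # (window, claimed transmitter) -> frame count
    nav = defaultdict(int)       # (window, CTS receiver) -> reserved microseconds
    for t, kind, rx, tx, dur in frames:
        bucket = int(t // window)
        if kind == "disassoc":
            disassoc[(bucket, tx)] += 1
        elif kind == "cts":
            nav[(bucket, rx)] += dur
    alerts = set()
    for (bucket, tx), count in disassoc.items():
        # The address is only the claimed source; in a spoofed attack it is the AP's.
        if count > disassoc_limit:
            alerts.add(("disassoc_flood", tx, bucket))
    for (bucket, rx), reserved in nav.items():
        # Signature: CTS frames to one receiver reserve most of the window, and
        # that receiver has never been seen sending a frame itself.
        if reserved / (window * 1_000_000) > nav_ratio_limit and rx not in seen_tx:
            alerts.add(("cts_flood", rx, bucket))
    return alerts

if __name__ == "__main__":
    for alert in sorted(detect(build_sample())):
        print(alert)
```
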