Introduction
Wireless networks in unlicensed bands such as Wi-Fi are more exposed than wired networks because the medium is open to anyone within radio range. A wired network inside a building or an underground duct can be protected by physically limiting access to the building or duct; a Wi-Fi network has no equivalent physical boundary.
Security Threats
Security threats to Wi-Fi networks are primarily of two types.
- The bad actor breaks the confidentiality/integrity algorithms, gains access to the data exchange and steals valuable information (e.g. passwords, credit card numbers). [reference]
- The bad actor injects malicious packets and prevents the network from functioning normally (denial of service, DoS).
Probe Flooding
In the previous blog post, we suggested that the ability to handle a large number of probes is a key performance metric for an Access Point. The same feature can also be used to make the network vulnerable to denial of service. If the bad actor sets up a number of clients that constantly send broadcast or unicast probe requests targeting a set of Access Points in the network, the APs cannot service genuine clients. This degrades network efficiency and ultimately leads to denial of service. It is also possible that this scenario exposes other problems in the AP (an out-of-memory situation or a crash).
Authentication flooding
In this type of denial of service, rogue clients try to authenticate with the network using an incorrect password. The full sequence of Authentication, Association and 4-way handshake takes a significant amount of time, and the AP reserves resources for the client until the 4-way handshake fails. Many such rogue clients, repeating these attempts with different MAC addresses (MAC spoofing), can similarly lead to denial of service for genuine clients.
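Both the probe flooding and the authentication flooding sections above describe a pattern that is visible from the AP's or a wireless IDS's point of view: an abnormal rate of management frames per source, or an abnormal number of distinct sources attempting authentication against one BSSID in a short window. The following detector is an added example written for this post; it is not code from the blog or from the SWAT WiCheck product. It assumes a simplified frame record (timestamp, subtype, source MAC, BSSID) as a capture tool or AP log would provide, and the sample frames, MAC addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured 802.11 management frame (assumed record layout)."""
    ts: float       # capture timestamp in seconds
    subtype: str    # "probe_req", "auth", "deauth", ...
    src: str        # transmitter (source) MAC address
    bssid: str      # addressed BSSID; broadcast for wildcard probe requests


AP_BSSID = "02:00:00:00:0a:01"        # constructed sample AP
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture: one client probing 50 times in half a second,
# one genuine client probing twice, 30 distinct (spoofed) MACs authenticating
# against the same AP within 1.5 seconds, and two genuine authentications.
SAMPLE_FRAMES = (
    [Frame(i * 0.01, "probe_req", "02:00:00:00:aa:01", BROADCAST) for i in range(50)]
    + [Frame(0.2, "probe_req", "02:00:00:00:bb:01", BROADCAST),
       Frame(1.5, "probe_req", "02:00:00:00:bb:01", BROADCAST)]
    + [Frame(2.0 + i * 0.05, "auth", f"02:00:00:00:cc:{i:02x}", AP_BSSID) for i in range(30)]
    + [Frame(5.0, "auth", "02:00:00:00:bb:01", AP_BSSID),
       Frame(6.0, "auth", "02:00:00:00:bb:02", "02:00:00:00:0a:02")]
)


def sliding_peak(events, window):
    """events: iterable of (ts, key). Return key -> peak event count seen in any
    interval of length `window` seconds, using one deque per key."""
    buckets = defaultdict(deque)
    peak = defaultdict(int)
    for ts, key in sorted(events):
        q = buckets[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that left the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return dict(peak)


def detect_probe_flood(frames, window=1.0, threshold=20):
    """Probe flooding: return source MACs whose probe-request rate in any
    `window` reached `threshold`, with the peak count observed."""
    events = [(f.ts, f.src) for f in frames if f.subtype == "probe_req"]
    peaks = sliding_peak(events, window)
    return {mac: n for mac, n in peaks.items() if n >= threshold}


def detect_auth_flood(frames, window=2.0, threshold=10):
    """Authentication flooding with MAC spoofing: a burst of authentication
    frames from many *distinct* source MACs against one BSSID. Return
    BSSID -> peak number of distinct sources in any `window`, where it
    reached `threshold`."""
    per_bssid = defaultdict(deque)    # bssid -> deque of (ts, src)
    peak = defaultdict(int)
    for f in sorted(frames, key=lambda f: f.ts):
        if f.subtype != "auth":
            continue
        q = per_bssid[f.bssid]
        q.append((f.ts, f.src))
        while q and f.ts - q[0][0] > window:
            q.popleft()
        distinct = len({src for _, src in q})
        peak[f.bssid] = max(peak[f.bssid], distinct)
    return {bssid: n for bssid, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print("probe flood sources:", detect_probe_flood(SAMPLE_FRAMES))
    print("auth flood targets:", detect_auth_flood(SAMPLE_FRAMES))
```

Counting distinct sources per BSSID, rather than frames per source, is what makes the second detector robust to MAC spoofing: each rogue attempt uses a fresh address, so a per-source rate limit never fires, but the number of new stations appearing at one AP in a two-second window is still far outside normal behaviour. Thresholds must be tuned per deployment; the values here are only sample settings.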

Deauthentication Attack
This attack has been well known in Wi-Fi networks [reference] for a while. The classic form of this attack uses the MAC addresses of clients already authenticated with the AP to send a deauthentication message to the AP. The AP then deauthenticates the real clients, which must go through the full authentication and 4-way handshake cycle again. This attack is not possible if the network uses 802.11w (Protected Management Frames). However, many access points ship with 802.11w turned off by default in order to interoperate with older Wi-Fi clients.

SWAT WiCheck Multiclient Simulator can be used to generate many such scenarios using the inbuilt packet injection feature together with Robot Framework scripts. This gives an efficient and automated way of testing APs for these kinds of attacks at scale.
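Because the mitigation above depends on 802.11w being enabled, the practical check for a defender is whether an AP actually advertises Protected Management Frames. An AP announces this in the RSN Capabilities field of the RSN information element in its beacons and probe responses: bit 6 is MFPR (management frame protection required) and bit 7 is MFPC (capable). The parser below is an added example written for this post, not code from the blog or the SWAT WiCheck product; it assumes the caller has already extracted the raw RSN element bytes (element ID 0x30) from a beacon, and the sample elements are constructed to show the three possible states plus an element that omits the capabilities field.

```python
import struct

RSN_ELEMENT_ID = 0x30
MFPR_BIT = 1 << 6   # Management Frame Protection Required
MFPC_BIT = 1 << 7   # Management Frame Protection Capable


def parse_rsn_capabilities(ie: bytes) -> int:
    """Return the 16-bit RSN Capabilities field of a raw RSN information element.

    Element layout: ID(1) Len(1) Version(2) Group cipher(4) Pairwise count(2)
    Pairwise suites(4*n) AKM count(2) AKM suites(4*m) RSN Capabilities(2) ...
    All multi-byte integers are little-endian. The capabilities field is
    optional; when absent every bit is treated as zero (no PMF).
    """
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("truncated RSN element")
    try:
        off = 0
        (version,) = struct.unpack_from("<H", body, off)
        off += 2
        if version != 1:
            raise ValueError(f"unsupported RSN version {version}")
        off += 4                                   # group data cipher suite
        (n_pairwise,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_pairwise                  # skip pairwise suite list
        (n_akm,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * n_akm                       # skip AKM suite list
        if off + 2 > len(body):
            return 0                               # capabilities field absent
        (caps,) = struct.unpack_from("<H", body, off)
        return caps
    except struct.error as exc:                    # suite counts overrun the body
        raise ValueError("malformed RSN element") from exc


def pmf_status(ie: bytes) -> str:
    """Classify an AP's PMF (802.11w) setting from its RSN element."""
    caps = parse_rsn_capabilities(ie)
    if caps & MFPR_BIT:
        return "required"
    if caps & MFPC_BIT:
        return "optional"
    return "disabled"


# Constructed sample elements: WPA2-PSK with CCMP for both group and pairwise
# cipher; only the trailing RSN Capabilities bytes differ.
_RSN_PREFIX = "0100" "000fac04" "0100" "000fac04" "0100" "000fac02"
RSN_IE_NO_PMF = bytes.fromhex("3014" + _RSN_PREFIX + "0000")       # caps 0x0000
RSN_IE_PMF_OPTIONAL = bytes.fromhex("3014" + _RSN_PREFIX + "8000") # caps 0x0080 (MFPC)
RSN_IE_PMF_REQUIRED = bytes.fromhex("3014" + _RSN_PREFIX + "c000") # caps 0x00c0 (MFPC|MFPR)
RSN_IE_NO_CAPS = bytes.fromhex("3012" + _RSN_PREFIX)               # field omitted

if __name__ == "__main__":
    for name, ie in [("no PMF", RSN_IE_NO_PMF), ("optional", RSN_IE_PMF_OPTIONAL),
                     ("required", RSN_IE_PMF_REQUIRED), ("no caps field", RSN_IE_NO_CAPS)]:
        print(f"{name:14s} -> PMF {pmf_status(ie)}")
```

When auditing a deployment, "required" is the state that closes the deauthentication attack for every associated client. "optional" (MFPC set, MFPR clear) is the interoperability compromise the text mentions: clients that support 802.11w negotiate protection for their own session, while older clients still associate without it and remain exposed to unprotected deauthentication frames.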
References:
[1] http://users.csc.calpoly.edu/~bellardo/pubs/usenix-sec03-80211dos-html/aio.html