Tuesday, August 11, 2009

Layer 1 DoS Attacks


A particularly troublesome issue for Wi-Fi security is the denial of service (DoS) attack. In a DoS attack, the goal of the attacker is not to penetrate or steal data from the network; it is simply to disable the network. For mission-critical systems, this is a serious security concern. If the WLAN goes down, then any application or network resource being accessed through the WLAN is no longer available. The wireless VoIP phone conversation comes to an abrupt end, communications with your database server are no longer possible, and wireless access to an Internet gateway has been closed.

Many denial of service attacks exist at layer 2 and occur when an attacker manipulates information in the layer 2 header of an 802.11 management frame and then retransmits the edited frames into a wireless environment with some sort of packet generator. Numerous published layer 2 DoS attacks exist. The most common is achieved by manipulating de-authentication or disassociation management frames. Currently, layer 2 DoS attacks cannot easily be prevented, but can be easily detected.

The 802.11w Task Group is addressing methods to also prevent many layer 2 DoS attacks. This method has been driven by Cisco’s Management Frame Protection under the Unified Wireless vision. In the meantime, wireless intrusion detection systems can detect and locate the radio card that is the source of a layer 2 DoS attack. But denial of service attacks against wireless networks can occur even more easily at layer 1 in the RF environment.

Layer 1 DoS attacks are a result of radio frequency interference. 802.11 WLAN radio cards use a medium access method called carrier sense multiple access/collision avoidance (CSMA/CA). This medium access method ensures that only one radio card is transmitting at any given time in the half-duplex radio frequency medium. Part of the CSMA protocol is the clear channel assessment (CCA).

The simplest explanation of clear channel assessment is that 802.11 radio cards listen before they transmit. If an 802.11 radio is about to transmit, it will perform a CCA and listen for current RF transmissions in the same frequency space. If the RF medium is clear, the radio card will transmit. However, if the medium is not clear (based on sensing RF transmissions that exceed pre-defined energy thresholds), the 802.11 radio will defer for a defined amount of time and then perform the CCA once again to listen for a clear medium before transmitting.

But if there is a “continuous” RF transmission that is constantly heard during the CCA intervals, 802.11 transmissions will completely cease until the signal is no longer present. If 802.11 transmissions cease due to an interfering RF signal, the result is a denial of service to the WLAN. What can cause layer 1 DoS? Layer 1 DoS can be a result of either intentional or unintentional interference.
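
The listen, defer, listen-again loop described above can be replayed over spectrum-monitor readings to tell ordinary busy airtime from a continuous signal that starves the channel. This is an added example, not code from the original post; the -62 dBm threshold, the slot model, the defer interval and the busy-run limit are assumed values chosen for illustration.

```python
"""Added example: flag a probable layer 1 DoS from per-slot RF energy readings."""
from typing import NamedTuple

# Assumed values for illustration; the article gives no numbers.
ED_THRESHOLD_DBM = -62.0   # energy at or above this makes CCA report "busy"
MAX_BUSY_SLOTS = 50        # longest busy run expected from normal traffic


class ChannelReport(NamedTuple):
    cca_attempts: int      # times the station performed a CCA
    tx_opportunities: int  # CCAs that found the medium clear
    longest_busy_run: int  # consecutive slots at or above the threshold
    duty_cycle: float      # fraction of slots at or above the threshold
    layer1_dos_suspected: bool


def assess_channel(samples_dbm, defer_slots=4):
    """Replay a station's listen-before-transmit loop over energy samples.

    At each CCA the station transmits if the medium is clear; otherwise
    it defers `defer_slots` slots and listens again.
    """
    busy = [s >= ED_THRESHOLD_DBM for s in samples_dbm]
    longest = run = 0
    for b in busy:
        run = run + 1 if b else 0
        longest = max(longest, run)

    attempts = clear = i = 0
    while i < len(busy):
        attempts += 1
        if busy[i]:
            i += defer_slots      # medium busy: defer, then CCA again
        else:
            clear += 1
            i += 1                # medium clear: transmit in this slot
    duty = sum(busy) / len(busy) if busy else 0.0
    return ChannelReport(attempts, clear, longest, duty,
                         longest > MAX_BUSY_SLOTS)


# Constructed sample data, 200 slots each.
# Bursty: shared-medium traffic, 10 busy slots then 10 idle, repeating.
BURSTY = ([-50.0] * 10 + [-90.0] * 10) * 10
# Continuous: a signal that never drops below the threshold.
CONTINUOUS = [-45.0] * 200

if __name__ == "__main__":
    for name, data in (("bursty", BURSTY), ("continuous", CONTINUOUS)):
        print(name, assess_channel(data))
```

A 50 percent duty cycle still leaves the station most of its transmit opportunities, while the continuous signal leaves none; the length of the unbroken busy run, not the average load, is what separates the two.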

1 comment:

  1. So what about aircrack-ng, is it one of the DoS attacks?
