
WiFi Manager

WLAN Management

WiFi Manager is an integrated management & security solution for WLANs:
  • Multi-vendor/model access point monitoring and management
  • Easy and uniform configuration templates
  • Visually manage multi-site, distributed environments
  • Robust reporting abilities
Success Stories
"I am impressed with WiFi Manager's features, given its reasonable cost." - Alan Ballenberger, Siena Heights University.
Rogue Access Point Blocking

Once a rogue AP is discovered, the next immediate step is to block the AP from the network so that authorized clients don't associate with it. There are two ways of blocking the rogue APs.

  1. Tit for Tat: Launch a Denial-of-service (DoS) attack on the rogue AP and make it deny wireless service to any new client.
  2. Pull it out of the network, manually
  3. Blocking the switch port to which the AP is connected.

Launching a DoS attack on the rogue AP

Most Wireless IDS vendors follow this practice. This amounts to using offense for defense. Once a rogue AP is detected, the WLAN administrator can use the sensor to launch a DoS attack on it by sending numerous disassociation packets.

Figure 1: Rogue blocking by sending disassociation packets

How does a disassociation attack work?

IEEE 802.11 defines a client state machine for tracking station authentication and association status. Wireless clients and APs implement such a state machine (see the illustration below) based on the IEEE standard. A successfully associated client station stays in State 3 in order to continue wireless communication. A client station in State 1 or State 2 cannot participate in the WLAN data communication process until it is authenticated and associated. IEEE 802.11 also defines two authentication services: Open System Authentication and Shared Key Authentication. Wireless clients go through one of the two authentication processes to associate with an AP.

A Disassociation Flood Attack is a form of denial-of-service attack that forces a client into the unassociated/authenticated state (State 2) by spoofing disassociation frames from the AP to the client. Typically, client stations re-associate to regain service until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep the client out of service.

Figure 2: Disassociation Attack Model Diagram

 

Pulling an AP off the LAN

This is manual work. The administrator can walk up to the rogue AP and pull it off the LAN. In many cases it would be an overenthusiastic employee who has installed the AP for wireless communication.

Blocking the switch port

Wireless network management software offers this functionality. Once the rogue AP is detected, the software looks for the rogue AP's MAC address on all the switches connected to the LAN. The port to which the MAC is connected can then be blocked for all LAN traffic. This automatically causes the clients connected to the rogue AP to drop the connection and associate with the nearest AP. This is a very effective technique.

Figure 3: Switch Port Blocking using WiFi Manager
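
The MAC lookup described above, as an added example (not WiFi Manager's own code): it searches constructed MAC-table dumps from two hypothetical switches for the rogue AP's MAC and picks the port with the fewest learned MACs, because the same MAC is also learned on inter-switch uplinks, which must not be blocked. The table layout, switch names, addresses and the fewest-MACs heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample data: per-switch MAC tables laid out like the output of
# a switch's "show mac address-table" command (VLAN, MAC, type, port).
TABLES = {
    "core-sw": """
  10  0011.2233.4401  DYNAMIC  Gi1/0/1
  10  0011.2233.4402  DYNAMIC  Gi1/0/1
  10  00de.adbe.ef01  DYNAMIC  Gi1/0/1
  10  0011.2233.4410  DYNAMIC  Gi1/0/2
""",
    "floor2-sw": """
  10  0011.2233.4401  DYNAMIC  Fa0/3
  10  0011.2233.4402  DYNAMIC  Fa0/4
  10  00de.adbe.ef01  DYNAMIC  Fa0/7
  10  0011.2233.4410  DYNAMIC  Gi0/1
""",
}

def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse(table):
    """Yield (mac, port) for each entry line; skip headers and blanks."""
    for line in table.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].isdigit():
            yield norm(f[1]), f[3]

def locate(rogue_mac, tables):
    """Return (switch, port, macs_on_port) for the likely edge port, or None."""
    rogue, hits = norm(rogue_mac), []
    for switch, text in tables.items():
        entries = list(parse(text))
        per_port = Counter(port for _, port in entries)
        hits += [(per_port[p], switch, p) for m, p in entries if m == rogue]
    if not hits:
        return None
    # Assumed heuristic: an uplink learns many MACs, an access port only a few.
    count, switch, port = min(hits)
    return switch, port, count
```

The returned MAC count lets the operator confirm the port is an access port before shutting it: a high count suggests an uplink or a downstream switch rather than a single AP.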