Most of us are familiar with Layer 2 DoS attacks such as the deauthentication flood; most of us are also familiar with the 802.11 power saving mechanism used to reduce a station's power consumption. But have you considered that a client station in power save mode can itself become the target of a Layer 2 DoS attack?
A client in power save mode alternates between two states. In the awake state it transmits and receives as normal. In the doze (asleep) state it neither transmits nor receives, so all traffic destined for it has to be buffered somewhere: by the AP in an infrastructure BSS, or by the peer stations in an IBSS.
The AP announces buffered traffic through the TIM (Traffic Indication Map) element it carries in every beacon. The TIM bitmap sets one bit per association ID (AID) that has buffered unicast frames; a DTIM, which is a TIM sent every DTIM-period beacons, additionally flags buffered multicast and broadcast frames. A sleeping client wakes up just long enough to receive beacons, checks its own bit, retrieves the buffered frames (for unicast, by sending PS-Poll or by switching to active mode) and goes back to sleep. The AP releases a buffered frame once it has been delivered, and it will not hold undelivered frames forever: frames that are never retrieved are eventually aged out and discarded.
Spot the problem? Beacons, and the TIM they carry, are unauthenticated management frames (802.11w does not protect them), so a client cannot tell a forged TIM from the genuine one. What happens if an attacker sends the client a spoofed TIM or DTIM that says 'no buffered frames for you currently, go back to sleep' while the AP does hold frames for that client? The client trusts the TIM, never polls for the data and immediately returns to sleep; the frames sit in the AP's buffer until they are aged out or overwritten, and are dropped. Repeat this on every beacon and the client never receives anything: the result is a DoS against a station that, by design, is listening only a small fraction of the time.
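To make the mechanism concrete, here is an added example (not code from the original article) that encodes and decodes the TIM element as laid out in IEEE 802.11 (Element ID 5, DTIM Count, DTIM Period, Bitmap Control, Partial Virtual Bitmap) and implements the decision a sleeping station makes when it sees a beacon. The AIDs, DTIM period and the byte strings it produces are constructed for this example; `client_should_stay_awake` is a simplified model of the client logic, not any particular driver's code. It shows that a forged TIM with an empty bitmap is a perfectly well-formed element, and that the client has no field it can check to distinguish it from the AP's own.

```python
"""Encode/decode the 802.11 TIM element and model the client's wake-up decision.

Field layout follows IEEE Std 802.11 (TIM element, Element ID 5).
All sample inputs below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

TIM_ELEMENT_ID = 5
MAX_AID = 2007            # AIDs 1..2007 map onto a 251-octet virtual bitmap


@dataclass
class TIM:
    dtim_count: int           # beacons until the next DTIM (0 = this beacon is a DTIM)
    dtim_period: int          # DTIM interval, in beacons
    multicast_buffered: bool  # Bitmap Control bit 0: group frames buffered at the AP
    bitmap_offset: int        # N1: virtual-bitmap octet index of partial bitmap byte 0
    partial_virtual_bitmap: bytes

    def aid_buffered(self, aid: int) -> bool:
        """True if the AP flags buffered unicast frames for this AID."""
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID out of range: {aid}")
        octet, bit = divmod(aid, 8)            # AID n is bit (n mod 8) of octet (n div 8)
        idx = octet - self.bitmap_offset
        if idx < 0 or idx >= len(self.partial_virtual_bitmap):
            return False                        # octets outside the partial bitmap are zero
        return bool((self.partial_virtual_bitmap[idx] >> bit) & 1)

    def buffered_aids(self) -> List[int]:
        return [aid for aid in range(1, MAX_AID + 1) if self.aid_buffered(aid)]


def parse_tim(element: bytes) -> TIM:
    """Parse a raw TIM information element (ID, length, body)."""
    if len(element) < 2 or element[0] != TIM_ELEMENT_ID:
        raise ValueError("not a TIM element")
    length = element[1]
    body = element[2:2 + length]
    if len(body) != length or length < 4:
        raise ValueError("truncated TIM element")
    dtim_count, dtim_period, bitmap_control = body[0], body[1], body[2]
    return TIM(
        dtim_count=dtim_count,
        dtim_period=dtim_period,
        multicast_buffered=bool(bitmap_control & 0x01),
        bitmap_offset=(bitmap_control >> 1) * 2,   # Bitmap Offset field holds N1/2
        partial_virtual_bitmap=bytes(body[3:]),
    )


def build_tim(dtim_count: int, dtim_period: int, multicast: bool,
              aids: Iterable[int]) -> bytes:
    """Encode a TIM element flagging buffered unicast traffic for `aids`."""
    bitmap = bytearray(251)
    for aid in aids:
        if not 1 <= aid <= MAX_AID:
            raise ValueError(f"AID out of range: {aid}")
        octet, bit = divmod(aid, 8)
        bitmap[octet] |= 1 << bit
    nonzero = [i for i, b in enumerate(bitmap) if b]
    if nonzero:
        n1 = nonzero[0] & ~1      # largest even index with every lower octet zero
        n2 = nonzero[-1]          # last non-zero octet
        pvb = bytes(bitmap[n1:n2 + 1])
    else:
        n1, pvb = 0, b"\x00"      # an empty TIM still carries one bitmap octet
    bitmap_control = ((n1 // 2) << 1) | int(multicast)
    body = bytes([dtim_count, dtim_period, bitmap_control]) + pvb
    return bytes([TIM_ELEMENT_ID, len(body)]) + body


def client_should_stay_awake(tim: TIM, my_aid: int) -> bool:
    """Simplified model of what a dozing station decides on each beacon it wakes for."""
    if tim.aid_buffered(my_aid):
        return True               # poll the AP for the buffered unicast frames
    if tim.dtim_count == 0 and tim.multicast_buffered:
        return True               # stay up for the group frames that follow the DTIM
    return False                  # nothing announced: back to sleep


if __name__ == "__main__":
    my_aid = 17                   # hypothetical AID of the victim station
    genuine = parse_tim(build_tim(0, 2, False, [1, my_aid]))   # AP really holds frames
    forged = parse_tim(build_tim(0, 2, False, []))             # attacker's "nothing for you"
    print("genuine TIM flags", genuine.buffered_aids(),
          "-> stay awake:", client_should_stay_awake(genuine, my_aid))
    print("forged  TIM flags", forged.buffered_aids(),
          "-> stay awake:", client_should_stay_awake(forged, my_aid))
```

Note that the forged element differs from the genuine one only in the bitmap contents; there is no sequence number, key or MIC in the TIM itself that a client could use to reject it, which is exactly why a spoofed beacon arriving just before the real one can steer the station back to sleep.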