Wireless LAN Security and IEEE 802.11w

Wireless LAN Security and IEEE 802.11w

By CWNP On 10/23/2009 - 21 Comments

As Wireless LANs (WLANs) have been increasingly entrusted to carry mission critical enterprise data and voice communication, the impact of Wireless LAN (WLAN) Denial of Service (DoS) attacks has increased manyfold. The recently ratified 802.11w standard that provides Management Frame Protection (MFP) does provide some help in fighting WLAN DoS attacks. But, if you think that 802.11w can put an end to all of your WLAN DoS problems, I beg to differ. Please read on to find out why.


Ever since inception, wireless LANs have been known to be susceptible to Denial of Service (DoS) attacks. Example DoS attacks include radio-level DoS attacks such as RF jamming and MAC-level DoS attacks such as deauthentication flood, disassociation flood, association flood, and virtual (802.11-NAV-field based) jamming. Tools to launch these DoS attacks are freely available on the Internet. There are 2 main reasons as to why WLANs have been vulnerable to DoS attacks. First, the wireless medium is not confined to physical boundaries such as wires and buildings. Hence, attacks can be potentially launched from outside an enterprise (e.g., from parking lots). Second, authentication/encryption of management and control plane frames was never a part of the original 802.11 specification. This makes it is easy for an attacker to transmit spoofed attack packets that appear legitimate.  

The IEEE 802.11w standard aims to mitigate certain types of WLAN DoS attacks. 802.11w extends strong cryptographic protection to specific management frames (in a manner that is similar to what 802.11i/RSN defines for data frames). A select set of management frames transmitted after 802.11i/RSN key derivation is protected. MFP is provided for a category of management frames called “Robust Management Frames”. Deauthentication frames, Disassociation frames, and certain categories of Action Management frames are defined as Robust Management Frames. Action Management Frames are special types of management frames that carry WLAN operation related information – e.g., QoS Management, Spectrum Management or BlockAck session management.  Note that management frames transmitted before the derivation of 802.11i/RSN keys are unprotected. 

802.11w provides data integrity and replay protection for broadcast/multicast Robust management frames. Additionally, data confidentiality is provided for unicast management frames. A new protocol “Broadcast Integrity Protocol” (BIP) is defined for achieving integrity of broadcast/multicast management frames. BIP makes use of a Message Integrity Code (MIC) that is calculated over the frame body to detect tampering of management frames. A receiver silently drops all tampered frames. The basic premise here is that the MIC computation uses a shared-secret that is available only to authorized WLAN users (and not to an attacker). I will explain this further using a deauthentication attack. An attacker launching a deauthentication attack cannot compute the correct MIC for the spoofed deauth packets. Hence, his or her deauth packets will be silently rejected by the 802.11w AP/clients in a WLAN. Alternately, he cannot replay any legitimate deauth packets due to replay protection. Thus, 802.11w can protect a WLAN against deauthentication attack.   

802.11w definitely helps mitigate certain classes of DoS attacks on WLANs – e.g., deauthentication attack, dis-association attack. However, the following are the limitations of 802.11w in fighting WLAN DoS attacks: 

-          802.11w provides protection for certain specific 802.11 management frames only, specifically, deauthentication frames, disassociation frames, and action management frames. Hence, DoS attacks based on management frames not protected by 802.11w are still possible (e.g., association based attacks, beacon based attacks).

-          DoS attacks based on 802.11 data and control frames are outside the scope of 802.11w and still continue to be a pain.

-          RF jamming based DoS attacks cannot be mitigated via 802.11w.

-          Certain logistical issues exist with the 802.11w solution

     o        802.11w requires a code change/software upgrade on not just an AP, but also on clients

     o        802.11w cannot protect the large number of legacy devices that exist today.

Hence, 802.11w is a good first line of defense in mitigating WLAN DoS attacks and you should adopt it. However, for more robust protection, it should be complemented by a DoS detection and mitigation strategy based on a Wireless Intrusion Prevention System (WIPS). Further, WIPS can help you protect against other wireless security threats that are completely outside of the scope of 802.11w – AP based threats (e.g., Rogue APs), client based threats (e.g., Evil Twins) and threats on WLAN infrastructure (e.g., Skyjacking). 

I look forward to hear your views. 


Tagged with: gopi

0 Responses to Wireless LAN Security and IEEE 802.11w

Subscribe by Email
There are no comments yet.
<< prev - comments page 1 of 1 - next >>

Leave a Reply

Please login or sign-up to add your comment.
Success Stories

I literally just came out of the testing centre having taken the CWDP exam. The certification process opened my mind to different techniques and solutions. This knowledge can only broaden your perspective. Great job, CWNP, you have a great thing going on here.

Read More

Working through the CWNP coursework and certifications helped not only to deepen my technical knowledge and understanding, but also it boosted my confidence. The hard work it took to earn my CWNE has been rewarding in so many ways.

Read More

I want to commend you and all at CWNP for having a great organization. You really 'raise the bar' on knowing Wi-Fi well. I have learned a ton of information that is helping my job experience and personal career goals, because of my CWAP/CWDP/CWSP studies. Kudos to all at CWNP.

Read More