Disassociation Frame DoS

WVE ID: WVE-2005-0046

Type: Vulnerability

Status: Candidate

Classification:
Denial of Service
Design Flaw

Description:
802.11 networks are vulnerable to DoS attacks that involve sending Disassociate frames to a station or network.

Discussion:
802.11 networks use frames to manage the connection and disconnection of stations from a wireless network. These are appropriately called management frames. One type of management frame, the disassociation frame, is used to disconnect a station from a wireless network and can be sent by the station or the Access Point.

There are several reasons for sending these frames, ranging from the station leaving the network to the station being inactive or the AP not being able to handle the number of stations associated with it. Once a station receives a disassociation frame from the AP, it will disconnect from the network but remain in the authenticated state.

However, a problem arises in that 802.11 management frames provide no authentication. Hence, it is possible for an attacker to spoof a legitimate AP's BSSID to send disassociation frames to a station. This will cause the station to disconnect from the network, at which point it will attempt to reconnect.

If the attacker sends the disassociation frames at a high rate, the station will receive another disassociation frame before it finishes re-associating with the legitimate AP. Thus, the station is blocked from using the network until the attacker stops transmitting the disassociation frames.

It is also possible to target an entire wireless network by sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF) instead of directing them to an individual station. This will cause all stations on the network to be disconnected -- using only one disassociation frame.

This attack is similar to a deauthentication frame DoS; however, this attack leaves the station authenticated but unassociated.
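
For monitoring, the two patterns described above (a high rate of disassociation frames to one station, and a disassociation frame sent to the broadcast address) can be flagged from captured frames. The following is an added example, not part of the original WVE entry; it assumes raw 802.11 frames with no radiotap header or FCS, and the thresholds, addresses and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISASSOC_SUBTYPE = 10   # management frame (type 0), subtype 10
def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_disassoc(frame):
    """Return (dest, src, bssid, reason) for a disassociation frame, else None.
    Expects the raw 802.11 MAC header with no radiotap header and no FCS."""
    if len(frame) < 26:            # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype != DISASSOC_SUBTYPE:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect(frames, max_per_window=5, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_bytes). Thresholds are
    assumed values to tune per site. Returns a list of alert tuples."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ts, raw in frames:
        parsed = parse_disassoc(raw)
        if parsed is None:
            continue
        dest, _src, bssid, _reason = parsed
        if dest == BROADCAST:      # one frame disconnects every station
            alerts.append(("broadcast-disassoc", ts, bssid, dest))
        q = recent[(bssid, dest)]
        q.append(ts)
        while q and ts - q[0] > window:   # keep only frames inside the window
            q.popleft()
        if len(q) > max_per_window and (bssid, dest) not in flagged:
            flagged.add((bssid, dest))    # alert once per (BSSID, station) pair
            alerts.append(("disassoc-flood", ts, bssid, dest))
    return alerts

def build(dest, bssid, subtype=DISASSOC_SUBTYPE, reason=8):
    """Construct a sample management frame for the demo (constructed data)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + to_b(dest) + to_b(bssid) + to_b(bssid)
    return hdr + b"\x00\x00" + struct.pack("<H", reason)

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
SAMPLE = [(0.1 * i, build(STA, AP)) for i in range(10)]   # 10 frames in 1 s
SAMPLE += [(5.0, build(BROADCAST, AP)), (6.0, build(STA, AP, subtype=12))]
ALERTS = detect(SAMPLE)   # the subtype-12 (deauthentication) frame is ignored
```

Because the frames are unauthenticated, the BSSID in an alert identifies the AP being impersonated or affected, not the transmitter.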

Credits

References
WVE: WVE-2005-0019
URL: http://standards.ieee.org/getieee802/download/802.11-1999.pdf

Released: 2000-01-01

Submitter
Andrew Lockhart (alockhart@networkchemistry.com) : Network Chemistry

Submitted: Wed Nov 30 12:00:40 -0800 2005

Candidate Date: Wed Nov 30 12:01:32 -0800 2005

