Client-based intrusion prevention system for 802.11 wireless LANs

Denial of Service (DoS) attacks on 802.11 wireless LANs can be caused by management frames sent by rogue access points. Unfortunately, such attacks can succeed even if the wireless network is protected by a high-level security protocol such as Wi-Fi Protected Access version 2 (WPA2). We present a novel client-based scheme for the prevention of such intrusions. By using a Medium Access Control (MAC) filtering mechanism, the “smart” client is able to differentiate between legitimate and forged management frames. The proposed mechanism is non-cryptographic, has low overhead and can be deployed in existing IEEE 802.11 WLANs. We have built and tested a prototype of our scheme. We demonstrate that our mechanism can protect wireless clients against management frame DoS attacks launched at the MAC layer.
