Wireless Security Practices PDF Document
Support Prevention Detection and Recovery
 

Security Disciplines for Objective 3: Detection and Recovery

3-1. Attack Detection and Prevention

Description

With regard to wireless security, it is not always easy to distinguish myth from reality. We often hear claims in the media, and even in the security community, about what attacks are possible, and it is easy to wonder whether some of these claims are exaggerations. To complicate matters further, as technology improves over time, previously infeasible attacks become practical and worthy of attention. This section attempts to separate myth from reality by describing the major variations on each of the four types of wireless attacks (eavesdropping, modification, masquerading, and denial-of-service) and discussing their feasibility with current attack tools.

The most likely threats to public safety wireless deployments, especially those using 802.11 technologies, are passive eavesdropping, masquerading, and denial-of-service attacks. All of these are supported by widely available tools and can be difficult to detect. In addition, passive eavesdropping and denial-of-service can never be completely prevented.

Eavesdropping attacks are designed to expose protected information. Passive eavesdropping, the most likely eavesdropping threat, can be best prevented through the use of strong encryption.

Masquerading attacks involve attackers inserting themselves into the wireless network. In most of these attacks, the attacker impersonates the wireless access point itself. Fortunately, Wi-Fi Protected Access (WPA) and 802.11i are effective defenses against these attacks and are becoming widely available.

Denial-of-service (DoS) attacks can shut down a wireless network to some or all intended users or systems. DoS attacks are a common threat to all wireless technologies, but 802.11 networks are particularly vulnerable to these attacks. Although there are tools for detecting and triangulating the source of a DoS attack, there are no effective ways to prevent them, making these attacks virtually inevitable. Therefore, all public safety agencies should identify a backup communication mechanism to use in the event that the wireless network is unavailable.

Monitoring in a Peer-to-Peer Transaction

Communications on any data network take one of two basic forms: client/server and peer-to-peer. In either form, a public safety data network must retain the capability to monitor the communications occurring, both for security and for nonrepudiation.

In client/server communications, monitoring transactions is trivial and is typically done at the server side of the communications, where resources available on the server allow for easy storage of any log files generated while monitoring the system. It is simple to add more resources to the server side of a client/server transaction to monitor the actions as the number and scale of the actions tracked grows.

In peer-to-peer communications, monitoring transactions is anything but simple. The form factor of the device used in public safety peer-to-peer communications (such as a PDA) makes creating and storing log files taxing from a processing and memory perspective. It is also a security risk that the only log of such a transaction resides on a device that is less physically secure than a server in a hardened data center. If a log were kept on a device other than those involved in the peer-to-peer transaction, some of the advantages of peer-to-peer transactions, such as the lack of any need for centralized service management, would be lost. For instance, if each action that must be captured is saved to a database somewhere on the network, a large share of the traffic on the network will be devoted to monitoring and nonrepudiation rather than to the primary mission of public safety. If, on the other hand, all of the information is collected locally on each communications device associated with the data to be collected, overall network traffic decreases, but the local storage requirement for each device grows a great deal, in addition to the physical security issue.

Known Wireless Attacks (Myths and Reality)

There are four main methods of attacking a wireless network: modification, eavesdropping, masquerading, and denial-of-service. Each method of attack has several submethods, which will be described in the appropriate following section. In addition to describing the methodology behind each attack, the attacks will be analyzed for their feasibility from an attacker perspective, i.e., how difficult is the attack to implement and is there a justifiable return on the investment for each attack type?

Modification—There are two kinds of modification attacks that are pertinent to public safety wireless communications: packet modification and packet injection. Both attacks are also known as active eavesdropping. These types of attacks are intrusive attacks but are more subtle in their methodology than a masquerade or denial-of-service attack.

Eavesdropping—There are three kinds of eavesdropping attacks that are pertinent to public safety communications: traffic analysis, passive eavesdropping, and active eavesdropping. These types of attacks are the least intrusive of the four methods under analysis in this guide.

Traffic Analysis—Traffic analysis is a technique in which the attacker discerns information about the traffic traversing a communications network by analyzing its unencrypted portions. A now-classic example of traffic analysis concerns the start of the second Gulf War. Several hours prior to the commencement of military strikes against Iraq, the Pentagon ordered several thousand pizzas from local pizza shops. An attacker need not have listened in on the actual conversations or been inside the Pentagon, making the confidentiality of the messages irrelevant. Instead, the unusual volume of orders alone was enough for an observer to figure out that something was about to happen.

In an Internet Protocol (IP) network, there are four pieces of information that can be used for basic traffic analysis: the number of packets traversing the network, their size, the source of the traffic, and the destination of the traffic. These pieces of information are open to analysis for all IP traffic, because intermediate routers need them to deliver the traffic from source to destination. So, as in the example above, breaking the confidentiality of the messages is unnecessary for basic traffic analysis.

In a public safety environment, additional information can be gathered with this type of attack. Through the use of a Yagi or helical directional antenna, the attacker can not only increase the distance from which this attack can be performed but also gather information about the geographical location of the transmitter. This holds true both for the public safety first responders themselves and for pieces of infrastructure, whether fixed or mobile. Such an attack is simple to carry out: creating a Yagi antenna involves nothing more than a Pringles can, a steel rod, and a few washers. In fact, this is the same technique the military uses to triangulate the position of radio communications in the field when calculating firing positions for aircraft or artillery (but without the Pringles can).

Passive Eavesdropping—Passive eavesdropping will also benefit from some of the same techniques used in traffic analysis, such as the use of a yagi antenna, to increase the distance from which the eavesdropping can be performed. With this type of attack, the attacker simply monitors traffic traversing a particular link. There are two types of information that can be garnered from this type of attack: analysis of the data transmitted during a particular session and information that could be used for basic traffic analysis. In an unencrypted channel, where the public safety first responder does not have another layer of security added through some other mechanism, this type of attack can be particularly damaging, not to mention trivial to carry out. From a public safety standpoint, this type of attack will be nearly impossible to prevent and trivial to attempt. The only real way to mitigate the effects of such an attack is to use strong encryption. Depending on the security system deployed, this encryption can be broken as a function of the rate of traffic transmitted on the transport. As such, extra security measures would necessarily need to be deployed.

Active Eavesdropping—The name of this method sounds counterintuitive. In fact, the name is very appropriate. This type of attack involves the attacker invoking a passive eavesdropping attack against a network, but in addition to simply monitoring the network, the attacker will inject bogus traffic into the network from time to time to help decrypt the data, if it is encrypted at all.

This type of attack can take one of two different forms: the attacker can modify a packet in transit, or the attacker can inject a new packet into the network. Modification of a packet while in transit is not a trivial attack. In order to effectively perform this kind of attack, the attacker must prevent the packet’s destination from receiving the packet intended for modification, while modifying the packet in such a way as to generate an unencrypted packet sent to itself. One method of accomplishing this is to modify a packet’s destination IP address while in transit. This is shown in the diagram below.

Figure 3–1: IP Spoofing

Using an 802.11 Wireless Local Area Network (WLAN) as an example, traffic from the original source under attack passes through the attacker on the WLAN. If the packet is encrypted with Wired Equivalent Privacy (WEP), then because WEP uses a cyclic redundancy check (CRC) to protect the integrity of the data, the attacker can modify the destination IP address to one that the attacker controls, adjust the CRC accordingly, and retransmit the packet to the access point. The access point that receives the modified packet then decrypts it and sends it unencrypted to the modified destination. This type of attack actually accomplishes two things. First, the modified destination now has an unencrypted portion of data, and second, it gives the attacker the ability to perform a known-plaintext attack against the encryption key, which is easier than a brute-force attack. With 802.11i, this attack becomes nontrivial to implement and will most likely not be encountered where 802.11i is deployed in the near term.

In the case where the attacker cannot implement this “man-in-the-middle” style of attack, modifying traffic in transit becomes even more difficult. Generally speaking, attackers will not have the technical sophistication to implement this type of attack. It involves radiating a signal at the wireless access point at the same time that the source is transmitting its data. While the source is transmitting its data, the attacker radiates only when it intends to change a particular bit that the source is sending. This involves incredibly precise timing in order to achieve success.

With the injection of a new packet into the network, the attacker is trying to take advantage of weaknesses in WEP and other symmetric ciphers. To succeed, the attacker usually must be an insider, able to transmit encrypted traffic to the access point. The attacker then holds both a copy of its encrypted traffic and the corresponding plaintext on its attack platform. With this information, other encrypted traffic can be recovered trivially, because two frames encrypted under the same keystream satisfy C1 XOR C2 = P1 XOR P2. The attacker has C1, the ciphertext of its own transmission, and P1, the corresponding plaintext, and captures C2, the data under attack. If the initialization vector has not changed between the two transmissions, obtaining P2 is trivial. The only real way to mitigate this attack is to change the initialization vector frequently; even then, rotating the initialization vector is only a race with the attacker, not a sure form of security. Again, an 802.11i-protected system will make this attack virtually impossible to perform effectively with today’s computing systems, if at all.
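The identity above can be demonstrated in a few lines. The following Python is an added example, not code from the guide: it implements RC4, the cipher WEP uses, with a constructed 40-bit key and constructed frame contents, shows P2 falling out of C1 XOR C2 XOR P1 when two frames share an IV, and adds the defender's counterpart, a scan of captured frames for repeated IVs.

```python
# Added example (not from the guide): why a repeated WEP IV leaks plaintext.
# WEP encrypts each frame with RC4 keyed by IV || shared key, so two frames
# under the same IV share one keystream and C1 XOR C2 = P1 XOR P2.
# The key, IVs and packet contents are constructed for illustration; the
# CRC-32 integrity value that WEP appends to each frame is omitted.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes):
    """WEP-style encryption: RC4(IV || key) XOR plaintext. The 3-byte IV is
    sent in the clear next to the ciphertext, which is what makes reuse visible."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Given a frame with known contents (C1, P1) and a second frame C2 sent
    under the same IV, C1 XOR C2 XOR P1 = P2 for as many bytes as P1 covers."""
    n = min(len(c1), len(p1), len(c2))
    return bytes(c1[i] ^ c2[i] ^ p1[i] for i in range(n))


def find_iv_reuse(captured) -> dict:
    """Defender's check over (iv, ciphertext) records from a capture: return
    every IV seen more than once with its count. Any hit is keystream reuse."""
    counts = {}
    for iv, _ciphertext in captured:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed scenario: a 40-bit WEP key, an insider's frame with known
# contents, and a victim frame that happens to use the same IV.
SHARED_KEY = b"\x13\x37\x42\x99\x07"            # constructed 40-bit key
IV_REUSED = b"\x00\x00\x01"
IV_FRESH = b"\x00\x00\x02"
P1_KNOWN = b"PROBE FRAME WITH KNOWN CONTENTS, PADDED TO LENGTH"
P2_SECRET = b"DISPATCH: UNIT 7 PROCEED TO STAGING AREA B"

_, C1 = wep_encrypt(IV_REUSED, SHARED_KEY, P1_KNOWN)
_, C2 = wep_encrypt(IV_REUSED, SHARED_KEY, P2_SECRET)
_, C3 = wep_encrypt(IV_FRESH, SHARED_KEY, P2_SECRET)   # same message, new IV

CAPTURE = [(IV_REUSED, C1), (IV_REUSED, C2), (IV_FRESH, C3)]


def demo() -> dict:
    """Run the scenario: recovery succeeds only where the IV was reused."""
    return {
        "recovered_same_iv": recover_with_known_plaintext(C1, P1_KNOWN, C2),
        "recovered_fresh_iv": recover_with_known_plaintext(C1, P1_KNOWN, C3),
        "reused_ivs": find_iv_reuse(CAPTURE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```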

Are these types of attacks feasible, with or without regard to public safety? In the case of in-the-air modification, the engineering resources necessary to carry out such an attack make it infeasible. In fact, though technologies such as software defined radio (SDR) are commonly discussed as a platform with which to carry out such an attack, such devices are rare and expensive. Additionally, should an attacker acquire one of these devices, the technical expertise required to mount an attack with it is nontrivial. While this problem will continue to grow with the increasing availability of such radios, the security against such attacks is also expected to grow, hopefully keeping pace with or staying ahead of their deployment.

Masquerading—For our purposes, masquerading is an attacker’s attempt to create a deceptive appearance, in most cases that of a trusted wireless access point. This describes the methodology employed in most masquerade attacks. One of the most common is the man-in-the-middle attack; the ARP cache poisoning attack is a subset of it, and the replay attack is another form of it. The last masquerade attack covered in this section is session hijacking.

Man-in-the-Middle Attack—A successful man-in-the-middle attack is really about the attacker succeeding at masquerading as the wireless access point with which the user is trying to maintain a session. Figure 3–2 depicts the first stage of the attack: the attacker sends 802.11 disassociate messages to the source under attack. Once the source has successfully been disassociated from the access point, the attack progresses to Stage 2.

Figure 3–2: Man-in-the-Middle Attack Stage 1

In Stage 2 of the attack, depicted in Figure 3–3, the attacker masquerades as a wireless access point so that the source under attack will attempt to associate with the attacker. The attacker will also seek to associate itself with the original access point. Once the associations are complete, the attacker relays all of the traffic from the source to the original access point, but only after having complete access to all of the source’s traffic.

Figure 3–3: Man-in-the-Middle Attack Stage 2

These types of attacks could be particularly damaging to a public safety user due to the power that the attacker can exercise with respect to the traffic the source sends and receives. For instance, if a user is trying to send a distress call to an incident commander during a particular emergency, the attacker can choose to not relay that particular message on to the incident commander and can then respond with a message as if the incident commander did indeed acknowledge the message, giving the user a false sense of security and safety in an otherwise dangerous situation.

Such an attack is known to be feasible. There are software packages that provide the fundamental tools necessary to perform it on 802.11 networks. The code in the tool does not actually work properly at the time of writing, but it is only a matter of time before a working version becomes widely available. If public safety were to deploy an 802.11 network, the network would necessarily inherit this vulnerability.

ARP Cache Poisoning Attack—Address Resolution Protocol (ARP) attacks are a subset of the attacks described in a man-in-the-middle attack. These attacks differ from traditional man-in-the-middle attacks in that the attacker is not trying to masquerade as the source under attack. Instead, the attacker is trying to reroute all traffic of the source through itself. This is accomplished by taking advantage of the ARP cache on the source’s radio.

ARP is the method for mapping Layer 3 IP addresses to Layer 2 Medium Access Control (MAC) addresses. Every time the source issues an ARP request for a destination it wants to reach, the attacker responds with its own MAC address mapped to that IP address, rather than the true MAC address of the host in question. This lets the attacker act as a repeater for all traffic between the source and its destination. One additional and powerful property of this attack is that it is not limited to the wireless clients associated with a particular access point: the attacker can present forged ARP replies to wired clients as well. The traffic routed through the attacker can then be subjected to all of the eavesdropping attacks.

This attack will be possible with an 802.11 deployment that uses WEP as security for the system, but as WPA and RSN (802.11i) become more widely deployed, the ARP traffic will become much more difficult to poison, as the traffic will be encrypted beyond a point that is trivial to crack. Up until that point, this attack could significantly hobble a public safety network.
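One way a network monitor can spot the poisoning just described, as an added example (not the guide’s code), is to track IP-to-MAC bindings from the ARP frames it sees. The Python below flags unsolicited replies, bindings that change, and one MAC claiming several IP addresses; the hosts, addresses and frames are constructed.

```python
# Added example (not from the guide): detecting the ARP cache poisoning
# described above from a stream of ARP frames observed on the segment. Three
# signatures are checked: a reply nobody asked for, an IP whose MAC binding
# changes, and one MAC claiming several IPs (an attacker poisoning both the
# client and the gateway so that traffic flows through it). All records here
# are constructed; in practice they would come from a capture.
from collections import defaultdict


def detect_arp_poisoning(events):
    """events: iterable of dicts with ts, op ('request' or 'reply'),
    sender_ip, sender_mac, target_ip, in time order.
    Returns (alerts, learned IP -> MAC bindings)."""
    bindings = {}                   # ip -> mac, learned from every ARP frame
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    pending = set()                 # (asked_ip, asker_ip) awaiting a reply
    alerts = []

    for e in events:
        ip, mac = e["sender_ip"], e["sender_mac"]
        if e["op"] == "request":
            pending.add((e["target_ip"], ip))
        else:
            # A legitimate reply answers an outstanding request from the target.
            key = (ip, e["target_ip"])
            if key in pending:
                pending.discard(key)
            else:
                alerts.append((e["ts"], "unsolicited reply", ip, mac))

        # A binding that flips to a new MAC is the core poisoning signature.
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append((e["ts"], "binding changed", ip, f"{prev} -> {mac}"))
        bindings[ip] = mac

        # One MAC answering for several IPs is the man-in-the-middle pattern.
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append((e["ts"], "one MAC claims multiple IPs", mac,
                               sorted(ips_per_mac[mac])))
    return alerts, bindings


# Constructed sample: a client resolves its gateway, then an attacker rebinds
# both the gateway's and the client's IP to its own MAC.
GATEWAY = "00:11:22:00:00:01"
CLIENT = "02:aa:bb:00:00:20"
ATTACKER = "de:ad:be:ef:00:01"

SAMPLE_EVENTS = [
    {"ts": 0.00, "op": "request", "sender_ip": "10.0.0.20",
     "sender_mac": CLIENT, "target_ip": "10.0.0.1"},
    {"ts": 0.01, "op": "reply", "sender_ip": "10.0.0.1",
     "sender_mac": GATEWAY, "target_ip": "10.0.0.20"},
    {"ts": 5.00, "op": "reply", "sender_ip": "10.0.0.1",
     "sender_mac": ATTACKER, "target_ip": "10.0.0.20"},
    {"ts": 5.10, "op": "reply", "sender_ip": "10.0.0.20",
     "sender_mac": ATTACKER, "target_ip": "10.0.0.1"},
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_EVENTS)[0]:
        print(alert)
```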

Replay Attack—Replay attacks attempt to gain the same kind of network access as session hijacking (described below). The primary difference is that in session hijacking the attacker tries to wrest control of a session from the user in real time, whereas in a replay attack the attacker tries to gain network access after the original session between the authenticated user and the network has expired.

First, the attacker must passively eavesdrop on a session or group of sessions. Timing is important, as the attacker must catch a user authenticating into the system rather than capturing data from the middle of a session. The next part of the attack involves decrypting and/or modifying the authentication packets captured in the first part. Even if the authentication packets are encrypted and the attacker cannot decrypt them, the attacker can still modify them. Once the authentication packets are ready, the attacker sends them to the wireless access point, gaining entrance to the network with a new session.

Just as in the session-hijacking attack, this attack could be particularly damaging to public safety, in that an attacker could gain access to resources that would undermine the ability of the users to do their jobs. These types of attacks are also feasible when used against a WEP network but become ineffective with 802.11i.

Session Hijacking—Session hijacking is an attack in which the attacker takes control of a validated, authenticated session. The original user of the session may become aware that the session is no longer available but will most likely not know the reason behind the loss of the session. This attack must occur while the session is active on the part of the original user, but due to the nature of the attack, it can continue long after the original user is no longer on the network.

There are two steps to successfully completing a session hijacking. The first step is that the attacker must represent itself to the network as the user from which it is trying to gain control of the session. This is accomplished by having first performed a successful eavesdropping attack against the user to gain access to any encryption used, which will garner authentication tokens for use in maintaining the session. The second step is that the attacker must force the user to stop using the session. Much like the man-in-the-middle attack, the attacker can issue a series of disassociate messages to the user to force them off the session under attack.

This type of attack could cause significant headaches within a public safety network. Effectively, the attacker would “become” an authenticated user on the network, with full access to network resources.

The feasibility of such an attack is the same as with the previous ARP poisoning attack, where the vulnerability exists in WEP-protected systems but becomes mitigated with the use of WPA and RSN (802.11i).

Denial-of-Service (DoS) Attack—A denial-of-service attack can be the most damaging of the attacks discussed thus far. The obvious reason for this is that it completely denies authorized users access to the network resources necessary to do their job. This does not mean that the attacker cannot use the network either. On the contrary, depending on the method of denial-of-service used, the attacker could deny service to all authorized users, while allowing access for itself to the network.

Additionally, these types of attacks are commonly misunderstood to be attacks in which the attacker floods the network with so much traffic that authorized users cannot access the medium to transmit valid traffic. The DoS methods described in this section do not flood the network with traffic in an attempt to deny service, instead taking advantage of security vulnerabilities in the network management itself.

There are three main types of denial-of-service attacks that will be covered in this guide: routing attacks, identity attacks, and medium access control attacks.

Routing Attacks—A routing attack is an attack against a mobile environment’s routing tables. A network uses these routing tables to deliver traffic to its intended destination as well as it can, as measured by the metric used by the routing protocol selected for the network.

An attacker in this type of network can operate in one of two modes: it can be an active participant in the network, thus enabling itself to act as a repeater when needed, or it can operate outside of the authenticated network.

In the first mode of operation, the attacker must gain access to the system if it is encrypted. Once access has been achieved, the attacker can begin discarding any traffic routed through it, which will result in an overall decrease in the quality of service available on the network (for traffic routed through that particular node).

In the second mode of operation, the attacker must also gain access to the system. Once the attacker has access to the system, it can begin poisoning the routing tables of nodes on the network by sending out spurious routing tables. This will effectively force the nodes on the network to transmit traffic with routing information that is in error, resulting in lost traffic.

Identity Attacks—Identity attacks are attacks that take advantage of the trust automatically generated between a user on the network and the wireless access point on the network. Management traffic sent from the wireless access point to the user nodes is sent in the clear, making it relatively easy to generate an attack based on this traffic. There are three main types of identity attacks that can be used on an 802.11 system: disassociation, deauthentication, and power-saving attacks.

All three of these attacks have the same potential for damage to a public safety user network. Each is feasible, and trivial to carry out, because the network key need not be known even when the network is encrypted. These attacks can effectively shut down the entire network for any number of users targeted by the attacker.

Public safety networks that take advantage of 802.11, even with WPA and RSN, will remain vulnerable to these types of attacks, as it will still be possible to forge management frames within the network. This type of attack will require that extreme caution be used during any public safety 802.11 deployment.

Disassociation—The 802.11 standard provides for a disassociation message that is not authenticated between the user and its associated wireless access point. The standard clearly states that neither the user nor the access point may ignore a disassociation message. There are nine different reason codes that can be used for disassociation, any of which will cause the recipient’s state machine to change to the disassociated state.

While this attack can be effective, it is less efficient than the deauthentication attack because the disassociation attack just causes the user to do extra work in order to reassociate with the access point. In order to effectively deny service to the user under attack, the attacker must scan the network, listening for each reassociation attempt by the user (or association attempt if it is the first try by the user) and actively disassociate the user after each successful association.

Deauthentication—Much like the disassociation attack, deauthentication messages are not authenticated between the user and the wireless access point. This allows for deauthentication messages to be forged by an attacker. How fast a user begins the process of reauthenticating into the network will determine how often the attacker needs to undergo the process of deauthenticating the user.

Figure 3–4: Deauthentication Denial-of-Service Attack [1]

Because authentication is a prerequisite for association in 802.11, deauthenticating a user also necessarily disassociates the user.

Power-Saving—A power-saving attack stems from the functionality built into 802.11 that allows a user device to sleep for a period of time, waking and polling the access point to send any data that has been queued for the particular user device. There are three main attack methods with regard to power saving.

The first and easiest to implement is an attack in which the attacker masquerades as the user, periodically polling the access point for the user’s data, effectively preventing the user from receiving any data. After each polling message sent by the attacker, the access point will transmit the data and then discard it.

The second type of attack mimics the first attack somewhat, but in this case, instead of convincing the access point that the attacker is a user, the attacker convinces the user that it is the access point. This is accomplished through the transmission of a traffic indication map (TIM) packet to the user. This type of packet could be spoofed by the attacker, convincing the user that there is no data available for it, which effectively puts the user back to sleep again.

The third type of power attack revolves around the time synchronization between the user and the access point. The timing messages transmitted by the access point to the user are sent in the clear. The attacker could spoof these packets so that the user falls out of synchronization with the access point, effectively denying the user access to any buffered data.

While this type of attack could prove effective against public safety, it is unknown at the time of writing whether or not this type of attack is feasible with commercial off-the-shelf (COTS) equipment and software.

Management Attacks—Management denial-of-service attacks focus on the management frames that are used to manage an 802.11 network. These frames, for a DoS attack, typically consist of disassociation and deauthentication frames. These attacks are also known as identity attacks.

Medium Access Control Attacks—Medium Access Control (MAC) attacks are possible due to the assumption of universal cooperation between all nodes on the system. The cooperation is, in effect, a method of avoiding transmission collisions between users in the same spectrum. There are two main methods of collision avoidance: the first employs the standard MAC mechanism defined in the IEEE 802.11 standard, and the second method solves the hidden node problem shown below.

Figure 3–5: Hidden Node Problem

Both Nodes 1 and 2 have data to transmit at roughly the same time. Neither node can sense that the other is transmitting to the access point, so both transmit at the same time, preventing the access point from successfully receiving either. This problem is solved through the use of both carrier-sense and virtual carrier-sense methods, namely the Request To Send (RTS)/Clear To Send (CTS) method.

Both the RTS/CTS method and the standard MAC implementation without RTS/CTS are vulnerable to denial-of-service attacks.

Virtual Carrier Sense Attack—Virtual carrier-sense is the method described above in which the use of RTS/CTS frames reserves the medium for a period of time for all users within transmission distance of both the access point and the user preparing to transmit. A discussion of this method is outside of the scope of this document. For more information, please see Section 9.2 of the ANSI/IEEE Standard 802.11, 1999 Edition.

The denial-of-service attack that is made possible through the use of the virtual carrier-sense mechanism in 802.11 concentrates on the Network Allocation Vector (NAV), which is a value transmitted in both the RTS and CTS packets. This field contains the duration necessary to complete the entire transaction on both the part of the user and the access point. The attack here is simple; the duration field has a maximum value of 32767, or 32.767 milliseconds. The attacker would necessarily have to have access to the network to employ this attack. Once access has been gained, the attacker could simply transmit RTS packets with the NAV value set to its maximum. In order for the attacker to maintain this attack and shut down the entire network, the attacker would have to transmit 30.5 packets per second. This is a relatively small duty cycle compared to the other denial-of-service attacks that will be covered in this section.

Unfortunately for the attacker, this attack is not terribly feasible for a variety of reasons. First, the attacker would have to have access to the 802.11 network stack in order to set this value, as it is set in the firmware of a COTS 802.11 radio. Second, it has been found that most COTS 802.11 radios actually implement the NAV functionality incorrectly,[2] ignoring the duration field altogether. Thus, for the time being, this attack has no real impact on public safety. In the future, however, this attack will be considered a threat, because if the Quality of Service (QoS) mechanisms being discussed in 802.11e are implemented, adherence to the NAV will be critical.
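As an added example, not code from the guide, the following Python parses 802.11 frame headers and applies two checks a wireless intrusion detection sensor can run against the attacks in this section: a burst of unauthenticated deauthentication or disassociation frames aimed at one station (the identity attacks above), and RTS frames carrying an oversized NAV duration (the virtual carrier-sense attack just described). The sample frames, MAC addresses and alert thresholds are constructed assumptions.

```python
# Added example (not from the guide): a minimal 802.11 frame-header parser with
# two detection checks. Identity attacks: more than `threshold` deauth/disassoc
# frames to one station within a short window, which no legitimate AP sends.
# Virtual carrier-sense attack: RTS frames whose NAV duration reserves far more
# airtime than a real data/ACK exchange needs. Frames, addresses and thresholds
# are constructed; the trailing FCS is omitted from every frame.
import struct
from collections import defaultdict, deque

TYPE_MGMT, TYPE_CTRL = 0, 1
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C   # management subtypes
SUBTYPE_RTS = 0x0B                               # control subtype
NAV_MAX_US = 32767                               # largest duration value (us)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes):
    """Decode frame control, duration and addresses. Returns a dict for
    management frames and RTS frames, None for anything else."""
    if len(raw) < 4:
        return None
    fc, duration = struct.unpack_from("<HH", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF   # bits 2-3 and 4-7
    rec = {"type": ftype, "subtype": subtype, "duration": duration}
    if ftype == TYPE_MGMT and len(raw) >= 24:
        # Management header: DA, SA, BSSID, sequence control; body follows.
        rec.update(da=mac_str(raw[4:10]), sa=mac_str(raw[10:16]),
                   bssid=mac_str(raw[16:22]))
        if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(raw) >= 26:
            rec["reason"] = struct.unpack_from("<H", raw, 24)[0]
        return rec
    if ftype == TYPE_CTRL and subtype == SUBTYPE_RTS and len(raw) >= 16:
        rec.update(ra=mac_str(raw[4:10]), ta=mac_str(raw[10:16]))
        return rec
    return None


def detect_identity_flood(frames, window_s=1.0, threshold=5):
    """Alert when one (BSSID, target) pair receives more than `threshold`
    deauth/disassoc frames within `window_s` seconds. frames: (ts, raw)."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in frames:
        rec = parse_frame(raw)
        if (not rec or rec["type"] != TYPE_MGMT
                or rec["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)):
            continue
        q = recent[(rec["bssid"], rec["da"])]
        q.append(ts)
        while q and ts - q[0] > window_s:      # slide the window forward
            q.popleft()
        if len(q) > threshold:
            alerts.append((ts, (rec["bssid"], rec["da"]), len(q)))
            q.clear()                          # one alert per burst
    return alerts


def detect_nav_abuse(frames, min_duration_us=NAV_MAX_US // 2):
    """Alert on RTS frames whose duration field is implausibly large."""
    hits = []
    for ts, raw in frames:
        rec = parse_frame(raw)
        if (rec and rec["type"] == TYPE_CTRL and rec["subtype"] == SUBTYPE_RTS
                and rec["duration"] >= min_duration_us):
            hits.append((ts, rec["ta"], rec["duration"]))
    return hits


# Builders for the constructed sample capture.
def build_mgmt(subtype, da, sa, bssid, reason, duration=314):
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    return (struct.pack("<HH", fc, duration) + da + sa + bssid
            + b"\x00\x00" + struct.pack("<H", reason))


def build_rts(ra, ta, duration):
    fc = (SUBTYPE_RTS << 4) | (TYPE_CTRL << 2)
    return struct.pack("<HH", fc, duration) + ra + ta


AP = bytes.fromhex("001122334455")          # constructed addresses
STA = bytes.fromhex("66778899aabb")
ATTACKER = bytes.fromhex("deadbeef0001")

SAMPLE_CAPTURE = [
    # One legitimate deauth from the station (reason 3: station is leaving).
    (0.00, build_mgmt(SUBTYPE_DEAUTH, AP, STA, AP, reason=3)),
    # Eight forged deauths toward the station within 70 ms (reason 1).
    *[(10.0 + i / 100, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=1))
      for i in range(8)],
    # An RTS with the maximum NAV, then a normal one.
    (11.0, build_rts(AP, ATTACKER, NAV_MAX_US)),
    (11.1, build_rts(AP, STA, 300)),
]

if __name__ == "__main__":
    print(detect_identity_flood(SAMPLE_CAPTURE))
    print(detect_nav_abuse(SAMPLE_CAPTURE))
```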

Brute Force Attacks—There is an inherent amount of trust required to successfully deploy an 802.11 network. One aspect of that trust is with respect to the time windows, or interframe spaces (IFS), defined by the standards that are used to determine carrier sense for transmission.

Figure 3–6: Interframe Space Relationships

Some quick definitions:

  • SIFS—short interframe space—This spacing is used as a spacer between transmissions for a continuous session. For example, transmission of data that requires an acknowledgement packet (ACK) will have a SIFS spacing between the data transmission and the ACK transmission.
  • PIFS—PCF interframe space—The PIFS is used in stations running Point Coordination Function (PCF) protocol. Due to the lack of wide deployment, attacks against PIFS are out of the scope of this document.
  • DIFS—DCF interframe space—The DIFS is used by devices as a timer to sense whether or not a channel is idle. If a device that has data to transmit senses that the channel is idle for DIFS time, it starts counting down in its random backoff window (described below). Once the countdown reaches zero, if the channel is still clear, the device will initiate its transmission.
  • Random Backoff Window—This is used to manage multiple devices that have data to transmit at the same time. For example, if three devices were all waiting for the channel to go idle, and they all waited DIFS time once the channel went idle and then transmitted, there would be a collision. By requiring each device to have a random backoff timer that must count down prior to transmission, the chances of a collision are reduced.

The attack against the interframe space relationships is simple. Using 802.11b as an example, SIFS is specified as 10 µs. Because every transmitting node must wait at least SIFS time prior to transmission, an attacker could tie up the channel simply by transmitting every 10 µs. This is the shortest interval that effectively denies service to all devices on the network; the interval could be as long as 50 µs, which is the DIFS time.

There are two main problems with this kind of attack. First, maintaining it requires a duty cycle of 20,000 to 100,000 packets per second, which rapidly drains the battery if the attacking device is portable. Second, such a duty cycle makes it easier for public safety to geolocate the source of the jamming, whereas an aperiodic attack with longer gaps between transmissions would be much more difficult to locate.

This attack would prove devastating for public safety users; however, due to the nature of the attack, it is not terribly feasible. First, to mount this type of attack an attacker would have to acquire and program specialized equipment, which, while possible, is not trivial. Next, the attacker would have to ruggedize the platform for use in the field, in addition to supplying battery power.

Distributed DoS Attacks—Distributed denial-of-service attacks serve two primary purposes for an attacker. First, they physically distribute the attack, making it more difficult for public safety users to triangulate its source, as there are more transmitters to locate. Second, they let the attacker make the most of each attack device’s resources by splitting the attack among all of the devices employed, which can extend the duration of an attack through battery power conservation. While no examples of this type of attack having been implemented have been found, this does not mean that they are not possible. For example, though many of the denial-of-service attacks described in this guide are infeasible for an attacker to implement today, distributing a series of PDAs with 802.11 cards running a disassociation attack is feasible.

[1] Figure courtesy of John Bellardo and Stefan Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions.”

[2] John Bellardo and Stefan Savage, “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions.”