
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/221400238

Two Novel 802.1x Denial of Service Attacks

Conference Paper · September 2011


DOI: 10.1109/EISIC.2011.49 · Source: DBLP

2 authors: Abdulrahman Alruban (Majmaah University); Emlyn Everitt (University of South Wales)

All content following this page was uploaded by Abdulrahman Alruban on 25 May 2015.



2011 European Intelligence and Security Informatics Conference

Two Novel 802.1x Denial of Service Attacks

Abdulrahman Alruban
Master in Computer Systems Security
University of Glamorgan
Cardiff, UK
amsr9@hotmail.com

Dr Emlyn Everitt
Lecturer in Faculty of Advanced Technology
University of Glamorgan
Cardiff, UK
eeveritt@glam.ac.uk

978-0-7695-4406-9/11 $26.00 © 2011 IEEE

Abstract—Denial of Service (DoS) attacks are among the most common security issues threatening today’s 802.11 networks. In this paper, we have proposed two 802.1x DoS attacks, EAP-NAK and EAP-Notification flooding attacks. These effectively disrupt the authentication process between the legitimate wireless supplicants and the network authentication server. The evaluation of these attacks against EAP is performed using well-suited metrics which highlight their impact on the targeted network in practice. Furthermore, we discuss possible techniques to detect these attacks, such as configuring the WIDS to create a performance baseline of the wireless network. Lastly, several techniques and solutions were discussed which can be applied to the 802.11i standard in order to enhance the security of the 802.1x for dealing with DoS attacks, such as the use of a process delay time technique.

Keywords-802.11 Denial of Service; IEEE 802.1x Security; EAP DoS.

I. INTRODUCTION

802.11 wireless networks are continuously evolving to meet the growing demand of modern mobile and internet applications for high capacity and advanced features in security and quality of service. In the last few years, numerous malicious attacks have already targeted 802.11 networks due to their broadcast nature, since access to the radio medium is not restricted by any security means. On the other hand, some security standards, such as 802.1x and 802.11i, have been introduced to the wireless network infrastructure in order to enhance such networks’ access control and confidentiality, and to abolish the overall security concerns that have been discovered in the early versions of the 802.11 standard, such as Wired Equivalent Privacy (WEP).

However, these security standards focus exclusively on confidentiality and authentication (access control), rather than the availability of the service [1]. For instance, the conventional authentication framework frequently used in most organisations today is Extensible Authentication Protocol (EAP). Since the network and security protocols are the essential components of today’s computer networks [2], this attracts adversaries to choose such protocols to perform malicious attacks to achieve their evil purposes, such as bringing the network down or compromising such networks and systems by exploiting the 802.1x vulnerabilities.

There are various types of attacks that an adversary can perform against the vulnerable protocols depending on the type of these vulnerabilities; for instance, exploiting a vulnerability that leads to the disruption of the availability of a service on the victim network or system. This is known as a Denial of Service (DoS) attack.

In the IEEE 802.1x standard, the network access point which acts as a wireless network authenticator, cannot be authenticated by the network supplicant to verify its legitimacy, even when EAP-Transport Layer Security (EAP-TLS) is in use, which supplies a two-side authentication between the supplicant and the authentication server [3]. This vulnerability leaves the wireless network susceptible to an adversary to spoof a wireless node identity and play within the network. Besides this, EAP, which is a part of the 802.1x standard, is susceptible to many DoS attacks, since these attacks take advantage of the unprotected EAP and EAPOL messages, such as EAPOL-Start, EAPOL-Logoff, EAP-Success and EAP-Failure. An adversary who exploits these messages could stop the proper functioning of EAP and have a negative impact on the functioning of the wireless network, such as preventing a legitimate network supplicant from completing the authentication process and joining the network.

In this paper, we proposed two 802.1x DoS attacks, EAP-NAK response and EAP-Notification flooding attacks, which effectively disrupt the authentication process between a legitimate wireless supplicant and the network authentication server.

The rest of this paper is structured as follows: In section II we present related security research. Section III lists a background on 802.1x standards along with a discussion of the EAP authentication process, followed by the proposing of two DoS attacks. Section IV discusses the experimental setup, including the hardware and software used in the experiments. In section V we use live experiments and analyse the practicality and efficacy of these attacks. Section VI discusses the feasible mitigation and workaround techniques that can be used to prevent or eliminate the impact of the EAP DoS attacks on the wireless networks. Section VII offers our conclusions.

II. RELATED WORK

Recently, much research has been published which exposes several weaknesses and vulnerabilities in 802.11 networks [1-2, 4-7].

In [1], Bellardo and Savage discovered serious weaknesses which exploit the unprotected 802.11
management frames, such as deauthentication and disassociation messages. In their research they successfully demonstrated these vulnerabilities by disconnecting and blocking legitimate wireless network clients from joining the network for the duration of an attack. Furthermore, in [2], Zhao and Vemuri proposed two exception triggered denial-of-service attacks on EAP-TLS. In the first attack, the attacker spoofs an error message to inform the WLAN supplicant or authenticator that a failure has occurred. In the second attack, it sends some deceptive messages to trigger one of the supplicant or authentication servers to send out an error message. Both methods take advantage of intercepting unprotected EAP messages sent between the wireless network supplicant and authentication server. Several mitigation techniques were proposed in this study to deal with such vulnerability, for instance, the messages process time delay technique.

III. BACKGROUND ON 802.1X

802.1X is a Port-based Access Control standard which divides every physical Ethernet port into two logical controlled and uncontrolled ports. This means that when a station is connected into the physical Ethernet port it can communicate over the uncontrolled port. However, the only type of communication allowed over the uncontrolled port is packets that relate to authentication, such as EAP and EAPOL messages.

Once the network supplicant successfully authenticates (over the uncontrolled port), data are allowed to pass over the controlled port. In addition, 802.1X defines a way to transport EAP packets across Ethernet and other link layer protocols to an authenticator embedded in an 802.1x-aware switch or access point. This allows the use of an authentication server, such as RADIUS based, to authenticate users before they can use an Ethernet port to transfer data. When 802.11 networks use 802.11i (WPA enterprise mode), 802.1x is implemented differently: instead of passing EAP packets (encapsulated within EAPOL) over Ethernet, the packets are transmitted over 802.11 (still encapsulated within EAPOL).

Instead of a switch being the authenticator and authenticating physical ports, the access point now acts as the authenticator and authenticates everyone who associates [8]. Figure 1 illustrates how the 802.1x is structured when it is used in 802.11 networks.

Figure 1 Authentication using 802.1X on a WLAN

A. EAP MESSAGES EXCHANGE

The typical procedure for a station joining a WLAN network initially involves it attempting to authenticate and associate itself by sending authentication and association requests to the wireless access point. When the 802.11i standard is in use for authentication, then the access point and the supplicant will enter an additional authentication process, for example EAP.

Figure 2 shows the flowchart process of the EAP authentication messages exchange between the WLAN supplicant, authenticator and authentication server.

Figure 2 Typical 802.1x-EAP Authentication Flowchart

When the authentication processes are finished, and the supplicant has been accepted to join the network, it can now send and receive data to other network nodes. In addition, when the client wishes to end the authenticated session, it simply sends an EAPOL-Logoff frame to the authenticator to end the session. However, this EAPOL-Logoff frame is transmitted unprotected.

B. POSSIBLE DENIAL OF SERVICE ATTACKS AGAINST EAP

EAP provides a flexible infrastructure to other protocols to work on top of it, such as TLS, TTLS, PEAP and many other EAP-Methods which are still vulnerable to EAP DoS attacks. This is because the EAP acts as an underlying layer for these methods. Since some of the 802.1x messages are transmitted between the supplicant and the authenticator
unprotected, as previously discussed, it is feasible to perform certain DoS attacks against the WLAN using these unsecure EAPOL and EAP frames.

In this section two DoS flooding attacks which can be performed by an attacker against WLAN using EAP unprotected frames are discussed. The following flooding attacks are proposed: EAP-NAK response and EAP-Notification floods.

I.B.1 EAP-NAK FLOODING ATTACK

In IEEE 802.1x the EAP-NAK frame indicates an EAP method that the supplicant can support as a response to the authentication server request when it does not support the proposed authentication method that the authentication server proposed. However, during the EAP negotiation process, the supplicant should not transmit a legacy or expanded EAP-NAK as a response to an authentication server request after an initial non EAP-NAK response has already been sent [9]. In addition, RFC 3748 states that whenever the authenticator gets an unexpected EAP-NAK response it should discard it.

Typically, when the authentication server receives an EAP-NAK response from the supplicant and the server does not support the desired EAP method that the supplicant asks for in its EAP-NAK response, the authentication server should initiate an EAP-failure message to terminate the authentication process, as Figure 3 illustrates. However, an attacker who is able to detect the EAP unprotected frames may send a fake EAP-NAK frame in response to the authentication server request. This fake EAP-NAK is designed for an unsupported EAP method in the authentication server. In this case, the authentication server will examine and process this response (faked EAP-NAK) as if it comes from a legitimate supplicant and initiates an EAP-failure message each time it receives such a spoofed EAP-NAK frame (as Figure 3 illustrates at point 2). As a result, the authentication process will be terminated between the two parties.

Figure 3 EAP Authentication process – EAP-NAK Attack Point

I.B.2 EAP-NOTIFICATION FLOODING ATTACK

EAP-Notification messages are proposed to supply some useful information to the wireless network supplicant during the authentication process, such as the expiration time of a password or cautioning of some authentication failure sent by the authentication server [9]. Therefore, it cannot alter the state of the supplicant during the authentication process according to the RFC 3748. However, during security analysis experiments of the EAP in this paper, it was found that it is possible to disrupt this authentication process when the attacker floods the network supplicants using a fake EAP-Notification message where the attacker pretends to be a legitimate network access point (spoofs its MAC address) that the victim (legitimate supplicant) tries to authenticate with, as Figure 4 illustrates.
Figure 4 EAP Authentication process – Possible EAP-Notification flooding attacks points.

In addition, it was noticed that when a station is flooded wirelessly using malicious EAP-Notification messages, and the station is not in the authentication state (as number 1 in the above figure), it simply discards these messages, which is what it is expected to do according to EAP standard specifications. However, when a wireless network supplicant who is in an authentication state (as number 2 in the above figure) is flooded, this will cause the supplicant to respond to each EAP-Notification message it receives, since the authenticator MAC address has been spoofed. The supplicant sends its responses to the authenticator, which in turn forwards these responses to the authentication server. When the authentication server receives these EAP-Notification responses, which seem as if they emanate from a legitimate wireless network supplicant, it will discard these messages. Additionally, the concept of this attack is that it keeps the supplicant busy in responding to the fake EAP-Notification requests, which delays the authentication process until the configured time out of the EAP in both sides is reached, which causes the authentication process to restart.

IV. EXPERIMENTAL TEST SETUP

The framework of the EAP-flooding attacks accomplished in this paper is based on a real hardware and software laboratory setup, which has been designed and configured to reflect a real life implementation of such scenarios. This design is followed as an alternative to conducting the experiments on a network simulation (footnote 1), which in the best conditions does not reflect the same results as a real world experiment.

Footnote 1: There are many wireless simulations available out there, for instance, Open Source Wireless Network Simulator (openWNS), OPNET Modeler® Wireless Suite, QualNet simulator, and The Network Simulator - ns-2, all of which are software that can be used to simulate a virtual WLAN to be used for such experiments. However, some of these simulations are freely available and open source while others are highly expensive.

All the hardware used in our experiments is easily available on the market. Since the software is open source, it is freely available online (file2air, Wireshark, FreeRADIUS and Open1X project) [10-13].

Figure 5 depicts the laboratory of the WLAN used for the experiments in this research:

Figure 5 Laboratory of the WLAN

C. ATTACK METHODOLOGY

An EAP-NAK flooding attack can be performed by an attacker against the access point, targeting the authentication server. The attacker pretends to be the legitimate network supplicant trying to authenticate with the network by spoofing its MAC address. In an EAP-Notification flooding attack, the attacker floods the network supplicants (entire BSS) using a forged EAP-Notification frame, in which the attacker pretends to be the legitimate network access point (spoofs its MAC address), targeting the victims (legitimate supplicants).

V. EXPERIMENTAL RESULTS AND DISCUSSIONS

The aim of this section is to evaluate the techniques used to cause DoS against EAP to conclude whether they represent a real threat to 802.11 networks or whether they are only theoretical dangers. In addition, researchers involved in DoS experiments normally use several measures in order to ascertain the impact of the DoS attacks, with metrics such as: overall transaction duration, throughput of TCP connections, attack traffic, and percentage of legitimate packets that received no service [14]. For the experiments in this paper, the successful authentication rate was used to measure the impact of the proposed DoS techniques (EAP-NAK and EAP-Notification flooding attacks).
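The EAP-NAK discussion in Section III cites two RFC 3748 rules: no NAK after an initial non-NAK response, and unexpected NAKs are discarded. The following is an added example, not code from the paper, that applies those rules (plus Identifier matching) on the server side; the `Conversation` model, the `eapol` frame builder and all sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code and Type numbers as assigned in RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
T_IDENTITY, T_NAK, T_EXPANDED, T_TLS = 1, 3, 254, 13
EAPOL_EAP_PACKET = 0  # EAPOL packet type that carries an EAP packet


@dataclass
class Eap:
    code: int
    ident: int
    type: Optional[int]  # None for Success/Failure, which carry no Type
    data: bytes


def parse_eapol(frame: bytes) -> Optional[Eap]:
    """Decode an EAPOL PDU (version, packet type, body length) holding EAP."""
    if len(frame) < 8:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if ptype != EAPOL_EAP_PACKET or len(body) != body_len or body_len < 4:
        return None
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        return None
    if code in (REQUEST, RESPONSE) and eap_len >= 5:
        return Eap(code, ident, body[4], body[5:eap_len])
    if code in (SUCCESS, FAILURE):
        return Eap(code, ident, None, b"")
    return None


def is_nak(pkt: Eap) -> bool:
    """Legacy Nak (Type 3) or Expanded Nak (Type 254, Vendor-Id 0, Vendor-Type 3)."""
    if pkt.type == T_NAK:
        return True
    return pkt.type == T_EXPANDED and pkt.data[:7] == b"\x00" * 6 + b"\x03"


class Conversation:
    """Authentication-server state for one supplicant (hypothetical model)."""

    def __init__(self) -> None:
        self.pending: Optional[tuple] = None  # (Identifier, Type) of the open Request
        self.method_started = False  # a method (Type >= 4) Response was accepted

    def sent_request(self, ident: int, eap_type: int) -> None:
        self.pending = (ident, eap_type)

    def on_response(self, pkt: Optional[Eap]) -> str:
        if pkt is None or pkt.code != RESPONSE:
            return "discard: not an EAP Response"
        if self.pending is None or pkt.ident != self.pending[0]:
            return "discard: Identifier matches no outstanding Request"
        if is_nak(pkt):
            if self.method_started:
                return "discard+log: Nak after a non-Nak Response"
            self.pending = None
            return "accept: Nak (method negotiation)"
        if pkt.type != self.pending[1]:
            return "discard: Type differs from the Request"
        # Assumption: only method Responses (Type >= 4) count as the
        # "initial non-Nak Response"; an Identity Response does not.
        self.method_started = self.method_started or pkt.type >= 4
        self.pending = None
        return "accept: Response"


def eapol(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a constructed EAPOL/EAP frame for the demonstration below."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def demo() -> list:
    """Replay constructed frames: an EAP-TLS start plus three forged Naks."""
    nak = b"\xc8"  # constructed Nak payload proposing Type 200
    conv, race, out = Conversation(), Conversation(), []
    conv.sent_request(1, T_IDENTITY)
    out.append(conv.on_response(parse_eapol(eapol(RESPONSE, 1, T_IDENTITY, b"alice"))))
    conv.sent_request(2, T_TLS)
    out.append(conv.on_response(parse_eapol(eapol(RESPONSE, 2, T_TLS, b"\x00"))))
    conv.sent_request(3, T_TLS)
    # Forged Nak sent mid-method, then one with a stale Identifier: both discarded.
    out.append(conv.on_response(parse_eapol(eapol(RESPONSE, 3, T_NAK, nak))))
    out.append(conv.on_response(parse_eapol(eapol(RESPONSE, 2, T_NAK, nak))))
    # The "right time" case: a Nak that beats the first method Response has the
    # right Identifier and no method has started, so these rules let it through.
    race.sent_request(2, T_TLS)
    out.append(race.on_response(parse_eapol(eapol(RESPONSE, 2, T_NAK, nak))))
    return out
```

The last result shows the limit of the RFC checks: a forged NAK that arrives before the supplicant's first method response is indistinguishable from a genuine one at this layer, which is the gap the timing-based handling in Section VI addresses.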
A. EAP-NAK FLOODING ATTACK RESULT

The aim of this experiment is to inspect the impact of floods on a wireless network authenticator using fake EAP-NAK messages. As soon as a legitimate supplicant (client 1) was detected, the authentication negotiation began with the authenticator. Its MAC address (client 1) was spoofed to pretend to be the legitimate WLAN supplicant. This supplicant had just started the EAP authentication negotiation with the authenticator. The target (authenticator) was then continually flooded by sending 30 maliciously modified EAP-NAK frames per second for 17 minutes. In total, 30,600 frames were transmitted during the attack time as Figure 6 depicts.

Figure 6 WLAN traffic during EAP-NAK flooding attack

All the transmitted messages generated were maliciously modified to the desired un-assigned (un-supported) EAP-methods by the authentication server in order to disrupt the authentication process between the two ends. As a result of this attack, the legitimate WLAN supplicant failed to authenticate itself with the network for the duration of the attack. During the attack, the authentication process between the victim and the authentication server was terminated several times, which makes the legitimate WLAN supplicants reissue an EAP-Start message, as Figure 7 depicts.

Figure 7 WLAN Supplicant Transmitting EAPOL-Start

It can be concluded that, for every fake EAP-NAK response the authenticator received, it forwarded these responses to the authentication server as an access request frame. When these access request frames reached the authentication server, it kept discarding these requests until the EAP timeout was reached, which made the supplicant reissue a new EAP-Start message to start the authentication process again.

However, during the flood, the server only processed the message that it expected to receive. In other words, it only processes frames it receives any time between the authentication server RADIUS-Access-Authentication and the supplicant RADIUS-Access-Request. When this occurred, it responded by issuing an EAP-failure to terminate the authentication process. However, this attack is not stealthy. To make it stealthy, an attacker could disrupt the authentication process between a legitimate WLAN supplicant and the authentication server by sending only one forged EAP-NAK as a response to the authentication server RADIUS-challenge request at the “right time”, which would cause a termination of the authentication process.

B. EAP-NOTIFICATION FLOODING ATTACK EXPERIMENT

In this experiment, the effects on the authentication process when flooded by a wireless network supplicant using maliciously modified EAP-Notification requests were examined. Firstly, a wireless network access point MAC address was spoofed and the WLAN supplicants were overwhelmed with forged EAP-Notification messages for 35 minutes. The transmission rate was configured to generate 30 messages per second. In total, 63,000 frames were transmitted during the attack time as Figure 8 illustrates.

Figure 8 WLAN traffic during EAP-Notifications flooding attack

For the duration of the attack, the authentication process between the supplicant and the authentication server remains suspended. In this experiment, the victim was targeted using Windows XP SP3 with a default 802.1x supplicant agent. However, the attack was also launched on a different occasion, targeting the same victim, using XSupplicant (footnote 2) (an open source 802.1x supplicant agent) instead of the default Windows 802.1x supplicant agent [13]. It has been noticed that, once the victim received our malicious EAP-Notification messages in the second experiment, it silently discarded these messages. Consequently, the legitimate supplicant continued the authentication process with the authentication server as if nothing had occurred, as Figure 9 illustrates. We manually restarted the authentication 3 times to examine the impact of the EAP-Notification floods, and the client successfully authenticated itself without any further issue.

Footnote 2: XSupplicant is part of the Open1X project, which is a free, open source IEEE 802.1X/WPA/WPA2/IEEE 802.11i implementation.
Figure 9 WLAN traffic during EAP-Notifications flooding attack (Victim using XSupplicant)

In conclusion, EAP-Notification messages were allowed by default in the Windows 802.1x supplicant agent, which caused the legitimate wireless network supplicant to respond to each EAP-Notification request it received by issuing an EAP-Notification response without performing any sort of validation on these messages to check the legitimacy of these requests. As a result, this kept the WLAN supplicant and the authentication server busy in responding to and discarding these fake EAP-Notification messages, which in turn delayed the flow of the authentication process until the configured time out of the EAP in both sides was reached.

However, when EAP-Notification messages were disabled within the 802.1x supplicant agent, such as in XSupplicant, the WLAN supplicant discarded any notification message it received without any further action. Subsequently, the supplicant succeeded in authenticating itself with the authentication server.

VI. EAP DOS FLOODING ATTACK COUNTERMEASURES AND MITIGATION TECHNIQUES

In this section we research and discuss the feasible mitigation and workaround techniques that can be used to prevent or eliminate the impact of the EAP and EAPOL DoS attacks on the wireless networks.

A. DETECTION OF ATTACKS

Fortunately, most of the current Wireless Intrusion Detection Systems (WIDS) (footnote 3) can identify and spot known EAP DoS flooding attacks based on their signatures. Even with the EAP-NAK and EAP-Notification flooding attacks, their signatures can be added to the WIDS database and be detected. In addition, WIDS is capable of generating an alarm to 802.1x DoS flooding, based on a configured rate threshold [15]. As such, it is possible to configure the WIDS to create a performance baseline of the wireless network. For instance, an EAP-NAK flooding attack alarm will be triggered when a specific access point receives more than “X” EAP-NAK frames per second, since “X” is predefined based on the normal performance of the wireless network.

Footnote 3: WIDS vendors such as AirMagnet, Cisco Systems, Aruba, and AirDefense provide reasonable IDS systems for wireless networks (Wanner, 2009). However, the most prohibitive factor that restricts small and medium enterprises from using such WIDSs is the high cost. The investment required to deploy such systems is high, and a lot of staff training is required to be able to administer them.

However, according to current information none of the current WIDS can detect a stealthy EAP-NAK attack, where an attacker could send only one forged EAP-NAK as a response to the authentication server RADIUS-challenge. In order to spot such an attack, the WIDS needs to understand how the EAP authentication process works between the WLAN supplicant and the authentication server, as well as recognising the attack technique. This can be achieved using a stateful WIDS, for instance, when the authentication server receives an EAP-NAK message along with the EAP-Response-Authentication from the same supplicant within “1” second, this should be considered an indication of an EAP-NAK attack. However, this may generate a false-positive (footnote 4) alert instead of a true-positive alert when the WIDS is not configured properly.

Footnote 4: IDSs sometimes generate some fake alarms, since it thinks it detects some malicious intrusion. In fact if it spots something it is supposed to trigger an alarm.

B. EAP IMPROVEMENT AGAINST ATTACKS

In [2], Zhao and Vemuri proposed a technique that can be used to mitigate EAP Exception Triggered DoS attacks (Error Message and Misleading Message based attacks) when the 802.1x is used in wireless networks. In addition, the concept of their technique is to prioritise the processing of received packets based on the given cost of those packets. Each EAP packet will have a known cost that indicates the precedence of the packet based on its consequence in the entire protocol flow process. For example, for packets with a lower cost, the receiver must process them prior to packets that have a higher cost. By using such an approach the authentication process between the legitimate supplicant and the authentication server will usually succeed, where other forged attempts, such as EAP-NAK attack, would be eliminated.

I.B.1 EAP-NAK AND EAP-NOTIFICATION DOS ATTACK COUNTERMEASURES

There are several methods of mitigating EAP-NAK and EAP-Notification attacks. One method is the process delay time technique. This mitigates both the NAK and Notification flood attack. Another countermeasure against a notification flood attack is to disable the use of these notification messages using EAP authentication methods.

I.B.2 DELAY TIME TECHNIQUE

Zhao and Vemuri proposed a technique which requires a modification on the EAP protocol on both WPA supplicant agent and the authentication server. The modification will ensure that, each time the authentication server gets an EAP-NAK frame, before processing the frame it will wait for a maximum of 1 second. If the authentication server receives a legal frame that reflects the typical EAP
negotiation process flow from the supplicant, such as an EAP-Response-Authentication frame, before the given delayed time has expired (1 second) of the received EAP-NAK response, the authentication server should process the legitimate frame and drop the EAP-NAK response.

By applying this approach to the entire protocol at both ends, EAP-Notification flooding can be prevented. The processing time will be delayed for a maximum of 1 second if the supplicant does not receive an expected legitimate EAP message, and it will respond to the notification message. Otherwise, the supplicant should discard the received notification.

I.B.3 DISABLING THE USE OF EAP-NOTIFICATION MESSAGES

For EAP-Notification flood attacks, disabling the use of these notification messages by the EAP authentication methods will eliminate the impact of the attack.

EAP-Notification messages are proposed to only supply some useful information to the supplicant during the authentication process, such as the expiration time of a password or cautioning of some authentication failure. As a result of disabling the notification messages, the supplicant will discard any notification message it receives without any further action, and continue the authentication process with the authentication server as if nothing has occurred.

In the RFC 3748 it was suggested that a method-specific Message Integrity Code (MIC) (footnote 5) be used to provide some sort of integrity to the unprotected EAP messages from being tampered with by an adversary [9].

Footnote 5: Message Integrity Code (MIC) is a cryptographic hash of the packet. The MIC is used simultaneously to prevent tampering of packets and to verify that the supplicant has the network key (Bock and Lynn, 2007).

Some of the EAP messages, such as NAK, Notification and Identity, do not have a MIC within the frame. In addition, they recommend deploying an integrity method such as MIC to protect all the EAP header fields, including the Code, Identifier, Length, Type, and Type-Data fields. Nevertheless, by deploying this suggestion to the EAP, any validation failure which occurs in such MIC protected frames, on any side (at the authentication server or supplicant), will cause a termination of the whole negotiation process, which is good for protecting the integrity of the messages.

This, however, will not prevent an adversary from conducting Denial of Service attacks against the victim. Since any malicious modification to the EAP messages that have been protected by MIC will cause a fatal error and lead to DoS, such a solution is excluded from use as a countermeasure to the EAP-NAK and EAP-Notification attacks.

VII. CONCLUSIONS

In this paper, two Denial of Service attacks are proposed against EAP, and these are: EAP-NAK and EAP-Notification flooding attacks. These attacks exploit the vulnerability of the unprotected EAP messages that are transmitted during the authentication process between the network nodes. As was demonstrated in experiments conducted, EAP-NAK and EAP-Notification flooding effectively disrupt the authentication process between the legitimate wireless supplicants and the authentication server during the attack.

ACKNOWLEDGMENTS

The author would like to express his gratitude to his family, Ruqaya (the author’s mother), Mona (the author’s wife), and Alwaleed and Albaraa (the author’s sons) for their love, prayers and unfailing support throughout his life.

REFERENCES

[1] J. Bellardo and S. Savage, "802.11 denial-of-service attacks: real vulnerabilities and practical solutions," presented at the Proceedings of the 12th conference on USENIX Security Symposium - Volume 12, Washington, DC, 2003.

[2] Y. Zhao, S. Vemuri, J. Chen, Y. Chen, H. Zhou and Z. Fu, "Exception triggered DoS attacks on wireless networks," presented at the Dependable Systems & Networks. DSN '09. IEEE/IFIP International, Lisbon, 2009.

[3] D. B. Faria and D. R. Cheriton, "DoS and authentication in wireless public access networks," presented at the Proceedings of the 1st ACM workshop on Wireless security, Atlanta, GA, USA, 2002.

[4] W. Li, "Analysis and Improvements over DoS Attacks against IEEE 802.11i Standard," 2010, pp. 109-113.

[5] C. Liu and J. T. Yu., "An analysis of DoS attacks on wireless LAN," presented at the IASTED International Conference on Wireless Networks and Emerging Technologies (WNET2006), 2006.

[6] M. Bernaschi, F. Ferreri and L. Valcamonici, "Access points vulnerabilities to DoS attacks in 802.11 networks," Wirel. Netw., vol. 14, pp. 159-169, 2008.

[7] M. Malekzadeh, A. A. A. Ghani, J. Desa and S. Subramaniam, "Vulnerability Analysis of Extensible Authentication Protocol (EAP) DoS Attack over Wireless Networks," International Congress for Global Science and Technology, Computer Networks and Internet Research, vol. 9, 2009.

[8] J. Bock and M. Lynn, Hacking Exposed Wireless: McGraw-Hill, Inc., 2007.

[9] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz. (2004, 12 July). Extensible Authentication Protocol (EAP). Available: http://tools.ietf.org/html/rfc3748

[10] File2Air. (2010, 20 July). File2Air. Available: http://www.willhackforsushi.com/File2air.html

[11] Wireshark. (2010, 3 July). Available: http://www.wireshark.org/

[12] FreeRADIUS. (2010, 3 July). Available: http://freeradius.org/

[13] Open1x. (2010, 3 September). Available: http://open1x.sourceforge.net/

[14] J. Mirkovic et al., "Measuring impact of DoS attacks," in Proceedings of the DETER Community Workshop on Cyber Security Experimentation, 2006.

[15] L. Phifer. (2006, 1 September). Fighting wireless DoS attacks. Available: http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1169024,00.html
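The two WIDS checks under DETECTION OF ATTACKS (more than "X" EAP-NAK frames per second at an access point, and a NAK plus a regular response from one supplicant within 1 second) and the server-side hold under DELAY TIME TECHNIQUE, as an added example that is not code from the paper. The event tuples `(time, AP, supplicant, kind)`, the MAC addresses and the threshold X = 5 are constructed for illustration, and coalescing repeated NAKs into one hold is an assumption of this sketch.

```python
from collections import Counter, defaultdict

HOLD = 1.0  # seconds; the "1 second" window given in the text

AP = "00:11:22:33:44:55"                                # constructed BSSID
STA1, STA2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed supplicants
SAMPLE = [
    (10.00, AP, STA1, "nak"),       # forged Nak racing the real supplicant
    (10.20, AP, STA1, "response"),  # the supplicant's genuine method Response
    (12.00, AP, STA2, "nak"),       # genuine Nak: no Response follows
] + [(20 + i / 30, AP, STA1, "nak") for i in range(30)]  # 30 Naks in one second


def rate_alerts(events, x_per_sec):
    """Flood check: (AP, second, count) where an AP saw more than X Naks in a second."""
    buckets = Counter((ap, int(t)) for t, ap, _sta, kind in events if kind == "nak")
    return sorted((ap, sec, n) for (ap, sec), n in buckets.items() if n > x_per_sec)


def stateful_alerts(events, window=HOLD):
    """Stateful check: a Nak and a regular Response from one supplicant within `window`."""
    last = defaultdict(dict)  # supplicant -> {kind: time of its most recent frame}
    alerts = []
    for t, _ap, sta, kind in sorted(events):
        other = "response" if kind == "nak" else "nak"
        seen = last[sta].get(other)
        if seen is not None and t - seen <= window:
            alerts.append((sta, seen, t))
        last[sta][kind] = t
    return alerts


def delay_filter(events, hold=HOLD):
    """Server-side delay: hold each Nak up to `hold` seconds; a regular Response wins."""
    held, actions = {}, []  # held: supplicant -> arrival time of its held Nak

    def release(now):
        # Process every held Nak whose waiting time expired without a Response.
        for sta in [s for s, t0 in held.items() if t0 + hold <= now]:
            actions.append((held.pop(sta) + hold, sta, "process-nak"))

    for t, _ap, sta, kind in sorted(events):
        release(t)
        if kind == "nak":
            # Assumption of this sketch: Naks arriving while one is already
            # held for the same supplicant are coalesced into that hold.
            held.setdefault(sta, t)
        elif sta in held:
            del held[sta]
            actions.append((t, sta, "drop-nak"))
            actions.append((t, sta, "process-response"))
        else:
            actions.append((t, sta, "process-response"))
    release(float("inf"))
    return actions
```

On the constructed sample the forged NAK at 10.00 is dropped in favour of the response at 10.20 and raises the stateful alert, while the genuine NAK from the second supplicant is processed one second late and raises none.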
