DoS is a common network security problem, and it refers to an attempt to disrupt the function of a service. The disruption can range from physical destruction of network equipment to attacks that are designed to use all of a network's bandwidth. It could even be an attempt to deny a particular person from using the service. DoS is particularly problematic in the wireless realm because of the ease of network access. An attacker can do a simple DoS attack with radio-jamming equipment, but such equipment is more difficult to find than 802.11 cards, and it has no means of being selective. Attacks that use the consumer-grade 802.11 cards are much easier to carry out and can be just as effective. Several DoS attacks can target particular stations or networks.
Disassociation and deauthentication attacks exploit the unauthenticated nature of 802.11 management frames. Chapter 3, "WLAN Standards," showed that when a station wants to connect to an AP, it first exchanges authentication frames and then association frames. It can participate in the network after it is authenticated and associated. However, any station can spoof a disassociate or deauthenticate message, pretending to be another station. The AP disassociates the targeted station, which cannot send traffic until it is associated again. By repeatedly sending these frames, an attacker can keep one or more stations off a network indefinitely. This attack is documented in a paper by John Bellardo and Stephan Savage. The following are several implementations of this attack.
Mike Schiffman released one such implementation in a tool called Omerta (named after the Sicilian code of silence). This tool listens for packets and simply sends a disassociate message for every data packet it sees. To his credit, Schiffman delayed releasing Omerta until other tools just like it were already public. Omerta is written using Schiffman's libradiate package, which allows creation of custom 802.11 packets. Omerta is available in a posting to the bugtraq mailing list (http://www.securityfocus.com/archive/89/326248).
The AirJack package (http://802.11ninja.net) comes with a tool called essid_jack, which implements a deauthentication attack to discover "hidden" networks. These are networks in which the AP does not send beacon packets advertising the SSID. However, by disassociating a user, the attacker forces that user to send probe packets with the SSID in them. This tool demonstrates why SSIDs are not, and should never be considered, a security mechanism. AirJack also includes wlan_jack, which is a simple disassociation attack. A variation on this theme is fata_jack. It sends invalid authentication requests spoofing legitimate clients, causing the AP to disassociate the real client.
A more nefarious use of this attack would be to knock somebody off a network with the goal of posing as a server. This technique is useful in the MitM attack on PEAP. Monkey_jack is a proof-of-concept attack that deauthenticates a victim and then poses as the AP when the victim comes back up. If the victim does not have a method of verifying the AP's identity, he could be fooled into giving up useful information.
Reyk Floeter wrote void11 (http://www.wlsec.net/void11), which includes two attacks based on this principle. One is the deauthentication attack described earlier. The other attack floods authenticate requests to an AP, with the goal of crashing the AP or denying service by filling up tables of associated stations.
Given all of the preceding attacks, you can see that the lack of strong authentication for management frames in 802.11 leads to some critical vulnerabilities.
Bellardo and Savage describe another denial-of-service attack based on the Transmit Duration field of the 802.11 frame. Transmit Duration is the collision avoidance mechanism for 802.11 that announces to other nodes how long a frame transmission will last. All stations on the network are then supposed to stay quiet for that amount of time to avoid colliding with that transmission. An attacker can send a stream of packets with the maximum Transmit Duration (1/30th of a second) set, which prevents other nodes from sending for that amount of time. Thus, a relatively slow 30-packets-per-second rate keeps the network occupied. Currently, many cards ignore the Transmit Duration field, so the attack is not effective now. However, they will have to respect it to support QoS in the future, and this attack could become practical.