
Can we block WLAN connectivity of abusive users?

Aug 02, 2004 (3 mins)
Network Security, Security, Wi-Fi

Q: We have users that sometimes abuse our wireless policy. Is there a way I can disrupt connectivity to the wireless area and users via a notebook or iPAQ? This would be something like a hack to cause a denial-of-service attack, without physically unplugging the access point? – Wayne, New Orleans.

The Wizards gaze deeply into their crystal ball and respond:

Michael Montemurro, Chantry Networks

If the access point is within your corporate administrative domain, there are ways of disrupting connectivity to the wireless network without physically unplugging the access point, and without causing a denial of service. Your options include turning the radio off on the access point; minimizing the power on the access point; or enabling the access control list on the access point and adding the offending MAC address(es) to a blacklist.

If the access point is not within your corporate administrative domain, and is thus a rogue access point, then WLAN infrastructure providers can detect such an access point and issue disassociate messages to the clients that are attempting to associate to it. That way you can ensure that no user is sending traffic to your wired network. Another alternative is to initiate a denial-of-service attack against the rogue by sending large amounts of 802.11 associations to the access point.

Scott Haugdahl, WildPackets

There are tools you can use to “kick” users off of access points. Unfortunately, these tools typically work by sending out 802.11 de-authentication frames to the all stations’ broadcast addresses, so you would need to hack the code to allow you to specify a single user by physical address. Using de-authentication attacks is generally not a recommended practice – you must run the tool all the time because stations will continually attempt to re-authenticate. This can also create excess traffic, penalizing users that are not “abusing” your policy. Look for vendors that offer a more “friendly” solution, such as the ability to update the access tables across multiple access points (doing this by hand is tedious unless you only have a small number of access points and users) or systems that include an agent that all wireless users must install to directly control that user.

Rich Swier, Highwall Technologies

Shutting down access of a wireless client can be done a few different ways. If it’s not a “hacker” who knows tricks around MAC address spoofing, I would suggest the best way to disconnect a client from the network is blacklisting the MAC address of the client. A more sophisticated approach would be to re-direct traffic intended for the user to another machine (which is similar to a DoS/Middle Man attack hackers use). These types of reactive measures are not done via a laptop, but through software or manual configuration of your routers.
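
The MAC blacklist that the answers above recommend has to be kept consistent across access points, so here is an added example (not part of the original column or any respondent's answer) that cleans a pasted list of offending MACs into one deny file. It assumes hostapd-style access points that read a one-MAC-per-line file through `deny_mac_file`; the sample addresses are constructed, and it flags locally administered addresses because those are set in software and easy to change.

```python
import re

# Constructed sample input: MACs as they might be pasted from different AP logs.
SAMPLE = [
    "00-1A-2B-3C-4D-5E",
    "001a.2b3c.4d5e",        # same station, dotted notation
    "DA:A1:19:00:00:01",     # locally administered address
    "ff:ff:ff:ff:ff:ff",     # broadcast, must never be listed
    "not-a-mac",
]

def normalize(mac):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_deny_list(entries):
    """Return (sorted unique station MACs, list of warnings)."""
    macs, warnings = set(), []
    for raw in entries:
        mac = normalize(raw)
        if mac is None:
            warnings.append(f"skipped malformed entry: {raw!r}")
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group bit set: broadcast/multicast, not a single station.
            warnings.append(f"skipped group address: {mac}")
            continue
        if first_octet & 0x02:
            # Locally administered bit: the address was assigned in software,
            # so the client can change it and fall off the list.
            warnings.append(f"locally administered, easy to change: {mac}")
        macs.add(mac)
    return sorted(macs), warnings

def render_deny_file(macs):
    """One MAC per line, the layout hostapd reads via deny_mac_file (assumed AP type)."""
    return "".join(m + "\n" for m in macs)

if __name__ == "__main__":
    macs, warnings = build_deny_list(SAMPLE)
    print(render_deny_file(macs), end="")
    for w in warnings:
        print("warning:", w)
```

Distributing the same rendered file to every access point keeps the access tables identical, which is the tedious manual step the second answer describes.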