cell phones are prohibited due to the radio frequency (RF) interference. ... DoS attacks will affect both the wireless to wireless call and the wireless to wired call. ..... Advanced International Conference on Telecommunications and International ...
An Analysis of Denial of Service Attacks on Wireless VoIP Chibiao Liu and James Yu School of Computer Science, Telecommunications, and Information Systems DePaul University {cliu1, jyu}@cs.depaul.edu Abstract In recent years, Wireless Voice over IP (WVoIP) has been one of the most popular telecommunication technologies. Quality of Service (QoS) and security are two important issues which determine the success of WVoIP. WVoIP QoS issues have been extensively studied. However, security issues of WVoIP are rarely addressed. In this paper, we study one important WVoIP security issue of Denial of Service (DoS) attacks. DoS attacks not only degrade WVoIP call quality, but also disconnect active calls and prevent making new calls. We conducted extensive testing on the DoS attacking mechanisms and their effects on WVoIP quality. One major contribution is that we discuss and demonstrate solutions to resolve some DoS attacks on WVoIP. Another contribution of this paper is an experimental framework to emulate the DoS attacking process and to study its effects on WVoIP. A summary of open issues and directions for future research are also provided in this paper.
1 Introduction Since the emergence of data network, the convergence of voice and data networks --- Voice over Internet Protocol (VoIP) has becoming one of the most popular technologies in the telecommunication worlds. VoIP across wired network has been extensively studied and implemented on enterprise networks for cost savings. With the standardization of 802.11 in 1999, the Wireless Local Area Network (WLAN) is becoming more and more popular and widely deployed at home, Small Office/Home Office (SOHO), enterprise networks, and hot spots. The advantages of WLANs (in comparison to other LAN technologies) are flexibility, ease of installation and configuration, high performance, and relatively low cost. WVoIP was proposed and implemented over WLANs of SOHO and enterprise because of the potential advantages over the wired VoIP and the traditional cellular networks. WVoIP provides economical voice communications with high flexibility, mobility and better voice quality (due to its higher-bandwidth) compared to a cellular connection. WVoIP can be implemented on laptops, handheld computers, PDAs (Personal Digital Assistants) and dual mode cell phone. Unlike cellular communication, WVoIP can have three-way calling, call forwarding and multi-line selections. Furthermore, WVoIP can have a high quality call in residential areas, offices and basements where the WLAN signal strength is much better than that of the conventional cellular network. Meanwhile, WVoIP is a good fit for most of the hospitals where cell phones are prohibited due to the radio frequency (RF) interference. On the campus, there are often no phones for classrooms. With WVoIP, students, teachers and staff can have mobile and flexible communications without involving traditional cellular networks.
Quality of Service (QoS) and security are two major functional elements that have great impacts on the success of WVoIP. QoS issues of WVoIP have been widely studied [1-5]. DoS attack is one important security issue for WVoIP. DoS attacks can greatly decrease the call quality and even disconnect active calls. There have been no detail studies of DoS attacks on WVoIP. Major DoS attacks on WVoIP include authentication request flooding, association request flooding, deauthentication flooding and disassociation flooding. These DoS attacks have great dangers to WVoIP. Without solving these DoS attacks, the success of WVoIP will be impossible. Currently, there are no standard based approaches to address these DoS attacks. The purpose of this paper is to provide a comprehensive review of major DoS attacks against WVoIP and their potential solutions, along with an experimental framework to study and quantify the effect of DoS attacks on WVoIP. The questions to be addressed in this paper are summarized as follows. 1. 2. 3. 4.
What are DoS attacks on WVoIP? What are the effects of DoS attacks on WVoIP? What are the solutions to address DoS attacks on WVoIP? What are the directions for future research on WVoIP security issues?
The remaining sections of this paper are organized as follows. The second section summarizes major DoS attacks on WVoIP. Section 3 presents the experimental design to study DoS attacks over WVoIP. Demonstrations and detail analyses of DoS attacks on WVoIP are presented in Section 4. Section 5 discusses the solutions to resolve DoS attacks on WVoIP and directions for future research. Conclusions are provided at the end of this paper. 2 Backgrounds of DoS Attacks on WVoIP In the enterprise environment, WVoIP can be divided into two parts, wireless-to-wireless VoIP and wireless-to-wired VoIP (Figure 1). The wireless-to-wireless VoIP is the call between wireless VoIP users through the access point (AP) or between two wireless VoIP users using the ad hoc operation mode. The wireless-to-wired VoIP involves one wireless VoIP user and one wired VoIP user on the wired network or one conventional telephone on the Public Switched Telephone Network (PSTN). DoS attacks will affect both the wireless to wireless call and the wireless to wired call. Current WLAN security approach of 802.11i [6, 7] provides strong encryption and can be used to prevent attacker from eavesdropping WVoIP call. However, this security scheme cannot be used to protect WVoIP against DoS attacks. Major DoS attacks (Figure 1) on WVoIP are described as follows. 1. Authentication Request Flooding (AuthRF): A hacker floods the AP with faked authentication frames to overflow AP’s resources and make it deny any other legitimate requests and services. 2. Association Request Flooding (AssRF): In a short time, the attacker floods association requests to the AP and forces it out of service. 3. Deauthentication Flooding (DeauthF): A hacker floods the WLAN with faked deauthentication messages to force authenticated wireless clients to drop their connections with the AP.
4. Disassociation Flooding (DisassF): The attacker floods disassociation messages to wireless clients to force them to disconnect from the AP. To our knowledge, the WVoIP DoS security issues have not been thoroughly investigated in the literature yet. In this paper, these DoS attacks against WVoIP are investigated extensively. 3 Experimental Design of WVoIP An experimental environment is illustrated in Figure 2, where Cisco Catalyst 2950 Ethernet switch (SW-1) is used to connect workstations, the Remote Authentication Dial In User Service (RADIUS) server, Session Initiation Protocol (SIP) server and the 802.11 wireless access point (Linksys WAP-54G). Workstations (SIP-1, SIP-2, SIP-3 and SIP-4) are running Windows XP SP2 with installation of Xlite SIP v2 VoIP phone [8] which supports G. 711voice codec. Audio data is encoded as eight bits per sample with 8000 samples per second. For the tested soft VoIP phone, the sampled voice data within 20 ms is placed into one Real-Time Transport Protocol (RTP) packet and transmitted over the IP network. In our experiments, the RTP payload size is 160 bytes. Adding the RTP header size of 12 bytes, the UDP header size of 8 bytes and the IP header size of 20 bytes, then the total size for each IP voice packet is 200 bytes.
Figure 1. DoS attacks on WVoIP.
Figure 2. Test design for WVoIP studies.
In this paper, we study the effects of DoS attacks of AuthRF, AssRF, DeauthF and DisassF. These DoS attacks are directly related to the processing mechanisms of the 802.11 management frames. They have nothing to do with the bandwidth requirements and the choice of vocoder. We assume that our studies using G. 711 are applicable to other vocoders such as G. 729A and G. 723.1. In our experiment, we observe that the security schemes such as WEP, TKIP and AES cannot prevent any of these DoS attacks, and there is no need to report each one of them under different DoS attacks. To prevent eavesdropping, in this paper, we choose the strongest security approach of 802.11i-AES to protect the tested WLAN. SIP-1 and SIP-2 are equipped with Linksys 802.11 b/g wireless adapters which support 802.1X user authentication, data encryption and integrity with Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). SIP-1 and SIP-2 represent the wireless VoIP phones. SIP-3 and SIP-4 represent the wired VoIP phones. The RADIUS server for 802.1X user authentication is a Linux based freeRadius server (version 1.02), which is running on Red Hat 9.0 (Linux kernel of 2.4.29). SIP server of Asterisk is running on Fedora Core 2 with Linux kernel of 2.65-1.358. The DoS attacking tool of void11 [9] is installed on a Red Hat (kernel 2.4.29) Linux machine (Hacker), which is used to launch layer-2 flooding DoS attacks. The sniffer is a Window XP machine installed with the sniffing software of LinkFerret [10], which runs on the Agere Orinoco 802.11b PCI (Peripheral Component Interconnect) adapter. This
sniffer is used to capture frames transferred over the wireless medium. The captured frames include 802.1X authentication frames, 802.11 management frames, 802.11 control frames and data frames. The traffic analyzer of Ethereal is installed on workstations of SIP-1 to SIP-4. Ethereal is used to measure VoIP call performances over wired and wireless networks. In our experiments, Ethereal is used to analyze RTP traffic and report the throughput, the packet loss, and jitters. We calculate the delay based on the timestamp of the captured packets of Internet Control Message Protocol (ICMP) echo request and ICMP echo replay. Voice quality is measured by packet loss, delay and jitter, and these measurements are translated into Mean Opinion Score (MOS) based on Equation 1 and Equation 2 [11]. R= 94.2-Id –Ie MOS=1+ 0.035*R + 7*10-6 * R (R-60)*(100-R)
(1) (2)
In Equation 1, Id is related to one trip delay and Ie is related to packet loss. And both of them are also related to the type of voice codec. In our experiments, since the delay and packet loss come from the same source of the DoS attack, thus, in Equation 1, we will eliminate parameter of Id and only use Ie to calculate the R value. For a typical WVoIP call from SIP-1 to SIP-4 (Figure 2), the calculated MOS is 4.40, which is close to the reported value [12]. Based on the MOS ranking and the user satisfaction (Table 1), all users are very satisfied with the normal WVoIP call quality. Table 1: MOS ranking and the user satisfaction [13]. MOS ranking
User Satisfaction
MOS ranking
User Satisfaction
4.3 to 5
Very Satisfied
3.1 to 3.6
Many Users Dissatisfied
4.0 to 4.3
Satisfied
2.6 to 3.1
Nearly All Users Dissatisfied
3.6 to 4.0
Some Users Dissatisfied
1.0 to 2.6
Not recommended
4 DoS Attacks on WVoIP In the case of AuthRF and AssRF attacks against an AP, the AP would have no resources to serve current calls or to accept new call requests. In the case of rogue AP based DeauthF and DisassF attacks the AP itself is not affected, but its wireless clients are attacked. When wireless clients receive deauthentication or disassociation messages from the rogue AP, they believe that they receive those messages from a legitimate AP, and terminate their wireless connections. Because attacking tools are widely available, AuthRF, AssRF, DeauthF and DisassF can be easily launched to attack WVoIP. The security approach of 802.11i can prevent WVoIP call eavesdropping; but it cannot resolve these DoS attacks on WVoIP. Without resolving DoS attacks, WVoIP would have limited use in an enterprise environment. DoS attacks would cause high jitter, packet loss and long delay of voice communication, and could even disconnect active calls. So far, there have been no detail investigations on these DoS attacks on WVoIP and we will investigate them in the following sections.
4.1 Authentication request flooding attack AP authentication buffer is used to hold information during authentication process. When the buffer is full, the AP would not be able to accept new access requests. A hacker could continuously flood the AP with authentication request frames, making the AP incapable of accepting new WVoIP calls or serving those active WVoIP calls. We conducted experiments to demonstrate AuthRF DoS attack on WVoIP. In Figure 2, SIP-1 and SIP-4 have an active WVoIP call. After the hacker starts flooding authentication requests to the AP, the WVoIP call stops. The duplex voice data throughput between SIP-1 and the AP drops significantly (Table 2). Meanwhile, no new WVoIP calls can be made under the AuthRF attack. Table 2 gives the voice characteristics before and during the AuthRF DoS attack. During the attacking period, the voice packet loss is 35.0%. The jitter is 25.63 ms. The MOS becomes 1.58, and this voice quality is unacceptable (Table 1). Table 2: Voice characteristics before and during the AuthRF DoS attack. Parameter
Throughput (kbps)
Packet loss (%)
Delay (ms)
Jitter (ms)
MOS
Without AuthRF
128
0
0.73
2.69
4.40
Under AuthRF 83 35.0 >500 25.63 1.58 Note: Throughput under DoS is calculated by multiplying the normal throughput and (1- packet loss).
Based on the captured wireless frames, during the AuthRF attack, the detail interactions among the WVoIP phone, the AP and the hacker are illustrated in Figure 3a. Figure 3a shows that when the legitimate AP receives the authentication request with a faked source MAC address, it reserves buffers for the authentication request and sends out an authentication response to the faked wireless client. Since the faked wireless client does not exist, the AP cannot receive the ACK (ACKnowledgement) for the transmitted authentication response frame. The AP keeps sending out several authentication response messages. For AuthRF, the victim AP always keeps reserving buffers and/or sending multiple response messages for each received authentication request. To process these authentication requests consumes a great deal of the AP’s resources. As a result, the AP has little resource to serve those already associated wireless clients (WVoIP phones), and these wireless clients may either suffer poor voice communications or lose the communication completely. 4.2 Association request flooding attack As AuthRF, for the AssRF DoS attack, a hacker could continuously flood the AP with association request frames to make the AP deny new WVoIP calls and stop serving those active WVoIP calls. We conducted experiments to demonstrate the AssRF DoS attack on WVoIP. When the hacker starts flooding association requests to the AP, the quality of the call between SIP-1 and SIP-4 is affected greatly (Table 3). During the testing period, the voice packet loss is 35.0%, and the jitter 26.50 ms. The MOS becomes 1.58, which is definitely unacceptable for nearly all WVoIP users. The sniffed wireless frames confirm that the AP receives association requests with faked source MAC addresses. For each received frame, the AP checks its buffer and finds that the faked wireless client does not exist in its authenticated state table. It then sends out the deauthentication frame to the faked wireless client (Figure 3b). Since it does not receive layer-2 ACK from the faked wireless client, it keeps sending out several deauthentication frames. To process the flooded association requests like this will consume a great deal of the AP’s resources. It has no resources left to serve those already associated wireless clients (WVoIP
phones). This forces the associated wireless clients to slow down or even stop their voice/data communications. Table 3: Voice characteristics before and during the AssRF DoS attack. Parameter
Throughput (kbps)
Packet loss (%)
Delay (ms)
Jitter (ms)
MOS
Without AssRF
128
0
0.73
2.69
4.40
Under AssRF 87 35.0 >500 26.5 1.58 Note: Throughput under DoS is calculated by multiplying the normal throughput and (1- packet loss).
Figure 3. Frames exchanged during AuthRF (a) and AssRF (b). 4.3 Rogue AP based deauthentication flooding attack Deauthentication is a notification between the AP and wireless clients and it cannot be refused. For AP based deauthentication, the AP initially sends out a deauthentication message to the wireless client to terminate the authenticated/associated relationship. Hackers can launch sophisticated deauthentication attack by configuring a station to operate as a rogue AP. The rogue AP then floods airwaves with persistent "deauthenticate" management frames. These spoofed frames have the source MAC of the legitimate AP, and have the destination MAC of a specific wireless client or a broadcast address. We demonstrate the rogue AP based DeauthF attack and their effects on a WVoIP call between SIP-1 and SIP-4 (Figure 2). When this attack begins, the voice data exchanged between SIP-1 and the AP stops immediately. Changes of voice characteristics for the WVoIP call under the deauthentication flooding are shown in Table 4. Table 4 shows that under deauthentication flooding attack, the jitter does not change much. This is because the wireless client becomes unauthenticated and unassociated during the DeauthF DoS attack. There is no voice data sent out, and there is also no data rate variation. However, because of the big packet loss and long delay, the MOS becomes 1.80, and which causes the voice quality unacceptable. Table 4: Voice characteristics before and during the DeauthF DoS attack. Parameter
Throughput (kbps)
Packet loss (%)
Delay (ms)
Jitter (ms)
MOS
Without DeauthF
128
0
0.73
2.69
4.40
Under DeauthF 90 29.9 >500 3.75 1.80 Note: Throughput under DoS is calculated by multiplying the normal throughput and (1- packet loss).
For the attacking mechanisms, the sniffed 802.11 frames show that immediately after receiving the deauthentication frame from the rogue AP, the WVoIP phone goes back to the unauthenticated and unassociated state. Then, the WVoIP phone starts a new round scanning for the available AP to connect with (Figure 4a). WVoIP phone sends out probe requests and receives probe responses from the AP. Since the WVoIP phone continuously receives deauthentication frames from the rogue AP (Hacker), it is unable to reconnect to the AP. After stopping DeauthF, the WVoIP phone starts device authentication and user authentication. If these authentications are successful, the WVoIP call will resume. 4.4 Rogue AP based disassociation flooding attack Like deauthentication frame, the disassociation frame is also a notification between the AP and wireless clients and it cannot be refused neither. Hackers can use a rogue AP to flood disassociation frames with the source MAC of the legitimate AP, and the destination MAC of a specific wireless client or a broadcast address. We demonstrate the rogue AP based DisassF attack and its effects on a WVoIP call between SIP-1 and SIP-4 (Figure 2). When the DisassF DoS attack starts sending disassociation frame to the WVoIP phone, the voice data exchanged between SIP-1 and the AP stops immediately, and the call quality becomes unacceptable. The call characteristics are shown in Table 5. Like the DeauthF DoS attack, DisassF also cause a small jitter. Because of the big packet loss and long delay, the calculated MOS is 1.90, which is still unacceptable for all WVoIP users (Table 1). Table 5: Voice characteristics before and during the DisassF DoS attack. Parameter
Throughput (kbps)
Packet loss (%)
Delay (ms)
Jitter (ms)
MOS
Without DisassF
128
0
0.73
2.69
4.40
Under DisassF 92 27.7 >500 3.73 1.90 Note: Throughput under DoS is calculated by multiplying the normal throughput and (1- packet loss).
Figure 4. Interactions during DeauthF (a) and DisassF (b). Based on the sniffed 802.11 frames, the attacking mechanism of DisassF is derived and shown in Figure 4b. It shows that after receiving the disassociation frame from the rogue AP, the wireless client immediately disconnects with the legitimate AP. Then, the wireless client starts a new round scanning for the available AP to connect with. Figure 4b shows that WVoIP
phone sends out probe requests and receives probe responses. The disassociation flooding attack is somewhat different from the deauthentication flooding attack. Under the disassociation flooding attack, the WVoIP phone is able to receive reassociation response and finish the device authentication with the legitimate AP. However, since the WVoIP phone is continuously receiving disassociation frames from the rogue AP (Hacker), after it gets associated with the AP, it disassociates from the AP immediately. Then, the WVoIP phone repeats another round of device authentication. After stopping DisassF, the WVoIP phone is able to make both device authentication and user authentication successfully. Then, the WVoIP call resumes. 5 Solutions to DoS Attacks on WVoIP and Directions for Future Research Currently, there are no published solutions to prevent DoS attacks of AuthRF and AssRF. In this paper, we demonstrate the solution to resolve association request flooding DoS attack through modification of source codes of a Linux based HostAP [14]. Before we modify the processing mechanisms of the Linux based AP, under the AssRF attack, the interactions between the hacker, the WVoIP phone and the Linux based AP are the same as those of the commercial Linksys WAP access point (Figure 3b). Normally, the AP processes the associate request following procedures shown in Figure 5a. For the Linux based AP, the AssRF DoS attack causes a lot of packet loss or even call disconnection (Table 6). Under the attack, MOS becomes 2.20, which is unacceptable for most of the WVoIP users. Then, we modify the Linux based AP and change the mechanisms to process the received association requests (Figure 5b). If the received association request is not from an authenticated wireless client, the AP will stop further processing this faked associate request to save the AP’s resources. After this modification, when restarting association request flooding attack, it has no effect on the tested WVoIP call quality (Table 6). There is also no voice data loss, and the jitter is small and similar as that without being attacked. After modification, the calculated MOS for WVoIP calls is 4.40, and it does not change during the AssRF attack. Thus, the modification of association request processing mechanisms is successful to prevent the AssRF DoS attack and to guarantee a high call quality.
Figure 5. Processing associate request.
Table 6: Voice characteristics vs. modification of association processing of Linux AP. Parameter
Throughput (kbps)
Packet loss (%)
Delay (ms)
Jitter (ms)
MOS
Before modification without AssRF
128
0
0.68
3.02
4.40
Before modification under AssRF
100
21.6
> 500
13
2.20
After modification without AssRF
128
0
0.69
2.9
4.40
After modification under AssRF 128 0 0.70 2.80 4.40 Note: Throughput under DoS is calculated by multiplying the normal throughput and (1- packet loss).
Compared with association request flooding, it is much more difficult to prevent authentication request flooding. This is because that the AP has no records for a wireless client before processing the authentication request frame. Future research should focus on how to change frame processing mechanisms to prevent AuthRF. For example, if the AP sends out several authentication responses without receiving any ACK, it means that the AP is under attack. Then, the AP should send out alarms and stop processing other received authentication requests for a period of time. Published approaches to resolve deauthentication and disassociation related DoS attacks include queuing frames [15], and central manager processing frames [16]. Queuing flooded disassociation or deauthentication requests could be a major challenge. In addition, the central management method is very complex. It needs to redesign the authentication system and add more overheads to it. To resolve deauthentication and disassociation flooding DoS attacks efficiently and effectively, future research may improve those approaches discussed earlier. Another approach is to investigate how to use the deauthentication or disassociation frame header information to check its validity. For example, the frame sequence could be used to perform this function. When an AP or wireless client receives a disassociation or a deauthentication frame, it can retrieve the sequence number of the received frame and compare it with 1+ the sequence number of the latest frame from the legitimate wireless client or the AP. If they match, the received frame will be processed; otherwise, it will be discarded. Lastly, any enhancement to the current 802.11 management frame should consider the overhead on performance. Ideally, modification to the protocols should be minimal to maintain the same performance level. 6 Conclusions In this paper, we analyze major DoS attacks on WVoIP. We also present a detailed study of various attacking mechanisms of AuthRF, AssRF, rogue AP based DeauthF and DisassF. One major contribution of this paper is that we provide the solutions to resolve some DoS attacks against WVoIP. Another contribution of this study is an empirical framework to emulate various DoS attacks and analyze the message flows among the hacker, the wireless client (WVoIP phone) and the AP under different attacking scenarios. The empirical framework also helps quantify the impact of those DoS attacks on WVoIP call performance and quality. Directions for future research are provided in the area of developing an authentication system for the wireless management frames where the solution should be theoretically sound and cost-effective with no performance degradation.
References [1] A. Ksentini, A. Guéroui, M. Naimi, "802.11-based wireless networks: Adaptive transmission opportunity with admission control for IEEE 802.11e networks", Proceedings of the 8th ACM international symposium on MSWiM systems, Oct. 2005, pp. 234-241. [2] G. Hanley, S. Murphy, L. Murphy, "802.11-based wireless networks: Adapting WLAN MAC parameters to enhance VoIP call capacity", Proceedings of the 8th ACM international symposium on MSWiM systems, Oct. 2005, pp. 250-254. [3] L. Gao, J. Luo, "Performance Analysis of a P2P-Based VoIP Software", Proceedings of the Advanced International Conference on Telecommunications and International Conference on Internet and Web Applications and Services (AICT), Guadeloupe, French Caribbean, February 2006. [4] C. Hesselman, H. Eertink, I. Widya, E. Huizer, "Models and measures: Measurements of SIP signaling over 802.11b links", Proceedings of the 3rd ACM international workshop on Wireless mobile applications and services on WLAN hotspots, Sept. 2005, pp. 74-83. [5] M. C. Domingo, D. Remondo, "QoS in wireless networks: An interaction model between adhoc networks and fixed IP networks for QoS support", Proceedings of the 7th ACM international symposium on Modeling, analysis and simulation of wireless and mobile systems, Oct. 2004, pp 188-194. [6] N. Cam-Winget, R. Housley, D. Wagner, J. Walker, "Security flaws in 802.11 data link protocols ", Communications of the ACM, Vol46(5) , 2003, pp. 35-39. [7] IEEE 802.11i, “Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications”, July, 2004. [8] CounterPath Solutions, http://www.xten.com/ index.php?menu= download. [9] A. A. Vladimirov, K. V. Gavrilenko, A. A. Mikhailovsky, "Wi-Foo: The Secrets of Wireless Hacking", Pearson/Addison Wesley, June 2004, pp. 159-195. [10] Tuca Software, "LinkFerret Wireless Packet Sniffer", http://www.linkferret.ws/wireless/ wireless.htm. [11] W. Jiang, H. Schulzrinne, “Comparisons of FEC and Codec Robustness on VoIP Quality and Bandwidth Efficiency”. In IEEE International Conference on Networks (ICN), Atlanta, Georgia, August 2002, pp. 1-12. [12] W. Jiang, H. Schulzrinne, “Comparison and Optimization of Packet Loss Repair Methods on VoIP Perceived Quality under Bursty Loss”, NOSSDAV’02, Miami Beach, Florida, USA, May, 2002, pp. 73-81. [13] P. Calyam, M. Sridharan, W. Mandrawa, P. Schopis “Performance Measurement and Analysis of H.323 Traffic”, Passive and Active Measurement Workshop (PAM), Proceedings published in Springer Lecture Notes in Computer Science, 2004. [14] J. Malinen, "Host AP driver for Intersil Prism2/2.5/3, hostapd, and WPA Supplicant", http://hostap.epitest.fi/. [15] J. Bellardo, S. Savage “802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”, Proceedings of the USENIX Security Symposium, Aug. 2003. pp. 1527. [16] P. Ding, J. Holliday, A. Celik, “Improving the Security of Wireless LANs by Managing 802.1X Disassociation”, Proceedings of the IEEE Consumer Communications and Networking Conference, Las Vegas, NV, January 2004. pp. 53-58.
