Minimise the impact of RF jamming
Jump to another channel and call in the law!
By The Wireless Wizards, Network World | Network World US | Published: 00:00, 16 July 2004
Q: Should we be concerned with jamming (of radio frequency)? If so, how do we minimize the impact?
The Wizards respond:
Bob Friday, Airespace
Because RF is an open medium, “jamming” can be an issue. This can be as innocent as noise or interference on the same channels that are delivering WLAN service, or a direct attack on your RF domain launched from a malicious individual.
Most WLANs are open to all different kinds of interference, as the majority of non-proprietary wireless networking products available today follow 802.11 standards, which operate in the unlicensed 2.4 and 5.2 GHz bands. This interference comes from a variety of sources, ranging from other legitimate 802.11 networks to noise from Bluetooth devices or microwaves.
Older generations of WLANs are not effectively equipped to adapt to various forms of interference, and require an administrator to adjust channel and power on each access point manually through trial and error. The best way to combat the various forms of interference is to invest in newer WLAN systems that have real-time RF management, which can identify and adapt to interference.
If your concern is malicious jamming, you should look into wireless prevention and detection functionality. At a minimum, these systems should detect an unauthorized client device or "rogue access point" in the presence of your wireless network. Advanced systems can prevent unauthorised attacking devices from accessing the system, modify configurations to maintain performance in presence of threats, track or 'blacklist' these threats, and find the physical location of rogue devices for rapid containment.
Regardless of the type or intent of interference, your wireless network must be able to detect, react and adjust to it accordingly.
Albert Lew, Legra Systems
If someone really wanted to disrupt your WLAN network, it would be far easier to launch an attack by sending periodic deauthenticated packets to all the wireless stations in the network. This attack can be mounted with off-the-shelf hardware from any mass-market consumer electronics retailer and free software downloaded from the Internet. In the worst case, it is impossible to defend against a radio jamming attack, because a clever attacker will jam all frequencies for both 802.11a and 802.11b/g.
To minimise the potential impact of a non-worst case jamming attack, first identify the presence of the attack. An RF jamming attack will be characterised at the physical layer by an increased noise floor on the RFs used to mount the attack. The increased noise floor will result in a degraded signal-to-noise ratio as measured at the client. The degraded signal noise ratio should also be measurable from the access point, and the network management capabilities of your WLAN system should support reporting of noise floor levels that exceed a preset threshold, as well as reporting degradation of signal-to-noise ratio.
The RF jamming attack will also make itself known at the 802.11 MAC layer, because the transmission error rate and the receive error rate for the access point will be increased since 802.11 will require multiple retransmissions due to the increased noise floor. The network management system of the WLAN should be able to alert the administrator to the locations of the access points that are experiencing excessive retransmissions and receive errors.
The next step is for the access point to dynamically and automatically reconfigure its transmit channel in reaction to the jamming attack, as identified by the change in physical layer and 802.11 layer transmission and reception characteristics. In 802.11b, for instance, if the attack was being made on the frequency corresponding to channel 1, the access point should automatically change to channel 6 or channel 11 to work around the attack. With 802.11a, there are many more alternative channels that can be selected. Selecting a new channel does not automatically turn the jamming attack into a non-issue - a clever attacker will use all available channels in the jamming attack. If this is the case, then there is really no recourse other than to physically locate and confront the attacker.
For use of unlicensed band spectrum (such as 802.11b/g and 802.11a) to be legal according to local regulators (the FCC in the US, and Ofcom in the UK), the transmit power used on the unlicensed spectrum must be below certain transmit power levels (100mW for 802.11b/g, and varying according to channel for 802.11a). For an attack to be effective on the entire enterprise, the attacker would either have to have multiple attacking devices physically located within the enterprise, or have a single attacking device operating at illegal transmit power levels. The latter is a more likely scenario, and if the equipment can be captured after the attack, the attacker could be shown to be in violation of the law.