Once a rogue AP is discovered, the next immediate step is
to block the AP from the network so that authorized clients
don't associate with it. There are two ways of blocking
rogue APs.
Tit for Tat: Launch a Denial-of-service (DoS) attack
on the rogue AP and make it deny wireless service to any
new client.
Pull it out of the network, manually
Blocking the switch port to which the AP is connected.
Launching a DoS attack on the rogue AP
Most wireless IDS vendors follow this practice. This
is, in effect, using offense for defense. Once a rogue AP is detected,
the WLAN administrator can use the sensor to launch a DoS
attack on it by sending numerous disassociation packets.
Figure 1: Rogue blocking by sending disassociation packets
How the disassociation attack works
IEEE 802.11 defines a client state machine for tracking
station authentication and association status. Wireless
clients and APs implement such a state machine (refer to the
illustration below) based on the IEEE standard. A successfully
associated client station stays in State 3 in order
to continue wireless communication. A client station
in State 1 or State 2 cannot participate in the WLAN
data communication process until it is authenticated
and associated. IEEE 802.11 also defines two authentication
services: Open System Authentication and Shared Key
Authentication. Wireless clients go through one of the
two authentication processes to associate with an AP.
A Disassociation Flood Attack is a form of denial-of-service
attack that forces a client to the unassociated/authenticated
state (State 2) by spoofing disassociation frames from
the AP to a client. Typically, client stations would
re-associate to regain service until the attacker sends
another disassociation frame. An attacker would repeatedly
spoof the disassociation frames to keep the client out
of service.
Figure 2: Disassociation Attack Model Diagram
Pulling an AP off the LAN
This is manual work. The administrator can walk up to the
rogue AP and pull it off the LAN. In many cases it would be
an overenthusiastic employee who has installed the AP for
wireless communication.
Blocking the switch port
Wireless network management software offers this functionality.
Once the rogue AP is detected, the software will look for the
rogue AP's MAC address in all the switches connected
in the LAN. The port at which the MAC is connected can then
be blocked for any LAN traffic. This would automatically cause
the clients connected to the AP to drop the connection
and associate with the nearest AP. This is a very effective
technique.
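
The lookup described above, as an added example (not from the original article or any vendor's product): it searches MAC address table dumps for the rogue AP's MAC and ranks the ports where it is learned. The table format, switch names, ports and addresses are constructed assumptions, and the ranking goes slightly beyond the text by separating the edge port from uplinks that learn the same MAC.

```python
import re
from collections import Counter

# Constructed "VLAN  MAC  TYPE  PORT" table dumps from two hypothetical switches.
# 0011.2233.4455 is the rogue AP; 00aa.bbcc.dd09 is a client bridged through it.
TABLES = {
    "core-sw1": """
  10  0011.2233.4455  DYNAMIC  Gi1/0/1
  10  00aa.bbcc.dd09  DYNAMIC  Gi1/0/1
  10  00aa.bbcc.dd01  DYNAMIC  Gi1/0/1
  10  00aa.bbcc.dd02  DYNAMIC  Gi1/0/2
""",
    "access-sw2": """
  10  0011.2233.4455  DYNAMIC  Fa0/7
  10  00aa.bbcc.dd09  DYNAMIC  Fa0/7
  10  00aa.bbcc.dd01  DYNAMIC  Fa0/3
  10  00aa.bbcc.dd02  DYNAMIC  Gi0/1
""",
}

def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse(table):
    """Yield (mac, port) for each well-formed row; skip headers and blanks."""
    for line in table.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[0].isdigit():
            yield norm(cols[1]), cols[3]

def locate(rogue_mac, tables):
    """Return (switch, port, macs_on_port) candidates, likeliest edge port first.

    Every switch on the path learns the MAC, but uplinks also carry other
    hosts' addresses, so the port with the fewest learned MACs is the edge.
    """
    target, hits = norm(rogue_mac), []
    for switch, table in tables.items():
        rows = list(dict.fromkeys(parse(table)))  # drop duplicate rows
        per_port = Counter(port for _, port in rows)
        hits += [(switch, port, per_port[port])
                 for mac, port in rows if mac == target]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for switch, port, count in locate("00:11:22:33:44:55", TABLES):
        print(f"{switch} {port}: {count} MAC(s) learned")
```

The first candidate is the port to block; the later ones are inter-switch links that must stay up.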