Flood attack detection, Spoofing attack detection, Weak iv detection – H3C Technologies H3C MSR 50 User Manual
Page 66: Blacklist and white list
57
Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices are overwhelmed. Consequently, they
are unable to service normal clients.
WIDS attacks detection counters flood attacks by constantly keeping track of the density of traffic
generated by each device. When the traffic density of a device exceeds the limit, the device is
considered flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist
and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
•
Authentication requests and de-authentication requests
•
Association requests, disassociation requests and reassociation requests
•
Probe requests
•
802.11 null data frames
•
802.11 action frames.
Spoofing attack detection
In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For
instance, a client in a WLAN has been associated with an AP and operates correctly. In this case, a
spoofed de-authentication frame can cause a client to get de-authenticated from the network and can
affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.
Weak IV detection
WEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream, and thus
encryptions using the same key have different results. When a WEP frame is sent, the IV used in
encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key might be exposed to any potential attackers. When the shared secret key
is compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
Blacklist and white list
You can configure the blacklist and white list functions to filter frames from WLAN clients and implement
client access control.
WLAN client access control is accomplished through the following types of lists.
•
White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
•
Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.