Flood attack detection, Spoofing attack detection, Weak iv detection – H3C Technologies H3C MSR 50 User Manual

57

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind

within a short span of time. When this occurs, the WLAN devices are overwhelmed. Consequently, they
are unable to service normal clients.
WIDS attacks detection counters flood attacks by constantly keeping track of the density of traffic

generated by each device. When the traffic density of a device exceeds the limit, the device is

considered flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist
and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:

•

Authentication requests and de-authentication requests

•

Association requests, disassociation requests and reassociation requests

•

Probe requests

•

802.11 null data frames

•

802.11 action frames.

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For

instance, a client in a WLAN has been associated with an AP and operates correctly. In this case, a

spoofed de-authentication frame can cause a client to get de-authenticated from the network and can

affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast

de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it

is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

WEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream, and thus
encryptions using the same key have different results. When a WEP frame is sent, the IV used in

encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all

frames, the shared secret key might be exposed to any potential attackers. When the shared secret key
is compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a

weak IV is detected, it is immediately logged.

Blacklist and white list

You can configure the blacklist and white list functions to filter frames from WLAN clients and implement

client access control.
WLAN client access control is accomplished through the following types of lists.

•

White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients are

discarded.

•

Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.