Spoofing attack detection, Weak iv detection, Blacklist and white list – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

470

•

Association requests, disassociation requests and reassociation requests

•

Probe requests

•

802.11 null data frames

•

802.11 action frames.

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For

instance, a client in a WLAN has been associated with an AP and works normally. In this case, a
spoofed de-authentication frame can cause a client to get de-authenticated from the network and can

affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast

de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection

Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key

are used to generate a key stream, and thus encryptions using the same key have different results. When

a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all

frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is

compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.

Blacklist and white list

You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists.

•

White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients will be

discarded.

•

Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is

manually configured.

•

Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A client
is dynamically added to the list if it is considered sending attacking frames until the timer of the

entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP detection detects

any attacks, the MAC addresses of attackers are added to the dynamic blacklist. For more

information about ARP detection, see "ARP attack defense configuration."

When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the

frame as follows:

1.

If the source MAC address does not match any entry in the white list, the frame is dropped. If there
is a match, the frame is considered valid and will be further processed.

2.

If no white list entries exist, the static and dynamic blacklists are searched.

3.

If the source MAC address matches an entry in any of the two lists, the frame is dropped.