Wids attack detection, Flood attack detection, Spoofing attack detection – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Page 492: Weak iv detection, Frame filtering
WIDS Attack Detection
The WIDS attack detection function detects intrusions or attacks on a WLAN and informs the
network administrator of the attacks by recording information or sending logs. At present, WIDS
detection supports detection of the following attacks:
Flood attack
Spoofing attack
Weak IV attack
Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices are overwhelmed and consequently are
unable to service normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic
generated by each device. When the traffic density of a device exceeds the limit, the device is
considered to be flooding the network and will be blocked. If the dynamic blacklist feature is enabled, the
detected device will be added to the blacklist.
WIDS inspects the following types of frames:
Authentication requests and de-authentication requests
Association requests, disassociation requests and reassociation requests
Probe requests
Null data frames
Action frames
Spoofing attack detection
In this kind of attack, a potential attacker can send a frame in the air on behalf of another device. For
instance, a spoofed de-authentication frame can cause a station to get de-authenticated from the
network.
Spoofing attack detection counters this attack by detecting broadcast de-authentication and
disassociation frames. When such a frame is received, it is identified as a spoofed frame, and the
attack is immediately logged.
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a
key are used to generate a key stream, so frames encrypted with the same key produce different results.
When a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, if a client generates IVs in an insecure way, for example, if it uses a fixed IV for all frames, the
shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
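The following Python example is added here to illustrate the check described above; it is not code from the H3C manual or firmware. It reads the IV from the header of a WEP data frame and logs two conditions: the fixed-IV case the manual mentions and IVs of the well-known form (B+3, 0xFF, x). The manual does not state which IVs the controller treats as weak, so that criterion, the reuse threshold, and all names and sample frames are assumptions.

```python
from collections import defaultdict

WEP_KEY_LEN = 13  # assumption: 104-bit key (use 5 for 40-bit WEP)

def wep_iv(frame: bytes):
    """Return (transmitter MAC, 3-byte IV) for a WEP data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:  # data type + Protected bit
        return None
    hdr = 24
    if fc1 & 0x03 == 0x03:   # ToDS and FromDS set: Address 4 present
        hdr += 6
    if (fc0 >> 4) & 0x8:     # QoS data subtype: QoS Control present
        hdr += 2
    if len(frame) < hdr + 4 or frame[hdr + 3] & 0x20:  # ExtIV => TKIP/CCMP
        return None
    return frame[10:16].hex(":"), frame[hdr:hdr + 3]

def is_fms_weak(iv: bytes, key_len: int = WEP_KEY_LEN) -> bool:
    """Classic weak form (B+3, 0xFF, x), B indexing a secret key byte."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len

class WeakIvDetector:
    def __init__(self, reuse_limit: int = 3):  # hypothetical threshold
        self.reuse_limit = reuse_limit
        self.seen = defaultdict(lambda: defaultdict(int))  # mac -> iv -> count
        self.log = []

    def inspect(self, frame: bytes):
        parsed = wep_iv(frame)
        if parsed is None:
            return None
        mac, iv = parsed
        self.seen[mac][iv] += 1
        if is_fms_weak(iv):
            reason = "weak-iv"
        elif self.seen[mac][iv] == self.reuse_limit:  # log reuse once
            reason = "iv-reuse"
        else:
            return None
        self.log.append((mac, iv.hex(), reason))
        return reason

def make_frame(src: bytes, iv: bytes, qos: bool = False) -> bytes:
    """Constructed sample frame: WEP data frame to the AP, dummy payload."""
    hdr = bytes([0x88 if qos else 0x08, 0x41, 0, 0]) + b"\xaa" * 6 + src
    hdr += b"\xaa" * 6 + b"\x00\x00" + (b"\x00\x00" if qos else b"")
    return hdr + iv + b"\x00" + b"\xde\xad\xbe\xef"
```

Frames whose key ID byte has the ExtIV bit set are skipped because they carry TKIP or CCMP headers rather than a WEP IV.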
Frame Filtering
You can specify rules to filter frames from clients and thus implement client access control.
The wireless client access control is accomplished through the following three types of filtering lists.