WLAN IDS IPS, Flood attack detection, Weak IV detection – H3C Technologies H3C WA2600 Series WLAN Access Points User Manual
• Ad-hoc mode: A station in ad-hoc mode can directly communicate with other stations without
support from any other device.
WLAN IDS IPS
WLAN IDS IPS is a sub-feature of WLAN IDS. WLAN IDS IPS supports detection of the following
attacks:
• Flood attack
• Weak IV attack
• Spoofing attack
WLAN IDS IPS detects intrusions or attacks on the WLAN system, and DoS attacks.
Flood attack detection
When a device tries to flood a network, it sends large volumes of frames of the same kind within a short
span of time. When this occurs, the Access Controller (AC) and the Access Points (APs) are
overwhelmed with frames from this device and consequently, frames from authorized stations get
dropped.
WLAN IDS IPS counters this flood attack by constantly keeping track of the density of traffic generated
by each device. When this density exceeds the tolerance limit, the device is reported to be flooding the
network and will be blocked. Subsequent frames from this device will not be processed. If the dynamic
blacklist feature is enabled, the detected device is added to the dynamic blacklist. WLAN IDS IPS
detects flood attacks for the following types of frames: authentication requests, deauthentication
requests, association requests, disassociation requests, reassociation requests, probe requests, null
data frames, and action frames.
When an AP supports multiple BSSIDs, stations send probe request frames to the individual BSSIDs.
Therefore, to track the density of probe request frames, both the source and destination addresses are
considered. For other frame types, only the source address is considered.
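The tracking rule described above, as an added example in Python (not H3C code): a sliding-window counter keyed per source, or per source and destination for probe requests. The threshold, window length, frame-type labels and MAC addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Frame types the manual lists as covered by flood detection (labels assumed).
FLOOD_TYPES = {"auth", "deauth", "assoc", "disassoc", "reassoc",
               "probe-req", "null-data", "action"}

class FloodDetector:
    def __init__(self, threshold=5, window=1.0, dynamic_blacklist=True):
        # threshold (frames) and window (seconds) are assumed, not H3C defaults.
        self.threshold, self.window = threshold, window
        self.dynamic_blacklist = dynamic_blacklist
        self.seen = defaultdict(deque)  # tracking key -> recent timestamps
        self.blocked = set()            # devices whose frames are dropped
        self.blacklist = set()          # dynamic blacklist entries

    @staticmethod
    def key(ftype, src, dst):
        # Probe requests go to individual BSSIDs, so density is tracked per
        # (source, destination); other types are tracked per source only.
        return (ftype, src, dst) if ftype == "probe-req" else (ftype, src)

    def process(self, ts, ftype, src, dst):
        """Return 'drop', 'flood' (first detection) or 'pass' for one frame."""
        if src in self.blocked:
            return "drop"
        if ftype not in FLOOD_TYPES:
            return "pass"
        q = self.seen[self.key(ftype, src, dst)]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(src)
            if self.dynamic_blacklist:
                self.blacklist.add(src)
            return "flood"
        return "pass"

def run(frames, **kw):
    det = FloodDetector(**kw)
    return det, [det.process(*f) for f in frames]

# Constructed sample traffic: (time in s, type, source MAC, destination/BSSID)
STA, ROGUE = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
BSSIDS = ["0a:00:00:00:00:%02x" % i for i in range(4)]
# A normal station probes four BSSIDs twice each: 8 frames, 2 per BSSID.
SAMPLE = [(0.1 * i, "probe-req", STA, BSSIDS[i % 4]) for i in range(8)]
# Another device sends 7 authentication requests in 0.6 s, then a data frame.
SAMPLE += [(1.0 + 0.1 * i, "auth", ROGUE, BSSIDS[0]) for i in range(7)]
SAMPLE.append((2.0, "data", ROGUE, BSSIDS[0]))
```

With the sample input, the station's eight probe requests stay under the limit because they are counted per BSSID, while the sixth authentication request from the second device trips the detector and every later frame from it is dropped.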
Weak IV detection
Wired Equivalent Privacy (WEP) is a protocol used for encrypting frames in a WLAN. WEP is based on
a shared secret key and a pseudo-randomly generated 3-byte sequence called the Initialization Vector (IV).
When a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, sending some classes of IVs can ultimately reveal the shared secret key to any potential
attackers. When the shared secret key is compromised, the attacker can access network resources.
WLAN IDS IPS counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak
IV is detected, the attack is immediately logged.
Spoofing attack detection
In this kind of attack, a potential attacker can send a frame in the air on behalf of another device. For
instance, a spoofed deauthentication frame can cause a station to get deauthenticated from the
network.
WLAN IDS IPS counters this attack by detecting broadcast deauthentication and disassociation frames.
When such a frame is received, this is identified as a spoofed frame, and the attack is immediately
logged.