Wlan ids ips, Flood attack detection, Weak iv detection – H3C Technologies H3C WA2600 Series WLAN Access Points User Manual

7-2

z

Ad-hoc mode: A station in ad-hoc mode can directly communicate with other stations without

support from any other device.

WLAN IDS IPS

WLAN IDS IPS is a sub-feature of WLAN IDS. WLAN IDS IPS supports detection of the following

attacks:

z

Flood attack

z

Weak IV attack

z

Spoofing attack

WLAN IDS IPS detects intrusions or attacks on the WLAN system, and DoS attacks.

Flood attack detection

When a device tries to flood a network, it sends large volumes of frames of the same kind within a short

span of time. When this occurs, the Access Controller (AC) and the Access Points (APs) are

overwhelmed with frames from this device and consequently, frames from authorized stations get

dropped.

WLAN IDS IPS counters this flood attack by constantly keeping track of the density of traffic generated

by each device. When this density exceeds the tolerance limit, the device is reported to be flooding the

network and will be blocked. Subsequent frames from this device will not be processed. If the dynamic

blacklist feature is enabled, the detected device is added to the dynamic blacklist. WLAN IDS IPS

detects flood attacks for the following types of frames: authentication requests, deauthentication

requests, association requests, disassociation requests, reassociation requests, probe requests, null

data frames, and action frames.

When an AP supports multiple BSSIDs, stations send probe request frames to the individual BSSIDs.

Therefore, to track the density of probe request frames, both the source and destination addresses are

considered. For other frame types, only the source address is considered.

Weak IV detection

Wired Equivalent Privacy (WEP) is a protocol used for encrypting frames in a WLAN. WEP is based on

a shared secret key and a pseudo-randomly generated 3-byte sequence called Initialization Vector (IV).

When a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.

However, sending some classes of IVs can ultimately reveal the shared secret key to any potential

attackers. When the shared secret key is compromised, the attacker can access network resources.

WLAN IDS IPS counters this attack by verifying the IVs in WEP frames. Whenever a frame with a weak

IV is detected, the attack is immediately logged.

Spoofing attack detection

In this kind of attack, a potential attacker can send a frame in the air on behalf of another device. For

instance, a spoofed deauthentication frame can cause a station to get deauthenticated from the

network.

WLAN IDS IPS counters this attack by detecting broadcast deauthentication and disassociation frames.

When such a frame is received, this is identified as a spoofed frame, and the attack is immediately

logged.