Functionalities supported, Wids attack detection, Flood attack detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 150: Spoofing attack detection


For example, if the countermeasures mode is config, the monitor AP takes countermeasures against only rogue devices in the static attack list. It sends fake de-authentication frames by using the MAC addresses of the rogue devices to remove them from the network.

Functionalities supported

The rogue detection feature supports the following functionalities:

RF monitoring in different channels

Rogue AP detection

Rogue client detection

Ad hoc network detection

Wireless bridge detection

Countermeasures against rogue devices, clients and ad hoc networks

WIDS attack detection

The WIDS attack detection function detects intrusions or attacks on a WLAN network, and informs the network administrator of the attacks by recording information or sending logs. At present, WIDS detection supports detection of the following attacks:

Flood attack

Spoofing attack

Weak IV attack

Flood attack detection

A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind within a short span of time. When this occurs, the WLAN devices are overwhelmed and, consequently, are unable to service normal clients.

WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic generated by each device. When the traffic density of a device exceeds the limit, the device is considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the blacklist and forbidden to access the WLAN for a period of time.

WIDS inspects the following types of frames:

Authentication requests and de-authentication requests

Association requests, disassociation requests and reassociation requests

Probe requests

802.11 null data frames

802.11 action frames
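
The per-device traffic density check and dynamic blacklist described above can be sketched as follows. This is an added example, not H3C's implementation: the class and function names, the short frame-kind labels, the one-second window, the limit of 50 frames and the 300-second blacklist lifetime are all assumptions, and the frame records are constructed.

```python
from collections import defaultdict, deque

# Frame kinds the manual lists as inspected (the short labels are this example's own).
INSPECTED = {"auth", "deauth", "assoc", "disassoc", "reassoc",
             "probe-req", "null-data", "action"}

class FloodDetector:
    """Sliding-window frame counter per (source MAC, frame kind); all defaults are assumed."""
    def __init__(self, window=1.0, limit=50, blacklist_lifetime=300.0,
                 dynamic_blacklist=True):
        self.window = window                  # seconds of history kept per counter
        self.limit = limit                    # frames allowed inside one window
        self.lifetime = blacklist_lifetime    # seconds a flooding device stays blocked
        self.dynamic_blacklist = dynamic_blacklist
        self.seen = defaultdict(deque)        # (mac, kind) -> timestamps in window
        self.blacklist = {}                   # mac -> expiry time
        self.log = []                         # (time, mac, kind) flood events

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is not None and now >= expiry:
            del self.blacklist[mac]           # entry aged out, device may return
            return False
        return expiry is not None

    def observe(self, ts, mac, kind):
        """Classify one received frame as 'drop', 'flood' or 'ok'."""
        if self.is_blacklisted(mac, ts):
            return "drop"
        if kind not in INSPECTED:
            return "ok"
        q = self.seen[(mac, kind)]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                       # forget frames older than the window
        if len(q) > self.limit:
            self.log.append((ts, mac, kind))  # always log the attack
            q.clear()
            if self.dynamic_blacklist:
                self.blacklist[mac] = ts + self.lifetime
            return "flood"
        return "ok"

def run_sample():
    """Constructed traffic: one device sends 60 probe requests in 0.6 s, another sends 5."""
    det = FloodDetector()
    results = [det.observe(i * 0.01, "00:11:22:33:44:55", "probe-req") for i in range(60)]
    results += [det.observe(1.0 + i, "66:77:88:99:aa:bb", "probe-req") for i in range(5)]
    return det, results
```

With the dynamic blacklist disabled, the same detector still logs the flood but keeps accepting frames from the device, which matches the manual's "if the dynamic blacklist feature is enabled" condition.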

Spoofing attack detection

In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For instance, a client in a WLAN has been associated with an AP and works normally. In this case, a spoofed de-authentication frame can cause the client to be de-authenticated from the network and can affect the normal operation of the WLAN.

At present, spoofing attack detection counters this type of attack by detecting broadcast de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it is identified as a spoofed frame, and the attack is immediately logged.
