Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
Page 889
Brocade Mobility RFS Controller CLI Reference Guide
877
53-1003098-01
10
multicast-hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detectio
n|
multicast-ospf-all-routers-detection|multicast-ospf-designated-routers-detect
ion|
multicast-rip2-routers-detection|multicast-vrrp-agent|netbios-detection|
null-probe-response-detected|stp-detection|unauthorized-bridge|
windows-zero-config-memory-leak|wlan-jack-attack-detected] trigger-against
[neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)}
crackable-wep-iv-used
This event occurs when a crackable WEP initialization vector is used.
The standard WEP64 uses a 40 bit key concatenated with a 24 bit initialization vector
dos-deauthentication-detec
tion
This event occurs when a DoS deauthentication attack is detected.
In this attack, clients connected to an AP are constantly forced to deauthenticate so they cannot stay
connected to the network long enough to utilize it.
dos-disassociation-detectio
n
This event occurs when a DoS disassociation attack is detected.
With this attack, clients connected to an AP are constantly disassociated. A fake disassociation frame is
generated using an AP MAC address as the source address and the MAC address of the target device as the
destination address. The target device on receiving this fake frame dissociates itself from the AP, then tries
to re-associate. If the target receives a large number of disassociation frames, it will not be able to stay
connected to the network long enough to utilize it.
dos-eap-failure-spoof
This event occurs when a DoS EAP failure spoofing attack is detected.
The attacker generates a large number of EAP-failure packets forcing the AP to disassociate with its
legitimate wireless clients.
dos-rts-flood
This event occurs when a large number of request to send (RTS) frames are detected in the network.
essid-jack-attack-detected
This event occurs when an essid-jack attack is detected.
Essid-jack is a tool in the AirJack suite that sends a disassociate frame to a target client to force it to
reassociate it to the network to find the SSID. This can be used to launch further DoS attacks on the
network.
fake-dhcp-server-detected
This event occurs when a fake DHCP server is detected.
A fake or rogue DHCP server is a type of man in the middle attack where DHCP services are provide by an
unauthorized DHCP server compromising the integrity of the controller managed network.
fata-jack-detected
This event occurs when a FATA-jack exploit is detected.
FATA-jack is a tool in the AirJack suite that forces an AP to disassociate a valid client. This exploit uses a
spoofed authentication frame with an invalid authentication algorithm number of 2. The attacker sends an
invalid authentication frame with the wireless client’s MAC, forcing the AP to return a deauth to the client.
id-theft-eapol-success-spoo
f-detected
This event occurs when an EAPOL success spoof is detected
The attacker keeps the client from providing its credentials through the EAP-response packet by sending a
EAP-success packet. Since the client is unable to provide its credentials, it cannot be authenticated and
therefore cannot access the wireless network.
id-theft-out-of-sequence
This event occurs when an out of sequence packet is received.
This indicates a wireless client has been spoofed and is sending a packet out of sequence with the packet
sent by the real wireless client (that means two devices using the same MAC address have been detected
operating in the airspace, resulting in detected wireless frames that are out of sequence)
invalid-channel-advertized
This event occurs when packets with invalid channels are detected.
invalid-management-frame
This event occurs when an invalid management frame is detected.
ipx-detection
This event occurs when Novell’s Internetwork Packet Exchange (IPX) packets are detected
monkey-jack-attack-detecte
d
This event occurs when a monkey-jack attack is detected.
Monkey-jack is a tool in the AirJack suite that enables an attacker to deauthenticate all wireless clients from
an AP, and then insert itself between the AP and the wireless clients.
multicast-all-routers-on-sub
net
This event occurs when a sanctioned device detects multicast packets to all routers on the subnet