3Com WX4400 3CRWX440095A, WXR100 3CRWXR10095A, WX1200 3CRWX120695A manual IDS and DoS Alerts

IDS and DoS Alerts 585

Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhelm APs that receive the requests.

The threshold for triggering a flood message is 100 frames of the same type from the same MAC address, within a one-second period. If MSS detects more than 100 of the same type of wireless frame within one second, MSS generates a log message. The message indicates the frame type, the MAC address of the sender, the listener (MAP and radio), channel number, and RSSI.

DoS Attacks When active scan is enabled on MAPs, MSS can detect the following types of DoS attacks:

„RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If a MAP radio detects excessive interference on a channel, and RF Auto-Tuning is enabled, MSS changes the radio to a different channel.

„Deauthenticate frames—Spoofed deauthenticate frames form the basis for most DoS attacks, and are the basis for other types of attacks including man-in-the-middle attacks. The source MAC address is spoofed so that clients think the packet is coming from a legitimate AP. If a MAP detects a packet with its own source MAC address, the MAP knows that the packet was spoofed.

„Broadcast deauthenticate frames—Similar to the spoofed deauthenticate frame attack above, a broadcast deauthenticate frame attack generates spoofed deauthenticate frames, with a broadcast destination address instead of the address of a specific client. The intent of the attack is to disconnect all stations attached to an AP.

„Disassociation frames—A disassociation frame from an AP instructs the client to end its association with the AP. The intent of this attack is to disconnect clients from the AP.

„Null probe responses—A client’s probe request frame is answered by a probe response containing a null SSID. Some NIC cards lock up upon receiving such a probe response.