375| Wireless Intrusion Prevention DellPowerConnect W- Series ArubaOS 6.2 | User Guide
Detecting Bad WEP Init ialization
This is the detection of WEP i nitialization vectors that are known to be weak. A primary means of cracking WEP
keys is to capture 802.11 frames over an extendedperiod o f time and searching for such weak implementations that
are still used by many legacy devices.
Detecting a Beacon Frame Spoofing A ttack
In this type of attack, an intruderspoo fs a beaconpacket on a channel that is different from that advertised in the
beacon frameof t he AP.
Detecting a Client Flood Att ack
Thereare fake AP tools that can be used to at tack wireless intrusion detection itself by generating a large number of
fakec lientst hat fillinternal tables with fake information. If successful, it overwhelmst hewi relessintrusion system,
resultingin a DoS.
Detecting an RTS Rate Anom aly
The RF mediumc anbe reserved via Virtual Carrier Sensing using anCTS/RTS transaction. The transmitter statio n
sends a Request To Send (RTS) frame to the receiver station. The receiver statio n respondswi th a Clear To Send
(CTS) frame.All other stati ons that receive these RTS and/or CTS frames will refrain from transmitting over the
wireless mediumfor an amount o f time specified in the
duration
fields of these frames.
Attackers can exploit the Virtual CarrierSensing mechanism to launch a DoS attack on the WLAN by transmitting
numerousRTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless
medium.The attacker can essentially block the authorized stations in the WLAN with this att ack.
Detecting Devices wi th an Invalid MAC OUI
The first threebytes of a MAC address, known as the MAC organizationally uniquei dentifier(OUI), is assigned by
the IEEE to known manufacturers. Oftenclients using a spoofed MAC address do not use a valid OUI and instead
use a randomlygenerated MAC address.
Detecting an Invali d AddressCom bination
In this attack, an intruder can cause an AP to transmit deauthenticatio n anddis association frames to all of its
clients. Triggersthat can cause this condit ion includethe use of broadcast or multicast MAC address in the source
addressfield.
Detecting an Overflow EA POL Key
Some wireless driversused in ac cess points do not correctly validate the EAP OL key fields.A malicious EAPOL-Key
packet with an invalid advertised length can triggera DoS or possible code execution. This can only be achieved
after a successful8 02.11 association exchange.
Detecting Overflow I E Tags
Some wirelessdrivers used in access points do not correctly parse the vendor-specific IE tags. A malicious
association request sent to the AP containing an IE with an i nappropriatelength (too long) can cause a Do S and
potentially lead to code execution. The association request must be s ent after a successful8 02.11 authentication
exchange.
Detecting a Malformed Frame-Assoc Request
Some wireless driversused in ac cess points do not correctly parse the SSID information element tag contained in
association request frames. A malicious association request wit h a nullSSID (that is, zero length SSID) can trigger a
DoS or potential code execution condition on t het argeteddevice.