379 | Wireless Intrusion Prevention | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
Detecting a Block ACK DoS
The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11n D3.0, has a built-in DoS
vulnerability. The Block ACK mechanism allows a sender to use the ADDBA request frame to specify the
sequence number window that the receiver should expect. The receiver will only accept frames in this window.
An attacker can spoof the ADDBA request frame, causing the receiver to reset its sequence number window and
thereby drop frames that do not fall in that range.
Detecting a ChopChop Attack
ChopChop is a plaintext recovery attack against WEP encrypted networks. It works by forcing the plaintext, one
byte at a time, by truncating a captured frame and then trying all 256 possible values for the last byte with a
corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated
again.
Detecting a Disconnect Station Attack
A disconnect attack can be launched in many ways; the end result is that the client is effectively and repeatedly
disconnected from the AP.
Detecting an EAP Rate Anomaly
To authenticate wireless clients, WLANs may use 802.1x, which is based on a framework called Extensible
Authentication Protocol (EAP). After an EAP packet exchange, and once the user is successfully authenticated, the
EAP-Success is sent from the AP to the client. If the user fails to authenticate, an EAP-Failure is sent. In this attack,
EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication
state on the client. This confuses the client's state, causing it to drop the AP connection. By continuously sending
EAP Success or Failure messages, an attacker can effectively prevent the client from authenticating with the APs in
the WLAN.
Detecting a FATA-Jack Attack Structure
FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication
frames that contain an invalid authentication algorithm number.
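One way to express the check this signature implies, as an added example that is not taken from the guide and does not show how ArubaOS implements it: parse each captured 802.11 Authentication frame and flag any whose algorithm number is outside the set the WLAN permits. Assumptions: frames start at the Frame Control field (no radiotap header, no HT Control field), the permitted set is Open System and SAE, and the MAC addresses and sample frames are constructed.

```python
import struct

# IEEE 802.11 authentication algorithm numbers: 0 Open System, 1 Shared Key,
# 2 Fast BSS Transition, 3 SAE, 65535 vendor specific.
# Assumption: this WLAN permits only Open System (then 802.1X) and SAE.
ALLOWED_ALGORITHMS = frozenset({0, 3})
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def check_auth_frame(frame, allowed=ALLOWED_ALGORITHMS):
    """Return an alert dict if `frame` is an Authentication frame whose
    algorithm number is not allowed, else None. `frame` starts at Frame Control."""
    if len(frame) < MGMT_HEADER_LEN + 6:
        return None  # too short to carry algorithm/sequence/status
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 11):  # management type, Authentication subtype
        return None
    algorithm, txn_seq, status = struct.unpack_from("<HHH", frame, MGMT_HEADER_LEN)
    if algorithm in allowed:
        return None
    return {
        "receiver": mac(frame[4:10]),
        "claimed_sender": mac(frame[10:16]),  # transmitter address may be spoofed
        "bssid": mac(frame[16:22]),
        "algorithm": algorithm,
        "txn_seq": txn_seq,
        "status": status,
    }


def sample_frame(subtype, algorithm):
    """Constructed test input: management header plus a 6-byte auth-style body."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + ap + sta + ap + b"\x10\x00"
    return header + struct.pack("<HHH", algorithm, 1, 0)


def scan(frames):
    return [alert for alert in map(check_auth_frame, frames) if alert]


if __name__ == "__main__":
    captured = [sample_frame(11, 0), sample_frame(11, 0x1234), sample_frame(12, 0x1234)]
    for alert in scan(captured):
        print(alert)
```

Because the transmitter address in such frames is spoofed, the alert identifies the station being impersonated and the receiver, not the attacker.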
Detecting a Hotspotter Attack
The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise
employees use their laptops in Wi-Fi area hotspots at airports, cafes, malls, etc. They have SSIDs of their hotspot
service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known.
This enables the attackers to set up APs with hotspot SSIDs in close proximity of the enterprise premises. When
the enterprise laptop client probes for a hotspot SSID, these malicious APs respond and invite the client to connect
to them. When the client connects to a malicious AP, a number of security attacks can be launched on the client. A
popular hacking tool used to launch these attacks is Airsnarf.
Detecting a Meiners Power Save DoS Attack
To save on power, wireless clients will "sleep" periodically, during which they cannot transmit or receive. A client
indicates its intention to sleep by sending frames to the AP with the Power Management bit ON. The AP then
begins buffering traffic bound for that client until it indicates that it is awake. An intruder could exploit this
mechanism by sending (spoofed) frames to the AP on behalf of the client to trick the AP into believing the client is
asleep. This will cause the AP to buffer most, if not all, frames destined for the client.