Nortel Networks 2300 manual DoS Attacks

552Rogue Detection and Countermeasures

DoS Attacks

When active scan is enabled on APs, WSS Software can detect the following types of DoS attacks:

•RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radio detects excessive interference on a channel, and RF Auto-Tuning is enabled, WSS Software changes the radio to a different channel.

•Deauthenticate frames—Spoofed deauthenticate frames form the basis for most DoS attacks, and are the basis for other types of attacks including man-in-the-middle attacks. The source MAC address is spoofed so that clients think the packet is coming from a legitimate AP. If an AP detects a packet with its own source MAC address, the AP knows that the packet was spoofed.

•Broadcast deauthenticate frames—Similar to the spoofed deauthenticate frame attack above, a broadcast deauthenticate frame attack generates spoofed deauthenticate frames, with a broadcast destination address instead of the address of a specific client. The intent of the attack is to disconnect all stations attached to an AP.

•Disassociation frames—A disassociation frame from an AP instructs the client to end its association with the AP. The intent of this attack it to disconnect clients from the AP.

•Null probe responses—A client’s probe request frame is answered by a probe response containing a null SSID. Some NIC cards lock up upon receiving such a probe response.

•Decrypt errors—An excessive number of decrypt errors can indicate that multiple clients are using the same MAC address. A device’s MAC address is supposed to be unique. Multiple instances of the same address can indicate that a rogue device is pretending to be a legitimate device by spoofing its MAC address.

•Fake AP—A rogue device sends beacon frames for randomly generated SSIDs or BSSIDs. This type of attack can cause clients to become confused by the presence of so many SSIDs and BSSIDs, and thus interferes with the clients’ ability to connect to valid APs. This type of attack can also interfere with RF Auto-Tuning when an AP is trying to adjust to its RF neighborhood.

•SSID masquerade—A rogue device pretends to be a legitimate AP by sending beacon frames for a valid SSID serviced by APs in your network. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.

•Spoofed AP—A rogue device pretends to be a Nortel AP by sending packets with the source MAC address of the Nortel AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the rogue device.

Note. WSS Software detects a spoofed AP attack based on the fingerprint of the spoofed AP. Packets from the real AP have the correct signature, while spoofed packets lack the signature. (See “Enabling AP Signatures” on page 549.)

320657-A