Rogue detection and counter measures 719

Nortel WLAN—Security Switch 2300 Series Configuration Guide

DoS attacks

When Scheduled RF Scanning is enabled on APs, WSS Software can detect the following types of DoS attacks:
RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radio
environment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radio
detects excessive interference on a channel, and Auto-RF is enabled, WSS Software changes the radio to a different
channel.
Deauthenticate frames—Spoofed deauthenticate frames form the basis for most DoS attacks, and are the basis for
other types of attacks including man-in-the-middle attacks. The source MAC address is spoofed so that clients think
the packet is coming from a legitimate AP. If an AP detects a packet with its own source MAC address, the AP
knows that the packet was spoofed.
Broadcast deauthenticate frames—Similar to the spoofed deauthenticate frame attack above, a broadcast
deauthenticate frame attack generates spoofed deauthenticate frames, with a broadcast destination address instead
of the address of a specific client. The intent of the attack is to disconnect all stations attached to an AP.
Disassociation frames—A disassociation frame from an AP instructs the client to end its association with the AP.
The intent of this attack is to disconnect clients from the AP.
Null probe responses—A client’s probe request frame is answered by a probe response containing a null SSID.
Some NIC cards lock up upon receiving such a probe response.
Decrypt errors—An excessive number of decrypt errors can indicate that multiple clients are using the same MAC
address. A device’s MAC address is supposed to be unique. Multiple instances of the same address can indicate that
a rogue device is pretending to be a legitimate device by spoofing its MAC address.
Fake AP—A rogue device sends beacon frames for randomly generated SSIDs or BSSIDs. This type of attack can
cause clients to become confused by the presence of so many SSIDs and BSSIDs, and thus interferes with the
clients’ ability to connect to valid APs. This type of attack can also interfere with Auto-RF when an AP is trying to
adjust to its RF neighborhood.
SSID masquerade—A rogue device pretends to be a legitimate AP by sending beacon frames for a valid SSID
serviced by APs in your network. Data from clients that associate with the rogue device can be accessed by the
hacker controlling the rogue device.
Spoofed AP—A rogue device pretends to be a Nortel AP by sending packets with the source MAC address of the
Nortel AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling the
rogue device.
Note. WSS Software detects a spoofed AP attack based on the fingerprint of
the spoofed AP. Packets from the real AP have the correct signature, while
spoofed packets lack the signature. (See “Enabling AP signatures” on page 716.)