SonicPoint > RF Monitoring
SonicOS Enhanced 4.0 Administrator Guide
To add a station to the watch list:
Step 1 In the SonicPoint > RF Monitoring page, navigate to the Discovered RF threat stations
section.
Step 2 Click the icon that corresponds to the threat station you wish to add to the watch list.
Step 3 A confirmation screen will appear. Click OK to add the station to the watch list.
Step 4 If you have accidentally added a station to the watch list, or would otherwise like a station
removed from the list, click the icon that corresponds to the threat station you wish to
remove.
Tip Once you have added one or more stations to the watch list, you can filter results to see only
these stations in the real-time log by choosing “Only Stations in Watch List Group” from the
View Type drop-down list.
Types of RF Threat Detection
The following is a partial list containing descriptions for the most prominent types of RF
signatures detected by SonicWALL RF Monitoring:
Long Duration Attacks - Wireless devices share airwaves by dividing the RF spectrum into
14 staggered channels. Each device reserves a channel for a specified (short) duration and
during the time that any one device has a channel reserved, other devices know not to
broadcast on this channel. Long Duration attacks exploit this process by reserving many
RF channels for very long durations, effectively stopping legitimate wireless traffic from
finding an open broadcast channel.
Management Frame Flood - This variation on the DoS attack attempts to flood wireless
access points with management frames (such as association or authentication requests)
filling the management table with bogus requests.
Null Probe Response - When a wireless client sends out a probe request, the attacker
sends back a response with a Null SSID. This response causes many popular wireless
cards and devices to stop responding.
Broadcasting De-Authentication - This DoS variation sends a flood of spoofed
de-authentication frames to wireless clients, forcing them to constantly de-authenticate and
subsequently re-authenticate with an access point.
Valid Station with Invalid (B)SSID - In this attack, a rogue access point attempts to
broadcast a trusted station ID (ESSID). Although the BSSID is often invalid, the station can
still appear to clients as though it is a trusted access point. The goal of this attack is often
to gain authentication information from a trusted client.
Wellenreiter/NetStumbler Detection - Wellenreiter and NetStumbler are two popular
software applications used by attackers to retrieve information from surrounding wireless
networks.
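The following added example (not taken from this guide and not SonicWALL's detection code) shows how four of the signatures described above can be recognized in already-parsed 802.11 frame summaries. The frame field names, the trusted ESSID/BSSID table, and both thresholds are assumptions made for illustration, and the sample frames are constructed.

```python
from collections import Counter

# Assumed values for this example, not SonicWALL settings.
TRUSTED = {"CorpWLAN": {"00:11:22:33:44:55"}}  # ESSID -> authorized BSSIDs
MAX_DURATION_US = 10_000   # flag channel reservations longer than this
DEAUTH_LIMIT = 5           # broadcast deauth frames per sender per second
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(frames):
    """Return sorted (signature, claimed transmitter) alerts for parsed frames."""
    alerts, deauths = set(), Counter()
    for f in frames:
        kind, src = f["type"], f["src"]
        # Long Duration: Duration field reserves the channel far too long.
        if f.get("duration_us", 0) > MAX_DURATION_US:
            alerts.add(("long-duration", src))
        # Null Probe Response: probe response carrying an empty SSID.
        if kind == "probe-resp" and f.get("ssid") == "":
            alerts.add(("null-probe-response", src))
        # Valid Station with Invalid (B)SSID: trusted ESSID, unknown BSSID.
        if kind == "beacon" and f.get("ssid") in TRUSTED:
            if f.get("bssid") not in TRUSTED[f["ssid"]]:
                alerts.add(("valid-ssid-invalid-bssid", src))
        # Broadcasting De-Authentication: burst of deauths to broadcast.
        if kind == "deauth" and f.get("dst") == BROADCAST:
            key = (src, int(f["ts"]))          # one-second counting window
            deauths[key] += 1
            if deauths[key] > DEAUTH_LIMIT:
                alerts.add(("broadcast-deauth", src))
    return sorted(alerts)

def sample_frames():
    """Constructed frame summaries (not captured traffic)."""
    ap = "00:11:22:33:44:55"
    frames = [
        {"ts": 0.0, "type": "beacon", "src": ap, "bssid": ap, "ssid": "CorpWLAN"},
        {"ts": 0.1, "type": "beacon", "src": "02:00:00:00:00:01",
         "bssid": "02:00:00:00:00:01", "ssid": "CorpWLAN"},
        {"ts": 0.2, "type": "rts", "src": "02:00:00:00:00:02", "duration_us": 32767},
        {"ts": 0.3, "type": "probe-resp", "src": "02:00:00:00:00:03", "ssid": ""},
        {"ts": 0.4, "type": "deauth", "src": ap, "dst": "00:aa:bb:cc:dd:ee"},
    ]
    frames += [{"ts": 1.0 + i / 10, "type": "deauth", "src": "02:00:00:00:00:04",
                "dst": BROADCAST} for i in range(6)]
    return frames

if __name__ == "__main__":
    for alert in classify(sample_frames()):
        print(alert)
```

Because de-authentication frames in this attack are spoofed, the address reported in an alert is the claimed transmitter and should be treated as a lead rather than an identification.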