Specifications
Chapter 13: RF Intrusion Detection and Containment
13-4
Table 13-1: BSAP Sensor Alarms

Alarm | Description | Dual/Sensor Mode
Client BSSID Changed | A mobile station has changed its BSSID. | D
Client Limit | The maximum client limit per AP has been reached. This could be due to a MAC-spoofing client or a real increase in network density. | D
Client Rate Support Mismatch | The mandatory data rate specified in a Probe Request does not match the values advertised by the AP. | D
Client To Rogue AP | An authorized client is connected to a rogue AP. | D
Deauthentication Flood | An attacker is conducting a Denial of Service (DoS) attack by flooding the network with 802.11 deauthentication frames in an attempt to disconnect users from Access Points. | S
Disassociation Traffic | A client is continuing to send traffic within 10 seconds of being disassociated from an AP. | S
Duration Attack | An attacker sends 802.11 frames with 0xFF in the duration field. This forces other mobile nodes in range to defer until the value (their NAV) counts down to zero. If the attacker sends continuous packets with huge durations, other nodes are prevented from transmitting for a long time, resulting in a Denial of Service attack. | S
EAPOL ID Flood | An attacker tries to bring down an AP by consuming the EAP Identifier space (0-255). | S
EAPOL Logoff Storm | An attacker floods the air with EAPOL-Logoff frames. This may result in Denial of Service to all legitimate stations. | S
EAPOL Spoofed Failure | Spoofed EAP Failure messages detected. | S
EAPOL Spoofed Success | Spoofed EAP Success messages detected. | S
EAPOL Start Storm | An attacker floods the air with EAPOL-Start frames. This may result in Denial of Service to all legitimate stations. | S
Fata-Jack Attack | A Fata-Jack device sends an authentication failure packet to a mobile node to prevent the client from getting any WLAN service. | S
Invalid Deauthentication Code | Unknown deauthentication reason code. Some access points and drivers cannot handle improper reason codes. | D
Invalid Disconnect Code | Unknown disassociation reason code. Some access points and drivers cannot handle improper reason codes. | D
Invalid Probe Response | An Access Point has responded to a client probe with a 0-length SSID, an invalid response that has been shown to cause a fatal error in some client cards. This could be a faulty AP or an attacker crafting the packet specifically to disrupt the network. | D
Link Test | Some Lucent/Orinoco/Proxim/Agere products provide a link-testing capability that can consume network bandwidth. | D
MSF Broadcom Exploit | MSF-style (Metasploit Framework) poisoned exploit packet for Broadcom drivers; this can be used for client hijacking. | D
MSF D-Link Exploit | MSF-style poisoned 802.11 rate field in a beacon targeting the D-Link driver; this can be used for client hijacking. | D
MSF Netgear Exploit | MSF-style beacon with over-sized options targeting the Netgear driver; this can be used for client hijacking. | S
Netstumbler Probe | Netstumbler is a wireless network scanning tool available for download at http://www.netstumbler.com. Its probes could be the precursor to a more serious attack. | D
Network Probe | A client is probing the network looking for a wireless AP but is not connecting. Many wireless cards and operating systems (e.g. Windows XP) do this by default in an attempt to find Access Points automatically, but it could also be an operational issue indicating a misconfigured client that cannot associate. | D
Possible AP Spoof | A BSS timestamp mismatch in beacon or probe frames is likely to indicate an attempt to spoof the BSSID or SSID of an AP. | S
Rogue Client | A rogue client has been detected. | D
Rogue Client To AP | A rogue client is connected to an authorized AP. | D
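Worked example, added here and not part of the BSAP product or this manual: a small Python detector that applies three of the alarm definitions in Table 13-1 (Deauthentication Flood, Invalid Deauthentication/Disconnect Code, Duration Attack) to a constructed capture of raw 802.11 management frames. The frame bytes and addresses, the flood threshold of 20 deauthentication frames per second, the 5000 µs duration threshold and the set of reason codes treated as known are all assumptions chosen for illustration, not values taken from the sensor.

```python
"""Toy detector for three of the Table 13-1 alarms: Deauthentication Flood,
Invalid Deauthentication/Disconnect Code and Duration Attack.

Added example, not the BSAP sensor's own logic. The thresholds and the set of
reason codes treated as known are assumptions chosen for illustration."""
import struct
from collections import defaultdict, deque

SUBTYPE_BEACON = 0x08      # 802.11 management (type 0) subtypes
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

# Assumption: reason codes 1-24 and 32-39 are treated as known; 0 is reserved.
KNOWN_REASON_CODES = set(range(1, 25)) | set(range(32, 40))
# Assumptions: rate threshold for the flood alarm and NAV threshold for the
# duration alarm (a legitimate NAV reservation is at most 32767 us).
DEAUTH_FLOOD_COUNT = 20
DEAUTH_FLOOD_WINDOW_S = 1.0
DURATION_THRESHOLD_US = 5000


def build_frame(subtype, duration, addr1, addr2, addr3, body=b""):
    """Construct a minimal 802.11 management frame: 24-byte header + body."""
    fc = bytes([(subtype << 4) | (0 << 2), 0x00])        # version 0, type 0 (mgmt)
    return (fc + struct.pack("<H", duration) + addr1 + addr2 + addr3
            + struct.pack("<H", 0) + body)                # seq ctrl 0, then body


def parse_frame(raw):
    """Extract the header fields the detector needs from a raw 802.11 frame."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "duration": struct.unpack_from("<H", raw, 2)[0],
        "addr2": raw[10:16].hex(":"),                     # transmitter address
        "bssid": raw[16:22].hex(":"),                     # addr3 in mgmt frames
        "reason": None,
    }
    if frame["type"] == 0 and frame["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        if len(raw) < 26:
            raise ValueError("deauth/disassoc frame without reason code")
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def analyze(captures):
    """captures: iterable of (timestamp_s, raw_frame). Returns (alarm, detail) tuples."""
    alarms = []
    recent_deauth = defaultdict(deque)    # bssid -> deauth timestamps in window
    flood_reported = set()
    for ts, raw in captures:
        f = parse_frame(raw)
        dur = f["duration"]
        # Duration Attack: with bit 15 clear the field is a NAV value in microseconds.
        if not dur & 0x8000 and dur > DURATION_THRESHOLD_US:
            alarms.append(("Duration Attack", f"{f['addr2']} set NAV to {dur} us"))
        if f["type"] != 0:
            continue
        if f["subtype"] == SUBTYPE_DEAUTH:
            if f["reason"] not in KNOWN_REASON_CODES:
                alarms.append(("Invalid Deauthentication Code",
                               f"reason {f['reason']} from {f['addr2']}"))
            window = recent_deauth[f["bssid"]]
            window.append(ts)
            while ts - window[0] > DEAUTH_FLOOD_WINDOW_S:   # drop frames older than window
                window.popleft()
            if len(window) >= DEAUTH_FLOOD_COUNT and f["bssid"] not in flood_reported:
                flood_reported.add(f["bssid"])              # report once per BSSID
                alarms.append(("Deauthentication Flood",
                               f"{len(window)} deauths for {f['bssid']} in {DEAUTH_FLOOD_WINDOW_S}s"))
        elif f["subtype"] == SUBTYPE_DISASSOC and f["reason"] not in KNOWN_REASON_CODES:
            alarms.append(("Invalid Disconnect Code",
                           f"reason {f['reason']} from {f['addr2']}"))
    return alarms


AP = bytes.fromhex("001122334455")       # constructed addresses for the sample
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6


def sample_capture():
    """Constructed capture: one benign deauth (reason 3), 25 broadcast deauths
    (reason 7) within half a second, a disassoc with reserved reason 0, and a
    beacon carrying a 30000 us duration."""
    def reason(code):
        return struct.pack("<H", code)
    frames = [(0.0, build_frame(SUBTYPE_DEAUTH, 314, STA, AP, AP, reason(3)))]
    frames += [(1.0 + i * 0.02, build_frame(SUBTYPE_DEAUTH, 314, BCAST, AP, AP, reason(7)))
               for i in range(25)]
    frames.append((2.0, build_frame(SUBTYPE_DISASSOC, 314, STA, AP, AP, reason(0))))
    frames.append((3.0, build_frame(SUBTYPE_BEACON, 30000, BCAST, AP, AP)))
    return frames


if __name__ == "__main__":
    for name, detail in analyze(sample_capture()):
        print(f"{name}: {detail}")
```

The benign deauthentication with reason 3 never trips an alarm on its own, which is the point of the rate window: the flood alarm fires only once the twentieth frame from the same BSSID lands inside one second, and it is reported once per BSSID rather than once per frame so that a sustained flood does not itself flood the alarm log.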