Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

461

462

463

464

465

466

467

468

469

470

IDS and DoS Alerts

RoamAbout Mobility System Software Configuration Guide 22-13

Flood Attacks

AfloodattackisatypeofDenialofServiceattack.Duringafloodattack,aroguewirelessdevice

attemptstooverwhelmtheresourcesofotherwirelessdevicesbycontinuouslyinjecting

managementframesintotheair.Forexample,arogueclientcanrepeatedlysendassociation

requeststotrytooverwhelmAPs

thatreceivetherequests.

Thethresholdfortriggeringafloodmessageis100framesofthesametypefromthesameMAC

address,withinaone‐secondperiod.IfMSSdetectsmorethan100ofthesametypeofwireless

framewithinonesecond,MSSgeneratesalogmessage.Themessage

indicatestheframetype,the

MACaddressofthesender,thelistener(APandradio),channelnumber,andRSSI.

DoS Attacks

WhenactivescanisenabledonAPs,MSScandetectthefollowingtypesofDoSattacks:

•RFJamming—ThegoalofanRFjammingattackistotakedownanentireWLANby

overwhelmingtheradioenvironmentwithhigh‐powernoise.AsymptomofanRFjamming

attackisexcessiveinterference.If

anAPradiodetects excessiveinterferenceonachannel,and

RFAuto‐Tuningisenabled,MSSchangestheradiotoadifferentchannel.

• Deauthenticateframes—SpoofeddeauthenticateframesformthebasisformostDoSattacks,

andarethebasisforothertypesofattacksincludingman‐in‐the‐middleattacks.Thesource



MACaddressisspoofedsothatclientsthinkthepacketiscomingfromalegitimateAP.Ifan

APdetectsapacketwithitsownsourceMACaddress,theAPknowsthatthepacketwas

spoofed.

•Broadcastdeauthenticateframes—Similartothespoofeddeauthenticateframeattackabove,a

broadcastdeauthenticateframe

attackgeneratesspoofeddeauthenticateframes,witha

broadcastdestinationaddressinsteadoftheaddressofaspecificclient.Theintentofthe

attackistodisconnectallstationsattachedtoanAP.

• Disassociationframes—AdisassociationframefromanAPinstructstheclienttoendits

associationwiththeAP.Theintent

ofthisattackistodisconnectclientsfromtheAP.

•Nullproberesponses—Aclient’sproberequestframeisansweredbyaproberesponse

containinganullSSID.SomeNICcardslockupuponreceivingsu chaproberesponse.

•Decrypterrors—Anexcessivenumberofdecrypterrorscanindicatethatmultipleclientsare



usingthesameMACaddress.Adevice’sMACaddressissupposedtobeunique.Multiple

instancesofthesameaddresscanindicatethataroguedeviceispretendingtobealegitimate

devicebyspoofingitsMAC address.

•FakeAP—AroguedevicesendsbeaconframesforrandomlygeneratedSSIDsor

BSSIDs.This

typeofattackcancauseclientstobecomeconfusedbythepresenceofsomanySSIDsand

BSSIDs,andthusinterfereswiththeclients’abilitytoconnecttovalidAPs.Thistypeofattack

canalsointerferewithRF Auto‐TuningwhenanAPistryingtoadjusttoits

RFneighborhood.

•SSIDmasquerade—AroguedevicepretendstobealegitimateAPbysendingbeaconframes

foravalidSSIDservicedbyAPsinyournetwork.Datafromclientsthatassociatewiththe

roguedevicecanbeaccessedbythehackercontrollingtheroguedevice.