Open as PDF
IDS and DoS Alerts 585
Flood Attacks A flood attack is a type of Denial of Service attack. During a flood attack,
a rogue wireless device attempts to overwhelm the resources of other
wireless devices by continuously injecting management frames into the
air. For example, a rogue client can repeatedly send association requests
to try to overwhelm APs that receive the requests.
The threshold for triggering a flood message is 100 frames of the same
type from the same MAC address, within a one-second period. If MSS
detects more than 100 of the same type of wireless frame within one
second, MSS generates a log message. The message indicates the frame
type, the MAC address of the sender, the listener (MAP and radio),
channel number, and RSSI.
DoS Attacks When active scan is enabled on MAPs, MSS can detect the following
types of DoS attacks:
RF Jamming—The goal of an RF jamming attack is to take down an
entire WLAN by overwhelming the radio environment with
high-power noise. A symptom of an RF jamming attack is excessive
interference. If a MAP radio detects excessive interference on a
channel, and RF Auto-Tuning is enabled, MSS changes the radio to a
Deauthenticate frames—Spoofed deauthenticate frames form the
basis for most DoS attacks, and are the basis for other types of attacks
including man-in-the-middle attacks. The source MAC address is
spoofed so that clients think the packet is coming from a legitimate
AP. If a MAP detects a packet with its own source MAC address, the
MAP knows that the packet was spoofed.
Broadcast deauthenticate frames—Similar to the spoofed
deauthenticate frame attack above, a broadcast deauthenticate frame
attack generates spoofed deauthenticate frames, with a broadcast
destination address instead of the address of a specific client. The
intent of the attack is to disconnect all stations attached to an AP.
Disassociation frames—A disassociation frame from an AP instructs
the client to end its association with the AP. The intent of this attack is
to disconnect clients from the AP.
Null probe responses—A client’s probe request frame is answered by
a probe response containing a null SSID. Some NIC cards lock up upon
receiving such a probe response.