Dell 6.2 Server User Manual


 
377 | Wireless Intrusion Prevention    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
Detecting Wellenreiter
Wellenreiter is a passive wireless network discovery tool used to compile a list of APs in the vicinity, along with
their MAC address, SSID, channel, and security setting. It passively sniffs wireless traffic, and certain versions
(1.4, 1.5, and 1.6) send active probes that target known default SSIDs.
Understanding Client Intrusion Detection
Generally, clients are more vulnerable to attacks than APs. Clients are more apt to associate with a malignant AP
because of the client's driver behavior or a misconfigured client. It is important to monitor authorized clients to
track their associations and to track any attacks raised against the client. Client attack detection is categorized as:
• Detecting attacks against Dell AP clients: An attacker can perform an active DoS attack against an associated
client, or perform a replay attack to obtain the transmission keys, which could lead to more serious attacks.
• Monitoring authorized clients: Since clients are easily tricked into associating with unauthorized APs, tracking
all misassociations of authorized clients is very important.
An authorized client is a client authorized to use the WLAN network. In ArubaOS, an authorized client is called a
valid-client. ArubaOS automatically learns a valid client. A client is determined to be valid if it is associated to an
authorized or valid AP using encryption, either Layer 2 or IPsec.
NOTE: Detection of attacks is limited to valid clients and clients associated to valid APs. Clients that are associated as guests using
unencrypted association are included in the attack detection. However, clients on neighboring (interfering) APs are not tracked for
attack detection unless they are specified as valid.
Table 106 presents a summary of the client intrusion detection features with their related commands, traps, and
syslog identification. Details of each feature follow the table.
Table 106: Client Detection Summary

Feature | Command | Trap | Syslog ID
"Detecting a Block ACK DoS" on page 379 | ids-dos-profile; detect-block-ack-attack; block-ack-quiet-time | wlsxBlockAckAttackDetected | 126087, 127087
"Detecting a ChopChop Attack" on page 379 | ids-dos-profile; detect-chopchop-attack; chopchop-quiet-time | wlsxChopChopAttackDetected | 126078, 127078
"Detecting a Disconnect Station Attack" on page 379 | ids dos-profile <name>; detect-disconnect-sta; disconnect-sta-quiet-time; disconnect-sta-assoc-resp-threshold; disconnect-deauth-disassoc-threshold | wlsxNDisconnectStationAttack | 126035, 127035
"Detecting an EAP Rate Anomaly" on page 379 | ids-dos-profile; detect-eap-rate-anomaly; eap-rate-threshold; eap-rate-time-interval; eap-rate-quiet-time | wlsxEAPRateAnomaly | 126032, 127032
"Detecting a FATA-Jack Attack Structure" on page 379 | ids dos-profile; detect-fatajack-attack; fatajack-attack-quiet-time | wlsxFataJackAttackDetected | 126072, 127072
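The syslog IDs in Table 106 can be used to triage collected controller logs per client. The following is an added example, not part of the Dell guide or ArubaOS: it maps each ID to its feature and trap and counts events per client MAC. It assumes that each syslog line carries the six-digit message ID in angle brackets and that the client MAC, when present, is colon-separated; the sample lines are constructed.

```python
import re
from collections import Counter

# feature name -> (SNMP trap, syslog IDs), copied from Table 106
TABLE_106 = {
    "Block ACK DoS": ("wlsxBlockAckAttackDetected", (126087, 127087)),
    "ChopChop Attack": ("wlsxChopChopAttackDetected", (126078, 127078)),
    "Disconnect Station Attack": ("wlsxNDisconnectStationAttack", (126035, 127035)),
    "EAP Rate Anomaly": ("wlsxEAPRateAnomaly", (126032, 127032)),
    "FATA-Jack Attack Structure": ("wlsxFataJackAttackDetected", (126072, 127072)),
}
ID_TO_FEATURE = {i: f for f, (_, ids) in TABLE_106.items() for i in ids}

# Assumed line layout: the message ID is a six-digit number in angle brackets.
MSG_ID = re.compile(r"<(\d{6})>")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")

def classify(line):
    """Return (feature, trap, client MAC or None) for a Table 106 event, else None."""
    m = MSG_ID.search(line)
    if m is None or int(m.group(1)) not in ID_TO_FEATURE:
        return None
    feature = ID_TO_FEATURE[int(m.group(1))]
    mac = MAC.search(line)
    return feature, TABLE_106[feature][0], mac.group(0).lower() if mac else None

def summarize(lines):
    """Count client IDS events per (feature, client MAC)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[2] or "unknown")] += 1
    return counts

# Constructed sample lines (not real controller output).
SAMPLE = [
    "Jan 10 09:14:02 ctrl1 proc[100]: <127087> <WARN> Block ACK DoS, client 00:11:22:33:44:55",
    "Jan 10 09:14:09 ctrl1 proc[101]: <126087> <WARN> Block ACK DoS, client 00:11:22:33:44:55",
    "Jan 10 09:15:40 ctrl1 proc[100]: <127035> <WARN> Disconnect station, client 66:77:88:99:AA:BB",
    "Jan 10 09:16:00 ctrl1 proc[100]: <124004> <INFO> unrelated message",
    "Jan 10 09:16:30 ctrl1 proc[100]: <127032> <WARN> EAP rate anomaly",
]

if __name__ == "__main__":
    for (feature, mac), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {feature:28s} {mac}")
```

Both syslog IDs listed for a feature are counted as the same detection, so repeated alerts for one client collapse into a single row.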