Dell 6.2 Server User Manual


 
Detecting an Omerta Attack
Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data
frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is
“unspecified” and is not used under normal circumstances.
Detecting Rate Anomalies
Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include
authentication/association frames, which are designed to fill up the association table of an AP. Other management
frame floods, such as probe request floods, can consume excess processing power on the AP.
Detecting a TKIP Replay Attack
TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP
usage. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and
checksum to derive the plaintext at a rate of one byte per minute.
By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC
checksum. With the extracted MIC checksum, an attacker can recover the AP-to-station MIC key and sign future
messages so that they pass the MIC check, opening the door for more advanced attacks.
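The replay half of the TKIP attack described above rests on one fact a monitor can check: a TKIP sender uses a single TKIP sequence counter (TSC) for all QoS queues, but a receiver keeps its replay counter per TID, so a captured frame re-sent on another queue carries a TSC the monitor has already seen. The following detector, an added example and not part of the ArubaOS user guide or its WIP implementation, parses the TKIP extended IV out of constructed QoS data frames and flags a TSC that reappears on a different TID, or goes backwards on the same TID without the Retry bit. The frames are built inline (no real encryption, no radiotap header, no FCS), and the detector's two-table design is this example's own.

```python
import struct

TYPE_DATA = 2
FLAG_FROMDS, FLAG_RETRY, FLAG_PROTECTED = 0x02, 0x08, 0x40
EXT_IV = 0x20   # bit 5 of the 4th IV byte: extended IV present (TKIP or CCMP, not plain WEP)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_tkip_qos(raw):
    """Fields of a protected TKIP QoS data frame, or None for anything else.
    TKIP IV layout after the 2-byte QoS control: TSC1, WEPSeed, TSC0, KeyID|ExtIV, TSC2, TSC3, TSC4, TSC5."""
    if len(raw) < 34:
        return None
    fc0, fc1 = raw[0], raw[1]
    if (fc0 >> 2) & 0x3 != TYPE_DATA or not (fc0 & 0x80):   # subtype bit 3 set = QoS data variants
        return None
    if not (fc1 & FLAG_PROTECTED):
        return None
    iv = raw[26:34]
    # No ExtIV means WEP; CCMP leaves byte 1 zero, whereas TKIP stores WEPSeed = (TSC1 | 0x20) & 0x7F there
    if not (iv[3] & EXT_IV) or iv[1] != ((iv[0] | 0x20) & 0x7F):
        return None
    tsc = iv[2] | (iv[0] << 8) | (struct.unpack_from("<I", iv, 4)[0] << 16)
    return {"ra": mac(raw[4:10]), "ta": mac(raw[10:16]), "tid": raw[24] & 0x0F,
            "tsc": tsc, "retry": bool(fc1 & FLAG_RETRY)}

class TkipReplayDetector:
    """A TKIP transmitter never legitimately sends the same TSC on two TIDs, so a repeat on another
    queue is a replay candidate; a lower TSC on the same queue without the Retry bit is the other case."""
    def __init__(self):
        self.first_tid = {}   # (ta, ra, tsc) -> TID on which that TSC was first observed
        self.highest = {}     # (ta, ra, tid) -> highest TSC observed on that queue

    def observe(self, f):
        if f is None:
            return None
        tid0 = self.first_tid.setdefault((f["ta"], f["ra"], f["tsc"]), f["tid"])
        if tid0 != f["tid"]:
            return {"kind": "tkip-replay-cross-tid", "ta": f["ta"], "ra": f["ra"],
                    "tsc": f["tsc"], "orig_tid": tid0, "replay_tid": f["tid"]}
        key_q = (f["ta"], f["ra"], f["tid"])
        high = self.highest.get(key_q, -1)
        if f["tsc"] <= high and not f["retry"]:
            return {"kind": "tkip-tsc-rollback", "ta": f["ta"], "ra": f["ra"], "tsc": f["tsc"], "tid": f["tid"]}
        self.highest[key_q] = max(high, f["tsc"])
        return None

def build_tkip_qos(ra, ta, sa, tid, tsc, retry=False, ccmp=False):
    """Constructed AP -> station (FromDS) protected QoS data frame; the payload is filler, not ciphertext."""
    fc0 = (TYPE_DATA << 2) | (0x8 << 4)
    fc1 = FLAG_FROMDS | FLAG_PROTECTED | (FLAG_RETRY if retry else 0)
    hdr = bytes([fc0, fc1, 0, 0]) + mac_bytes(ra) + mac_bytes(ta) + mac_bytes(sa) + b"\x00\x00"
    qos = bytes([tid & 0x0F, 0])
    tsc0, tsc1 = tsc & 0xFF, (tsc >> 8) & 0xFF
    mid = 0 if ccmp else (tsc1 | 0x20) & 0x7F
    iv = bytes([tsc1, mid, tsc0, EXT_IV]) + struct.pack("<I", tsc >> 16)   # KeyID 0, ExtIV set
    return hdr + qos + iv + b"\x00" * 16

def run_sample():
    """Constructed sequence: normal TKIP traffic on TID 0, one retransmission, a CCMP frame from
    another AP, then TSC 102 injected on two other queues, then normal traffic resumes."""
    ap, ap2, sta, gw = "00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01", "00:00:5e:00:53:01"
    frames = [build_tkip_qos(sta, ap, gw, 0, tsc) for tsc in range(100, 105)]
    frames.append(build_tkip_qos(sta, ap, gw, 0, 104, retry=True))   # legitimate retry, same TSC and TID
    frames.append(build_tkip_qos(sta, ap2, gw, 0, 105, ccmp=True))   # CCMP, not TKIP: parser skips it
    frames.append(build_tkip_qos(sta, ap, gw, 1, 102))               # TSC 102 seen again on TID 1
    frames.append(build_tkip_qos(sta, ap, gw, 3, 102))               # ... and on TID 3
    frames.append(build_tkip_qos(sta, ap, gw, 0, 106))
    det = TkipReplayDetector()
    return [a for a in (det.observe(parse_tkip_qos(r)) for r in frames) if a]
```

On the sample capture `run_sample()` returns two cross-TID alerts, both for TSC 102 first seen on TID 0. The per-TSC table grows without bound here; a deployable version would keep it per association and expire entries well inside the 48-bit TSC space.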
Detecting Unencrypted Valid Clients
An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff
unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then
reassembled to produce the original message.
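The Omerta signature, the management-frame rate anomaly and the unencrypted-valid-client condition described in the sections above all reduce to checks on the 802.11 MAC header, so one added example covers the three. This code is not part of the ArubaOS user guide or its WIP implementation: it parses bare 802.11 headers (no radiotap, no FCS) from a constructed capture, and the thresholds, the one-second window and the "disassociation shortly after a data frame on the same BSSID" correlation are this example's assumptions rather than the product's rules.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control values from the IEEE 802.11 standard
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_DISASSOC, SUBTYPE_AUTH = 0x0, 0x4, 0xA, 0xB
NULL_DATA_SUBTYPES = {0x4, 0xC}   # Null / QoS Null carry no payload and are legitimately unprotected
FLOOD_SUBTYPES = {SUBTYPE_ASSOC_REQ, SUBTYPE_AUTH, SUBTYPE_PROBE_REQ}
FLAG_TODS, FLAG_FROMDS, FLAG_PROTECTED = 0x01, 0x02, 0x40
REASON_UNSPECIFIED = 0x01         # the reason code the manual gives as the Omerta signature
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_frame(raw, ts):
    """Parse a bare 24-byte 802.11 MAC header (no radiotap, no FCS) into the fields the detectors use."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    a1, a2, a3 = mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])
    # For data frames the To/From DS bits decide which address is the BSSID; management frames use Address 3
    if ftype == TYPE_DATA and (fc1 & FLAG_TODS) and not (fc1 & FLAG_FROMDS):
        bssid = a1
    elif ftype == TYPE_DATA and (fc1 & FLAG_FROMDS) and not (fc1 & FLAG_TODS):
        bssid = a2
    else:
        bssid = a3
    reason = None
    if ftype == TYPE_MGMT and subtype == SUBTYPE_DISASSOC and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # disassociation body: 2-byte reason code
    return {"ts": ts, "type": ftype, "subtype": subtype, "addr1": a1, "addr2": a2,
            "bssid": bssid, "protected": bool(fc1 & FLAG_PROTECTED), "reason": reason}

def detect_omerta(frames, window=1.0):
    """Reason 0x01 disassociations are the signature; the broadcast flag and the 'follows a data frame
    within `window` seconds' correlation are extra context added by this example, not the manual's rule."""
    last_data, alerts = {}, []
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] == TYPE_DATA:
            last_data[f["bssid"]] = f["ts"]
        elif f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_DISASSOC and f["reason"] == REASON_UNSPECIFIED:
            prev = last_data.get(f["bssid"])
            alerts.append({"bssid": f["bssid"], "ts": f["ts"], "broadcast": f["addr1"] == BROADCAST,
                           "follows_data": prev is not None and f["ts"] - prev <= window})
    return alerts

def detect_rate_anomaly(frames, threshold=50, window=1.0):
    """Sliding-window count of auth/assoc/probe-request frames per (subtype, target address);
    one alert per key the first time the count inside `window` seconds exceeds `threshold`."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != TYPE_MGMT or f["subtype"] not in FLOOD_SUBTYPES:
            continue
        key = (f["subtype"], f["addr1"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"subtype": f["subtype"], "target": f["addr1"], "count": len(q)})
    return alerts

def detect_unencrypted_valid_clients(frames, valid_clients):
    """Valid client MACs that sent a payload-carrying data frame with the Protected bit clear."""
    seen = set()
    for f in frames:
        if (f["type"] == TYPE_DATA and f["subtype"] not in NULL_DATA_SUBTYPES
                and f["addr2"] in valid_clients and not f["protected"]):
            seen.add(f["addr2"])
    return sorted(seen)

def build_frame(ftype, subtype, addr1, addr2, addr3, flags=0, body=b""):
    """Constructed test frame: a header, an optional body, nothing actually encrypted."""
    hdr = bytes([(ftype << 2) | (subtype << 4), flags, 0, 0])
    return hdr + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00" + body

def sample_capture():
    """Constructed capture: one AP, one valid client, an Omerta-style disassociation and a probe flood."""
    ap, client, flooder, gw = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", "00:00:5e:00:53:01"
    frames = [
        # protected data frame client -> AP (ToDS=1): the kind of traffic Omerta reacts to
        parse_frame(build_frame(TYPE_DATA, 0x0, ap, client, gw, flags=FLAG_TODS | FLAG_PROTECTED), 10.00),
        # 50 ms later, a broadcast disassociation carrying the AP's address with reason 0x01
        parse_frame(build_frame(TYPE_MGMT, SUBTYPE_DISASSOC, BROADCAST, ap, ap,
                                body=struct.pack("<H", REASON_UNSPECIFIED)), 10.05),
        # an ordinary disassociation (reason 8, station leaving) must not match
        parse_frame(build_frame(TYPE_MGMT, SUBTYPE_DISASSOC, ap, client, ap, body=struct.pack("<H", 8)), 10.50),
        # the valid client later sends a data frame with the Protected bit clear
        parse_frame(build_frame(TYPE_DATA, 0x0, ap, client, gw, flags=FLAG_TODS), 11.00),
    ]
    # 60 broadcast probe requests inside 0.3 s from a single source
    frames += [parse_frame(build_frame(TYPE_MGMT, SUBTYPE_PROBE_REQ, BROADCAST, flooder, BROADCAST),
                           12.0 + i * 0.005) for i in range(60)]
    return frames, {client}
```

Two caveats for anyone adapting this: EAPOL-Key frames of the WPA handshake are data frames sent with the Protected bit clear, so a real unencrypted-client check must exclude them by inspecting the LLC/SNAP ethertype, and the Null-data exclusion above only covers the power-save keepalives. The rate thresholds have to be tuned per environment; a busy channel legitimately sees bursts of probe requests when many clients wake up at once.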
Detecting a Valid Client Misassociation
This feature does not detect attacks, but rather it monitors authorized (valid) wireless clients and their association
within the network. Valid client misassociation is potentially dangerous to network security. The four types of
misassociation that we monitor are:
• Authorized Client associated to Rogue—A valid client that is associated to a rogue AP
• Authorized Client associated to External AP—An external AP, in this context, is any AP that is not valid and
not a rogue
• Authorized Client associated to Honeypot AP—A honeypot is an AP that is not valid but is using an SSID that
has been designated as valid/protected
• Authorized Client in ad hoc connection mode—A valid client that has joined an ad hoc network
Detecting an AirJack Attack
AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as
a development tool for all 802.11 applications that need to access the raw protocol; however, one of the tools
included allowed users to force all users off an AP.
Detecting ASLEAP
ASLEAP is a tool created for Linux systems that is used to attack the Cisco LEAP authentication protocol.
Detecting a Null Probe Response
A null probe response attack has the potential to crash or lock up the firmware of many 802.11 NICs. In this attack,
a client probe-request frame is answered by a probe response containing a null SSID. A number of popular NICs
will lock up upon receiving such a probe response.
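The null probe response condition above is one a monitor can test directly from the frame body, and the same parser has to survive the malformed element lengths that crash-inducing frames tend to carry. The following checker is an added example, not part of the ArubaOS user guide or its WIP implementation: it walks the tagged parameters of constructed probe responses with bounds checking, flags an SSID element that is empty or consists only of NUL bytes, and deliberately leaves beacons alone, since an empty SSID in a beacon is the ordinary hidden-SSID case. Treating a missing or truncated SSID element as a separate alert kind is this example's own choice.

```python
TYPE_MGMT, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 0, 0x5, 0x8
IE_SSID = 0
FIXED_PARAMS_LEN = 12   # probe response / beacon body: timestamp (8) + beacon interval (2) + capability (2)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_ies(body):
    """Walk the tagged parameters; stop on an element whose declared length overruns the frame."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if len(data) < ln:
            ies.append((eid, None))   # truncated element: record it and stop rather than misparse
            break
        ies.append((eid, data))
        i += 2 + ln
    return ies

def check_probe_response(raw):
    """Alert dict for a probe response whose SSID element is empty or all-NUL, else None.
    Beacons are ignored on purpose: an empty SSID there is the normal hidden-SSID configuration."""
    if len(raw) < 24 + FIXED_PARAMS_LEN:
        return None
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT or (fc0 >> 4) & 0xF != SUBTYPE_PROBE_RESP:
        return None
    bssid, dst = mac(raw[16:22]), mac(raw[4:10])
    ies = parse_ies(raw[24 + FIXED_PARAMS_LEN:])
    ssid = next((data for eid, data in ies if eid == IE_SSID), None)
    if ssid is None:
        return {"kind": "probe-resp-missing-or-truncated-ssid", "bssid": bssid, "dst": dst}
    if len(ssid) == 0 or not any(ssid):
        return {"kind": "null-probe-response", "bssid": bssid, "dst": dst, "ssid_len": len(ssid)}
    return None

def build_mgmt(subtype, dst, src, bssid, ies):
    """Constructed management frame: zeroed fixed parameters followed by the given tagged elements."""
    hdr = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0, 0, 0])
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    body = bytes(FIXED_PARAMS_LEN)
    for eid, data in ies:
        body += bytes([eid, len(data)]) + data
    return hdr + body

def run_sample():
    """Constructed frames: a normal probe response, two null-SSID variants, a hidden-SSID beacon,
    and a probe response whose SSID element claims 32 bytes but carries only 3."""
    ap, sta = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    rates = (1, b"\x82\x84\x8b\x96")   # Supported Rates element, as any real response carries
    frames = {
        "normal": build_mgmt(SUBTYPE_PROBE_RESP, sta, ap, ap, [(IE_SSID, b"corp-wifi"), rates]),
        "empty_ssid": build_mgmt(SUBTYPE_PROBE_RESP, sta, ap, ap, [(IE_SSID, b""), rates]),
        "nul_ssid": build_mgmt(SUBTYPE_PROBE_RESP, sta, ap, ap, [(IE_SSID, b"\x00" * 8), rates]),
        "hidden_beacon": build_mgmt(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", ap, ap, [(IE_SSID, b""), rates]),
        "truncated": build_mgmt(SUBTYPE_PROBE_RESP, sta, ap, ap, [rates]) + bytes([IE_SSID, 32]) + b"abc",
    }
    return {name: check_probe_response(raw) for name, raw in frames.items()}
```

A monitor that keys on this should also record which client the response was addressed to (the `dst` field), since the manual's point is the effect on the receiving NIC rather than on the network as a whole.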
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide Wireless Intrusion Prevention | 380