Alcatel-Lucent omniaccess User Manual
OmniAccess RN: User Guide
164
Part 031650-00
May 2005
Denial of Service Detection
DoS attacks are designed to prevent or inhibit legitimate users from accessing
the network. This includes blocking network access completely, degrading
network service, and increasing processing load on clients and network
equipment. Denial of Service attack detection encompasses both rate analysis
and detection of a specific DoS attack known as FakeAP.
• Rate Analysis: Many DoS attacks flood an AP or multiple APs with 802.11
management frames. These can include authenticate/associate frames,
designed to fill up the association table of an AP. Other management frame
floods, such as probe request floods, can consume excess processing
power on the AP. The Alcatel Mobility Controller can be configured with the
thresholds that indicate a DoS attack and can detect such attacks. Refer to
the Configuring Denial of Service attack detection section for more details.
• Fake AP: FakeAP is a tool that was originally created to thwart wardrivers
by flooding beacon frames containing hundreds of different addresses.
This would appear to a wardriver as though there were hundreds of
different APs in the area, thus concealing the real AP. While the tool is
still effective for this purpose, a newer purpose is to flood public hotspots
or enterprises with fake AP beacons to confuse legitimate users and to
increase the amount of processing client operating systems must do. Refer
to the Configuring Denial of Service attack detection section for more
details.
Man-In-The-Middle Detection
A successful man-in-the-middle attack will insert an attacker into the data path
between the client and the AP. In such a position, the attacker can delete, add,
or modify data, provided he has access to the encryption keys. Such an attack
also enables other attacks that can learn a user’s authentication credentials.
Man-in-the-middle attacks often rely on a number of different vulnerabilities.
• Station disconnection: Spoofed deauthenticate frames form the basis for
most denial of service attacks, as well as the basis for many other attacks
such as man-in-the-middle. In a station disconnection attack, an attacker
spoofs the MAC address of either an active client or an active AP. The
attacker then sends deauthenticate frames to the target device, causing it
to lose its active association.
• EAP Handshake analysis: EAP (Extensible Authentication Protocol) is a
component of 802.1X used for authentication. Some attacks, such as
“ASLEAP” (used to attack Cisco LEAP), send spoofed deauthenticate
messages to clients in order to force the client to re-authenticate multiple
times. These attacks then capture the authentication frames for offline
analysis. EAP Handshake Analysis detects a client performing an abnormal
number of authentication procedures and generates an alarm when this
condition is detected.
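The four detections described in this section and in the Denial of Service Detection section above (management-frame rate analysis, FakeAP beacon floods, spoofed deauthenticate bursts and an abnormal number of EAP authentication procedures) can all be expressed as one sliding-window count over management-frame events. The Python below is an added illustration, not code from the OmniAccess product or this guide; the event record layout, the frame subtype names, the window sizes and the thresholds are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame events as a wireless monitor
# might log them: (timestamp_s, subtype, source_mac, destination_mac).
AP, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
BCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = (
    # baseline: one client joining and starting 802.1X normally
    [(0.0, "auth", CLIENT, AP), (0.1, "assoc_req", CLIENT, AP), (0.2, "eap_start", CLIENT, AP)]
    # rate analysis: 40 authenticate frames from 40 spoofed stations in under a second
    + [(1.0 + i * 0.02, "auth", f"02:00:00:00:{i:02x}:01", AP) for i in range(40)]
    # FakeAP: beacons from 60 different BSSIDs inside one second
    + [(2.0 + i * 0.01, "beacon", f"02:fa:ce:00:{i:02x}:ff", BCAST) for i in range(60)]
    # station disconnection: a burst of deauthenticate frames "from" the AP to the client
    + [(3.0 + i * 0.05, "deauth", AP, CLIENT) for i in range(10)]
    # EAP handshake analysis: the client is forced to restart 802.1X six more times
    + [(5.0 + i * 5.0, "eap_start", CLIENT, AP) for i in range(6)]
)

# Assumed thresholds. Each rule: subtypes watched, field to aggregate on,
# what to measure (frame count or distinct sources), window in seconds, limit.
RULES = {
    "rate_analysis": (("auth", "assoc_req", "probe_req"), "dst", "frames", 1.0, 20),
    "fake_ap": (("beacon",), "dst", "sources", 1.0, 30),
    "station_disconnect": (("deauth",), "dst", "frames", 1.0, 5),
    "eap_handshake": (("eap_start",), "src", "frames", 60.0, 4),
}

def detect(frames, rules=RULES):
    """Sliding-window analysis: returns {rule: {aggregation key: peak value}}
    for every rule whose limit was exceeded within its window."""
    alarms = defaultdict(dict)
    for name, (subtypes, field, measure, window, limit) in rules.items():
        buckets = defaultdict(list)  # aggregation key -> [(time, source)]
        for t, subtype, src, dst in sorted(frames):
            if subtype in subtypes:
                buckets[dst if field == "dst" else src].append((t, src))
        for key, evs in buckets.items():
            start = 0
            for end in range(len(evs)):
                while evs[end][0] - evs[start][0] > window:  # slide window forward
                    start += 1
                in_win = evs[start:end + 1]
                value = len(in_win) if measure == "frames" else len({s for _, s in in_win})
                if value > limit and value > alarms[name].get(key, 0):
                    alarms[name][key] = value
    return dict(alarms)
```

On a live feed, the controller's configured thresholds from the Configuring Denial of Service attack detection section would take the place of RULES; the baseline frames alone raise no alarm, each flood raises exactly one.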