D-Link DWS-1008 User Manual page 362

Wireless 8 port switch with poe

DWS-1008 User's Manual
Flood Attacks
A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless
device attempts to overwhelm the resources of other wireless devices by continuously
injecting management frames into the air. For example, a rogue client can repeatedly send
association requests to try to overwhelm APs that receive the requests.
The threshold for triggering a flood message is 100 frames of the same type from the same
MAC address, within a one-second period. If MSS detects more than 100 of the same type
of wireless frame within one second, MSS generates a log message. The message indicates
the frame type, the MAC address of the sender, the listener (AP and radio), channel number,
and RSSI.
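The threshold rule above, written as detection logic and run over constructed frame records. This is an added example, not MSS code: the `Frame` record, the sliding-window reading of "within a one-second period", and the one-second alert holdoff are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

THRESHOLD = 100      # frames of one type from one MAC (value from the manual)
WINDOW_S = 1.0       # one-second period (value from the manual)

@dataclass(frozen=True)
class Frame:          # hypothetical record for one observed management frame
    ts: float         # capture time in seconds
    ftype: str        # e.g. "assoc-req", "probe-req"
    src_mac: str
    listener: str     # AP and radio that heard the frame
    channel: int
    rssi: int         # dBm

def detect_floods(frames, threshold=THRESHOLD, window=WINDOW_S, holdoff=1.0):
    """Return one alert dict each time a (MAC, frame type) pair exceeds
    `threshold` frames inside a sliding `window`. The sliding window and the
    per-pair alert holdoff are assumptions, not documented MSS behaviour."""
    recent = defaultdict(deque)   # (mac, ftype) -> timestamps inside the window
    last_alert = {}               # (mac, ftype) -> time of the last alert
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        key = (f.src_mac, f.ftype)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] >= window:      # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and f.ts - last_alert.get(key, float("-inf")) >= holdoff:
            last_alert[key] = f.ts
            alerts.append({"type": f.ftype, "mac": f.src_mac, "listener": f.listener,
                           "channel": f.channel, "rssi": f.rssi, "count": len(q)})
    return alerts

def sample_frames():
    """Constructed capture: a flooding station, a normal one, and a boundary case."""
    flood = [Frame(10.0 + i * 0.005, "assoc-req", "02:00:00:00:00:aa", "ap3/radio1", 6, -48)
             for i in range(150)]         # 150 frames in 0.75 s
    normal = [Frame(10.0 + i * 0.1, "probe-req", "02:00:00:00:00:bb", "ap3/radio1", 6, -61)
              for i in range(30)]         # 10 frames per second
    exact = [Frame(20.0 + i * 0.005, "assoc-req", "02:00:00:00:00:cc", "ap3/radio1", 6, -55)
             for i in range(100)]         # exactly 100 frames: not "more than 100"
    return flood + normal + exact

if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print("flood:", alert)
```

The holdoff keeps a sustained flood from producing one alert per frame once the count is above the threshold.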
DoS Attacks
When active scan is enabled on APs, MSS can detect the following types of DoS attacks:
• RF Jamming - The goal of an RF jamming attack is to take down an entire WLAN
by overwhelming the radio environment with high-power noise. A symptom of an RF
jamming attack is excessive interference. If an AP radio detects excessive interference
on a channel, and RF Auto-Tuning is enabled, MSS changes the radio to a different
channel.
• Deauthenticate frames - Spoofed deauthenticate frames form the basis for most
DoS attacks, and are the basis for other types of attacks including man-in-the-middle
attacks. The source MAC address is spoofed so that clients think the packet is coming
from a legitimate AP. If an AP detects a packet with its own source MAC address, the
AP knows that the packet was spoofed.
• Broadcast deauthenticate frames - Similar to the spoofed deauthenticate frame attack
above, a broadcast deauthenticate frame attack generates spoofed deauthenticate
frames, with a broadcast destination address instead of the address of a specific client.
The intent of the attack is to disconnect all stations attached to an AP.
• Disassociation frames - A disassociation frame from an AP instructs the client to end
its association with the AP. The intent of this attack is to disconnect clients from the
AP.
• Null probe responses - A client's probe request frame is answered by a probe response
containing a null SSID. Some NIC cards lock up upon receiving such a probe response.
• Decrypt errors - An excessive number of decrypt errors can indicate that multiple
clients are using the same MAC address. A device's MAC address is supposed to be
unique. Multiple instances of the same address can indicate that a rogue device is
pretending to be a legitimate device by spoofing its MAC address.
D-Link Systems, Inc.
Rogue Detection and Countermeasures
357
