ADTRAN BlueSecure Controller Setup And Administration Manual page 258

Software release version: 6.5

Chapter 13: RF Intrusion Detection and Containment
Table 13-1: BSAP Sensor Alarms

| Alarm | Description | Dual/Sensor Mode |
|---|---|---|
| Client BSSID Changed | Mobile station has changed its BSSID. | D |
| Client Limit | Maximum client limit per AP has been reached. Could be due to a MAC spoofing client or a real network density increase. | D |
| Client Rate Support Mismatch | Specified mandatory data rate in Probe Request does not match the values advertised by the AP. | D |
| Client To Rogue AP | An authorized client is connected to a rogue AP. | D |
| Deauthentication Flood | An attacker is flooding the network with 802.11 deauthentication frames in an attempt to disconnect users from Access Points. This can result in a Denial of Service (DoS). | S |
| Disassociation Traffic | A client is continuing to send traffic within 10 seconds of being disassociated from an AP. | S |
| Duration Attack | An attacker sends 802.11 frames with 0xFF in the duration field. This forces other mobile nodes in range to wait until the value reaches zero. If the attacker sends continuous packets with huge durations, other nodes are prevented from operating for a long time, resulting in a Denial of Service. | S |
| EAPOL ID Flood | Attacker tries to bring down an AP by consuming the EAP Identifier space (0-255). | S |
| EAPOL Logoff Storm | An attacker floods the air with EAPOL logoff frames. It may result in Denial of Service to all legitimate stations. | S |
| EAPOL Spoofed Failure | Spoofed EAP failure messages detected. | S |
| EAPOL Spoofed Success | Spoofed EAP success messages detected. | S |
| EAPOL Start Storm | Attacker floods the air with EAPOL start frames; may result in Denial of Service to all legitimate stations. | S |
| Fata-Jack Attack | A Fata-jack device sends an authentication failure packet to a mobile node to prevent the client from getting any WLAN services. | S |
| Invalid Deauthentication Code | Unknown deauthentication reason code. Some access points and drivers cannot handle improper reason codes. | D |
| Invalid Disconnect Code | Unknown disassociation reason code. Some access points and drivers cannot handle improper reason codes. | D |
| Invalid Probe Response | An Access Point has responded to a client probe with a 0-length SSID, an invalid response that has been shown to create a fatal error with some client cards. This could be a faulty AP or an attacker specifically crafting the packet to disrupt the network. | D |
| Link Test | Some Lucent/Orinoco/Proxim/Agere products provide link testing capability which could use network bandwidth. | D |
| MSF Broadcom Exploit | MSF-style poisoned exploit packet for Broadcom drivers; this can be used for client hijacking. | D |
| MSF D-Link Exploit | MSF-style poisoned 802.11 rate field in beacon for D-Link driver; this can be used for client hijacking. | D |
| MSF Netgear Exploit | MSF-style poisoned 802.11 over-sized options beacon for Netgear driver attack; this can be used for client hijacking. | S |
| Netstumbler Probe | Netstumbler is a wireless network scanning tool available for download at: http://www.netstumbler.com. This could be the precursor to a more serious attack. | D |
| Network Probe | A client is probing the network looking for a wireless AP, but is not connecting. Many wireless cards and operating systems (e.g., Windows XP) do this by default in an attempt to automatically find Access Points, but this could be an operational issue indicating a misconfigured client because it cannot associate. | D |
| Possible AP Spoof | A BSS timestamp mismatch in beacon or probe frames is likely to indicate an attempt to spoof the BSSID or SSID of an AP. | S |
| Rogue Client | A rogue client has been detected. | D |
| Rogue Client To AP | A rogue client is connected to an authorized AP. | D |
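The following sketch is an added example, not ADTRAN's code and not the sensor's actual logic: it shows one way three of the alarms in Table 13-1 (Deauthentication Flood, Invalid Probe Response, Possible AP Spoof) could be derived from already-parsed 802.11 management frames. The frame dictionary fields, the thresholds, and the sample BSSIDs are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values; the manual does not give the sensor's thresholds.
DEAUTH_LIMIT = 10          # deauth frames per BSSID ...
DEAUTH_WINDOW = 1.0        # ... within this many seconds
TSF_TOLERANCE_US = 50_000  # allowed gap between beacon TSF and capture clock

def detect(frames):
    """Return (time, alarm, bssid) tuples for time-ordered parsed frames."""
    alarms, flooding, last_tsf = [], set(), {}
    deauths = defaultdict(deque)            # bssid -> recent deauth times
    for f in frames:
        t, bssid, kind = f["t"], f["bssid"], f["type"]
        if kind == "deauth":
            q = deauths[bssid]
            q.append(t)
            while t - q[0] > DEAUTH_WINDOW:  # drop frames outside the window
                q.popleft()
            if len(q) <= DEAUTH_LIMIT:
                flooding.discard(bssid)
            elif bssid not in flooding:      # raise once per burst
                flooding.add(bssid)
                alarms.append((t, "Deauthentication Flood", bssid))
        elif kind in ("beacon", "probe_resp"):
            if kind == "probe_resp" and len(f["ssid"]) == 0:
                alarms.append((t, "Invalid Probe Response", bssid))
            if bssid in last_tsf:
                prev_t, prev_tsf = last_tsf[bssid]
                # A single AP's TSF advances one tick per microsecond.
                expected = prev_tsf + (t - prev_t) * 1_000_000
                if abs(f["tsf"] - expected) > TSF_TOLERANCE_US:
                    alarms.append((t, "Possible AP Spoof", bssid))
            last_tsf[bssid] = (t, f["tsf"])
    return alarms

AP, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed BSSIDs

def sample_frames():
    """Constructed capture: clean beacons, then one event per alarm."""
    frames = [{"t": i * 0.1024, "bssid": AP, "type": "beacon", "ssid": "corp",
               "tsf": 5_000_000 + i * 102_400} for i in range(5)]
    # Same BSSID, unrelated clock: a second transmitter (or an AP reboot).
    frames.append({"t": 0.45, "bssid": AP, "type": "beacon", "ssid": "corp",
                   "tsf": 900_000})
    frames += [{"t": 1.0 + i * 0.01, "bssid": AP, "type": "deauth"}
               for i in range(12)]
    frames.append({"t": 2.0, "bssid": AP2, "type": "probe_resp", "ssid": "",
                   "tsf": 1})
    return frames
```

A timestamp jump also occurs when a legitimate AP reboots, which is why the alarm is only a "possible" spoof and should be correlated with other evidence before containment.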
