Blacklist And White List - H3C MSR Series Configuration Manual

Comware 5 wlan

Flood attack detection
A flood attack refers to the case where WLAN devices receive large volumes of frames of the same
kind within a short span of time. When this occurs, the WLAN devices are overwhelmed.
Consequently, they are unable to service normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic
generated by each device. When the traffic density of a device exceeds the limit, the device is
considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the
blacklist and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
• Authentication requests and de-authentication requests
• Association requests, disassociation requests and reassociation requests
• Probe requests
• 802.11 null data frames
• 802.11 action frames
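
The detection logic described above, as an added example (not code from the H3C manual or from Comware): a sliding-window counter per device and frame kind, replayed over constructed traffic. The limit, window, blacklist lifetime, frame-kind labels and the dropping of frames from a blacklisted source are assumptions of this example.

```python
from collections import defaultdict, deque

# Frame kinds WIDS inspects, per the list above (the labels are this example's own).
INSPECTED = {"auth", "deauth", "assoc", "disassoc", "reassoc",
             "probe-req", "null-data", "action"}

class FloodDetector:
    """Sliding-window frame counter per (device, frame kind) with a dynamic blacklist."""

    def __init__(self, limit=5, window=1.0, lifetime=300.0, dynamic_blacklist=True):
        # limit, window and lifetime are assumed values, not H3C defaults.
        self.limit, self.window, self.lifetime = limit, window, lifetime
        self.dynamic_blacklist = dynamic_blacklist
        self.seen = defaultdict(deque)  # (mac, kind) -> timestamps inside the window
        self.blacklist = {}             # mac -> time at which the entry expires
        self.log = []                   # (time, mac, kind) for each flood detected

    def is_blacklisted(self, mac, now):
        if mac in self.blacklist and now >= self.blacklist[mac]:
            del self.blacklist[mac]     # entry timer ran out: client may return
        return mac in self.blacklist

    def observe(self, now, mac, kind):
        """Classify one received frame as 'drop', 'flood' or 'pass'."""
        mac = mac.lower()
        if self.is_blacklisted(mac, now):
            return "drop"               # assumed handling of a blacklisted source
        if kind not in INSPECTED:
            return "pass"
        stamps = self.seen[(mac, kind)]
        stamps.append(now)
        while now - stamps[0] > self.window:
            stamps.popleft()            # forget frames older than the window
        if len(stamps) <= self.limit:
            return "pass"
        self.log.append((now, mac, kind))
        stamps.clear()
        if self.dynamic_blacklist:
            self.blacklist[mac] = now + self.lifetime
        return "flood"

def replay(frames, **settings):
    detector = FloodDetector(**settings)
    return [detector.observe(*frame) for frame in frames], detector

# Constructed sample traffic: (seconds, source MAC, frame kind).
SAMPLE = [(0.1 * i, "00:11:22:33:44:55", "deauth") for i in range(8)] + [
    (1.0, "66:77:88:99:AA:BB", "probe-req"),
    (200.0, "00:11:22:33:44:55", "auth"), (400.0, "00:11:22:33:44:55", "auth")]
```

With the dynamic blacklist disabled, the same replay still records the flood in the log but the source keeps being served, which is the difference the paragraph above describes.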
Spoofing attack detection
In this kind of attack, a potential attacker sends frames over the air on behalf of another device. For
instance, a client in a WLAN has been associated with an AP and operates correctly. In this case, a
spoofed de-authentication frame can cause the client to be de-authenticated from the network and
can affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received,
it is identified as a spoofed frame, and the attack is immediately logged.
Weak IV detection
WEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream, and thus
encryptions using the same key have different results. When a WEP frame is sent, the IV used in
encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key might be exposed to potential attackers. When the shared secret
key is compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.

Blacklist and white list

You can configure the blacklist and white list functions to filter frames from WLAN clients and
implement client access control.
WLAN client access control is accomplished through the following types of lists:
• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white
list is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This
list is manually configured.
• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. A
client is dynamically added to the list if it is considered to be sending attack frames, and it stays
on the list until the timer of the entry expires.
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and
processes the frame by following these rules: