Monitoring WIDS AP De-Authentication Attack Status - D-Link DWS-3000 Series User Manual

Unified wired & wireless access system

Software User Manual
D-Link Unified Access System
02/15/2011

Monitoring WIDS AP De-Authentication Attack Status

The basic technique employed by the wireless system for automatically protecting the network against rogue APs is to send
de-authentication messages to clients, using the rogue AP MAC address as the spoofed source MAC and BSSID of the
de-authentication frame and the broadcast MAC address as the destination of the de-authentication packet. The
de-authentication attack feature must be globally enabled for the wireless system to perform this function. The administrator
must ensure that no legitimate APs are classified as rogues before enabling the attack feature. The de-authentication attack
feature is disabled by default. To enable the de-authentication attack feature, use the AP De-Authentication Attack
configuration parameter on the WLAN > Basic Setup > Global > Wireless Global Configuration page. See
Table 4: "Basic Wireless Global Configuration," on page 54. The AP De-Authentication Attack configuration parameter
persists across a switch reboot if the setting is saved in the configuration.
The wireless system can conduct the de-authentication attack against up to 16 APs at the same time. The intent of this attack
is to serve as a temporary measure until the rogue AP is located and disabled.
The wireless switch maintains a list of BSSIDs against which it is conducting a de-authentication attack. The switch sends
the list of BSSIDs and channels on which the rogue APs are operating to every managed AP.
Both sentry radios and operational-mode radios participate in the de-authentication attack. The sentry radios send
de-authentication messages whenever they are tuned to the appropriate channel during the RF scan. If the sentry radio is not
configured to scan the band where the rogue is operating, then it never sends a de-authentication message to that rogue.
The operational-mode radios send de-authentication frames only to rogue APs that operate on the same channel as the
managed AP radio. The messages are sent every 10 seconds. For instance, if five BSSIDs in the attack list are on the same
channel as the operational-mode radio, then the radio sends a burst of five de-authentication frames, one for each BSSID,
every 10 seconds. The attack interval is communicated by the switch to the AP, but is not configurable by the administrator
and is set to 10 seconds.
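
The participation rules above determine whether a rogue in the attack list is actually being mitigated by any radio. The following is an added example, not part of the D-Link manual or its software: the `Radio` model, the band labels, the AP names and the sample BSSIDs are hypothetical, and the channel-to-band mapping is an assumption.

```python
from dataclasses import dataclass

MITIGATION_LIMIT = 16   # from the manual: at most 16 APs attacked at once
ATTACK_INTERVAL_S = 10  # from the manual: fixed interval, not configurable

def band_of(channel):
    # Assumption: channels 1-14 are 2.4 GHz, everything else is 5 GHz.
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"

@dataclass(frozen=True)
class Radio:
    ap: str                 # hypothetical managed-AP name
    mode: str               # "sentry" or "operational"
    channel: int = 0        # operating channel (operational mode)
    scan_bands: tuple = ()  # bands the RF scan covers (sentry mode)

def radio_attacks(radio, rogue_channel):
    """True if this radio ever sends de-authentication frames for the rogue."""
    if radio.mode == "sentry":
        return band_of(rogue_channel) in radio.scan_bands
    return radio.channel == rogue_channel

def coverage(attack_list, radios):
    """Map each BSSID in {bssid: channel} to the APs that mitigate it."""
    if len(attack_list) > MITIGATION_LIMIT:
        raise ValueError("attack list exceeds the mitigation limit")
    return {bssid: [r.ap for r in radios if radio_attacks(r, ch)]
            for bssid, ch in attack_list.items()}

def burst_size(radio, attack_list):
    """Frames an operational radio sends per interval: one per BSSID on its channel."""
    if radio.mode != "operational":
        raise ValueError("sentry radios send during the RF scan, not in fixed bursts")
    return sum(1 for ch in attack_list.values() if ch == radio.channel)

# Constructed sample data (not from the manual).
SAMPLE_ATTACK_LIST = {
    "02:00:00:00:00:01": 6, "02:00:00:00:00:02": 6,
    "02:00:00:00:00:03": 36, "02:00:00:00:00:04": 11,
}
SAMPLE_RADIOS = [
    Radio("ap-1", "operational", channel=6),
    Radio("ap-2", "operational", channel=1),
    Radio("ap-3", "sentry", scan_bands=("2.4GHz",)),
]

if __name__ == "__main__":
    for bssid, aps in coverage(SAMPLE_ATTACK_LIST, SAMPLE_RADIOS).items():
        print(bssid, "->", ", ".join(aps) or "NOT MITIGATED by any radio")
    print("ap-1 burst:", burst_size(SAMPLE_RADIOS[0], SAMPLE_ATTACK_LIST),
          "frames every", ATTACK_INTERVAL_S, "s")
```

A BSSID that maps to an empty list shows as Rogue – Under Mitigation in the RF Scan entry while no managed radio is sending frames to it, which is the case to check for when a rogue operates on a band the sentry radios do not scan.
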
The switch sends the attack list to all new APs that connect to the managed network. The switch also sends the attack list
every time the list changes. The whole list and the number of rogue BSSIDs in the list are sent every time. If there is no attack
in progress, then the number of BSSIDs is zero.
The BSSIDs are added to the attack list by the administrator through the switch Web UI. When a rogue AP is acknowledged
by the administrator or the rogue RF Scan entry is deleted from the RF Scan database, the BSSID is removed from the attack
list.
The RF Scan entry for detected APs indicates whether a de-authentication attack is in progress against this AP. This is
indicated by the status of that AP as Rogue – Under Mitigation on the WLAN > Monitoring > Access Point > Rogue/RF
Scan Access Points page. See "Monitoring Rogue and RF Scan Access Points" on page 138.
The Rogue AP Mitigation Count and Rogue AP Mitigation Limit parameters contain global information about the Rogue
AP Mitigation. These status parameters are displayed on the WLAN > Monitoring > Global web page. See
Table 27: "Global WLAN Statistics," on page 120.
To view information about APs under mitigation, the parameters listed below are displayed for each AP on the WLAN >
Monitoring > Access Point > AP De-Authentication Attack Status page. On the web page, the MAC addresses provide
a link to the RF Scan database.
Document 34CS3000-SWUM104-D10, Page 141

This manual is also suitable for:

Dwl-8500ap, Dwl-3500ap, Dwl-8600ap