Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Attack Detection

On small- and medium-scale WLANs, the attack detection function can be enabled to detect flooding attacks, weak initialization vectors (IVs), and spoofing attacks. This function enables an RU to add attackers to the dynamic blacklist and send alarms to the central AP to alert administrators.

Flooding Attack Detection

Figure 20-2  Flooding attack

In Figure 20-2, the RU receives a large number of management packets or empty data packets that have the same type and source MAC address within a short period. This is a flooding attack. As a result, the system is busy processing these attack packets and cannot process packets from authorized STAs.

Flooding attack detection allows an RU to continuously monitor the traffic volume of each STA to prevent flooding attacks. When the traffic of a STA exceeds the allowed threshold (for example, the RU receives more than 100 packets from a STA within 1 second), the RU considers the STA to be flooding packets and reports an alarm to the central AP. If a dynamic blacklist is configured, the RU adds the detected attack device to the dynamic blacklist. Until the dynamic blacklist entry ages out, the RU discards all packets from the attack device to protect the network from the flooding attack.

An RU can detect flooding attacks of the following packets:
  • Authentication Request
  • Deauthentication
  • Association Request
  • Disassociation
  • Reassociation Request
  • Probe Request
  • Action
  • EAPOL Start
  • EAPOL-Logoff

Weak IV Detection

Figure 20-3  Weak IV

In Figure 20-3, when WEP encryption is used, a STA uses a 3-byte IV and a fixed shared key to encrypt each packet it sends, so that the same shared key produces different ciphertext for each packet. If the STA uses a weak IV (the first byte of the IV ranges from 3 to 15 and the second byte is 255), attackers can easily recover the shared key and access network resources, because the IV is sent in plain text as part of the packet header.

Weak IV detection inspects the IV of each WEP packet to prevent attackers from recovering the shared key. When the RU detects a packet carrying a weak IV, the RU sends an alarm to the central AP so that users can apply other security policies to prevent STAs from using weak IVs for encryption.

Spoofing Attack Detection

Figure 20-4  Spoofing attack

In Figure 20-4, an attacker (a rogue AP or malicious user) impersonates an authorized user and sends spoofing attack packets to STAs, which then fail to go online. This is a spoofing attack, which is also called a man-in-the-middle attack. Spoofing attack packets include broadcast Disassociation packets and Deauthentication packets.

After the spoofing attack detection function is enabled, an RU checks, whenever it receives either of the two types of packets, whether the source MAC address of the packet is the RU's own MAC address. If so, the WLAN is under a spoofing attack that uses Disassociation or Deauthentication packets.
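The three checks described in the Flooding Attack Detection, Weak IV Detection and Spoofing Attack Detection sections can be modelled in a few lines. The following is an added illustration, not Huawei code or part of the original guide: the class name, frame-type labels, 60-second blacklist aging time and the choice to drop spoofed frames are assumptions, while the 100-packets-per-second threshold and the weak IV byte ranges are the values the page gives.

```python
from collections import defaultdict, deque
# Frame types the page lists for flood detection (short labels are this example's own).
FLOOD_TYPES = {"auth-req", "deauth", "assoc-req", "disassoc", "reassoc-req",
               "probe-req", "action", "eapol-start", "eapol-logoff"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

class AttackDetector:
    """The three checks described above, applied to frames seen by one RU."""
    def __init__(self, ru_mac, threshold=100, window=1.0, blacklist_age=60.0):
        self.ru_mac = ru_mac
        self.threshold = threshold          # page's example: 100 packets ...
        self.window = window                # ... within 1 second
        self.blacklist_age = blacklist_age  # assumed aging time, not from the page
        self.seen = defaultdict(deque)      # (src, type) -> recent timestamps
        self.blacklist = {}                 # src -> time the entry ages out

    def process(self, ts, src, dst, ftype, wep_iv=None):
        """Return (verdict, alarms) for one frame; verdict is 'accept' or 'drop'."""
        if self.blacklist.get(src, 0.0) > ts:
            return "drop", []               # blacklist entry has not aged out
        self.blacklist.pop(src, None)
        # Spoofing: broadcast Disassociation/Deauthentication carrying the RU's own MAC.
        # Dropping it is this example's choice; the page only describes detection.
        if ftype in ("disassoc", "deauth") and dst == BROADCAST and src == self.ru_mac:
            return "drop", ["spoof"]
        alarms = []
        # Weak IV: first IV byte in 3..15 and second byte 255.
        if wep_iv is not None and 3 <= wep_iv[0] <= 15 and wep_iv[1] == 255:
            alarms.append("weak-iv")
        # Flooding: more than `threshold` same-type frames from one source per window.
        if ftype in FLOOD_TYPES:
            q = self.seen[(src, ftype)]
            q.append(ts)
            while ts - q[0] >= self.window:
                q.popleft()
            if len(q) > self.threshold:
                self.blacklist[src] = ts + self.blacklist_age
                q.clear()
                return "drop", alarms + ["flood"]
        return "accept", alarms

def demo():
    """Run constructed frames (not captured traffic) through the detector."""
    ru, sta = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01"
    det = AttackDetector(ru)
    flood = [det.process(i * 0.005, sta, ru, "probe-req") for i in range(102)]
    weak = det.process(2.0, "aa:aa:aa:aa:aa:02", ru, "data", wep_iv=bytes([3, 255, 7]))
    spoof = det.process(2.0, ru, BROADCAST, "deauth")
    return flood[99], flood[100], flood[101], weak, spoof
```

Timestamps are expected in non-decreasing order, as they would be on a live capture.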

Updated: 2019-01-11

Document ID: EDOC1000176006
