Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring Attack Detection and Dynamic Blacklist

Context

To identify attacks on a WLAN in a timely manner, you can configure attack detection. Attack detection enables WLAN devices to detect attacks such as flood attacks, weak IV attacks, spoofing attacks, and brute force WPA-PSK/WPA2-PSK/WAPI-PSK/WEP-SK key cracking attacks, and to record information about the attacking devices. If the dynamic blacklist function is enabled, the WLAN devices automatically add the attacking devices to a dynamic blacklist and discard packets sent from the attacking devices.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface wlan-radio wlan-radio-number

    The radio interface view is displayed.

  3. Run:

    wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key }

    Attack detection is enabled.

    By default, attack detection is disabled on an AP radio.

  4. Run:

    quit

    Return to the system view.

  5. Run:

    wlan

    The WLAN view is displayed.

  6. Run:

    wids

    The WIDS view is displayed.

  7. Configure parameters according to the attack detection type set in step 3.

    • Flood attack detection

      1. Run the flood-detect interval interval command to set the flood attack detection interval.

        By default, the flood attack detection interval is 10 seconds.

      2. Run the flood-detect threshold threshold command to set the flood attack detection threshold.

        By default, the flood attack detection threshold is 500.

      3. Run the flood-detect quiet-time quiet-time-value command to set the quiet time for an AP to record the detected flood attacks.

        By default, the quiet time is 600 seconds for an AP to record the detected flood attacks.

    • Weak IV attack detection

      1. Run the weak-iv-detect quiet-time quiet-time-value command to set the quiet time for an AP to record the detected weak IV attacks.

        By default, the quiet time is 600 seconds for an AP to record the detected weak IV attacks.

    • Spoofing attack detection

      1. Run the spoof-detect quiet-time quiet-time-value command to set the quiet time for an AP to record the detected spoofing attacks.

        By default, the quiet time is 600 seconds for an AP to record the detected spoofing attacks.

    • Detection of brute force key cracking attacks

      1. Run the brute-force-detect interval interval command to set the interval for detecting brute force key cracking attacks.

        By default, the interval for brute force key cracking detection is 60 seconds.

      2. Run the brute-force-detect threshold threshold command to set the maximum number of key negotiation failures allowed within one brute force key cracking detection period.

        By default, an AP allows a maximum of 20 key negotiation failures within a brute force key cracking attack detection period.

      3. Run the brute-force-detect quiet-time quiet-time-value command to set the quiet time for an AP to record the detected brute force key cracking attacks.

        By default, the quiet time is 600 seconds for an AP to record the detected brute force key cracking attacks.

  8. Run:

    dynamic-blacklist enable

    The dynamic blacklist function is enabled.

    By default, the dynamic blacklist function is disabled.

    NOTE:
    • The dynamic blacklist is saved on APs. After the dynamic blacklist function is enabled, the detected attacking devices are added to the dynamic blacklist. Within the aging time of the dynamic blacklist, the device discards packets sent from the blacklisted devices. You can run the dynamic-blacklist aging-time command to set the aging time of the dynamic blacklist.

    • When an AP is configured to work in monitor mode, the dynamic blacklist function does not take effect.
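
The following is an added example, not Huawei code and not part of the original guide: a simplified Python model of how the brute-force-detect interval and threshold from step 7 interact with the dynamic blacklist from step 8, useful for reasoning about threshold tuning. The sliding-window counting, the class and function names, the sample MAC addresses, and the 300-second aging time are assumptions made for illustration.

```python
from collections import defaultdict, deque

class BruteForceModel:
    """Simplified model of brute-force-detect plus dynamic-blacklist (not AP firmware)."""

    def __init__(self, interval=60, threshold=20, aging_time=300):
        self.interval = interval      # brute-force-detect interval (page default: 60 s)
        self.threshold = threshold    # brute-force-detect threshold (page default: 20)
        self.aging_time = aging_time  # constructed value, not a vendor default
        self.failures = defaultdict(deque)  # MAC -> timestamps of recent failures
        self.blacklist = {}                 # MAC -> time at which the entry ages out

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is not None and now >= expiry:
            del self.blacklist[mac]   # entry aged out
            expiry = None
        return expiry is not None

    def key_negotiation_failure(self, mac, now):
        if self.is_blacklisted(mac, now):
            return "dropped"          # packets from blacklisted devices are discarded
        window = self.failures[mac]
        window.append(now)
        # Assumption: sliding window; forget failures older than one interval.
        while window[0] <= now - self.interval:
            window.popleft()
        if len(window) > self.threshold:   # more than the allowed maximum
            self.blacklist[mac] = now + self.aging_time
            window.clear()
            return "blacklisted"
        return "counted"

def replay(model, events):
    """events: iterable of (time_seconds, mac); returns one outcome per event."""
    return [model.key_negotiation_failure(mac, t) for t, mac in events]

# Constructed sample input: one station failing every 2 s, one user with 3 typos.
ATTACKER, USER = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = sorted([(t, ATTACKER) for t in range(0, 46, 2)] +
                [(t, USER) for t in (5, 20, 50)])

if __name__ == "__main__":
    for (t, mac), outcome in zip(SAMPLE, replay(BruteForceModel(), SAMPLE)):
        print(f"t={t:>3}s {mac} {outcome}")
```

With the page defaults, the station that fails every 2 seconds is blacklisted on its 21st failure, while the user with three failures is only counted.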

Updated: 2019-01-11

Document ID: EDOC1000176006