CLI-based Configuration Guide - WLAN-AC

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the concepts, configuration procedures, and configuration examples of WLAN-AC features.
Perimeter Security

Attack Detection

On small- and medium-scale WLANs, attack detection can be enabled to allow an AP to add attackers to a dynamic blacklist and send alarms to the AC to alert administrators. When enabled, attack detection can detect the following:
  • Flooding attacks
  • Weak initialization vector (IV) attacks
  • Spoofing attacks
Flooding Attack Detection
Figure 7-1  Flooding attack

In Figure 7-1, the AP receives a large number of management frames or null data frames of the same type and from the same source MAC address within a short period. This is a flooding attack. The AP is kept busy processing the attack frames and cannot serve frames from authorized STAs.

Flooding attack detection allows an AP to monitor the traffic volume of each STA to prevent flooding attacks. When the traffic of a STA exceeds the allowed threshold (for example, the AP receives more than 100 packets from a STA within 1 second), the AP considers this STA to be flooding packets and reports an alarm to the AC. If a dynamic blacklist is configured, the AP adds the detected device to the dynamic blacklist and discards all of the packets from the attack device until the dynamic blacklist expires.

An AP can detect flooding attacks of the following packets:
  • Authentication Request
  • Deauthentication
  • Association Request
  • Disassociation
  • Reassociation Request
  • Probe Request
  • Action
  • EAPOL Start
  • EAPOL-Logoff
Weak IV Detection
Figure 7-2  Weak IV

In Figure 7-2, when WEP encryption is used, a STA prepends a 3-byte IV to the fixed shared key to encrypt each packet, so that the same shared key produces a different keystream for each packet. The IV is transmitted in plaintext as part of the frame header. If the STA uses a weak IV (the first byte of the IV is in the range 3 to 15 and the second byte is 255), an attacker who collects enough such packets can recover the shared key and access network resources.

Weak IV detection inspects the IV of every WEP packet to prevent attackers from recovering the shared key. When the AP detects a packet carrying a weak IV, it sends an alarm to the AC so that the administrator can switch to a different security policy and stop STAs from encrypting with weak IVs.

Spoofing Attack Detection
Figure 7-3  Spoofing attack

In Figure 7-3, an attacker (a rogue AP or malicious user) forges the identity of a legitimate device, such as the AP, and sends spoofed frames to STAs, which are then disconnected and fail to go online. This is a spoofing attack; because it is commonly used to push STAs onto a rogue AP, it is also referred to as a man-in-the-middle attack. Spoofing attack packets include broadcast Disassociation and Deauthentication packets.

After spoofing attack detection is enabled, whenever an AP receives a Disassociation or Deauthentication packet it checks whether the packet's source MAC address is the AP's own MAC address. An AP never receives its own transmissions over the air, so a match means that the WLAN is under a spoofed Disassociation or Deauthentication attack.
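The two checks above operate on individual received frames, so one small parser serves both the weak IV detection and the spoofing attack detection sections. The following is an added illustration, not Huawei code: it decodes the fixed 802.11 MAC header, extracts the plaintext IV from WEP-protected data frames and applies the weak-IV rule from the text, and flags any Deauthentication or Disassociation frame whose transmitter address is the AP's own MAC. The MAC addresses, frames and reason codes are constructed values.

```python
"""Weak-IV and spoofed Deauthentication/Disassociation checks over raw 802.11 frames.

Added illustration, not Huawei code. Frame layouts follow IEEE 802.11; the
AP/STA MAC addresses and the frames themselves are constructed below.
"""
from dataclasses import dataclass
from typing import List, Optional

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C
FLAG_PROTECTED = 0x40   # Frame Control byte 1, "Protected Frame" bit
HDR_LEN = 24            # FC(2) Duration(2) Addr1/2/3(18) SeqCtrl(2)
WEP_OVERHEAD = 8        # IV(3) + KeyID(1) in front, ICV(4) at the end


@dataclass
class Frame:
    ftype: int
    subtype: int
    protected: bool
    addr1: bytes   # receiver address
    addr2: bytes   # transmitter (source) address
    addr3: bytes   # BSSID in the frames used here
    body: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the fixed 24-byte MAC header; the body is everything after it."""
    if len(raw) < HDR_LEN:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    return Frame(ftype=(fc0 >> 2) & 0x3, subtype=(fc0 >> 4) & 0xF,
                 protected=bool(fc1 & FLAG_PROTECTED),
                 addr1=raw[4:10], addr2=raw[10:16], addr3=raw[16:22],
                 body=raw[HDR_LEN:])


def wep_iv(frame: Frame) -> Optional[bytes]:
    """The 3-byte IV of a WEP-protected data frame; it is sent in the clear."""
    if frame.ftype != TYPE_DATA or not frame.protected or len(frame.body) < WEP_OVERHEAD:
        return None
    return frame.body[:3]


def is_weak_iv(iv: bytes) -> bool:
    """Weak-IV class from the text: first byte 3..15, second byte 255."""
    return len(iv) == 3 and 3 <= iv[0] <= 15 and iv[1] == 0xFF


def is_spoofed_disconnect(frame: Frame, ap_mac: bytes) -> bool:
    """A received Deauth/Disassoc whose source address is the AP's own MAC.
    The AP never hears its own transmissions, so such a frame must be forged."""
    return (frame.ftype == TYPE_MGMT
            and frame.subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
            and frame.addr2 == ap_mac)


def analyze(raw: bytes, ap_mac: bytes) -> List[str]:
    """Run both checks on one frame and return the alarms the AP would raise."""
    f = parse_frame(raw)
    alarms = []
    iv = wep_iv(f)
    if iv is not None and is_weak_iv(iv):
        alarms.append(f"weak-iv src={f.addr2.hex(':')} iv={iv.hex()}")
    if is_spoofed_disconnect(f, ap_mac):
        kind = "deauth" if f.subtype == SUBTYPE_DEAUTH else "disassoc"
        alarms.append(f"spoofed-{kind} dst={f.addr1.hex(':')}")
    return alarms


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", protected=False):
    """Assemble a minimal frame (Duration and Sequence Control left as zero)."""
    fc0 = (subtype << 4) | (ftype << 2)
    fc1 = FLAG_PROTECTED if protected else 0
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


# Constructed addresses and frames (hypothetical values).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("aabbccddeeff")
BROADCAST = b"\xff" * 6
WEAK_IV_FRAME = build_frame(TYPE_DATA, 0, AP_MAC, STA_MAC, AP_MAC, protected=True,
                            body=bytes([0x05, 0xFF, 0x42, 0x00]) + b"\x11" * 10 + b"\x00" * 4)
GOOD_WEP_FRAME = build_frame(TYPE_DATA, 0, AP_MAC, STA_MAC, AP_MAC, protected=True,
                             body=bytes([0x10, 0x20, 0x30, 0x00]) + b"\x11" * 10 + b"\x00" * 4)
SPOOFED_DEAUTH = build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, AP_MAC, AP_MAC,
                             body=(7).to_bytes(2, "little"))   # reason code 7
STA_DISASSOC = build_frame(TYPE_MGMT, SUBTYPE_DISASSOC, AP_MAC, STA_MAC, AP_MAC,
                           body=(8).to_bytes(2, "little"))     # reason code 8

if __name__ == "__main__":
    for name, frame in [("weak IV", WEAK_IV_FRAME), ("normal WEP", GOOD_WEP_FRAME),
                        ("spoofed deauth", SPOOFED_DEAUTH), ("STA disassoc", STA_DISASSOC)]:
        print(f"{name:15s} -> {analyze(frame, AP_MAC)}")
```

The spoofing check deliberately keys on addr2 (the transmitter address) rather than addr3 (the BSSID): a spoofed broadcast Deauthentication carries the AP's MAC in both fields, and it is the transmitter address that an AP can never legitimately see in a frame it receives.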

Defense Against Brute Force Key Attacks

In a brute force attack, the attacker searches for a password by trying every possible combination; this is also called an exhaustive attack. For example, a 4-digit password made up only of digits has at most 10,000 combinations, so it is guessed after at most 10,000 attempts. In theory, brute force can recover any password given enough time, so attackers are always looking for ways to shorten the time required. When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key as its security policy, attackers can use brute force to guess the pre-shared key.

Brute force attack defense lengthens the time an attacker needs to guess the key. An AP counts the key negotiation attempts made during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication and compares the count with the configured threshold. If the threshold is exceeded, the AP assumes that the user is brute forcing the key and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP also adds the user to the dynamic blacklist and discards all packets from that user until the entry expires.
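Flooding attack detection and brute force attack defense share the same mechanism: count a class of events per STA inside a sliding window, alarm when the count exceeds a threshold, and, if the dynamic blacklist is enabled, drop everything from that STA until the entry ages out. The following is an added illustration covering both sections, not Huawei code. The flooding rule uses the text's figure of more than 100 frames within 1 second over the listed frame kinds; the brute force threshold (10 failed key negotiations within 60 s), the blacklist lifetime (300 s), the event names and the replayed trace are all assumed values, and "psk_handshake_fail" stands for one failed key negotiation attempt.

```python
"""Per-STA event counting with threshold alarms and a dynamic blacklist.

Added illustration, not Huawei code. The thresholds, the blacklist lifetime
and the 'event' records in the trace are assumed values; a real AP takes them
from the configured attack-detection profile and its own frame parser.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str          # alarm type reported to the AC
    events: frozenset  # event names this rule counts
    threshold: int     # alarm once the count in the window exceeds this
    window: float      # sliding window length in seconds


# Flooding: >100 frames of the listed kinds from one STA within 1 second (figure from the text).
FLOOD_RULE = Rule("flood", frozenset({
    "auth_req", "deauth", "assoc_req", "disassoc", "reassoc_req",
    "probe_req", "action", "eapol_start", "eapol_logoff"}), 100, 1.0)
# Brute force: >10 failed key negotiations from one STA within 60 s (assumed threshold).
BRUTE_RULE = Rule("psk-brute-force", frozenset({"psk_handshake_fail"}), 10, 60.0)


@dataclass
class Detector:
    rules: List[Rule]
    blacklist_ttl: float = 300.0   # seconds; assumed dynamic-blacklist aging time
    alarms: List[Tuple[float, bytes, str, int]] = field(default_factory=list)
    _hist: Dict[tuple, deque] = field(default_factory=lambda: defaultdict(deque))
    _blacklist: Dict[bytes, float] = field(default_factory=dict)   # mac -> expiry time

    def is_blacklisted(self, mac: bytes, now: float) -> bool:
        expiry = self._blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:          # entry aged out: the STA may talk again
            del self._blacklist[mac]
            return False
        return True

    def observe(self, now: float, mac: bytes, event: str) -> str:
        """Feed one received frame. Returns 'drop', 'alarm' or 'ok'."""
        if self.is_blacklisted(mac, now):
            return "drop"
        verdict = "ok"
        for rule in self.rules:
            if event not in rule.events:
                continue
            hist = self._hist[(mac, rule.name)]
            hist.append(now)
            while hist and now - hist[0] > rule.window:   # slide the window
                hist.popleft()
            if len(hist) > rule.threshold:
                self.alarms.append((now, mac, rule.name, len(hist)))  # report to the AC
                self._blacklist[mac] = now + self.blacklist_ttl       # dynamic blacklist entry
                hist.clear()
                verdict = "alarm"
        return verdict


def replay(trace, rules, blacklist_ttl=300.0):
    """Run a (time, mac, event) trace through a fresh detector."""
    det = Detector(rules=list(rules), blacklist_ttl=blacklist_ttl)
    return det, [det.observe(t, mac, ev) for t, mac, ev in trace]


# Constructed trace (hypothetical MACs and timings).
ATTACKER = bytes.fromhex("aabbccddeeff")   # floods 120 Probe Requests in 0.6 s
LEGIT = bytes.fromhex("001122334455")      # a normal STA joining the WLAN
CRACKER = bytes.fromhex("deadbeef0001")    # 12 failed PSK handshakes, one per second
TRACE = sorted(
    [(i * 0.005, ATTACKER, "probe_req") for i in range(120)]
    + [(0.3 + 0.6 * i, LEGIT, ev) for i, ev in enumerate(
        ["probe_req", "auth_req", "assoc_req", "eapol_start", "action"])]
    + [(1.0 + i, CRACKER, "psk_handshake_fail") for i in range(12)]
    + [(200.0, ATTACKER, "probe_req"), (301.0, ATTACKER, "probe_req")],
    key=lambda e: e[0])

if __name__ == "__main__":
    det, outcomes = replay(TRACE, [FLOOD_RULE, BRUTE_RULE])
    for t, mac, rule, count in det.alarms:
        print(f"t={t:7.3f}s alarm {rule} from {mac.hex(':')} ({count} events in window)")
    print({v: outcomes.count(v) for v in ("ok", "alarm", "drop")})
```

In the replayed trace the flooding rule trips on the attacker's 101st Probe Request and the remaining frames are dropped, the legitimate STA's handful of join frames pass, the cracker is blacklisted after its 11th failed handshake, and the attacker's frame at 301 s is accepted again because its 300 s blacklist entry has expired. The per-rule history is cleared when an alarm fires so that a STA released from the blacklist starts with a clean count rather than re-tripping on stale events.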

Updated: 2019-05-20

Document ID: EDOC1100033726
