
Alcatel-Lucent AOS-W 6.5.3.x - Page 489

1160 pages
489| Wireless Intrusion Prevention AOS-W 6.5.3.x| User Guide
Understanding Client Intrusion Detection
Generally, clients are more vulnerable to attacks than APs. Clients are more apt to associate with a malicious
AP due to the client's driver behavior or a misconfigured client. It is important to monitor authorized clients to
track their associations and to track any attacks raised against the client. Client attack detection is categorized
as:
- Detecting attacks against Alcatel-Lucent AP clients: An attacker can perform an active DoS attack
  against an associated client, or perform a replay attack to obtain the transmission keys, which could lead
  to more serious attacks.
- Monitoring authorized clients: Since clients are easily tricked into associating with unauthorized APs,
  tracking all misassociations of authorized clients is very important.
An authorized client is a client authorized to use the WLAN network. In AOS-W, an authorized client is called a
valid-client. AOS-W automatically learns a valid client. A client is determined to be valid if it is associated with an
authorized or valid AP using encryption, either Layer 2 or IPsec.
Detection of attacks is limited to valid clients and clients associated with valid APs. Clients that are associated as guests
using unencrypted association are included in the attack detection. However, clients on neighboring (interfering) APs
are not tracked for attack detection unless they are specified as valid.
Table 112 presents a summary of the client intrusion detection features with their related commands, traps,
and syslog identification. Details of each feature follow the table.
| Feature | Command | Trap | Syslog ID |
|---|---|---|---|
| Detecting a Block ACK DoS on page 491 | ids-dos-profile, detect-block-ack-attack, block-ack-quiet-time | wlsxBlockAckAttackDetected | 126087, 127087 |
| Detecting a ChopChop Attack on page 491 | ids-dos-profile, detect-chopchop-attack, chopchop-quiet-time | wlsxChopChopAttackDetected | 126078, 127078 |
| Detecting a Disconnect Station Attack on page 491 | ids dos-profile <name>, detect-disconnect-sta, disconnect-sta-quiet-time, disconnect-sta-assoc-resp-threshold, disconnect-deauth-disassoc-threshold | wlsxNDisconnectStationAttack | 126035, 127035 |
| Detecting an EAP Rate Anomaly on page 491 | ids-dos-profile, detect-eap-rate-anomaly, eap-rate-threshold, eap-rate-time-interval, eap-rate-quiet-time | wlsxEAPRateAnomaly | 126032, 127032 |
| Detecting a FATA-Jack Attack Structure on page 491 | ids dos-profile, detect-fatajack-attack, fatajack-attack-quiet-time | wlsxFataJackAttackDetected | 126072, 127072 |

Table 112: Client Detection Summary
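
The following is an added example, not part of the user guide or of AOS-W: a small triage script that groups exported syslog lines by the client intrusion detection features of Table 112, using the syslog IDs and trap names listed there. It assumes the message ID appears in angle brackets and that MAC addresses are colon-separated; the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Trap names and syslog IDs copied from Table 112 (one row per feature).
TABLE_112 = {
    "Block ACK DoS": ("wlsxBlockAckAttackDetected", (126087, 127087)),
    "ChopChop Attack": ("wlsxChopChopAttackDetected", (126078, 127078)),
    "Disconnect Station Attack": ("wlsxNDisconnectStationAttack", (126035, 127035)),
    "EAP Rate Anomaly": ("wlsxEAPRateAnomaly", (126032, 127032)),
    "FATA-Jack Attack Structure": ("wlsxFataJackAttackDetected", (126072, 127072)),
}
ID_TO_FEATURE = {sid: name for name, (_, ids) in TABLE_112.items() for sid in ids}

# Assumed line layout (not taken from the guide): "<ID>" marker, colon-form MACs.
MSG_ID = re.compile(r"<(\d{6})>")
MAC = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def triage(lines):
    """Group syslog lines by Table 112 feature.

    Returns {feature: {"trap": str, "count": int, "macs": sorted list}}.
    Lines that carry no Table 112 syslog ID are skipped.
    """
    summary = defaultdict(lambda: {"trap": "", "count": 0, "macs": set()})
    for line in lines:
        match = MSG_ID.search(line)
        feature = ID_TO_FEATURE.get(int(match.group(1))) if match else None
        if feature is None:
            continue
        entry = summary[feature]
        entry["trap"] = TABLE_112[feature][0]
        entry["count"] += 1
        # Normalise case so one device is not counted twice.
        entry["macs"].update(mac.lower() for mac in MAC.findall(line))
    return {f: {**e, "macs": sorted(e["macs"])} for f, e in summary.items()}


# Constructed sample lines; host name, layout and message text are illustrative.
SAMPLE = [
    "Jan 10 09:14:02 switch1 <127035> <WARN> disconnect station attack "
    "client 00:11:22:33:44:55 bssid aa:bb:cc:00:00:01",
    "Jan 10 09:14:05 switch1 <126035> <WARN> disconnect station attack client 00:11:22:33:44:55",
    "Jan 10 09:15:40 switch1 <127032> <WARN> EAP rate anomaly on bssid AA:BB:CC:00:00:01",
    "Jan 10 09:16:00 switch1 <124004> <DBUG> unrelated message",
]

if __name__ == "__main__":
    for feature, entry in triage(SAMPLE).items():
        print(f"{feature}: {entry['count']} event(s), trap {entry['trap']}, MACs {entry['macs']}")
```

A MAC address that recurs across several features in the output is a good starting point for checking that client's association history.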
