Cisco 2100 Series Configuration Manual page 296

Configuring IDS
These signatures are divided into six main groups. The first four groups contain management signatures,
and the last two groups contain data signatures.
• Broadcast deauthentication frame signatures—During a broadcast deauthentication frame attack,
a hacker sends an 802.11 deauthentication frame to the broadcast MAC destination address of
another client. This attack causes the destination client to disassociate from the access point and lose
its connection. If this action is repeated, the client experiences a denial of service. When the
broadcast deauthentication frame signature (precedence 1) is used to detect such an attack, the
access point listens for clients transmitting broadcast deauthentication frames that match the
characteristics of the signature. If the access point detects such an attack, it alerts the controller.
Depending on how your system is configured, the offending device is contained so that its signals
no longer interfere with authorized clients, or the controller forwards an immediate alert to the
system administrator for further action, or both.
NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL
•
probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL
probe response signature is used to detect such an attack, the access point identifies the wireless
client and alerts the controller. The NULL probe response signatures include:
Management frame flood signatures—During a management frame flood attack, a hacker floods
•
an access point with 802.11 management frames. The result is a denial of service to all clients
associated or attempting to associate to the access point. This attack can be implemented with
different types of management frames: association requests, authentication requests, reassociation
requests, probe requests, disassociation requests, deauthentication requests, and reserved
management subtypes.
When a management frame flood signature is used to detect such an attack, the access point
identifies management frames matching the entire characteristic of the signature. If the frequency
of these frames is greater than the value of the frequency set in the signature, an access point that
hears these frames triggers an alarm. The controller generates a trap and forwards it to WCS.
The management frame flood signatures include:
The reserved management frame signatures 7 and F are reserved for future use.
Wellenreiter signature—Wellenreiter is a wireless LAN scanning and discovery utility that can
•
reveal access point and client information. When the Wellenreiter signature (precedence 17) is used
to detect such an attack, the access point identifies the offending device and alerts the controller.
Cisco Wireless LAN Controller Configuration Guide
5-108
– NULL probe resp 1 (precedence 2)
– NULL probe resp 2 (precedence 3)
– Assoc flood (precedence 4)
– Auth flood (precedence 5)
– Reassoc flood (precedence 6)
Broadcast probe flood (precedence 7)
–
Disassoc flood (precedence 8)
–
Deauth flood (precedence 9)
–
Reserved mgmt 7 (precedence 10)
–
Reserved mgmt F (precedence 11)
–
Chapter 5 Configuring Security Solutions
OL-17037-01