Understanding Client Intrusion Detection

Generally, clients are more vulnerable to attack than APs. Clients are more likely to associate with a malicious AP because of driver behavior or a misconfiguration on the client. It is therefore important to monitor authorized clients, both to track their associations and to detect attacks directed at them. Client attack detection falls into two categories:

  • Detecting attacks against Aruba AP clients: An attacker can launch an active DoS attack against an associated client, or perform a replay attack to recover keying material, which can lead to more serious attacks.
  • Monitoring authorized clients: Because clients are easily tricked into associating with unauthorized APs, tracking every misassociation of an authorized client is important.

An authorized client is a client that is authorized to use the WLAN. In ArubaOS, an authorized client is called a valid client, and ArubaOS learns valid clients automatically: a client is considered valid if it is associated to an authorized (valid) AP and is using encryption, either Layer 2 encryption or IPsec.

Attack detection is limited to valid clients and to clients associated to valid APs. Guest clients that are associated to a valid AP without encryption are included in attack detection. Clients on neighboring (interfering) APs, however, are not tracked for attack detection unless they are explicitly classified as valid.

Table 1 summarizes the client intrusion detection features with their related CLI commands, SNMP traps, and syslog IDs. Details of each feature follow the table.

Table 1: Client Detection Summary

Detecting a Block ACK DoS
  Command:   ids dos-profile <profile-name>
               detect-block-ack-attack
               block-ack-quiet-time
  Trap:      wlsxBlockAckAttackDetected
  Syslog ID: 126087, 127087

Detecting a ChopChop Attack
  Command:   ids dos-profile <profile-name>
               detect-chopchop-attack
               chopchop-quiet-time
  Trap:      wlsxChopChopAttackDetected
  Syslog ID: 126078, 127078

Detecting a Disconnect Station Attack
  Command:   ids dos-profile <profile-name>
               detect-disconnect-sta
               disconnect-sta-quiet-time
               disconnect-sta-assoc-resp-threshold
               disconnect-deauth-disassoc-threshold
  Trap:      wlsxNDisconnectStationAttack
  Syslog ID: 126035, 127035

Detecting an EAP Rate Anomaly
  Command:   ids dos-profile <profile-name>
               detect-eap-rate-anomaly
               eap-rate-threshold
               eap-rate-time-interval
               eap-rate-quiet-time
  Trap:      wlsxEAPRateAnomaly
  Syslog ID: 126032, 127032

Detecting a FATA-Jack Attack Structure
  Command:   ids dos-profile <profile-name>
               detect-fatajack-attack
               fatajack-attack-quiet-time
  Trap:      wlsxFataJackAttackDetected
  Syslog ID: 126072, 127072

Detecting a Hotspotter Attack
  Command:   ids impersonation-profile <profile-name>
               detect-hotspotter-attack
               hotspotter-quiet-time
  Trap:      wlsxHotspotterAttackDetected
  Syslog ID: 126088, 127088

Detecting a Meiners Power Save DoS Attack
  Command:   ids dos-profile <profile-name>
               detect-power-save-dos-attack
               power-save-dos-min-frames
               power-save-dos-quiet-time
               power-save-dos-threshold
  Trap:      wlsxPowerSaveDoSAttack
  Syslog ID: 126109, 127109

Detecting an Omerta Attack
  Command:   ids dos-profile <profile-name>
               detect-omerta-attack
               omerta-attack-threshold
               omerta-attack-quiet-time
  Trap:      wlsxOmertaAttack
  Syslog ID: 126071, 127071

Detecting Rate Anomalies
  Command:   ids dos-profile <profile-name>
               detect-rate-anomalies
               assoc-rate-thresholds
               disassoc-rate-thresholds
               deauth-rate-thresholds
               probe-request-rate-thresholds
               probe-response-rate-thresholds
               auth-rate-thresholds
  Trap:      wlsxChannelRateAnomaly
             wlsxNodeRateAnomalyAP
             wlsxNodeRateAnomalySta
  Syslog ID: 126061, 126062, 126063, 127061, 127062, 127063

Detecting a TKIP Replay Attack
  Command:   ids dos-profile <profile-name>
               detect-tkip-replay-attack
               tkip-replay-quiet-time
  Trap:      wlsxTkipReplayAttackDetected
  Syslog ID: 126077, 127077

Detecting Unencrypted Valid Clients
  Command:   ids unauthorized-device-profile <profile-name>
               detect-unencrypted-valid-client
               unencrypted-valid-client-quiet-time
  Trap:      wlsxValidClientNotUsingEncryption
  Syslog ID: 126065, 127065

Detecting a Valid Client Misassociation
  Command:   ids unauthorized-device-profile <profile-name>
               detect-valid-client-misassociation
  Trap:      wlsxValidClientMisassociation
  Syslog ID: 126075, 127075

Detecting an AirJack Attack
  Command:   ids signature-matching-profile <profile-name>
               signature AirJack
             ids general-profile <profile-name>
               signature-quiet-time
  Trap:      wlsxNSignatureMatchAirjack
  Syslog ID: 126046, 127046

Detecting ASLEAP
  Command:   ids signature-matching-profile <profile-name>
               signature ASLEAP
             ids general-profile <profile-name>
               signature-quiet-time
  Trap:      wlsxNSignatureMatchAsleap
  Syslog ID: 126044, 127044

Detecting a Null Probe Response
  Command:   ids signature-matching-profile <profile-name>
               signature Null Probe Response
             ids general-profile <profile-name>
               signature-quiet-time
  Trap:      wlsxNSignatureMatchNullProbeResp
  Syslog ID: 126045, 127045

Detecting a Block ACK DoS

The Block ACK mechanism, introduced in 802.11e and extended in 802.11n draft 3.0, has a built-in DoS vulnerability. Block ACK allows a sender to use the ADDBA request frame to specify the starting sequence number of the window that the receiver should expect; the receiver then accepts only frames whose sequence numbers fall inside that window.

An attacker can spoof the ADDBA request frame to make the receiver reset its sequence number window, so that the legitimate sender's frames no longer fall in the expected range and are silently dropped.
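The following is an added example, not ArubaOS code, showing one way a monitor that sees both the data frames and the ADDBA request could flag a spoofed window reset: a second ADDBA for an already established (transmitter, receiver, TID) session whose starting sequence number is far from the sequence counter the transmitter's own data frames have been using. The ADDBA field layout follows the 802.11 Block Ack action frame; the addresses, the tolerance value and the detection heuristic itself are assumptions for illustration, not Aruba's algorithm.

```python
"""Heuristic detector for spoofed ADDBA window resets.
Illustrative code with constructed frames, not ArubaOS code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CATEGORY_BLOCK_ACK = 3      # 802.11 action frame category "Block Ack"
ACTION_ADDBA_REQUEST = 0
SEQ_MODULO = 4096           # 12-bit sequence number space

AP_BSSID = "00:1a:1e:00:00:01"   # constructed addresses
CLIENT = "aa:aa:aa:00:00:01"


@dataclass
class AddbaRequest:
    dialog_token: int
    tid: int
    buffer_size: int
    policy_immediate: bool
    timeout: int
    ssn: int     # Block Ack starting sequence number


def parse_addba_request(body: bytes) -> AddbaRequest:
    """Parse the fixed fields of an ADDBA Request action frame body:
    category(1) action(1) token(1) BA-params(2) timeout(2) starting-seq-ctrl(2)."""
    if len(body) < 9:
        raise ValueError("ADDBA Request body too short")
    category, action, token = body[0], body[1], body[2]
    if category != CATEGORY_BLOCK_ACK or action != ACTION_ADDBA_REQUEST:
        raise ValueError("not an ADDBA Request")
    params, timeout, ssc = struct.unpack_from("<HHH", body, 3)
    return AddbaRequest(
        dialog_token=token,
        tid=(params >> 2) & 0xF,              # bits 2-5 of the BA parameter set
        buffer_size=(params >> 6) & 0x3FF,    # bits 6-15
        policy_immediate=bool(params & 0x2),  # bit 1
        timeout=timeout,
        ssn=ssc >> 4,                         # bits 4-15 of the sequence control
    )


def build_addba_request(token: int, tid: int, buffer_size: int, ssn: int, timeout: int = 0) -> bytes:
    """Encode an ADDBA Request body (used here only to construct sample frames)."""
    params = 0x2 | ((tid & 0xF) << 2) | ((buffer_size & 0x3FF) << 6)
    return bytes([CATEGORY_BLOCK_ACK, ACTION_ADDBA_REQUEST, token]) + \
        struct.pack("<HHH", params, timeout, (ssn & 0xFFF) << 4)


def seq_distance(a: int, b: int) -> int:
    """Forward distance from sequence number a to b, modulo 4096."""
    return (b - a) % SEQ_MODULO


class BlockAckResetDetector:
    def __init__(self, tolerance: int = 64) -> None:
        self.tolerance = tolerance   # assumed: how far an SSN may sit from the live counter
        self.last_seq: Dict[Tuple[str, str], int] = {}        # (ta, ra) -> last data seq
        self.sessions: Dict[Tuple[str, str, int], int] = {}   # (ta, ra, tid) -> ssn

    def observe_data(self, ta: str, ra: str, seq: int) -> None:
        self.last_seq[(ta, ra)] = seq % SEQ_MODULO

    def observe_addba(self, ta: str, ra: str, body: bytes) -> Optional[str]:
        req = parse_addba_request(body)
        key = (ta, ra, req.tid)
        last = self.last_seq.get((ta, ra))
        alert = None
        # Only an ADDBA that re-negotiates an existing session is suspicious here:
        # a genuine re-setup starts right after the transmitter's current counter.
        if key in self.sessions and last is not None:
            gap = min(seq_distance(last, req.ssn), seq_distance(req.ssn, last))
            if gap > self.tolerance:
                alert = (f"suspicious ADDBA {ta}->{ra} TID {req.tid}: SSN {req.ssn} is "
                         f"{gap} away from sender's last seq {last}; possible spoofed window reset")
        self.sessions[key] = req.ssn
        return alert


def run_sample() -> List[str]:
    """Constructed sequence: normal BA setup, then a spoofed ADDBA from the client's address."""
    det = BlockAckResetDetector(tolerance=64)
    alerts: List[str] = []

    def note(result: Optional[str]) -> None:
        if result:
            alerts.append(result)

    for seq in range(100, 106):                 # client data frames seq 100..105
        det.observe_data(CLIENT, AP_BSSID, seq)
    note(det.observe_addba(CLIENT, AP_BSSID, build_addba_request(1, 0, 64, 106)))   # legitimate setup
    for seq in range(106, 111):
        det.observe_data(CLIENT, AP_BSSID, seq)
    note(det.observe_addba(CLIENT, AP_BSSID, build_addba_request(2, 0, 64, 3000)))  # spoofed reset
    note(det.observe_addba(CLIENT, AP_BSSID, build_addba_request(3, 0, 64, 111)))   # client re-setup
    return alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The heuristic only catches resets whose starting sequence number is far from the live counter; an attacker who tracks the victim's sequence numbers can choose an SSN inside the tolerance, so a production detector would also weigh the source of the frame (for example, an ADDBA arriving with signal characteristics inconsistent with the client's data frames).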

Detecting a ChopChop Attack

ChopChop is a plaintext recovery attack against WEP-encrypted networks. It recovers the plaintext one byte at a time: the attacker truncates a captured frame by its last byte, then tries all 256 possible values for the removed byte, each time correcting the CRC-32 integrity check value so the shortened frame is still valid. The correct guess causes the AP to accept and retransmit the frame; when that happens, the frame is truncated again and the process repeats.

Detecting a Disconnect Station Attack

A disconnect attack can be launched in many ways; the end result is the same: the client is effectively and repeatedly disconnected from the AP. Detection is based on the number of association responses and deauthentication/disassociation frames seen for a client within the detection window (the disconnect-sta-assoc-resp-threshold and disconnect-deauth-disassoc-threshold parameters).

Detecting an EAP Rate Anomaly

To authenticate wireless clients, WLANs may use 802.1X, which is built on the EAP framework. After the EAP exchange, if the user is successfully authenticated, an EAP-Success frame is sent from the AP to the client; if authentication fails, an EAP-Failure frame is sent instead. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client, disrupting the client's authentication state machine and causing it to drop its connection to the AP. By continuously sending spoofed EAP-Success or EAP-Failure messages, an attacker can prevent the client from ever completing authentication with the APs in the WLAN.

Detecting a FATA-Jack Attack Structure

FATA-Jack is an 802.11 client DoS tool that attempts to disconnect targeted stations by sending spoofed authentication frames that contain an invalid authentication algorithm number.

Detecting a Hotspotter Attack

The Hotspotter attack is an evil-twin attack that lures a client to a malicious AP. Many enterprise employees use their laptops at Wi-Fi hotspots in airports, cafes, and malls, and have the SSIDs of their hotspot service providers stored in their laptop profiles. The SSIDs used by the major hotspot providers are well known, so an attacker can set up APs advertising those SSIDs near the enterprise premises. When an enterprise laptop probes for a stored hotspot SSID, the malicious AP responds and invites the client to connect; once the client is connected, a range of attacks can be launched against it. Airsnarf is a popular tool used to launch these attacks.

Detecting a Meiners Power Save DoS Attack

To save power, wireless clients sleep periodically, and while asleep they can neither transmit nor receive. A client signals its intention to sleep by sending frames to the AP with the Power Management bit set; the AP then buffers traffic bound for that client until the client indicates it is awake. An intruder can exploit this mechanism by sending spoofed frames to the AP on behalf of the client, with the Power Management bit set, to trick the AP into believing the client is asleep. The AP then buffers most, if not all, frames destined for the client, effectively cutting it off.

Detecting an Omerta Attack

Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01 (Unspecified reason), which legitimate stations do not use under normal circumstances.

Detecting Rate Anomalies

Many DoS attacks flood an AP, or several APs, with 802.11 management frames. These can include authentication or association floods designed to fill the AP's association table, and other management frame floods, such as probe request floods, that consume the AP's processing capacity. Rate anomaly detection counts each management frame type (association, disassociation, deauthentication, probe request, probe response, and authentication) against a configurable per-type threshold, both per channel and per node.
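The Omerta, EAP rate anomaly, and rate anomaly features above are all variations of the same detector: count frames matching a predicate over a sliding time interval, alert when the count reaches a threshold, and then stay quiet for a configured period so one flood produces one alert. The following added example (illustrative code, not ArubaOS code) implements that detector over a constructed capture with three rules: an EAP-Success/Failure rule modelled on eap-rate-threshold, eap-rate-time-interval and eap-rate-quiet-time, an Omerta rule keyed on disassociation reason code 1, and a channel-wide probe request rule. The addresses, threshold values and frame log are constructed for the example.

```python
"""Sliding-window management-frame rate detector with quiet-time suppression.
Illustrative code with constructed input, not ArubaOS code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

AP_BSSID = "00:1a:1e:00:00:01"   # constructed addresses
CLIENT = "aa:aa:aa:00:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float                      # capture time in seconds
    src: str                       # transmitter address
    dst: str
    subtype: str                   # "auth", "assoc_req", "deauth", "disassoc", "probe_req", "eap_success", ...
    reason: Optional[int] = None   # reason code for deauth/disassoc frames


@dataclass
class Rule:
    name: str
    match: Callable[[Frame], bool]
    threshold: int      # frames within `interval` that raise an alert (cf. eap-rate-threshold)
    interval: float     # window length in seconds (cf. eap-rate-time-interval)
    quiet_time: float   # seconds before the same key may alert again (cf. eap-rate-quiet-time)
    key: Callable[[Frame], str] = lambda f: f.src   # per-node by default; a constant gives per-channel


class RateAnomalyDetector:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.last_alert: Dict[Tuple[str, str], float] = {}

    def feed(self, frame: Frame) -> List[str]:
        alerts: List[str] = []
        for rule in self.rules:
            if not rule.match(frame):
                continue
            key = (rule.name, rule.key(frame))
            window = self.windows[key]
            window.append(frame.ts)
            while window and frame.ts - window[0] > rule.interval:
                window.popleft()            # expire timestamps older than the interval
            if len(window) < rule.threshold:
                continue
            last = self.last_alert.get(key)
            if last is None or frame.ts - last >= rule.quiet_time:
                self.last_alert[key] = frame.ts   # quiet time: one alert per flood
                alerts.append(f"{rule.name} from {key[1]}: {len(window)} frames in {rule.interval}s")
        return alerts


RULES = [
    Rule("eap-rate-anomaly", lambda f: f.subtype in ("eap_success", "eap_failure"),
         threshold=20, interval=3.0, quiet_time=900.0),
    Rule("omerta-attack", lambda f: f.subtype == "disassoc" and f.reason == 1,
         threshold=5, interval=1.0, quiet_time=60.0),
    Rule("probe-request-rate-channel", lambda f: f.subtype == "probe_req",
         threshold=50, interval=1.0, quiet_time=60.0, key=lambda f: "channel"),
]


def build_sample_log() -> List[Frame]:
    """Constructed capture: benign probing, then two attack bursts."""
    frames: List[Frame] = []
    for i in range(3):   # benign: two clients send a few probe requests
        frames.append(Frame(0.5 * i, CLIENT, BROADCAST, "probe_req"))
        frames.append(Frame(0.5 * i + 0.1, "aa:aa:aa:00:00:02", BROADCAST, "probe_req"))
    for i in range(30):  # spoofed EAP-Failure flood from the AP's address: 30 frames in 0.6 s
        frames.append(Frame(10.0 + 0.02 * i, AP_BSSID, CLIENT, "eap_failure"))
    for i in range(10):  # Omerta: disassociation with reason code 1, 10 frames in 1 s
        frames.append(Frame(20.0 + 0.1 * i, AP_BSSID, BROADCAST, "disassoc", reason=1))
    return sorted(frames, key=lambda f: f.ts)


def run_sample() -> List[str]:
    det = RateAnomalyDetector(RULES)
    alerts: List[str] = []
    for frame in build_sample_log():
        alerts.extend(det.feed(frame))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Each attack burst yields exactly one alert, at the frame that reaches the threshold; the remaining frames of the burst are absorbed by the quiet time, which is what keeps a sustained flood from turning into an alert flood of its own.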

Detecting a TKIP Replay Attack

TKIP is vulnerable to replay (via WMM/QoS queues) and to plaintext discovery (via ChopChop); this affects all WPA-TKIP deployments. Receivers keep a separate TKIP replay counter for each QoS queue, so a captured frame can be replayed on a queue whose counter is still below the frame's sequence counter. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute, the rate being limited by the TKIP MIC countermeasures.

By targeting an ARP frame, whose payload is largely predictable, an attacker can recover the complete plaintext and the MIC checksum. With the plaintext and MIC in hand, the attacker can reverse the Michael MIC algorithm to recover the AP-to-station MIC key and then sign forged frames so they pass the MIC check, opening the door to more advanced attacks.
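The replay described above works because each receiver checks the TKIP sequence counter (TSC) per QoS queue, while the sender uses a single counter for all queues. A WIDS sensor that observes every queue can therefore flag a TSC that reappears from the same transmitter on a different TID. The following added example (illustrative code, not ArubaOS code) parses the 8-byte TKIP IV/Extended IV header to extract the TSC and reports a cross-queue replay; the AP address and the replayed traffic are constructed for the example.

```python
"""TKIP replay detector for a monitor that sees every QoS queue.
Illustrative code with constructed frames, not ArubaOS code."""
import struct
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

AP_BSSID = "00:1a:1e:00:00:01"   # constructed address


def parse_tkip_iv(iv: bytes) -> Tuple[int, int]:
    """Return (tsc, key_id) from the 8-byte TKIP IV/Extended IV header.
    Layout per 802.11: TSC1, WEPSeed, TSC0, KeyID|ExtIV, TSC2, TSC3, TSC4, TSC5."""
    if len(iv) != 8:
        raise ValueError("TKIP IV must be 8 bytes")
    tsc1, _seed, tsc0, flags, tsc2, tsc3, tsc4, tsc5 = struct.unpack("8B", iv)
    if not flags & 0x20:
        raise ValueError("ExtIV bit clear: not a TKIP frame")
    tsc = (tsc5 << 40) | (tsc4 << 32) | (tsc3 << 24) | (tsc2 << 16) | (tsc1 << 8) | tsc0
    return tsc, flags >> 6


def build_tkip_iv(tsc: int, key_id: int = 0) -> bytes:
    """Encode a TSC the way a TKIP sender does (WEPSeed = (TSC1 | 0x20) & 0x7f)."""
    tsc1, tsc0 = (tsc >> 8) & 0xFF, tsc & 0xFF
    seed = (tsc1 | 0x20) & 0x7F
    flags = 0x20 | ((key_id & 0x3) << 6)
    return bytes([tsc1, seed, tsc0, flags,
                  (tsc >> 16) & 0xFF, (tsc >> 24) & 0xFF, (tsc >> 32) & 0xFF, (tsc >> 40) & 0xFF])


class TkipReplayDetector:
    """A TKIP sender has one TSC counter shared by all TIDs, so the same TSC must
    never reappear from the same transmitter on any queue. Receivers only check
    replay per TID, which is exactly what cross-queue replay exploits."""

    def __init__(self, history: int = 4096) -> None:
        self.history = history
        self.seen: Dict[str, "OrderedDict[int, int]"] = {}   # sender -> {tsc: tid}

    def observe(self, sender: str, tid: int, iv: bytes) -> Optional[str]:
        tsc, _key_id = parse_tkip_iv(iv)
        hist = self.seen.setdefault(sender, OrderedDict())
        if tsc in hist:
            prev = hist[tsc]
            kind = "cross-queue replay" if prev != tid else "same-queue replay"
            return f"{kind} from {sender}: TSC {tsc:#x} first seen on TID {prev}, now on TID {tid}"
        hist[tsc] = tid
        if len(hist) > self.history:
            hist.popitem(last=False)   # drop the oldest TSC to bound memory
        return None


def run_sample() -> List[str]:
    """Constructed traffic: the AP sends best-effort (TID 0) frames, then an attacker
    replays one of them on the voice queue (TID 6), where the client's counter is lower."""
    det = TkipReplayDetector()
    alerts: List[str] = []
    captured: Dict[int, bytes] = {}

    def note(result: Optional[str]) -> None:
        if result:
            alerts.append(result)

    for tsc in range(0x1000, 0x1006):
        captured[tsc] = build_tkip_iv(tsc)
        note(det.observe(AP_BSSID, 0, captured[tsc]))
    note(det.observe(AP_BSSID, 6, build_tkip_iv(0x1006)))   # legitimate voice frame
    note(det.observe(AP_BSSID, 6, captured[0x1003]))        # replayed frame on TID 6
    return alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The client receiving the replayed frame on TID 6 sees a TSC above its voice-queue counter and accepts it; only an observer that correlates TSCs across queues notices the duplicate, which is why this check belongs in the WIDS rather than in the per-queue receive path.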

Detecting Unencrypted Valid Clients

An authorized (valid) client that passes traffic unencrypted is a security risk: an intruder within radio range can capture the frames with a sniffer and reassemble them into the original messages.

Detecting a Valid Client Misassociation

This feature does not detect attacks; instead, it monitors authorized (valid) wireless clients and their associations within the network. A valid client that misassociates is a potential risk to network security. The four types of misassociation that are monitored are:

  • Authorized client associated to a rogue AP: A valid client that is associated to a rogue AP.
  • Authorized client associated to an external AP: An external AP, in this context, is any AP that is neither valid nor rogue.
  • Authorized client associated to a honeypot AP: A honeypot is an AP that is not valid but is advertising an SSID that has been designated as valid or protected.
  • Authorized client in ad-hoc mode: A valid client that has joined an ad-hoc network.

Detecting an AirJack Attack

AirJack is a suite of device drivers for 802.11 (a/b/g) raw frame injection and reception. It was intended as a development tool for 802.11 applications that need access to the raw protocol, but one of its included tools lets a user force all clients off an AP.

Detecting ASLEAP

ASLEAP is a Linux tool for attacking the Cisco LEAP authentication protocol: it captures the LEAP challenge/response exchange and recovers the user's password with an offline dictionary attack.

Detecting a Null Probe Response

A null probe response attack can crash or lock up the firmware of many 802.11 NICs. In this attack, a client's probe request is answered with a probe response containing a null (zero-length) SSID; a number of popular NICs lock up on receiving such a frame.
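Signature matching for this attack comes down to parsing the probe response body and checking the SSID information element. The following added example (illustrative code, not ArubaOS code) walks the fixed fields and the tagged elements of a probe response, rejecting truncated elements rather than skipping them, and flags a response whose SSID element is empty or missing. The frame builder and its field values are constructed for the example; a beacon for a hidden network legitimately carries an empty SSID, which is why the check is restricted to probe responses.

```python
"""Null probe response signature check over a parsed management frame body.
Illustrative code with constructed frames, not ArubaOS code."""
import struct
from typing import List, Optional, Tuple

IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3
FIXED_FIELDS_LEN = 12   # timestamp(8) + beacon interval(2) + capability(2)


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Parse (element id, value) pairs from the tagged part of a management frame.
    A truncated element raises instead of being silently dropped, so a malformed
    frame cannot hide an element from the signature check."""
    ies: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated element header")
        eid, elen = body[off], body[off + 1]
        val = body[off + 2: off + 2 + elen]
        if len(val) != elen:
            raise ValueError("truncated element body")
        ies.append((eid, val))
        off += 2 + elen
    return ies


def probe_response_ssid(body: bytes) -> Optional[bytes]:
    """Return the SSID carried in a probe response body, or None if absent."""
    if len(body) < FIXED_FIELDS_LEN:
        raise ValueError("probe response body too short")
    for eid, val in parse_ies(body[FIXED_FIELDS_LEN:]):
        if eid == IE_SSID:
            return val
    return None


def is_null_probe_response(body: bytes) -> bool:
    """Signature: a probe response with an empty or missing SSID element."""
    ssid = probe_response_ssid(body)
    return ssid is None or len(ssid) == 0


def build_probe_response(ssid: Optional[bytes]) -> bytes:
    """Construct a minimal probe response body (sample input only)."""
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0431)   # timestamp, interval, capability
    ies = b""
    if ssid is not None:
        ies += bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    ies += bytes([IE_DS_PARAMS, 1, 6])                # channel 6
    return fixed + ies


if __name__ == "__main__":
    for label, ssid in (("normal", b"corp-wifi"), ("empty SSID", b""), ("no SSID IE", None)):
        print(f"{label}: null probe response = {is_null_probe_response(build_probe_response(ssid))}")
```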