
ids dos-profile


ids dos-profile <profile-name>

ap-flood-inc-time <ap-flood-inc-time>

ap-flood-quiet-time <ap-flood-quiet-time>

ap-flood-threshold <ap-flood-threshold>

assoc-rate-thresholds <assoc-rate-thresholds>

auth-rate-thresholds <auth-rate-thresholds>

block-ack-dos-quiet-time <block-ack-dos-quiet-time>

chopchop-quiet-time <chopchop-quiet-time>

client-ht-40mhz-intol-quiet-time <client-ht-40mhz-intol-quiet-time>

client-flood-inc-time <client-flood-inc-time>

client-flood-quiet-time <client-flood-quiet-time>

client-flood-threshold <client-flood-threshold>

clone <source>

cts-rate-quiet-time <cts-rate-quiet-time>

cts-rate-threshold <cts-rate-threshold>

cts-rate-time-interval <cts-rate-time-interval>

deauth-rate-thresholds <deauth-rate-thresholds>

detect-ap-flood

detect-block-ack-dos

detect-chopchop-attack

detect-client-flood

detect-cts-rate-anomaly

detect-disconnect-sta

detect-eap-rate-anomaly

detect-fata-jack-attack

detect-ht-40mhz-intolerance

detect-invalid-address

detect-malformed-association-request

detect-malformed-auth-frame

detect-malformed-htie

detect-malformed-large-duration

detect-omerta-attack

detect-overflow-eapol-key

detect-overflow-ie

detect-power-save-dos-attack

detect-rate-anomalies

detect-rts-rate-anomaly

detect-tkip-replay-attack

detect-wpa-ft-attack

disassoc-rate-thresholds <disassoc-rate-thresholds>

disconnect-deauth-disassoc-threshold <disconnect-deauth-disassoc-threshold>

disconnect-sta-assoc-resp-threshold <disconnect-sta-assoc-resp-threshold>

disconnect-sta-quiet-time <disconnect-sta-quiet-time>

eap-rate-quiet-time <eap-rate-quiet-time>

eap-rate-threshold <eap-rate-threshold>

eap-rate-time-interval <eap-rate-time-interval>

fata-jack-quiet-time <fata-jack-quiet-time>

invalid-address-combination-quiet-time <invalid-address-combination-quiet-time>

malformed-association-request-quiet-time <malformed-association-request-quiet-time>

malformed-auth-frame-quiet-time <malformed-auth-frame-quiet-time>

malformed-htie-quiet-time <malformed-htie-quiet-time>

malformed-large-duration-quiet-time <malformed-large-duration-quiet-time>

no

omerta-quiet-time <omerta-quiet-time>

omerta-threshold <omerta-threshold>

overflow-eapol-key-quiet-time <overflow-eapol-key-quiet-time>

overflow-ie-quiet-time <overflow-ie-quiet-time>

power-save-dos-min-frames <power-save-dos-min-frames>

power-save-dos-quiet-time <power-save-dos-quiet-time>

power-save-dos-threshold <power-save-dos-threshold>

probe-request-rate-thresholds <probe-request-rate-thresholds>

probe-response-rate-thresholds <probe-response-rate-thresholds>

rts-rate-quiet-time <rts-rate-quiet-time>

rts-rate-threshold <rts-rate-threshold>

rts-rate-time-interval <rts-rate-time-interval>

spoofed-deauth-blacklist

tkip-replay-quiet-time <tkip-replay-quiet-time>

wpa-ft-quiet-time <wpa-ft-quiet-time>

wpa-ft-threshold <wpa-ft-threshold>

wpa-ft-time-interval <wpa-ft-time-interval>

Description

This command configures detection of the traffic anomalies that characterize Denial of Service (DoS) attacks, in which an attacker floods the network with excessive frames to prevent legitimate users from accessing the service.

Syntax

Parameter

Description

Range

Default

<profile-name>

Name of the IDS DoS profile.

1-63 characters

“default”

ap-flood-inc-time

<ap-flood-inc-time>

Time, in seconds, during which the AP count is over the threshold (AP flood).

0-36000 seconds

3600 seconds

ap-flood-quiet-time

<ap-flood-quiet-time>

After an alarm has been triggered by an AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered.

60-360000 seconds

900 seconds

ap-flood-threshold

<ap-flood-threshold>

Threshold for the number of spurious APs in the system.

0-100,000

50

assoc-rate-thresholds

<assoc-rate-thresholds>

Rate threshold for associate request frames.

auth-rate-thresholds

<auth-rate-thresholds>

Rate threshold for authenticate frames.

block-ack-dos-quiet-time

<block-ack-dos-quiet-time>

Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged Block ACK Add (ADDBA) request, before the check resumes.

60-360000 seconds

900 seconds

chopchop-quiet-time

<chopchop-quiet-time>

Time to wait, in seconds, after detecting a ChopChop attack after which the check can be resumed.

60-360000 seconds

900 seconds

client-ht-40mhz-intol-quiet-time

<client-ht-40mhz-intol-quiet-time>

Quiet time, in seconds, for the 802.11n 40 MHz intolerance check: how long after the last detection the controller stops reporting a 40 MHz-intolerant station if it has not been detected again.

60-360000 seconds

900 seconds

client-flood-inc-time

<client-flood-inc-time>

Number of consecutive seconds over which the client count is more than the threshold.

0-36000 seconds

3 seconds

client-flood-quiet-time

<client-flood-quiet-time>

Time to wait, in seconds, after detecting a client flood before continuing the check.

60-360000 seconds

900 seconds

client-flood-threshold

<client-flood-threshold>

Threshold for the number of spurious clients in the system.

0-100000

150

clone <source>

Copies the configuration of another IDS DoS profile into this one.

cts-rate-quiet-time

<cts-rate-quiet-time>

Time to wait, in seconds, after detecting a CTS (Clear to Send) rate anomaly, before the check resumes.

60-360000 seconds

900 seconds

cts-rate-threshold

<cts-rate-threshold>

Number of CTS control frames seen within the time interval that constitutes an anomaly.

0-100000

5000

cts-rate-time-interval

<cts-rate-time-interval>

Time interval, in seconds, over which the packet count should be checked.

1-120 seconds

5 seconds

deauth-rate-thresholds

<deauth-rate-thresholds>

Rate threshold for deauthenticate frames.

detect-ap-flood

Enables or disables detection of AP flood attacks.

disabled

detect-block-ack-dos

Enables or disables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.

enabled

detect-chopchop-attack

Enables or disables detection of ChopChop attacks.

disabled

detect-client-flood

Enables or disables detection of client flood attacks.

disabled

detect-cts-rate-anomaly

Enables or disables detection of CTS (Clear to Send) rate anomalies.

disabled

detect-disconnect-sta

In a station disconnection attack, an attacker spoofs the MAC address of either an active client or an active AP and sends deauthentication frames to the target device, causing it to lose its active association.

Use this parameter to enable or disable detection of station disconnection attacks.

enabled

detect-eap-rate-anomaly

Enables or disables detection of EAP (Extensible Authentication Protocol) handshake rate anomalies.

disabled

detect-fata-jack-attack

Enables or disables detection of FATA-Jack attacks.

enabled

detect-ht-40mhz-intolerance

Enables or disables detection of 802.11n 40 MHz intolerance, which controls whether stations and APs advertising 40 MHz intolerance are reported.

disabled

detect-invalid-address

Enables or disables detection of invalid address combinations.

disabled

detect-malformed-association-request

Enables or disables detection of malformed association requests.

disabled

detect-malformed-auth-frame

Enables or disables detection of malformed authentication frames.

disabled

detect-malformed-htie

Enables or disables detection of malformed HT (802.11n High Throughput) information elements.

disabled

detect-malformed-large-duration

Enables or disables detection of unusually large durations in frames.

enabled

detect-omerta-attack

Enables or disables detection of Omerta attacks.

enabled

detect-overflow-eapol-key

Enables or disables detection of overflow EAPOL key requests.

disabled

detect-overflow-ie

Enables or disables detection of overflow IEs.

disabled

detect-power-save-dos-attack

Enables or disables detection of Power Save DoS attacks.

enabled

detect-rate-anomalies

Enables or disables detection of rate anomalies.

disabled

detect-rts-rate-anomaly

Enables or disables detection of RTS (Request to Send) rate anomalies.

disabled

detect-tkip-replay-attack

Enables or disables detection of TKIP (Temporal Key Integrity Protocol) replay attacks.

disabled

detect-wpa-ft-attack

Enables or disables detection of WPA FT (fast BSS transition) attacks.

disabled

disassoc-rate-thresholds

<disassoc-rate-thresholds>

Rate threshold for disassociate frames.

disconnect-deauth-disassoc-threshold

<disconnect-deauth-disassoc-threshold>

Number of deauthentication or disassociation frames seen in a 10-second interval that triggers the station disconnection check.

1-50

8

disconnect-sta-assoc-resp-threshold

<disconnect-sta-assoc-resp-threshold>

Number of successful Association Response or Reassociation Response frames seen in a 10-second interval that triggers the station disconnection check.

1-30

5

disconnect-sta-quiet-time

<disconnect-sta-quiet-time>

After a station disconnection attack is detected, the time, in seconds, that must elapse before the check can be resumed.

60-360000 seconds

900 seconds

eap-rate-quiet-time

<eap-rate-quiet-time>

After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before the check resumes.

60-360000 seconds

900 seconds

eap-rate-threshold

<eap-rate-threshold>

Number of EAP handshakes that must be seen within the EAP rate time interval to trigger an alarm.

0-100000

60

eap-rate-time-interval

<eap-rate-time-interval>

Time interval, in seconds, within which the configured number of EAP handshakes must be seen to trigger an alarm.

1-120 seconds

3 seconds

fata-jack-quiet-time

<fata-jack-quiet-time>

Time to wait, in seconds, after detecting a FATA-Jack attack after which the check can be resumed.

60-360000 seconds

900 seconds

invalid-address-combination-quiet-time

<invalid-address-combination-quiet-time>

Time to wait, in seconds, after detecting an invalid address combination, before the check resumes.

60-360000 seconds

900 seconds

malformed-association-request-quiet-time

<malformed-association-request-quiet-time>

Time to wait, in seconds, after detecting a malformed association request after which the check can be resumed.

60-360000 seconds

900 seconds

malformed-auth-frame-quiet-time

<malformed-auth-frame-quiet-time>

Time to wait, in seconds, after detecting a malformed authentication frame after which the check can be resumed.

60-360000 seconds

900 seconds

malformed-htie-quiet-time

<malformed-htie-quiet-time>

Time to wait, in seconds, after detecting a malformed HT (802.11n High Throughput) information element, before the check resumes.

60-360000 seconds

900 seconds

malformed-large-duration-quiet-time

<malformed-large-duration-quiet-time>

Time to wait, in seconds, after detecting a large duration for a frame after which the check can be resumed.

60-360000 seconds

900 seconds

no

Negates any configured parameter.

omerta-quiet-time

<omerta-quiet-time>

Time to wait, in seconds, after detecting an Omerta attack after which the check can be resumed.

60-360000 seconds

900 seconds

omerta-threshold

<omerta-threshold>

Number of disassociation frames received by a station, as a percentage of the data frames it sent in a 10-second interval, that triggers an Omerta alarm.

1-100

10%

overflow-eapol-key-quiet-time

<overflow-eapol-key-quiet-time>

Time to wait, in seconds, after detecting an overflow EAPOL key request, before the check resumes.

60-360000 seconds

900 seconds

overflow-ie-quiet-time

<overflow-ie-quiet-time>

Time to wait, in seconds, after detecting an overflow IE, before the check resumes.

60-360000 seconds

900 seconds

power-save-dos-min-frames

<power-save-dos-min-frames>

Minimum number of Power Management OFF frames that must be seen from a station in a 10-second interval before the Power Save DoS check is evaluated.

1-1000

120

power-save-dos-quiet-time

<power-save-dos-quiet-time>

Time to wait, in seconds, after detecting a Power Save DoS attack, before the check resumes.

60-360000 seconds

900 seconds

power-save-dos-threshold

<power-save-dos-threshold>

Number of Power Management ON frames sent by a station, as a percentage of the Power Management OFF frames it sent in a 10-second interval, that triggers this event.

1-100%

80%

probe-request-rate-thresholds

<probe-request-rate-thresholds>

Rate threshold for probe request frames.

probe-response-rate-thresholds

<probe-response-rate-thresholds>

Rate threshold for probe response frames.

rts-rate-quiet-time

<rts-rate-quiet-time>

Time to wait, in seconds, after detecting an RTS (Request to Send) rate anomaly, before the check resumes.

60-360000 seconds

900 seconds

rts-rate-threshold

<rts-rate-threshold>

Number of RTS control frames seen within the time interval that constitutes an anomaly.

0-100000

5000

rts-rate-time-interval

<rts-rate-time-interval>

Time interval, in seconds, over which the packet count should be checked.

1-120 seconds

5 seconds

spoofed-deauth-blacklist

Enables or disables detection of a spoofed deauthentication attack against a client associated to an AP. When such an attack is detected, the client is blacklisted (quarantined from the network) so that a follow-on man-in-the-middle attack cannot succeed.

disabled

tkip-replay-quiet-time

<tkip-replay-quiet-time>

Time to wait, in seconds, after detecting a TKIP replay attack, before the check resumes.

60-360000 seconds

900 seconds

wpa-ft-quiet-time

<wpa-ft-quiet-time>

Time to wait, in seconds, after detecting a WPA FT attack, before the check resumes. The minimum is 60 seconds.

60-360000 seconds

900 seconds

wpa-ft-threshold

<wpa-ft-threshold>

Number of reassociation management frames from a particular client, seen within the time interval, that constitutes a WPA FT attack.

0-100000

45

wpa-ft-time-interval

<wpa-ft-time-interval>

Time interval, in seconds, over which the packet count should be checked.

1-120 seconds

60 seconds

Usage Guidelines

DoS attacks are designed to prevent or inhibit legitimate clients from accessing the network. This includes blocking network access completely, degrading network service, and increasing the processing load on clients and network equipment. Most detections in this profile follow one of two patterns: a frame count over a time interval (the *-rate-threshold and *-rate-time-interval pairs), or a ratio of one frame type to another measured in 10-second intervals (omerta-threshold, power-save-dos-threshold). After an alarm, the matching *-quiet-time suppresses an identical alarm until that many seconds have elapsed, so a persistent attacker produces one alarm per quiet period rather than a continuous stream.
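The following Python model shows how the threshold, time-interval and quiet-time parameters interact, and how power-save-dos-min-frames gates the power-save ratio check. It is an added illustration written for this page, not ArubaOS code or output: the exact trigger comparison (count reaching the threshold rather than exceeding it) and the handling of frames seen during quiet time are assumptions, the CTS frame timestamps are constructed, and the CTS parameters are scaled down from the documented defaults so the sample stays readable.

```python
"""Model of an ids dos-profile rate check (threshold / time-interval /
quiet-time) and of the power-save ratio check with its min-frames gate.
Added illustration only: not ArubaOS code.  Assumptions: the anomaly fires
when the frame count *reaches* the threshold inside the interval, and frames
seen during quiet time are counted but never alarmed on."""
from collections import deque


class RateAnomalyDetector:
    """Sliding-window frame counter modelled on the
    *-rate-threshold / *-rate-time-interval / *-rate-quiet-time triple
    (cts-, rts-, eap-, wpa-ft-)."""

    def __init__(self, threshold, interval, quiet_time):
        self.threshold = threshold         # frames per interval that constitute an anomaly
        self.interval = interval           # measurement window, seconds
        self.quiet_time = quiet_time       # suppression after an alarm, seconds
        self._window = deque()             # timestamps of frames still inside the window
        self._quiet_until = float("-inf")  # check is suspended until this time
        self.alarms = []                   # timestamps at which an alarm was raised

    def observe(self, ts):
        """Record one frame seen at `ts` seconds; return True if it raised an alarm."""
        self._window.append(ts)
        # Age out frames that fell outside the measurement interval.
        while ts - self._window[0] > self.interval:
            self._window.popleft()
        # Quiet time: keep counting, but do not raise a second identical alarm.
        if ts < self._quiet_until:
            return False
        if len(self._window) >= self.threshold:      # assumption: >= is the trigger
            self.alarms.append(ts)
            self._quiet_until = ts + self.quiet_time
            self._window.clear()                     # start a fresh count after the alarm
            return True
        return False


def power_save_dos_check(pm_on_frames, pm_off_frames, threshold_pct=80, min_frames=120):
    """One 10-second bucket of the Power Save DoS check: the ratio is only
    evaluated once `min_frames` Power Management OFF frames have been seen
    (power-save-dos-min-frames); it then alarms when PM ON frames are at least
    `threshold_pct` percent of PM OFF frames (power-save-dos-threshold).
    The defaults are the documented defaults (120 frames, 80%)."""
    if pm_off_frames < min_frames:
        return False
    return pm_on_frames * 100 >= threshold_pct * pm_off_frames


def simulate_cts_bursts():
    """Run the detector over constructed CTS frame timestamps.  Parameters are
    scaled down from the defaults (5000 frames / 5 s / 900 s); the quiet time
    of 60 s is the documented minimum."""
    det = RateAnomalyDetector(threshold=5, interval=5, quiet_time=60)
    frames = (
        [0.0, 1.0, 2.0, 3.0]                 # 4 frames in 5 s: below threshold, no alarm
        + [10.0, 10.1, 10.2, 10.3, 10.4]     # 5 frames in 0.4 s: alarm at 10.4
        + [20.0, 20.1, 20.2, 20.3, 20.4]     # same burst inside quiet time: silent
        + [80.0, 80.1, 80.2, 80.3, 80.4]     # quiet time over: alarm again at 80.4
    )
    for ts in frames:
        det.observe(ts)
    return det.alarms


if __name__ == "__main__":
    print("CTS alarms at:", simulate_cts_bursts())
    for on, off in ((100, 110), (100, 120), (90, 120)):
        print(f"PM ON={on} PM OFF={off}: alarm={power_save_dos_check(on, off)}")
```

The second burst at 20 s is the case the quiet-time parameters exist for: the attack is still in progress, but the controller has already raised the alarm and will not raise an identical one until the quiet time has elapsed. When tuning, raise the threshold or shorten the interval if a busy cell trips the check legitimately, and remember that the min-frames gate means a station sending few Power Management OFF frames never reaches the ratio check at all.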

Example

The following commands enable AP flood detection in the DoS profile named “floor2”:

(host) [mynode] (config) #ids dos-profile floor2

(host) [mynode] (IDS Denial Of Service Profile "floor2") #detect-ap-flood

Related Commands

Command

Description

show ids dos-profile

Displays the IDS DoS profile.

Command History

Release

Modification

ArubaOS 8.2.0.0

The following parameters were added:

detect-wpa-ft-attack

wpa-ft-quiet-time

wpa-ft-threshold

wpa-ft-time-interval

ArubaOS 8.0.0.0

Command Introduced.

Command Information

Platform

License

Command Mode

All platforms

Requires the RFprotect license.

Config mode on Mobility Master.
