Ghost Tunnel Attack Detection

A ghost tunnel attack is a backdoor transmission method that can be used in an isolated environment. It uses 802.11 probe request packets or beacon packets to communicate with the host and does not need to establish a Wi-Fi connection.

The server side of a ghost tunnel uses beacon packets to send commands to the client, and the client automatically sends probe request packets in response to the server's request, thereby infecting the system. The server-side ghost tunnel attack detection system relies on identifying abnormal beacon packets and flagging the attacking server.

For the client-side ghost tunnel attack, the AP monitors abnormal probe request packets in the wireless environment. When the AP hears a client, it looks for abnormal probe request packets from that client. The system reports a ghost tunnel detection event with the client's MAC address when the alert criteria are met. If only abnormal probe request packets are monitored and there is no matching client, the reported event does not contain the client's MAC address.

Configuration

Ghost tunnel attack detection can be enabled on the access point using the webUI or the CLI. However, parameters for ghost tunnel attack detection such as attack interval, attack threshold, and quiet time can only be configured through the CLI.

Enabling Ghost Tunnel Attack Detection

To configure ghost tunnel server attack detection on the access point using the webUI, set the Infrastructure detection setting to High in the Configuration > IDS > Detection page. For more information on configuring IDS settings, see Configuring WIP and Detection Levels.

To configure ghost tunnel client attack detection on the access point using the webUI, set the Clients detection setting to High in the Configuration > IDS > Detection section of the webUI. For more information on configuring IDS settings, see Configuring WIP and Detection Levels.

Configuring Ghost Tunnel Attack Detection Parameters

Parameters for identifying Ghost Tunnel attacks can only be configured using the CLI. Parameters such as interval of probe requests to classify an attack, threshold, and time between checks are configured using the ids command.

The following commands configure ghost tunnel detection on the AP:

(Instant AP)(config)# ids

(Instant AP)(IDS)# detect-ghosttunnel-client-attack

(Instant AP)(IDS)# detect-ghosttunnel-server-attack

(Instant AP)(IDS)# ghosttunnel-client-attack-interval <seconds>

(Instant AP)(IDS)# ghosttunnel-client-attack-threshold <threshold>

(Instant AP)(IDS)# ghosttunnel-client-quiet-time <seconds>

(Instant AP)(IDS)# ghosttunnel-server-attack-interval <seconds>

(Instant AP)(IDS)# ghosttunnel-server-attack-threshold <threshold>

(Instant AP)(IDS)# ghosttunnel-server-quiet-time <seconds>

For more information, see Aruba Instant 8.x CLI Reference Guide.
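
The following Python model of the client-side interval, threshold, and quiet-time parameters is an added example, not code from Aruba Instant. It assumes that an event is raised once the threshold count of abnormal probe requests is seen within the interval, that quiet time then suppresses repeat events for the same source, and that frames are classified as abnormal upstream; the class and function names are hypothetical and the MAC addresses are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    time: float
    client_mac: Optional[str]  # None when no matching client was heard

class ClientAttackModel:
    """Hypothetical model of the three client-side parameters (assumed semantics)."""

    def __init__(self, interval, threshold, quiet_time):
        self.interval, self.threshold, self.quiet_time = interval, threshold, quiet_time
        self.known_clients = set()        # MACs the AP has heard as clients
        self.window = defaultdict(deque)  # source key -> recent abnormal-probe times
        self.quiet_until = {}             # source key -> end of its quiet period

    def client_heard(self, mac):
        self.known_clients.add(mac.lower())

    def abnormal_probe(self, ts, src_mac):
        """Feed one probe request already classified as abnormal upstream."""
        mac = src_mac.lower()
        key = mac if mac in self.known_clients else None  # unmatched -> no MAC
        if ts < self.quiet_until.get(key, float("-inf")):
            return None                   # still inside quiet time
        times = self.window[key]
        times.append(ts)
        while ts - times[0] > self.interval:
            times.popleft()               # drop observations older than the interval
        if len(times) < self.threshold:
            return None
        times.clear()
        self.quiet_until[key] = ts + self.quiet_time
        return Event(ts, key)

def demo():
    # Constructed observations: (seconds, source MAC of an abnormal probe request)
    model = ClientAttackModel(interval=10, threshold=3, quiet_time=30)
    model.client_heard("02:00:00:00:00:AA")
    frames = [(0, "02:00:00:00:00:aa"), (4, "02:00:00:00:00:aa"),
              (8, "02:00:00:00:00:aa"), (12, "02:00:00:00:00:aa"),
              (20, "02:00:00:00:00:bb"), (40, "02:00:00:00:00:bb"),
              (45, "02:00:00:00:00:bb"), (49, "02:00:00:00:00:bb")]
    events = [model.abnormal_probe(ts, mac) for ts, mac in frames]
    return [e for e in events if e is not None]

if __name__ == "__main__":
    for event in demo():
        print(event)
```

In the constructed run, the frame at 12 seconds falls inside the quiet time and is suppressed, and the second event carries no MAC address because its source was never heard as a client.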