Client Event Detection Levels and Signature Descriptions

Client Event Detection Levels and Signature Descriptions provide a concise overview of the detection levels and detailed descriptions for events related to wireless clients. These classifications help in understanding and managing the severity of events within a wireless network. Detection levels range from low to high, indicating the potential impact of client-related incidents. Signature descriptions offer specific details about the nature and characteristics of each event, aiding in prompt identification and appropriate response to potential issues in the wireless environment. Together, these features enhance network administrators’ ability to proactively address client-related events for improved network security and performance.

Client Event Detection Levels

These are the detection levels that can be configured for client events, with the signatures each level enables.

Low

  • Detect valid client mis-association

Medium

  • Detect Disconnect Station Attack

  • Detect Omerta Attack

  • Detect FATA-Jack Attack

  • Detect Block ACK DoS

  • Detect Hotspotter Attack

  • Detect unencrypted valid client

  • Detect Power Save DoS Attack

High

  • Detect EAP rate anomaly

  • Detect rate anomaly

  • Detect Chop Chop Attack

  • Detect TKIP Replay Attack

  • IDS signature – Air Jack

  • IDS signature – ASLEAP

  • Detect ghost tunnel client attack

Client Events - Names and Descriptions

A listing of the available client event signatures, each with its description from the user guide and the engineering recommendation.

Detect Block ACK DoS

The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11n D3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows for a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.

Very prone to false positives from low-SNR clients, as well as mobile devices with poorly behaved client drivers. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining.

Detect ChopChop Attack

ChopChop is a plaintext recovery attack against WEP-encrypted networks. It recovers the plaintext one byte at a time by truncating a captured frame and then trying all 256 possible values for the last byte with a corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated again.

Recommend disable, as this attack is based on WEP and WEP should NOT be in use anymore.

Detect Disconnect Station Attack

A disconnect attack can be launched in many ways; the result is that the client is effectively and repeatedly disconnected from the AP.

Prone to false positives based on how some clients disassociate/disconnect from Wi-Fi. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining.

Detect EAP Rate Anomaly

To authenticate wireless clients, WLANs may use 802.1X, which is based on a framework called Extensible Authentication Protocol (EAP). After the EAP packet exchange, once the user is successfully authenticated, an EAP-Success is sent from the AP to the client; if the user fails to authenticate, an EAP-Failure is sent. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication state on the client. This confuses the client's state, causing it to drop the AP connection. By continuously sending EAP-Success or EAP-Failure messages, an attacker can effectively prevent the client from authenticating with the APs in the WLAN.

Prone to false positives in EAP environments. If proper security is in place (WPA2 using RADIUS and valid certificates with validation enabled, etc.), the risk is minimal. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining.

Detect FATA-Jack Attack

FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.

Recommend enable unless WIDS is monitoring open/public WLAN networks.

Detect Hotspotter Attack

The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptops at Wi-Fi hotspots in airports, cafes, malls, etc., and have the SSIDs of their hotspot service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known. This enables attackers to set up APs with hotspot SSIDs in close proximity to the enterprise premises. When the enterprise laptop client probes for hotspot SSIDs, these malicious APs respond and invite the client to connect to them. When the client connects to a malicious AP, several security attacks can be launched on the client. Airsnarf is a popular hacking tool used to launch these attacks.

Recommend disable, especially for dense WLAN environments or when the monitored WLAN is within or surrounded by many neighboring WLANs. Very high false-positive rate, and most threats are covered by other WIDS signatures.

Detect a Meiners Power Save DoS Attack

To save on power, wireless clients will “sleep” periodically, during which they cannot transmit or receive. A client indicates its intention to sleep by sending frames to the AP with the Power Management bit ON. The AP then begins buffering traffic bound for that client until it indicates that it is awake. An intruder could exploit this mechanism by sending (spoofed) frames to the AP on behalf of the client to trick the AP into believing the client is asleep. This will cause the AP to buffer most, if not all, frames destined for the client.

High false positives are possible in dense environments or where clients roam rapidly in short periods of time. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining, as clients are very PS-Poll aggressive.

Detect Omerta Attack

Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is “unspecified” and is not used under normal circumstances.

While exact device identification is impossible due to the nature of the attack, general localization of the alert is possible. Recommend enable.
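The reason-code signature described above lends itself to a simple detection rule. The following Python is an added example written for this page, not HPE Aruba Networking WIDS code; the frame tuples are a constructed capture, and the window length and minimum victim count are assumed tuning values, not Aruba defaults.

```python
from collections import defaultdict

OMERTA_REASON = 0x01  # "unspecified reason": not sent by well-behaved stations or APs

# Constructed sample capture (not real traffic).
# Each tuple: (timestamp_s, channel, subtype, src, dst, reason_code or None)
SAMPLE_FRAMES = [
    (0.00, 6,  "data",     "02:00:00:00:00:01", "02:00:00:00:00:aa", None),
    (0.01, 6,  "disassoc", "02:00:00:00:00:aa", "02:00:00:00:00:01", 0x01),
    (0.10, 6,  "data",     "02:00:00:00:00:02", "02:00:00:00:00:aa", None),
    (0.11, 6,  "disassoc", "02:00:00:00:00:aa", "02:00:00:00:00:02", 0x01),
    (0.20, 6,  "data",     "02:00:00:00:00:03", "02:00:00:00:00:aa", None),
    (0.21, 6,  "disassoc", "02:00:00:00:00:aa", "02:00:00:00:00:03", 0x01),
    (1.00, 11, "disassoc", "02:00:00:00:00:bb", "02:00:00:00:00:09", 0x08),  # normal: station leaving the BSS
    (1.50, 11, "disassoc", "02:00:00:00:00:bb", "02:00:00:00:00:08", 0x01),  # single stray frame, below threshold
]


def detect_omerta(frames, window_s=1.0, min_victims=3):
    """Flag a channel when disassociation frames with reason code 0x01 hit
    at least `min_victims` distinct stations within `window_s` seconds.

    Requiring several distinct victims rather than a single frame keeps one
    buggy driver from raising the alert. Both numbers are assumed tuning
    values for this example and should be set from a site baseline.
    """
    hits = defaultdict(list)  # channel -> [(timestamp, victim)]
    for ts, chan, subtype, _src, dst, reason in frames:
        if subtype == "disassoc" and reason == OMERTA_REASON:
            hits[chan].append((ts, dst))

    alerts = []
    for chan, events in hits.items():
        events.sort()
        for t0, _ in events:
            victims = {dst for ts, dst in events if t0 <= ts <= t0 + window_s}
            if len(victims) >= min_victims:
                alerts.append({"channel": chan, "victims": len(victims), "first_seen": t0})
                break  # one alert per channel; localisation is by channel, not by source
    return alerts


if __name__ == "__main__":
    for alert in detect_omerta(SAMPLE_FRAMES):
        print(f"Omerta-style disassociation flood on channel {alert['channel']}: "
              f"{alert['victims']} stations hit from t={alert['first_seen']}s")
```

The source address is deliberately not used for grouping: as the text notes, the frames are spoofed and exact device identification is not possible, so grouping by channel matches the general localisation the signature can provide.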

Detect Rate Anomalies

Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames, which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.

Prone to false positives in dense environments, or areas where large numbers of clients and/or APs are located. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining, as clients are very PS-Poll aggressive.
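Both the EAP rate anomaly signature above and the general management-frame rate anomaly signature here reduce to the same mechanism: a per-source sliding-window count compared against a threshold, with the threshold taken from a baseline of normal traffic, as the recommendations repeatedly advise. The following Python is an added example written for this page, not HPE Aruba Networking code; the two captures are constructed, the frame categories are assumed labels, and the one-second window and headroom factor of 3 are assumed tuning values rather than Aruba defaults.

```python
from collections import defaultdict, deque

AP = "02:00:00:00:00:aa"   # constructed AP address
C1 = "02:00:00:00:00:01"   # constructed client address

# Constructed captures (not real traffic). Each tuple: (timestamp_s, src, category),
# where category is one of the frame kinds the page discusses:
# "eap_success", "eap_failure", "auth", "assoc", "probe_req".
BENIGN_CAPTURE = [
    (0.5, AP, "eap_success"),
    (1.0, C1, "probe_req"), (1.2, C1, "probe_req"), (1.4, C1, "probe_req"),  # a normal scan burst
    (5.2, AP, "eap_success"),
    (10.0, AP, "eap_failure"),                                               # one mistyped password
]
SUSPECT_CAPTURE = [
    (0.0, AP, "eap_failure"), (0.1, AP, "eap_failure"), (0.2, AP, "eap_failure"),
    (0.3, AP, "eap_failure"), (0.4, AP, "eap_failure"),   # EAP-Failure burst apparently from the AP
    (2.0, C1, "probe_req"), (2.1, C1, "probe_req"),
    (2.2, C1, "probe_req"), (2.3, C1, "probe_req"),       # slightly chatty, still within normal range
]


def window_counts(frames, window_s):
    """Yield (ts, src, category, n), where n is the number of frames from
    `src` in that category seen during the last `window_s` seconds."""
    history = defaultdict(deque)
    for ts, src, cat in sorted(frames):
        q = history[(src, cat)]
        q.append(ts)
        while q[0] < ts - window_s:  # q is never empty here: ts was just appended
            q.popleft()
        yield ts, src, cat, len(q)


def baseline_thresholds(benign_frames, window_s=1.0, headroom=3):
    """Derive a per-category threshold from a benign capture: the highest
    window count seen during normal operation, times a headroom factor.
    This is the client baselining step; headroom=3 is an assumed value."""
    peak = defaultdict(int)
    for _, _, cat, n in window_counts(benign_frames, window_s):
        peak[cat] = max(peak[cat], n)
    return {cat: n * headroom for cat, n in peak.items()}


def detect_rate_anomalies(frames, thresholds, window_s=1.0):
    """Return one alert per (src, category) whose sliding-window count
    exceeds its threshold. Categories without a threshold are ignored."""
    alerts = {}
    for ts, src, cat, n in window_counts(frames, window_s):
        limit = thresholds.get(cat)
        if limit is not None and n > limit and (src, cat) not in alerts:
            alerts[(src, cat)] = {"src": src, "category": cat, "count": n, "ts": ts}
    return list(alerts.values())


if __name__ == "__main__":
    limits = baseline_thresholds(BENIGN_CAPTURE)
    print("thresholds from baseline:", limits)
    for a in detect_rate_anomalies(SUSPECT_CAPTURE, limits):
        print(f"rate anomaly: {a['count']} {a['category']} frames from {a['src']} "
              f"within 1s at t={a['ts']}s")
```

Running the baseline capture back through the detector with its own thresholds produces no alerts, which is the property to check before enabling a rate signature in a dense environment: if the quiet period already trips it, the headroom or window needs adjusting before the signature is worth turning on.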

Detect TKIP Replay Attack

TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all TKIP usage in WPA and WPA2. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute. By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC checksum. With the extracted MIC checksum, an attacker can recover the AP-to-station MIC key and sign future messages as MIC-compliant, opening the door to more advanced attacks.

Should only be enabled if a TKIP-based SSID is being monitored. All SSIDs should now be WPA2-based (using AES instead of TKIP). Recommend disable unless the customer has a TKIP-based SSID WLAN.

Detect Unencrypted Valid Clients

An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then reassembled to produce the original message.

Recommend enable, unless one of the monitored WLANs is open. Should not be enabled where open SSIDs are being monitored, as it will generate a large number of alerts.
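The open-SSID caveat above is easy to get wrong in a home-grown check, and so is the 802.1X handshake, whose EAPOL frames legitimately travel unprotected before keys exist. The following Python is an added example for this page, not HPE Aruba Networking code; the client list, BSSID-to-SSID map and frame tuples are constructed, and the tuple layout is an assumed simplification of a captured data frame.

```python
EAPOL_ETHERTYPE = 0x888E  # 802.1X/EAPOL: 4-way handshake frames are sent unprotected by design

# Constructed inventory and capture (not real traffic); addresses are placeholders.
VALID_CLIENTS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
BSSID_TO_SSID = {"02:00:00:00:00:aa": "corp-secure", "02:00:00:00:00:bb": "guest-open"}
OPEN_SSIDS = {"guest-open"}   # monitored SSIDs that are open by design; excluded to avoid alert floods

# Each tuple: (src, bssid, frame_type, ethertype or None, protected_bit)
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "mgmt", None,   False),  # management frame: not data, not checked
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "data", 0x888E, False),  # EAPOL handshake: expected in the clear
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "data", 0x0800, True),   # encrypted IP traffic: fine
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "data", 0x0800, False),  # plaintext IP traffic on a secure SSID
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "data", 0x0806, False),  # plaintext ARP on a secure SSID
    ("02:00:00:00:00:02", "02:00:00:00:00:bb", "data", 0x0800, False),  # valid client on the open SSID: suppressed
    ("02:00:00:00:00:99", "02:00:00:00:00:aa", "data", 0x0800, False),  # not a valid client: other signatures cover it
]


def unencrypted_valid_clients(frames, valid_clients=VALID_CLIENTS,
                              bssid_to_ssid=BSSID_TO_SSID, open_ssids=OPEN_SSIDS):
    """Return {client: {"bssid", "ssid", "frames"}} for valid clients seen
    sending unprotected data frames on an SSID that is not open by design.
    Management frames and EAPOL are skipped; one entry per client is kept
    so a chatty client produces a single alert with a frame count."""
    flagged = {}
    for src, bssid, ftype, ethertype, protected in frames:
        if ftype != "data" or protected or src not in valid_clients:
            continue
        if ethertype == EAPOL_ETHERTYPE:
            continue
        ssid = bssid_to_ssid.get(bssid)
        if ssid in open_ssids:
            continue
        entry = flagged.setdefault(src, {"bssid": bssid, "ssid": ssid, "frames": 0})
        entry["frames"] += 1
    return flagged


if __name__ == "__main__":
    for client, info in unencrypted_valid_clients(SAMPLE_FRAMES).items():
        print(f"valid client {client} sent {info['frames']} unencrypted data frame(s) "
              f"on {info['ssid']} ({info['bssid']})")
```

With the open-SSID exclusion removed (an empty `open_ssids` set), the guest-network client is flagged as well, which is the alert flood the recommendation warns about.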

Detect Valid Client Misassociation

This feature does not detect attacks, but rather it monitors authorized (valid) wireless clients and their association within the network. Valid client misassociation is potentially dangerous to network security. The four types of misassociation monitored are:

  1. Authorized Client associated to Rogue: A valid client that is associated to a rogue AP.

  2. Authorized Client associated to External AP: An external AP, in this context, is any AP that is not valid and not a rogue.

  3. Authorized Client associated to Honeypot AP: A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected.

  4. Authorized Client in ad hoc connection mode: A valid client that has joined an ad hoc network.

Recommend enable for highly security-conscious customers whose clients should NOT be connecting to non-HPE Aruba Networking or non-monitored WLAN SSIDs.
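The four misassociation types above amount to a classification of each (valid client, AP) pairing against the WIDS inventory. The following Python is an added example for this page, not HPE Aruba Networking code; the client list, AP inventory, protected-SSID set and association events are constructed. One ordering choice is an assumption of this example rather than documented Aruba behaviour: a non-valid AP advertising a protected SSID is reported as a honeypot even if the inventory also marks it rogue, because the honeypot finding is the more specific one.

```python
# Constructed inventory (not a real deployment); addresses are placeholders.
VALID_CLIENTS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
PROTECTED_SSIDS = {"corp-secure"}   # SSIDs designated valid/protected
AP_INVENTORY = {                    # BSSID -> WIDS classification and advertised SSID
    "02:00:00:00:00:aa": {"class": "valid",    "ssid": "corp-secure"},
    "02:00:00:00:00:bb": {"class": "rogue",    "ssid": "free-wifi"},
    "02:00:00:00:00:cc": {"class": "external", "ssid": "corp-secure"},  # protected SSID on a non-valid AP
    "02:00:00:00:00:dd": {"class": "external", "ssid": "cafe-guest"},
}
# Constructed association events: (client, bssid or None, mode)
ASSOCIATIONS = [
    ("02:00:00:00:00:01", "02:00:00:00:00:aa", "infra"),
    ("02:00:00:00:00:01", "02:00:00:00:00:bb", "infra"),
    ("02:00:00:00:00:02", "02:00:00:00:00:cc", "infra"),
    ("02:00:00:00:00:02", "02:00:00:00:00:dd", "infra"),
    ("02:00:00:00:00:03", None,                "adhoc"),
    ("02:00:00:00:00:99", "02:00:00:00:00:bb", "infra"),  # not a valid client: outside this signature's scope
]


def classify_misassociation(client, bssid, mode, valid_clients=VALID_CLIENTS,
                            inventory=AP_INVENTORY, protected_ssids=PROTECTED_SSIDS):
    """Return "rogue", "external", "honeypot" or "adhoc" for a misassociation,
    or None when the association is acceptable or the client is not a
    monitored valid client. Checks run from most to least specific."""
    if client not in valid_clients:
        return None
    if mode == "adhoc":
        return "adhoc"
    # An unknown BSSID is "not valid and not a rogue", i.e. external by the page's definition.
    ap = inventory.get(bssid, {"class": "external", "ssid": None})
    if ap["class"] == "valid":
        return None
    if ap["ssid"] in protected_ssids:
        return "honeypot"
    if ap["class"] == "rogue":
        return "rogue"
    return "external"


def misassociation_alerts(associations=ASSOCIATIONS, **kw):
    """Return (client, bssid, type) for every association that is a misassociation."""
    alerts = []
    for client, bssid, mode in associations:
        kind = classify_misassociation(client, bssid, mode, **kw)
        if kind is not None:
            alerts.append((client, bssid, kind))
    return alerts


if __name__ == "__main__":
    for client, bssid, kind in misassociation_alerts():
        print(f"{client} -> {bssid}: authorized client {kind} misassociation")
```

Each of the four outcomes corresponds to one numbered type above; the ordering inside `classify_misassociation` is what decides the result when an AP would fit more than one description.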

Detect AirJack

AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended as a development tool for 802.11 applications that need access to the raw protocol. However, one of the included tools allows a user to force all users off an AP.

Recommend disable, except perhaps for very highly security-conscious customers.

Detect ASLEAP

ASLEAP is a tool created for Linux systems that is used to attack the Cisco LEAP authentication protocol.

Recommend disable unless the HPE Aruba Networking WIDS is an overlay monitoring a Cisco WLAN that uses LEAP.

Detect Null Probe Response

A null probe response attack has the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. Several popular NIC cards will lock up upon receiving such a probe response.

Recommend disable unless large numbers of disconnects are seen with an unknown cause. Most modern NICs are NOT vulnerable.


Last modified: March 12, 2024 (0fa8d52)