Infrastructure Event Detection Levels and Signature Descriptions
Infrastructure Event Detection Levels
The available detection levels that can be configured for infrastructure events.
Low
- Detect AP Spoofing
- Detect Windows bridge
- IDS signature - de-authentication broadcast
- IDS signature - de-association broadcast
Medium
- Detect ad hoc networks using valid SSID – the valid SSID list is auto-configured based on the AP configuration.
- Detect malformed frame large duration
High
- Detect AP impersonation
- Detect ad hoc networks
- Detect valid SSID misuse
- Detect wireless bridge
- Detect 802.11 40 MHz intolerance settings
- Detect active 802.11n greenfield mode
- Detect AP flood attack
- Detect client flood attack
- Detect bad WEP
- Detect CTS rate anomaly
- Detect RTS rate anomaly
- Detect invalid address combination
- Detect malformed frame – HT IE
- Detect malformed frame association request
- Detect malformed frame – auth
- Detect overflow IE
- Detect overflow EAPOL key
- Detect beacon wrong channel
- Detect devices with invalid MAC OUI
- Detect ghost tunnel server attack
Infrastructure Events - Names and Descriptions
A listing of the available infrastructure event signatures along with the description from the user guide and engineering.
- Detect 802.11n 40 MHz Intolerance Setting
When a client sets the HT capability intolerant bit to indicate that it is unable to participate in a 40 MHz BSS, the AP must fall back to 20 MHz operation, and therefore lower data rates, with all its clients. Network administrators often want to know if there are devices advertising 40 MHz intolerance, as this can impact the performance of the network.
Enable this only if you want to know whether any clients have set the intolerance bit where HT40 ESSIDs are configured or monitored. Clients with the intolerance bit set can reduce channel throughput, but this is a performance issue, not a security issue. Recommend Disable.
- Detect Active 802.11n Greenfield Mode
When 802.11n devices use the HT Greenfield operating mode, they cannot share a channel with 802.11a/b/g stations. Not only can they not communicate with legacy devices, but the way they use the transmission medium is different (legacy stations cannot decode the Greenfield preamble), which causes collisions, errors, and retransmissions.
This can generate verbose alerts if a nearby WLAN is broadcasting in Greenfield mode; Greenfield mode is rarely used today. Recommend Disable.
- Detect Ad hoc Networks
An ad hoc network is a collection of wireless clients that form a network amongst themselves without the use of an AP. As far as network administrators are concerned, ad hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad hoc network may also function like a rogue AP. Additionally, ad hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad hoc networks.
This can generate VERY verbose alerts, because devices such as printers and mobile phones frequently have ad hoc mode enabled. Recommend disable unless there is firm control of the devices within the WLAN coverage area and an Incident Response Team can investigate and remediate alerts, or the environment is a high-security customer where policy dictates that ad hoc devices be detected.
- Detect Ad hoc Network Using Valid SSID
If an unauthorized ad hoc network is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious ad hoc network, security breaches or attacks can occur.
This should be rarer than basic ad hoc detection, since it requires the ad hoc network to be configured with one of the valid ESSIDs, and when it does fire it is a strong indicator of malicious intent. Recommend enable for any security-conscious customer.
- Detect AP Flood Attack
Fake AP is a tool that was originally created to thwart wardrivers by flooding the air with beacon frames carrying hundreds of different BSSIDs. To a wardriver it appears as though there are hundreds of APs in the area, concealing the real AP. An attacker can use the same tool to flood an enterprise WLAN or public hotspot with fake AP beacons to confuse legitimate users and to increase the processing load on client operating systems.
Enable this if large numbers of client disconnect reports are a concern. It can be a high false-positive signature depending on the thresholds configured: false alarms occur when APs or gateways reboot and the signature re-triggers, and when the AP/AM table is full (254 BSSIDs seen; the limit can be raised but consumes more AP processing power). Recommend enable for any highly security-conscious customer.
- Detect AP Impersonation
In an AP impersonation attack, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation can be used for man-in-the-middle attacks, for a rogue AP attempting to bypass detection, or for a honeypot attack.
This is a very explicit type of attack where a bad actor spoofs a valid ESSID/BSSID pair. If proper security is in place (WPA2-Enterprise with RADIUS authentication, valid server certificates, and certificate validation enabled on clients, etc.), the risk is minimal. WPA2-PSK networks should use VERY strong passphrases. Open SSIDs are vulnerable. Recommend disable unless there are managed WLANs that are Open, or the customer is highly security-conscious.
- Detect Wireless Hosted Network
If enabled, this feature detects the presence of a wireless hosted network: a client that runs a software AP on its adapter (as with the Windows hosted-network feature) while remaining a client of the infrastructure WLAN.
When a wireless hosted network is detected, this feature sends a “Wireless Hosted Network” warning-level security log message and the wlsxWirelessHostedNetworkDetected SNMP trap. If there are clients associated to the hosted network, it also sends a “Client Associated To Hosted Network” warning-level security log message and the wlsxClientAssociatedToHostedNetworkDetected SNMP trap.
- Detect WIFI-Direct P2P Groups
AOS supports the detection and containment of devices associated to Wi-Fi Direct groups. Wi-Fi Direct is a form of Wireless Hosted Network and shares many of the same features and concepts, such as:
  - The concepts of a Hosted Network group and group leader.
  - The softAP put up as a BSS that clients may associate with.
  - The derivation of the BSSID of the softAP, although different devices behave differently.
  - The ability for devices to BOTH be connected to WLAN infrastructure and host a wireless BSSID simultaneously.
  - The ability for a device to allow sharing, or access from one network to the other.
- Detect AP Spoofing
An AP spoofing attack involves an intruder sending forged frames that are made to look like they come from a legitimate AP. This is trivial for an attacker, since tools are readily available to inject wireless frames with any MAC address the user desires. Spoofing frames from a legitimate AP is the foundation of many wireless attacks.
Attackers use spoofed AP frames to force clients to disconnect and rekey, so that handshakes can be captured and an encryption key recovered more quickly (as with a weak WPA2-PSK passphrase). Recommend enable.
- Detect Bad WEP
This is the detection of WEP initialization vectors (IVs) that are known to be weak. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period and search for weak IVs, which many legacy devices still generate.
WEP should no longer be in use anywhere. Recommend disable unless the goal is protection of an antiquated WEP-based WLAN.
- Detect Beacon Wrong Channel
In this type of attack, an intruder spoofs a beacon frame on a channel that is different from the channel advertised inside the beacon frame of the AP.
Prone to false positives: it triggers when nearby or monitored WLANs change channels often (which is VERY common). It would only be meaningful in VERY large quantities, and even then is likely a false positive. Recommend disable.
- Detect Client Flood
There are fake-AP tools that can be used to attack the wireless intrusion detection system itself by generating a large number of fake clients that fill its internal tables with bogus entries. If successful, this overwhelms the WIDS, resulting in a DoS.
This can be enabled, but it is generally an attack on the WIDS itself. It is similar to AP Flood and can produce false positives. If enabled, the threshold should be set up to 150. Recommend disable unless the customer is highly security-conscious.
- Detect RTS Rate Anomaly
The RF medium can be reserved via Virtual Carrier Sensing using an RTS/CTS transaction. The transmitting station sends a Request To Send (RTS) frame to the receiving station, which responds with a Clear To Send (CTS) frame. All other stations that receive these frames refrain from transmitting on the wireless medium for the time specified in the duration fields of the frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames, causing other stations in the WLAN to defer transmission and essentially blocking the authorized stations.
Very common false positive, generally indicative of bad client drivers, and requires baselining of the known client environment to know what is ‘normal’ versus what is ‘abnormal’. It is mostly a DoS-type attack to disrupt transmission. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining.
- Detect CTS Rate Anomaly
The RF medium can be reserved via Virtual Carrier Sensing using an RTS/CTS transaction. The transmitting station sends an RTS frame to the receiving station, which responds with a CTS frame. All other stations that receive these frames refrain from transmitting on the wireless medium for the time specified in the duration fields of the frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames, causing other stations in the WLAN to defer transmission and essentially blocking the authorized stations.
Very common false positive, generally indicative of bad client drivers, and requires baselining of the known client environment to know what is ‘normal’ versus what is ‘abnormal’. It is mostly a DoS-type attack to disrupt transmission. Recommend disable unless the customer is highly security-conscious and willing to tune the thresholds based on client baselining.
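Both rate-anomaly signatures, and the AP flood and client flood signatures earlier in this list, come down to the same tuning question: is this station's frame rate abnormal for this site? The Python below is an added example, not HPE Aruba Networking code. It shows how a threshold learned from a capture of known-good traffic separates a client with a noisy driver from an actual RTS flood, where a fixed default flags both. The default threshold, MAC addresses and traffic are constructed; real thresholds are configured in the controller's IDS profiles.

```python
"""Per-station frame-rate anomaly detection with an environment baseline, in
the spirit of the RTS/CTS rate anomaly, AP flood and client flood signatures.
Added example, not HPE Aruba Networking code.  The default threshold, MAC
addresses and traffic are constructed for illustration."""
from collections import Counter, defaultdict
from statistics import quantiles

WINDOW_S = 1.0
# Constructed stand-in for a factory default: flag a station sending more
# than this many RTS frames in one window.
DEFAULT_RTS_PER_SEC = 50


def windowed_counts(events, kind):
    """events: iterable of (t_seconds, station_mac, frame_kind).
    Return {station: [frames of `kind` per one-second window, ...]}."""
    per_station = defaultdict(Counter)
    for t, sta, k in events:
        if k == kind:
            per_station[sta][int(t // WINDOW_S)] += 1
    return {sta: list(c.values()) for sta, c in per_station.items()}


def baseline_threshold(events, kind, margin=2.0, floor=DEFAULT_RTS_PER_SEC):
    """Learn a threshold from known-good traffic: the 99th percentile of
    per-station, per-window counts times a safety margin, never below `floor`.
    Clients with noisy drivers end up inside the baseline instead of alerting."""
    counts = [c for cs in windowed_counts(events, kind).values() for c in cs]
    if len(counts) < 2:
        return floor
    p99 = quantiles(counts, n=100)[-1]
    return max(floor, int(p99 * margin))


def detect(events, kind, threshold):
    """Return {station: peak per-window count} for stations over `threshold`."""
    peaks = {sta: max(cs) for sta, cs in windowed_counts(events, kind).items()}
    return {sta: peak for sta, peak in peaks.items() if peak > threshold}


def synth_traffic(station, rate_per_sec, seconds, kind="RTS", start=0):
    """Constructed, deterministic traffic: `rate_per_sec` evenly spaced frames.
    Integer-valued rates keep the window boundaries exact."""
    return [(start + i / rate_per_sec, station, kind)
            for i in range(rate_per_sec * seconds)]


def demo():
    healthy = [f"aa:bb:cc:00:00:0{i}" for i in range(1, 4)]     # constructed
    chatty = "aa:bb:cc:00:00:99"    # constructed: legitimate client, noisy driver
    attacker = "de:ad:be:ef:00:01"  # constructed: RTS flood source

    # Ten seconds of known-good traffic used to learn the site baseline.
    baseline_capture = []
    for sta in healthy:
        baseline_capture += synth_traffic(sta, 10, 10)
    baseline_capture += synth_traffic(chatty, 80, 10)

    # The same environment plus two seconds of flooding.
    incident = baseline_capture + synth_traffic(attacker, 500, 2)

    learned = baseline_threshold(baseline_capture, "RTS")
    return {
        "learned_threshold": learned,
        "default_hits": detect(incident, "RTS", DEFAULT_RTS_PER_SEC),
        "tuned_hits": detect(incident, "RTS", learned),
    }


if __name__ == "__main__":
    result = demo()
    print("learned threshold :", result["learned_threshold"])
    print("default threshold :", result["default_hits"])   # flags the chatty driver too
    print("tuned threshold   :", result["tuned_hits"])     # flags only the flood
```

The baseline capture must be taken from a period believed to be attack-free, and re-learned when the client population changes (new device types, driver updates); a baseline that quietly absorbs an ongoing low-rate flood is worse than the default.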
- Detect Device with a Bad MAC OUI
The first three bytes of a MAC address, known as the organizationally unique identifier (OUI), are assigned by the IEEE to known manufacturers. Often, clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address.
Very verbose false positives. Triggered by virtual MACs, by the per-network randomized (locally administered) MAC addresses that current client operating systems use by default, and by the steady stream of newly assigned OUIs. Recommend disable.
- Detect Invalid Address Combination
In this attack, an intruder can cause an AP to transmit deauthentication and disassociation frames to all its clients. Triggers that can cause this condition include the use of a broadcast or multicast MAC address in the source address field.
This is a DoS-type attack on the WLAN. Malformed frames, bad client drivers, neighboring misbehaving APs, etc. can trigger it. Very high false-positive rates; generally NOT a security threat. Recommend disable unless the customer is highly security-conscious and all client devices are managed, tested, and tracked.
- Detect Overflow EAPOL Key
Some wireless drivers used in access points do not correctly validate the EAPOL-Key fields. A malicious EAPOL-Key packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful 802.11 association exchange.
Recommend disable unless HPE Aruba Networking WIDS is deployed as an overlay monitoring a third-party WLAN. Will likely show false positives from poorly performing clients or very dense client environments. Only enable in that overlay case, and for a highly security-conscious customer.
- Detect Overflow IE
Some wireless drivers used in access points do not correctly parse vendor-specific IE tags. A malicious association request sent to the AP containing an IE with an inappropriate (too long) length can cause a DoS and potentially lead to code execution. The association request must be sent after a successful 802.11 authentication exchange.
Recommend disable unless HPE Aruba Networking WIDS is deployed as an overlay monitoring a third-party WLAN. Will likely show false positives from poorly performing clients or very dense client environments. Only enable in that overlay case, and for a highly security-conscious customer.
- Detect Malformed Frame Association Request
Some wireless drivers used in access points do not correctly parse the SSID information element contained in association request frames. A malicious association request with a null SSID (that is, a zero-length SSID) can trigger a DoS or potential code execution condition on the targeted device.
Recommend disable unless HPE Aruba Networking WIDS is deployed as an overlay monitoring a third-party WLAN. Will likely show false positives from poorly performing clients or very dense client environments. Only enable in that overlay case, and for a highly security-conscious customer.
- Detect Malformed Frame Auth
Malformed 802.11 authentication frames that do not conform to the specification can expose vulnerabilities in drivers that have not implemented proper error checking. This feature checks for unexpected values in an Authentication frame.
Recommend disable unless HPE Aruba Networking WIDS is deployed as an overlay monitoring a third-party WLAN. Will likely show false positives from poorly performing clients or very dense client environments. Only enable in that overlay case, and for a highly security-conscious customer.
- Detect Malformed Frame-HT IE
The IEEE 802.11n HT (High Throughput) IE is used to convey information about the 802.11n network. An 802.11 management frame containing a malformed HT IE can crash some client implementations, potentially representing an exploitable condition when transmitted by a malicious attacker.
Recommend disable unless HPE Aruba Networking WIDS is deployed as an overlay monitoring a third-party WLAN. Will likely show false positives from poorly performing clients or very dense client environments. Only enable in that overlay case, and for a highly security-conscious customer.
- Detect Malformed Frame Large Duration
The virtual carrier-sense attack is implemented by modifying the 802.11 MAC layer implementation to send random duration values periodically. This attack can be carried out with ACK, data, RTS, and CTS frame types by using large duration values, and can prevent channel access for legitimate users.
Recommend disable. Will likely show false positives from poorly performing clients or very dense client environments, as other vendors' APs often send frames with large duration values. A large duration value keeps every receiving station off the medium for the full value, so a sustained stream of such frames acts as an extended hold-down rather than a single lost frame.
- Detect Misconfigured AP
A list of parameters can be configured to define the characteristics of a valid AP. This feature is primarily used when non-HPE Aruba Networking APs are used in the network, since the HPE Aruba Networking gateway cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels, and valid SSIDs.
Recommend disable unless a third-party WLAN is being monitored. May often show false positives from poorly performing clients or dense client environments. May catch a spoofed AP in a different location. If enabled, it is only for highly security-conscious customers with controlled physical environments and limited neighboring WLANs.
- Detect Windows Bridge
A Windows bridge occurs when a client that is associated to an AP is also connected to the wired network and has enabled bridging between the two interfaces.
Recommend enable for security-conscious customers. This should generally be a low false-positive alert.
- Detect Wireless Bridge
Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that extends the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs, in that they do not use beacons and have no concept of association. Most networks do not use bridges; in these networks, the presence of a bridge is a signal that a security problem exists.
Recommend enable, though non-HPE Aruba Networking wireless bridges must be marked as ‘Valid’. Does not trigger on ArubaOS Mesh but may trigger on other vendors' mesh solutions.
- Detect Broadcast Deauthentication
A deauthentication broadcast attempts to disconnect all stations in range. Rather than sending a spoofed deauthentication frame to a specific MAC address, this attack sends the frame to the broadcast address.
Recommend enable; may require on-site troubleshooting to narrow down the source.
- Detect Broadcast Disassociation
By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS.
Recommend enable; may require on-site troubleshooting to narrow down the source.
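Several of the signatures above (Invalid Address Combination, Malformed Frame Large Duration, Overflow IE, Beacon Wrong Channel, and the two broadcast signatures) are decisions about a single captured frame. The Python below is an added example, not HPE Aruba Networking code: it parses the 802.11 MAC header and, for beacons, the information elements, and returns the signatures a frame would trigger. The duration threshold, MAC addresses and sample frames are constructed.

```python
"""Single-frame checks modelled on several of the infrastructure signatures:
broadcast deauthentication/disassociation, invalid address combination,
malformed frame - large duration, beacon wrong channel and overflow IE.
Added example, not HPE Aruba Networking code.  The threshold, MAC addresses
and frames below are constructed for illustration."""
import struct

BROADCAST = b"\xff" * 6
# Constructed threshold: Duration/ID holds a 15-bit NAV value in microseconds
# (max 32767); legitimate frames seldom reserve more than a few milliseconds.
LARGE_DURATION_US = 10_000

# 802.11 management frame subtypes (frame control type 0)
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
IE_DS_PARAMETER_SET = 3          # tag 3: current channel


def is_group_address(mac: bytes) -> bool:
    """I/G bit (LSB of the first octet) set => multicast or broadcast."""
    return bool(mac[0] & 0x01)


def parse_ies(body: bytes):
    """Yield (tag, value) from a tagged-parameter blob.  Raise ValueError when
    a declared IE length runs past the end of the frame (overflow IE)."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header")
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError(f"IE {tag} length {length} overflows frame")
        yield tag, body[i + 2 : i + 2 + length]
        i += 2 + length


def check_frame(frame: bytes, rx_channel: int) -> list:
    """Return the names of the signatures a single captured frame would trigger.
    rx_channel is the channel the monitor radio was listening on."""
    if len(frame) < 24:
        return ["malformed: short header"]
    hits = []
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1, addr2 = frame[4:10], frame[10:16]        # receiver, transmitter

    # Bit 15 set means the field carries a PS-Poll AID or CFP marker, not a NAV.
    if not duration & 0x8000 and duration > LARGE_DURATION_US:
        hits.append("malformed frame - large duration")

    # A transmitter/source address must be unicast.
    if is_group_address(addr2):
        hits.append("invalid address combination")

    if ftype == 0:                                   # management frame
        if subtype == SUBTYPE_DEAUTH and addr1 == BROADCAST:
            hits.append("broadcast deauthentication")
        elif subtype == SUBTYPE_DISASSOC and addr1 == BROADCAST:
            hits.append("broadcast disassociation")
        elif subtype == SUBTYPE_BEACON:
            # Beacon body: timestamp(8) + interval(2) + capability(2), then IEs
            body = frame[24 + 12:]
            try:
                for tag, val in parse_ies(body):
                    if tag == IE_DS_PARAMETER_SET and len(val) == 1 and val[0] != rx_channel:
                        hits.append("beacon wrong channel")
            except ValueError:
                hits.append("overflow IE")
    return hits


# --- constructed sample frames -------------------------------------------
def mgmt_frame(subtype, addr1, addr2, addr3, body=b"", duration=0):
    fc = subtype << 4                                # version 0, type 0 (mgmt)
    return struct.pack("<HH", fc, duration) + addr1 + addr2 + addr3 + b"\x00\x00" + body


def beacon_body(ssid: bytes, channel: int) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, 0x0411)     # timestamp, interval, capability
    return fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82]) + bytes([3, 1, channel])


AP = bytes.fromhex("001122334455")                   # constructed AP BSSID
CLIENT = bytes.fromhex("aabbccddeeff")               # constructed client MAC
MCAST_SRC = bytes.fromhex("01005e000001")            # group address used as SA
REASON = struct.pack("<H", 7)                        # reason code body

SAMPLES = {
    "deauth_bcast": mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, REASON),
    "disassoc_bcast": mgmt_frame(SUBTYPE_DISASSOC, BROADCAST, AP, AP, REASON),
    "deauth_unicast": mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON),
    "multicast_source": mgmt_frame(SUBTYPE_DEAUTH, CLIENT, MCAST_SRC, AP, REASON),
    "large_duration": mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON, duration=30_000),
    "beacon_ok": mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, beacon_body(b"corp", 6)),
    "beacon_wrong_channel": mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, beacon_body(b"corp", 11)),
    "beacon_overflow_ie": mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP,
                                     struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, 200]) + b"corp"),
}


def run_samples(rx_channel: int = 6) -> dict:
    return {name: check_frame(frame, rx_channel) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:22s} -> {hits or ['clean']}")
```

Note that a frame can legitimately match several checks at once (a broadcast deauthentication with a multicast source address, for instance), and that the per-frame verdict is only the first stage: the recommendations above are about how many such verdicts, from how many sources, are worth an alert.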
- Detect NetStumbler
NetStumbler is a popular wardriving application used to locate 802.11 networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version 3.3.0 of NetStumbler changed the characteristic frame slightly.
Recommend disable; this is no longer a common threat vector.
- Detect Valid SSID Misuse
If an unauthorized AP (neighbor or interfering) is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious network, security breaches or attacks can occur.
Recommend enable.
- Detect Wellenreiter
Wellenreiter is a passive wireless network discovery tool used to compile a list of the APs in the vicinity along with their MAC address, SSID, channel, and security settings. It passively sniffs wireless traffic and, in certain versions (1.4, 1.5, and 1.6), sends active probes that target known default SSIDs.
Recommend disable, as the tool dates from the WEP era and WEP should NOT be in use anymore.