D-Link DWS-1008 User Manual
88
Enabling Rogue and Countermeasures
Notifications
By default, all SNMP notifications (informs or traps) are disabled. To enable or disable notifications for
rogue detection, Intrusion Detection System (IDS), and Denial of Service (DoS) protection, configure a
notification profile that sends all the notification types for these features.
IDS and DoS Alerts
MSS can detect illegitimate network access attempts and attempts to disrupt network service. In
response, MSS generates messages and SNMP notifications. The following sections describe the types
of attacks and security risks that MSS can detect.
For examples of the log messages that MSS generates when DoS attacks or other security risks are
detected, see “IDS Log Message Examples”.
Note: To detect DoS attacks, active scan must be enabled.
Flood Attacks
A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device
attempts to overwhelm the resources of other wireless devices by continuously injecting management
frames into the air. For example, a rogue client can repeatedly send association requests to try to
overwhelm APs that receive the requests.
The threshold for triggering a flood message is 100 frames of the same type from the same MAC
address, within a one-second period. If MSS detects more than 100 of the same type of wireless frame
within one second, MSS generates a log message. The message indicates the frame type, the MAC
address of the sender, the listener (AP and radio), channel number, and RSSI.
DoS Attacks
When active scan is enabled on APs, MSS can detect the following types of DoS attacks:
•
RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by
overwhelming the radio environment with high-power noise. A symptom of an RF jamming
attack is excessive interference. If an AP radio detects excessive interference on a channel,
and RF Auto-Tuning is enabled, MSS changes the radio to a different channel.
•
Deauthenticate frames—Spoofed deauthenticate frames form the basis for most DoS
attacks, and are the basis for other types of attacks including man-in-the-middle attacks.
The source MAC address is spoofed so that clients think the packet is coming from a
legitimate AP. If an AP detects a packet with its own source MAC address, the AP knows
that the packet was spoofed.
Summary of Contents for DWS-1008
Page 1: ......