RF Alarm descriptions

Intrusion related RF alarms
Rogue AP Detected
A rogue access point is the single biggest threat to WiFi security. Rogue access points are unauthorized access points that are physically connected to your wired Ethernet LAN, typically SOHO-grade APs that employees plug in at their desks to get WiFi access. A rogue AP punches a hole in the corporate perimeter by exposing the entire wired network to anyone within radio range.

Rogue Client Detected
Rogue clients are unauthorized wireless clients operating in your network. With the price of WiFi cards falling, more and more of them find their way into the enterprise LAN for the sake of mobility, and such unauthorized cards are a serious threat to WLAN security.

Rogue Adhoc Client Detected
Wireless devices can communicate directly with each other in ad-hoc mode. Ad-hoc mode is not recommended because it does not support most of the security standards available in infrastructure mode (AP to mobile unit), so devices communicating in ad-hoc mode are a security threat.

AirJack Detected
AirJack is a free Linux device driver and API for 802.11 cards that allows raw frames to be injected into a WLAN. The 802.11 specification defines deauthentication as a notification, not a request: a station cannot refuse it. Because management frames carry no authentication (unless 802.11w Protected Management Frames is in use), AirJack simply transmits deauthentication frames with the AP's MAC address as the spoofed source, forcing clients to disconnect from the AP. The attack can be aimed at a single client or, via the broadcast address, at every client in the BSS.
AP SSID Changed
If the SSID change was not made by a WLAN administrator, it may indicate that an attacker is spoofing the AP's MAC address to masquerade as the legitimate access point.

AP Channel Changed
A channel change made by a WLAN administrator, or by the AP itself in response to interference, is normal. Otherwise it may indicate that an attacker is spoofing the AP's MAC address to masquerade as the legitimate access point.

Random MAC Address Detected
A station whose MAC address keeps changing at random indicates the presence of a hacking tool such as Wellenreiter.

Spoofed MAC Address
The MAC address of an AP or client has been spoofed. MAC address spoofing enables a range of attacks; if MAC-based authentication (address filtering) is in use, an attacker who copies an authorized address bypasses it outright.
ASLEAP Attack Detected
ASLEAP is a tool that exploits a weakness in Cisco's proprietary LEAP protocol. LEAP authenticates users with a modified MS-CHAPv2 challenge/response that is sent in the clear; the response is computed from the user's NT password hash padded with five zero bytes and split into three DES keys, so the third key has only 2^16 possibilities. An attacker who captures one exchange recovers two bytes of the hash and then runs an offline dictionary or brute-force attack on the password.

Client is Sending Spurious Traffic
A client is sending traffic without having associated with an AP. It is most likely a rogue client, and someone may be injecting forged 802.11 packets in an attempt to connect to an AP.

Adhoc SSID same as AP
Ad-hoc (IBSS) mode creates a network without an AP; each node is a peer able to send and receive data. A malicious user can start an ad-hoc network with the same SSID as a legitimate AP, fooling clients into believing they are connected to that AP.

Hotspotter Attack Detected
Hotspotter is a free, open-source tool that passively monitors probe requests from Windows XP clients and compares them against a list of common hotspot SSIDs. On a match, the rogue client brings up an AP with the requested SSID so that the victim connects to it.

Airsnarf Attack Detected
Airsnarf is an open-source tool that creates an AP configured to look like a public hotspot in order to lure clients.

WEPWedgie Attack Detected
WEPWedgie is a toolkit for recovering 802.11 WEP keystreams and injecting traffic encrypted with a known keystream, without knowing the WEP key.

Constant Traffic
A device is generating a large, constant stream of 802.11 data frames. Without load balancing this can starve other users on the network.
Denial-of-service Attacks
Fata-Jack Attack Detected
Fata-jack is a modified version of Wlan-jack written by Mark Osborne. It sends authentication-failed frames (with a reason code indicating that the previous authentication failed) to a wireless client. The source and destination MAC addresses can be spoofed so that the frames appear to come from the AP.

Deauthentication Storm
This may be evidence of an attack with the void11 tool. void11, a penetration-testing tool written by Reyk Floeter, floods a wireless network with deauthentication frames carrying a spoofed BSSID, so authenticated stations drop their connections.

AP Overloaded
The AP has refused a new client that attempted to associate. This can be caused by an AP under extremely heavy load from legitimate clients, or it can be evidence of a denial-of-service attack in progress: some attacks create many fake associations so that legitimate clients can no longer use the AP.

Disassociation Storm
Someone is sending a large number of disassociation management frames to the AP. Under normal 802.11 conditions this does not happen; it indicates that a rogue client is operating.

Association Storm
Someone is sending a large number of association management frames to the AP. Under normal 802.11 conditions this does not happen; it indicates that a rogue client is operating.

Authentication Storm
This may be evidence of an attack with the void11 tool. void11 floods an AP with authentication frames from random station addresses; after enough flooding some APs deny service to everyone.

RF Jamming Detected
An abnormal noise level indicates that a device is jamming your legitimate signal. It may also be benign, for example neighbouring APs operating on the same channel, so check the channel before treating it as an attack.

EAPoL Start Storm
A client is sending an excessive number of EAPoL-Start frames to the AP. Extensible Authentication Protocol (EAP) is the IETF standard for extensible authentication in network access; it is standardized for use within PPP (RFC 2284), wired IEEE 802 networks (IEEE 802.1X) and VPNs (L2TP/IPsec and PIC). Each EAPoL-Start makes the AP begin a new 802.1X exchange, so a flood of them ties up the authenticator.

EAPoL Logoff Storm
A client is sending an excessive number of EAPoL-Logoff frames to the AP. If the source address is spoofed to that of a legitimate client, each frame logs that client off.

Duration Attack Detected
The duration field in an 802.11 frame tells the other stations on the network how long they must wait (the NAV, at most 32,767 microseconds) before transmitting. A station that sends excessively large values denies service to everyone else, because they defer to it.

Broadcast Disassociation Packet
A device transmitted a disassociation frame to the broadcast address. This indicates that someone may be injecting malicious frames onto the network.

Broadcast Deauthentication Packet
A client transmitted a deauthentication frame to the broadcast address.

Improper Broadcast Packet
A client transmitted a non-broadcast packet to the broadcast address.
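The storm alarms in this section (deauthentication, disassociation, association, authentication, EAPoL Start and EAPoL Logoff), the duration attack, the two broadcast-packet alarms, the Random MAC Address alarm from the intrusion section and the AirJack deauthentication attack all reduce to the same logic: count frames of one type from one source inside a sliding window and check a few fields on each frame. As an added example, not the product's own detection code, the Python below implements that logic over constructed sensor events. The event tuple format, the one-second window, the threshold of 20 frames, the 30,000 microsecond duration limit and the locally-administered-bit heuristic for random MACs are all assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Alarm raised when one source exceeds the threshold for a frame type.
STORM_ALARMS = {
    "deauth": "Deauthentication Storm",
    "disassoc": "Disassociation Storm",
    "assoc_req": "Association Storm",
    "auth": "Authentication Storm",
    "eapol_start": "EAPoL Start Storm",
    "eapol_logoff": "EAPoL Logoff Storm",
}


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomised addresses commonly set this bit, so it is a cheap hint for the
    Random MAC Address alarm; it is an assumed heuristic, not proof.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


class StormDetector:
    """Sliding-window frame counter plus per-frame field checks."""

    def __init__(self, window=1.0, threshold=20, max_duration=30000):
        self.window = window              # seconds of history kept per (source, type)
        self.threshold = threshold        # frames inside the window that count as a storm
        self.max_duration = max_duration  # microseconds; the NAV field cannot exceed 32767
        self._hist = defaultdict(deque)   # (source, type) -> timestamps inside the window
        self._open = set()                # storms already reported, to avoid repeats
        self._laa = set()                 # random-looking sources already reported

    def process(self, ts, ftype, src, dst, duration=0):
        """Feed one frame; return the alarm names it triggers (possibly none)."""
        alarms = []
        if ftype == "deauth" and dst == BROADCAST:
            alarms.append("Broadcast Deauthentication Packet")
        if ftype == "disassoc" and dst == BROADCAST:
            alarms.append("Broadcast Disassociation Packet")
        if duration > self.max_duration:
            alarms.append("Duration Attack Detected")
        if is_locally_administered(src) and src not in self._laa:
            self._laa.add(src)
            alarms.append("Random MAC Address Detected")
        if ftype in STORM_ALARMS:
            key = (src, ftype)
            q = self._hist[key]
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop frames older than the window
                q.popleft()
            if len(q) >= self.threshold:
                if key not in self._open:           # report once per burst
                    self._open.add(key)
                    alarms.append(STORM_ALARMS[ftype])
            else:
                self._open.discard(key)             # burst ended; re-arm the alarm
        return alarms


def detect(events, **kwargs):
    """Run a detector over (ts, type, src, dst[, duration]) tuples.

    Returns a list of (ts, src, alarm) triples in the order they fire.
    """
    det = StormDetector(**kwargs)
    out = []
    for ev in events:
        ts, ftype, src, dst = ev[:4]
        duration = ev[4] if len(ev) > 4 else 0
        for alarm in det.process(ts, ftype, src, dst, duration):
            out.append((ts, src, alarm))
    return out


# Constructed sample events (not a real capture): a void11-style flood of 25
# deauthentication frames in half a second, spoofed as the AP and sent to the
# broadcast address, then one data frame carrying the maximum NAV value and
# an ordinary association request.
AP = "00:11:22:33:44:55"
CLIENT = "00:aa:bb:cc:dd:ee"
SAMPLE = (
    [(i * 0.02, "deauth", AP, BROADCAST) for i in range(25)]
    + [(1.0, "data", CLIENT, AP, 32767)]
    + [(2.0, "assoc_req", CLIENT, AP)]
)

if __name__ == "__main__":
    for ts, src, alarm in detect(SAMPLE):
        print(f"{ts:5.2f}  {src}  {alarm}")
```

On the sample the broadcast-deauth alarm fires on every forged frame, the storm alarm fires once when the 20th frame lands inside the window, and the single data frame with a 32,767 microsecond duration trips the duration check; the lone association request stays below the threshold. Tune the window and threshold to the AP's normal client churn before deploying anything like this, or legitimate roaming will look like an association storm.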
Vulnerability
Default SSID in Use
The AP is using its factory default SSID, which indicates an unconfigured access point. Attackers can connect to the AP using the well-known default (for example, the Cisco default SSID is tsunami).

AP Broadcasting SSID
The AP is broadcasting its SSID in beacons, which lets anyone learn the SSID in use and connect. Hiding the SSID is not a real control, since it is still sent in probe responses and association requests, so do not rely on it in place of encryption and authentication.

Ad-hoc Network Operating
An ad-hoc peer-to-peer network is operating. Ad-hoc networks are not secure.

AP Is Not Using Encryption
If the AP is not using encryption, a sniffer can capture the frames and read the full payload.

Station is Using Weak WEP IVs
A device in your network is using weak initialization vectors (the FMS class), making it possible for an attacker to recover the WEP key. Tools that exploit this weakness include AirSnort and WEPCrack. WEP is considered broken even without weak IVs, so treat any WEP network as effectively unencrypted.
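As an added example, not the product's own code, the Python below extracts the IV from WEP-protected data frames, classifies it against the FMS weak-IV pattern (first byte in 3..15 for a 104-bit key, second byte 0xFF) and raises the alarm once a station has emitted a configurable number of them. The frame builder, the station addresses, the threshold and the sample traffic are constructed for illustration.

```python
import struct
from collections import Counter


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_fms_weak_iv(iv, key_len=13):
    """FMS 'resolved' IVs have the form (A+3, 0xFF, X), where A is the index of
    the key byte the IV leaks; A runs 0..key_len-1 (13 bytes for 104-bit WEP)."""
    return 3 <= iv[0] < 3 + key_len and iv[1] == 0xFF


def wep_iv(frame):
    """Return the 3-byte IV of a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    is_data = (fc >> 2) & 0x3 == 2          # frame-control type field: 2 = data
    protected = bool(fc & 0x4000)           # Protected Frame flag (bit 6 of byte 1)
    if not (is_data and protected):
        return None
    return frame[24:27]                     # IV immediately follows the 24-byte header


def build_wep_data_frame(src, bssid, iv):
    """Construct a minimal WEP data frame (test input, not a capture).
    0x4008 = type data, subtype 0, Protected Frame flag set."""
    hdr = struct.pack("<HH6s6s6sH", 0x4008, 0,
                      mac_bytes(bssid), mac_bytes(src), mac_bytes(bssid), 0)
    return hdr + bytes(iv) + b"\x00" + b"\x00" * 8   # IV, key-id byte, dummy body and ICV


class WeakIVMonitor:
    def __init__(self, threshold=5):
        self.threshold = threshold      # weak IVs from one station before alarming (assumed)
        self.weak = Counter()           # station -> weak IVs seen
        self.reported = set()           # stations already alarmed

    def process(self, frame):
        """Feed one frame; return the alarm name when a station crosses the threshold."""
        iv = wep_iv(frame)
        if iv is None:
            return None
        src = mac_str(frame[10:16])     # address 2 is the transmitter
        if is_fms_weak_iv(iv):
            self.weak[src] += 1
            if self.weak[src] >= self.threshold and src not in self.reported:
                self.reported.add(src)
                return "Station is Using Weak WEP IVs"
        return None


def scan(frames, threshold=5):
    """Return (station, alarm) pairs raised over a list of raw frames."""
    mon = WeakIVMonitor(threshold)
    return [(mac_str(f[10:16]), a) for f in frames if (a := mon.process(f))]


# Constructed sample traffic: station A runs firmware that still emits
# FMS-class IVs; station B picks IVs outside the weak class.
STA_A = "00:aa:bb:cc:dd:01"
STA_B = "00:aa:bb:cc:dd:02"
AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = (
    [build_wep_data_frame(STA_A, AP, (3 + (i % 13), 0xFF, i)) for i in range(6)]
    + [build_wep_data_frame(STA_B, AP, (0x10, 0x20, i)) for i in range(6)]
)

if __name__ == "__main__":
    print(scan(SAMPLE_FRAMES))
```

Many later WEP implementations filter exactly this IV class, which is why later tools moved on to KoreK-style statistical attacks; the absence of FMS IVs therefore says nothing about whether the key is recoverable, only that one specific shortcut is closed.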
Authorized Client Connected to Rogue AP
An authorized client has associated with an unauthorized AP or ad-hoc network.

AP is Using Hotspot SSID
The access point is using a commonly used hotspot SSID. A common attack is to create an AP that appears to have the same configuration as a public hotspot in order to lure clients; this technique is used by the open-source tools Airsnarf and Hotspotter.
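The beacon-derived alarms in this section (Default SSID in Use, AP Broadcasting SSID, Ad-hoc Network Operating, AP Is Not Using Encryption, AP is Using Hotspot SSID) and the beacon-derived ones in the intrusion section (AP SSID Changed, AP Channel Changed, Adhoc SSID same as AP, and a rogue AP seen as an unknown BSSID) can all be evaluated from the capability field and information elements of a beacon frame. As an added example, not the product's own code, the Python below parses minimal beacon frames and applies those rules. The frame builder, the authorized-BSSID list, the default and hotspot SSID watch-lists (only "tsunami" is named on this page) and the rule that an unknown infrastructure BSSID is reported as rogue are assumptions for illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010  # capability field bits
IE_SSID, IE_DS_PARAMS = 0, 3                               # information element IDs

# Assumed watch-lists; extend them from your own inventory.
DEFAULT_SSIDS = {"tsunami", "linksys", "default"}
HOTSPOT_SSIDS = {"tmobile", "attwifi", "wayport_access"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid, ssid, channel, ibss=False, privacy=True):
    """Construct a minimal beacon frame (test input, not a capture).
    Frame control 0x0080 = version 0, type management, subtype beacon."""
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, BROADCAST, mac_bytes(bssid), mac_bytes(bssid), 0)
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, beacon interval, capability
    ssid_b = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_b)]) + ssid_b + bytes([IE_DS_PARAMS, 1, channel])
    return hdr + fixed + ies


def parse_beacon(frame):
    """Return the fields the alarms need, or None if this is not a beacon."""
    if len(frame) < 36:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FF != 0x80:          # low byte holds version/type/subtype
        return None
    _, _, cap = struct.unpack_from("<QHH", frame, 24)
    ies, pos = {}, 36
    while pos + 2 <= len(frame):     # walk the tagged information elements
        tag, ln = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + ln]
        pos += 2 + ln
    ds = ies.get(IE_DS_PARAMS, b"")
    return {
        "bssid": mac_str(frame[16:22]),
        "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        "channel": ds[0] if len(ds) == 1 else None,
        "ibss": bool(cap & CAP_IBSS),
        "privacy": bool(cap & CAP_PRIVACY),
    }


class BeaconMonitor:
    """Per-BSSID state: first-sighting checks, then change tracking."""

    def __init__(self, authorized):
        self.authorized = set(authorized)   # BSSIDs the administrator deployed
        self.seen = {}                      # bssid -> last parsed beacon

    def infra_ssids(self):
        return {b["ssid"] for b in self.seen.values() if not b["ibss"]}

    def analyse(self, frame):
        b = parse_beacon(frame)
        if b is None:
            return []
        alarms = []
        prev = self.seen.get(b["bssid"])
        if prev is None:
            if b["ibss"]:
                alarms.append("Ad-hoc Network Operating")
                if b["ssid"] in self.infra_ssids():
                    alarms.append("Adhoc SSID same as AP")
            elif b["bssid"] not in self.authorized:
                # RF-only rule (assumed): an unknown infrastructure BSSID is reported
                # as rogue; confirming a wired-side connection needs a separate check.
                alarms.append("Rogue AP Detected")
            if b["ssid"]:
                alarms.append("AP Broadcasting SSID")
            if b["ssid"].lower() in DEFAULT_SSIDS:
                alarms.append("Default SSID in Use")
            if b["ssid"].lower() in HOTSPOT_SSIDS:
                alarms.append("AP is Using Hotspot SSID")
            if not b["privacy"]:
                alarms.append("AP Is Not Using Encryption")
        else:
            if prev["ssid"] != b["ssid"]:
                alarms.append("AP SSID Changed")
            if prev["channel"] != b["channel"]:
                alarms.append("AP Channel Changed")
        self.seen[b["bssid"]] = b
        return alarms


# Constructed sample: the corporate AP, the same AP moving channel, an
# unconfigured open AP, and an ad-hoc cell cloning the corporate SSID.
CORP_AP = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_beacon(CORP_AP, "corp", 6),
    build_beacon(CORP_AP, "corp", 11),
    build_beacon("00:de:ad:be:ef:01", "tsunami", 1, privacy=False),
    build_beacon("02:55:66:77:88:99", "corp", 6, ibss=True, privacy=False),
]


def run(frames, authorized=(CORP_AP,)):
    """Return the alarm list raised by each frame, in order."""
    mon = BeaconMonitor(authorized)
    return [mon.analyse(f) for f in frames]
```

The first-sighting alarms are raised once per BSSID so that a busy sensor does not re-report "AP Broadcasting SSID" on every 100 ms beacon; the SSID and channel change alarms only fire on a later beacon from a BSSID already in the table.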
NetBIOS Traffic Detected
Unencrypted NetBIOS (Network Basic Input/Output System) traffic was detected. Common applications that use it include Microsoft File and Printer Sharing and Samba.

HTTP Enabled
Web (HTTP) management access is enabled on this access point.

Telnet Enabled
The Telnet management service is enabled on this access point; Telnet sends credentials in the clear.

EAP Disabled
Network-level EAP (802.1X) authentication is disabled on this AP by default.