What is the difference between AP impersonation, AP spoofing and Valid-SSID misuse?

Q:

What is the difference between AP impersonation, AP spoofing and Valid-SSID misuse?



A:

In AP Impersonation, the attacker's AP assumes both the BSSID and the ESSID of a valid AP.

In AP Spoofing, the attacker assumes the BSSID of a valid AP, while the ESSID can be anything (the ESSID is visible in beacon and probe response frames).

In Valid-SSID misuse, the attacker's AP assumes the ESSID of a valid AP, while the BSSID is a non-valid Aruba BSSID, i.e., a BSSID that is not used by any Aruba AP in the cluster.

Below are example security log entries seen when such attacks are detected.

324-40:e3:d6:cd:a7:a4# show log security 

Oct 27 02:55:04  sapd[4795]: <127069> <WARN> |AP 324-40:e3:d6:cd:a7:a4@192.168.248.254 sapd| |ids-ap| AP(40:e3:d6:5a:7a:50): AP Spoofing: An AP detected a frame that has a spoofed source address of 40:e3:d6:5a:7a:50, a BSSID of 10:11:11:11:11:12, a destination address of 40:e3:d6:5a:7a:50, and is on CHANNEL 36. SNR is 40, and FrameType is Assoc Request. Additional Info: SSID:.

Oct 27 02:53:25  sapd[4795]: <127006> <WARN> |AP 324-40:e3:d6:cd:a7:a4@192.168.248.254 sapd| |ids-ap| AP(40:e3:d6:5a:7a:50): AP Impersonation: An AP detected AP impersonation of (BSSID 32:04:01:04:82:84 and SSID  on CHANNEL 36), based of the number of beacons seen. Additional Info: Beacons-Exp:1.00; Beacons-Rcv:322.00; Diff-percent=32100.00.

Oct 26 19:11:48  sapd[4795]: <127007> <WARN> |AP 324-40:e3:d6:cd:a7:a4@192.168.248.254 sapd| |ids-ap| AP(40:e3:d6:5a:7a:40): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 18:64:72:e3:e5:41 and SSID 324 on CHANNEL 1) is violating Valid SSID configuration by using a protected SSID.
Version history
Revision #:
2 of 2
Last update:
‎12-25-2017 09:17 PM
Comments
Sairam_sify

I think there is a typo error in the introduction. As per the logs you have shared, for AP impersonation, both BSSID and ESSID should match, but in the AP impersonation line, the BSSID didn't match. In the AP spoofing logs, the BSSID and ESSID matched.

Please correct me if I am wrong!
