Product and Software: This article applies to all Aruba controllers and ArubaOS 6.0 and later.
The following types of attacks on clients that are associated to valid Aruba APs can be detected with WIDS 2.0 in ArubaOS 6.0.
Disconnect Station Attack Detection
- Clients are forced to disconnect from the AP by spoofed disconnects sent to the AP or the client.
- A client under repeated attack will repeatedly attempt to reconnect.
- The attack is detected if the number of successful association/reassociation responses within a 20-second interval reaches the user-defined threshold.
- Only valid clients that are associated to valid APs are checked.
Block Ack Attack Detection
- Attacker spoofs ADDBA Request frames with bogus "window" values, which causes the receiver to drop packets.
- Detection is done via monitoring ADDBA Request frames and sequence numbers.
TKIP Replay Attack Detection
- An attacker replays a capture of TKIP data frames to extract the complete plaintext and MIC checksum.
- Detected by monitoring for encrypted key error messages whose length is 133 bytes. To avoid false positives, WIDS looks for 133-byte frames at least once every two minutes within a 10-minute period.
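The two time-window rules described above (the 20-second association count for disconnect station attacks and the recurrence of 133-byte frames for TKIP replay) can be sketched as follows. This is an added example, not ArubaOS code; the event tuples, the threshold of 5, and the reading of "at least once every two minutes" as five consecutive two-minute slots are assumptions.

```python
from collections import defaultdict, deque

ASSOC_WINDOW_S = 20    # page: 20-second interval
TKIP_FRAME_LEN = 133   # page: 133-byte encrypted key error messages
TKIP_SLOT_S = 120      # page: at least once every two minutes
TKIP_PERIOD_S = 600    # page: within a 10-minute period


def disconnect_station_alerts(events, threshold):
    """events: (timestamp_s, client_mac), one per successful association or
    reassociation response (hypothetical input format). Returns
    {client_mac: timestamp at which the count first reached the threshold}."""
    windows, alerts = defaultdict(deque), {}
    for ts, mac in sorted(events):
        win = windows[mac]
        win.append(ts)
        # Drop responses that fell out of the sliding 20-second window.
        while ts - win[0] >= ASSOC_WINDOW_S:
            win.popleft()
        if len(win) >= threshold and mac not in alerts:
            alerts[mac] = ts
    return alerts


def tkip_replay_suspected(frames, period_start):
    """frames: (timestamp_s, length_bytes). True only if every two-minute
    slot of the 10-minute period starting at period_start saw a 133-byte
    frame (assumed interpretation of the rule)."""
    slots = set()
    for ts, length in frames:
        offset = ts - period_start
        if length == TKIP_FRAME_LEN and 0 <= offset < TKIP_PERIOD_S:
            slots.add(int(offset // TKIP_SLOT_S))
    return len(slots) == TKIP_PERIOD_S // TKIP_SLOT_S


# Constructed sample data, not captured traffic.
VICTIM, NORMAL = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
ASSOC_EVENTS = ([(t, VICTIM) for t in (0, 3, 6, 9, 12)]
                + [(t, NORMAL) for t in (0, 40, 95)])
SUSTAINED = [(t, 133) for t in (10, 130, 250, 370, 490)]
ONE_OFF = [(10, 133), (15, 133), (200, 90)]

if __name__ == "__main__":
    print(disconnect_station_alerts(ASSOC_EVENTS, threshold=5))
    print(tkip_replay_suspected(SUSTAINED, 0),
          tkip_replay_suspected(ONE_OFF, 0))
```

A short burst of 133-byte frames (ONE_OFF) does not trigger the TKIP rule, which is the false-positive suppression the two-minute recurrence requirement is meant to provide.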
Chop Chop Attack Detection
- A plaintext recovery attack against WEP encrypted networks.
- It works by forcing the plaintext one byte at a time. A captured frame is truncated and all 256 possible values are tried for the last byte with a corrected CRC.
- The correct guess causes the AP to retransmit the frame.
- Detected by monitoring for frames that are smaller than expected.
Hotspotter Attack Detection
- Attacker activates an AP in the enterprise vicinity that advertises well-known public hotspot SSIDs. A client may associate to it and become vulnerable to attacks.
- The system watches for probe responses from previously unknown APs.
Omerta Attack Detection
- It is an 802.11 DoS tool that, in response to data frames, sends disassociation frames with the unspecified reason code 0x01 to all stations on a channel.
- Detected if the percentage of disassociation frames relative to data packets is above a user-defined threshold.
FATA-Jack Attack Detection
- It is an 802.11 client DoS tool that tries to disconnect stations by spoofing authentication frames. These frames use an invalid authentication algorithm number of 2, which should never be used because it is a reserved value.
- Detected via checking for an invalid authentication algorithm number = 2 in auth frames between the station and the AP.