In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack.
Within your WIDS/WIPS configuration you can set up containment. Be careful not to put other people's wireless into containment unless it is a true rogue device, and not just a neighboring system. If they are using the same BSSID and ESSID then they must be a rogue device:
Wireless containment - When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point.
None - Disables all the containment mechanisms.
Deauthenticate only - With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
Tarpit containment - With Tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
------------------------------
Dustin Burns
Lead Mobility Engineer @Worldcom Exchange, Inc.
ACCX 1271 | ACMX 509 | ACSP | ACDA | MVP Guru 2022
If my post was useful accept solution and/or give kudos
------------------------------
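The "same BSSID and ESSID" rule from the reply above, as an added triage example that is not part of the post and not Aruba/AirWave code. It assumes a constructed inventory of authorized APs and uses a channel mismatch as a simplified stand-in for the fingerprint checks a real WIDS applies; neighbors and SSID-only matches are deliberately kept out of the containment list.

```python
from dataclasses import dataclass

# Constructed inventory of our own APs: BSSID -> (ESSID, operating channel).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 36),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 6),
}


@dataclass(frozen=True)
class Detection:
    """One beacon observation reported by an air monitor (constructed)."""
    bssid: str
    essid: str
    channel: int


def classify(d: Detection, authorized=AUTHORIZED) -> str:
    """Return 'authorized', 'ap-impersonation', 'ssid-spoof' or 'neighbor'."""
    known = authorized.get(d.bssid.lower())
    if known:
        essid, channel = known
        if d.essid == essid and d.channel == channel:
            return "authorized"
        # Our BSSID seen with parameters that do not match the real AP:
        # another radio is assuming the identity of our access point.
        # (Assumption: channel mismatch stands in for the WIDS fingerprint.)
        return "ap-impersonation"
    if any(d.essid == essid for essid, _ in authorized.values()):
        # Our ESSID on a BSSID we do not own: possible honeypot / evil twin,
        # but a neighbor may legitimately use the same name. Review first.
        return "ssid-spoof"
    # Unknown BSSID and unknown ESSID: a neighboring network, never contain.
    return "neighbor"


def containment_candidates(detections):
    """Only same-BSSID impersonators are safe to hand to containment."""
    return [d for d in detections if classify(d) == "ap-impersonation"]


if __name__ == "__main__":
    seen = [
        Detection("aa:bb:cc:00:00:01", "CorpWiFi", 36),   # our real AP
        Detection("AA:BB:CC:00:00:01", "CorpWiFi", 1),    # cloned BSSID+ESSID
        Detection("de:ad:be:ef:00:01", "CorpWiFi", 6),    # our SSID, foreign BSSID
        Detection("de:ad:be:ef:00:02", "NeighborNet", 11),
    ]
    for d in seen:
        print(f"{d.bssid} {d.essid!r} ch{d.channel}: {classify(d)}")
    print("contain:", [d.bssid for d in containment_candidates(seen)])
```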
Original Message:
Sent: Oct 26, 2022 03:25 PM
From: Peter Abene
Subject: Airwave - AP Impersonation
In the RAPIDS IDS events, I see "AP Impersonation". What actions can/should I take?
------------------------------
Peter
------------------------------