Q: What does Enhanced Adhoc Protection on IDS do?
A: Enhanced Adhoc Protection is available from code version 6.3 onward.
- The common way of disrupting an adhoc (IBSS) network is to send spoofed deauthentication frames; this is the existing adhoc protection mechanism.
- Adhoc clients, however, ignore deauth frames (in an IBSS there is no association to tear down), so a different containment mechanism is needed: ARP poisoning, called Enhanced Adhoc Protection.
Note:
- Effective on an open adhoc network.
- Ineffective on a WEP/WPA adhoc network: the data and ARP payloads are encrypted, so the AP can neither read the IP/ARP traffic nor inject ARP replies that the members will accept.
How it works
- If the AP sees an IP data frame in the air sent from one member (X) of the IBSS to another member (Y), it generates a gratuitous ARP response in the reverse direction, from Y to X, but with the sender MAC address replaced by a fake MAC address. X's ARP cache now maps Y's IP to the fake MAC, so X's further frames to Y go nowhere ("Frames To Data Sender" in the counters below).
- For the same X-to-Y IP data frame, it also generates a gratuitous ARP response from X to Y with the sender MAC address replaced by the fake MAC, poisoning Y's entry for X ("Frames To Data Receiver").
- If the AP sees an ARP request sent to or from a member of the IBSS, it generates an ARP response in the reverse direction, again with the fake sender MAC ("Response to Request").
- If the AP sees an ARP response sent to or from a member of the IBSS, it replays that ARP response in the same direction, with the sender MAC address replaced by the fake MAC ("Replay Response").
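The following is an added example, not Aruba code: a small simulation of the four containment rules above, with a toy victim ARP cache to show the poisoning effect and an encrypted IBSS frame to show why WEP/WPA networks are not affected. The Frame fields, class and function names, the MAC/IP values and the fake MAC de:ad:be:ef:00:01 are all assumptions (the page does not say which fake MAC the AP uses).

```python
# Added example (not Aruba code): simulate the Enhanced Adhoc Containment rules.
# Frame fields, names, sample MACs/IPs and the fake MAC value are assumptions.
import struct
from dataclasses import dataclass

ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal view of a frame the monitoring AP decoded from the air."""
    kind: str                # "ip", "arp-request" or "arp-reply"
    src_mac: str
    dst_mac: str
    src_ip: str              # for ARP frames: sender IP
    dst_ip: str              # for ARP frames: target IP
    encrypted: bool = False  # True for a WEP/WPA IBSS frame


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """28-byte Ethernet/IPv4 ARP reply payload (RFC 826 layout)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


class EnhancedAdhocContainment:
    """Applies the four rules; counter names follow 'show ap monitor containment-info'."""

    def __init__(self, ibss_members, fake_mac="de:ad:be:ef:00:01"):  # fake MAC assumed
        self.members = set(ibss_members)
        self.fake_mac = fake_mac
        self.counters = {"Frames To Data Sender": 0, "Frames To Data Receiver": 0,
                         "Response to Request": 0, "Replay Response": 0}

    def handle(self, f: Frame) -> list:
        """Return [(destination MAC, ARP payload), ...] the AP would transmit."""
        out = []
        if f.encrypted:
            return out  # WEP/WPA IBSS: IP/ARP payload unreadable, nothing to forge
        if f.src_mac not in self.members and f.dst_mac not in self.members:
            return out  # not traffic of the contained IBSS
        fake = self.fake_mac
        if f.kind == "ip" and f.src_mac in self.members and f.dst_mac in self.members:
            # Rule 1: reply "from Y to X": Y's IP is at the fake MAC
            out.append((f.src_mac, build_arp_reply(fake, f.dst_ip, f.src_mac, f.src_ip)))
            self.counters["Frames To Data Sender"] += 1
            # Rule 2: reply "from X to Y": X's IP is at the fake MAC
            out.append((f.dst_mac, build_arp_reply(fake, f.src_ip, f.dst_mac, f.dst_ip)))
            self.counters["Frames To Data Receiver"] += 1
        elif f.kind == "arp-request":
            # Rule 3: answer the request; the asked-for IP resolves to the fake MAC
            out.append((f.src_mac, build_arp_reply(fake, f.dst_ip, f.src_mac, f.src_ip)))
            self.counters["Response to Request"] += 1
        elif f.kind == "arp-reply":
            # Rule 4: replay the reply in the same direction with the fake sender MAC
            out.append((f.dst_mac, build_arp_reply(fake, f.src_ip, f.dst_mac, f.dst_ip)))
            self.counters["Replay Response"] += 1
        return out


def learn_from_arp_reply(cache: dict, payload: bytes) -> None:
    """Toy victim stack: learn sender IP -> sender MAC from any ARP reply.
    Real stacks differ in detail, but unauthenticated learning is what poisoning relies on."""
    sender_mac, sender_ip = payload[8:14], payload[14:18]
    cache[".".join(str(b) for b in sender_ip)] = ":".join(f"{b:02x}" for b in sender_mac)


def run_demo():
    """Open IBSS with members X and Y, then one encrypted frame. Returns (counters, caches)."""
    x, y = "68:a3:c4:00:00:01", "b6:9d:c2:00:00:02"  # constructed MACs
    x_ip, y_ip = "169.254.1.1", "169.254.1.2"        # constructed link-local IPs
    ids = EnhancedAdhocContainment([x, y])
    caches = {x: {y_ip: y}, y: {x_ip: x}}           # correct entries before containment
    frames = [
        Frame("ip", x, y, x_ip, y_ip),                    # rules 1 and 2
        Frame("arp-request", x, BROADCAST, x_ip, y_ip),   # rule 3
        Frame("arp-reply", y, x, y_ip, x_ip),             # rule 4
        Frame("ip", x, y, x_ip, y_ip, encrypted=True),    # WEP/WPA: nothing sent
    ]
    for f in frames:
        for dst_mac, payload in ids.handle(f):
            learn_from_arp_reply(caches[dst_mac], payload)
    return ids.counters, caches


if __name__ == "__main__":
    counters, caches = run_demo()
    print(counters)
    print(caches)
```

After the run, both members resolve each other's IP to the fake MAC, which is why traffic between them stops without a single deauth frame; the encrypted frame produces no containment at all, matching the WEP/WPA caveat above.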
Controller configuration:
ids unauthorized-device-profile <profile-name> protect-adhoc-enhanced
Note:
wireless-containment must also be enabled in ids general-profile <profile-name>; otherwise no containment (enhanced or otherwise) takes effect.
The same setting can be configured from the GUI (screenshot not included in this text).
Verification from the CLI: show log all | include Enhanced lists each containment attempt:
(7210-205) #show log all 2 | include Enhanced
Mar 29 11:08:25 wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).
Mar 29 11:08:25 wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).
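For operators who forward these controller logs to a SIEM, here is an added example (not Aruba code) that parses the <126114> Enhanced Adhoc Containment lines above into structured records and collapses repeated attempts per adhoc node. The two sample lines are copied from the output above (MAC octets masked with xx as on the page); the regular expression, field names and the noise line are my own.

```python
# Added example (not Aruba code): parse Enhanced Adhoc Containment syslog lines.
import re

# Two lines copied from the controller output above (MACs masked as on the page)
# plus one constructed unrelated line that must be ignored.
LOG_SAMPLE = """\
Mar 29 11:08:25 wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).
Mar 29 11:08:25 wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).
Mar 29 11:09:00 constructed noise line that does not match the containment pattern
"""

# 'x' is allowed in an octet only because the page masks addresses; drop it on real logs.
MAC = r"[0-9a-fx]{2}(?::[0-9a-fx]{2}){5}"
EVENT_RE = re.compile(
    rf"^(?P<ts>\w{{3}} \d+ \d\d:\d\d:\d\d) wms\[\d+\]: <(?P<msgid>\d+)> <(?P<sev>\w+)> "
    rf"\|wms\| \|ids\| AP\((?P<ap_mac>{MAC})@(?P<ap_name>[^)]+)\): Enhanced Adhoc Containment: "
    rf"An AP attempted to contain an adhoc node (?P<node>{MAC}) that is part of the adhoc network "
    rf"\(BSSID (?P<bssid>{MAC}) and SSID (?P<ssid>\S+) on CHANNEL (?P<channel>\d+)\)\.$"
)


def parse_containment_events(text: str) -> list:
    """Return one dict per matching line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["channel"] = int(rec["channel"])
            events.append(rec)
    return events


def summarize(events: list) -> dict:
    """Count attempts per (node, BSSID, SSID) so repeated attempts collapse into one row."""
    summary = {}
    for e in events:
        key = (e["node"], e["bssid"], e["ssid"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    evs = parse_containment_events(LOG_SAMPLE)
    for (node, bssid, ssid), n in summarize(evs).items():
        print(f"{n} attempt(s) against {node} in IBSS {bssid} ({ssid})")
```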
show ap monitor containment-info shows the last Enhanced Adhoc Containment timer tick and a counter for each of the four frame types (to the data sender, to the data receiver, responses to requests, replayed responses):
(7210-205) # show ap monitor containment-info ap-name AP-135-D3:0A
<snipped>
wifi1: Wireless Containment Counters
-------------------------------------
Parameter                                            Value
---------                                            -----
Last Deauth Timer Tick                               0
Deauth frames to AP                                  0
Deauth frames to Client                              0
Last Tarpit Timer Tick                               0
Tarpit Frames: Probe Response                        0
Tarpit Frames: Association Response                  0
Tarpit Frames: Authentication                        0
Tarpit Frames: Data from AP                          0
Tarpit Frames: Data from Client                      0
Last Enhanced Adhoc Containment Timer Tick           157084
Enhanced Adhoc Containment: Frames To Data Sender    0
Enhanced Adhoc Containment: Frames To Data Receiver  0
Enhanced Adhoc Containment: Response to Request      16
Enhanced Adhoc Containment: Replay Response          1
show wms counters events shows how many Enhanced Adhoc Containment events (ID 119) the WMS process received from APs and how many were inserted into the database:
(7210-205) #show wms counters events
Related Event Configuration
---------------------------
Name                         Value
----                         -----
wms-on-master                enable
event-correlation            logs-and-traps
event-correlation-quiet-time 900
Event Counters
--------------
ID   Name                                          Rx-AP  Rx-WMS  DB Updated  DB Inserted  DB Deleted  Corr EvGen  Corr EvSupp
--   ----                                          -----  ------  ----------  -----------  ----------  ----------  -----------
2    Rogue AP                                      2      0       0           0            0           0           0
73   Valid Client Not Using Encryption             8      0       7           1            0           2           6
83   Valid Client Misassociation to External AP    8      0       7           1            0           2           6
85   Valid Client Misassociation to Adhoc Network  8      0       7           1            0           2           6
95   Malformed Frame - Large Duration              4      0       4           0            0           2           2
119  Enhanced Adhoc Containment                    2      0       0           2            0           2           0
show ap monitor stats for the contained adhoc node shows the per-node timers; the last-enhanced-cm-time and enhanced-cm-ev-time columns are the Enhanced Adhoc Containment timestamps for this node (compare the Last Enhanced Adhoc Containment Timer Tick above):
(7210-205) #show ap monitor stats ap-name AP-135-D3:0A mac 68:a3:c4:xx:xx:xx
<snipped>
Monitored Time:581
Last Packet Time:157944
Uptime:157944
DoS State
----------
tx  old-tx  rx  old-rx  last-dos-time  ap-ev-time  sta-ev-time  last-enhanced-cm-time  enhanced-cm-ev-time
--  ------  --  ------  -------------  ----------  -----------  ---------------------  -------------------
0   0       0   0       0              0           0            157079                 157015
<snipped>