WiFi Manager protects WLANs from intrusions, attacks, and vulnerabilities.
The table below is a partial list of the threats that WiFi Manager
detects, grouped into intrusion-related alarms, denial-of-service attacks,
and vulnerabilities.
RF Alarm / Description

Intrusion-related RF alarms
Rogue AP Detected
Rogue access points are among the most serious threats to WiFi
security. They are unauthorized access points that are physically
connected to your wired Ethernet LAN. A typical example is the
SOHO-grade AP that an employee plugs into an office port to get
WiFi access. A rogue AP punches a hole in the corporate perimeter:
anyone within radio range can reach the wired network behind the
firewall, usually without any authentication at all.
Rogue Client Detected
Rogue clients are unauthorized wireless stations operating in your
network. With the price of WiFi cards falling, more and more
unauthorized wireless interfaces find their way into enterprise
LANs for the sake of mobility, and each one is an unmanaged entry
point that poses a serious threat to WLAN security.
Rogue Adhoc Client Detected
Wireless devices can communicate directly with one another in
ad hoc mode without an AP. Ad hoc mode is not recommended because
it does not support most of the security mechanisms available in
infrastructure (AP-MU) mode, so devices communicating in ad hoc
mode pose a security threat.
AirJack Detected
AirJack is a free Linux device driver and API for 802.11 cards that
allows raw frame injection into WLANs. Per the 802.11 specification,
"mobile clients should not refuse a de-authentication notification":
deauthentication is a notification, not a request. AirJack exploits
this by transmitting deauthentication management frames with a
spoofed AP source address, forcing clients to disconnect from the
AP. The attack can be directed at a single mobile client or at every
client in a BSSID group. Unless the WLAN uses 802.11w protected
management frames, a client has no way to tell a spoofed
deauthentication from a genuine one.
AP SSID Changed
An SSID change that was not made by a WLAN administrator may
indicate that an attacker is spoofing the AP's MAC address to
masquerade as a legitimate access point.
AP Channel Changed
A channel change made by a WLAN administrator, or by the AP itself
in response to interference, is normal. Otherwise it may indicate
that an attacker is spoofing the AP's MAC address to masquerade as
a legitimate access point.
Random MAC Address Detected
A randomly generated MAC address indicates the presence of a hacking
tool such as Wellenreiter. Note that current client operating systems
also randomize MAC addresses for privacy, so on its own this is a
weak indicator and should be correlated with other alarms.
Spoofed MAC Address
The MAC address of an AP or client has been spoofed. MAC spoofing is
the basis of many attacks; where MAC-based access control is the
only form of authentication, a spoofed address bypasses it outright.
ASLEAP Attack Detected
ASLEAP is a tool that exploits a weakness in Cisco's proprietary
LEAP protocol. LEAP authenticates users with a modified MS-CHAP
challenge/response exchange. Because the challenge and response
travel in the clear and the response is derived from the unsalted
NT password hash, a captured exchange can be attacked offline with
a dictionary or by brute force.
Client is Sending Spurious Traffic
A station is sending traffic without first associating with an AP,
which makes it most likely a rogue client. Someone may be injecting
forged 802.11 frames in an attempt to connect to an AP.
Adhoc SSID same as AP
Ad hoc (IBSS) mode creates a network without an AP; each node acts
as a peer that can send and receive data. A malicious user can
advertise an ad hoc network with the same SSID as a legitimate AP,
fooling clients into believing they have connected to that AP.
Hotspotter Attack Detected
Hotspotter is a free open-source tool that passively monitors probe
requests from Windows XP clients and compares the requested SSIDs
against a list of common "hotspot" names. On a match, the rogue
device responds as an AP with that SSID, so the client connects to
the attacker instead of the real hotspot.
Airsnarf Attack Detected
Airsnarf is an open-source tool that sets up a rogue AP configured
to look like a public hotspot, including a fake login page, in order
to lure clients and capture their credentials.
WEPWedgie Attack Detected
WEPWedgie is a toolkit for recovering 802.11 WEP keystreams and
injecting traffic encrypted with a known keystream. Since WEP
encryption is plaintext XOR keystream, a recovered keystream lets
an attacker send arbitrary frames into the WLAN without knowing
the WEP key.
Constant Traffic
A device is generating a large, continuous stream of 802.11 data
frames. Because the channel is shared, this can starve other users
of airtime unless load balancing is in place.
Denial-of-service Attacks
Fata-Jack Attack Detected
Fata-Jack is a modified version of WLAN-Jack written by Mark
Osbourne. It sends authentication-failed frames (with a failure
code of "previous authentication failed") to a wireless client.
The source and destination MAC addresses can be spoofed so that
the frames appear to come from the AP.
Deauthentication Storm
A flood of deauthentication frames with a spoofed BSSID is being
sent. This may be evidence of an attack with the void11 tool, a
penetration-testing tool written by Reyk Floeter that floods
wireless networks with deauthentication frames carrying a spoofed
BSSID; authenticated stations drop their connections as a result.
AP Overloaded
The AP has refused a new client that attempted to associate with
it. This may be caused by an AP under extremely heavy load from
legitimate clients, or it may be evidence of a denial-of-service
attack: some attacks create many fake associations so that the
AP's association table fills up and legitimate clients can no
longer use it.
Disassociation Storm
Someone is sending a large number of disassociation management
frames to the AP. This does not happen under normal 802.11
operation, so it indicates that a rogue client is operating.
Association Storm
Someone is sending a large number of association management
frames to the AP. This does not happen under normal 802.11
operation, so it indicates that a rogue client is operating.
Authentication Storm
This may be evidence of an attack with the void11 tool, a
penetration-testing tool written by Reyk Floeter that floods APs
with authentication frames from random station addresses. Some
APs stop serving any client after excessive flooding.
RF Jamming Detected
An abnormal noise level indicates that a device may be jamming
your legitimate signal. It can also be caused by neighboring APs
or non-WiFi devices operating on the same channel, so check the
channel before treating it as an attack.
EAPoL Start Storm
A client is sending an excessive number of EAPOL-Start frames to
the AP. Each EAPOL-Start makes the authenticator begin a new EAP
conversation, consuming state on the AP and the authentication
server. Extensible Authentication Protocol (EAP) is the IETF
standard for extensible authentication in network access. It is
standardized for use within PPP (RFC 2284, since replaced by
RFC 3748), wired IEEE 802 networks (IEEE 802.1X), and VPNs
(L2TP/IPsec and PIC).
EAPoL Logoff Storm
A client is sending an excessive number of EAPOL-Logoff frames to
the AP. EAPOL-Logoff is not authenticated, so spoofed Logoff frames
can be used to disconnect legitimate stations.
Duration Attack Detected
The Duration/ID field in an 802.11 frame header tells the other
stations on the network how long, in microseconds, they must defer
before transmitting again (the network allocation vector). A station
that uses excessively large values causes a denial of service,
because every other station stays silent for the reserved time.
Broadcast Disassociation Packet
A device transmitted a disassociation frame to the broadcast
address, which disassociates every station in the BSS at once.
This indicates that someone may be injecting malicious frames
onto the network.
Broadcast Deauthentication Packet
A client transmitted a deauthentication frame to the broadcast
address, which disconnects every station in the BSS at once.
Improper Broadcast Packet
A client transmitted a frame that is not meant to be broadcast
to the broadcast address.
Vulnerability
Default SSID in Use
The AP is using its factory default SSID, which indicates an
unconfigured access point. Attackers look for default SSIDs because
they usually mean other default settings, including administrative
credentials, are still in place (for example, the Cisco default
SSID is "tsunami").
AP Broadcasting SSID
The AP is broadcasting its SSID in beacons, which lets anyone
learn the SSID in use and attempt to connect. Note that hiding the
SSID is not a real security control: it still appears in clear
text in probe and association frames.
Ad-hoc Network Operating
An ad hoc peer-to-peer network is operating. Ad hoc networks lack
the security controls of the infrastructure WLAN.
AP Is Not Using Encryption
If the AP is not using encryption, a sniffer can capture the
frames and reassemble the full payload of every session in
clear text.
Station is Using Weak WEP IVs
A device in your network is transmitting WEP frames with weak
initialization vectors (the (A+3, 0xFF, X) class identified by
Fluhrer, Mantin and Shamir), which leak key bytes and make it
possible for an attacker to recover the WEP key. Tools that
exploit this weakness include AirSnort and WEPCrack.
Authorized Client Connected to Rogue AP
An authorized client has associated with an unauthorized AP or
ad hoc network.
AP is Using Hotspot SSID
The access point is using a commonly used hotspot SSID. A common
attack is to create an AP that appears to use the same
configuration as a "hotspot" in order to lure clients. This
technique is used by the open-source tools Airsnarf and Hotspotter.
NetBIOS Traffic Detected
Unencrypted NetBIOS (Network Basic Input/Output System) traffic was
detected. Common sources are Microsoft File and Printer Sharing and
Samba; over an open WLAN, NetBIOS exposes host names, shares, and
authentication exchanges to sniffing.
HTTP Enabled
Web-based management is enabled on this access point. Over plain
HTTP, administrative credentials and configuration travel in
clear text.
Telnet Enabled
The Telnet service is enabled on this access point. Telnet sends
credentials and session data in clear text; use SSH where the AP
supports it.
EAP Disabled
Network-level EAP (802.1X) authentication is disabled on this AP,
which is the factory default, so stations are not authenticated
before they join the network.
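Several of the alarms above (Deauthentication Storm, Broadcast Deauthentication Packet, Duration Attack Detected, and Station is Using Weak WEP IVs) can be raised from the 802.11 frame header and the first bytes of the frame body alone. The following is an added example that is not part of the WiFi Manager documentation or product: a small Python analyser that parses raw 802.11 frames per the standard header layout (Frame Control, Duration/ID, three addresses, Sequence Control, body) and applies those four checks. The thresholds (20 frames per second, 5000 us NAV, 104-bit WEP) and the sample capture are constructed assumptions for the demo; a real deployment would feed it frames from a monitor-mode interface and tune the thresholds.

```python
"""Added example (not from the original page): a miniature analyser that
raises four of the alarms described above from raw 802.11 frames.
Frame header layout per IEEE 802.11: Frame Control (2), Duration/ID (2),
Address 1-3 (6 each), Sequence Control (2), then the frame body.
All thresholds and the sample capture below are constructed assumptions."""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
FC_PROTECTED = 0x4000          # "Protected Frame" bit (WEP/TKIP/CCMP body)

# Detection thresholds: assumed values, tune for the deployment.
STORM_COUNT = 20               # deauth/disassoc frames per BSSID ...
STORM_WINDOW = 1.0             # ... within this many seconds
MAX_DURATION_US = 5000         # NAV reservations longer than this are suspicious
WEP_KEY_LEN = 13               # 104-bit WEP; FMS weak IVs look like (3+b, 0xff, x)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(ftype, subtype, dst, src, bssid, body=b"", duration=0, protected=False):
    """Construct a frame for the demo (real frames come from a monitor-mode capture)."""
    fc = (ftype << 2) | (subtype << 4) | (FC_PROTECTED if protected else 0)
    return (struct.pack("<HH", fc, duration) + _mac_bytes(dst) + _mac_bytes(src)
            + _mac_bytes(bssid) + b"\x00\x00" + body)


def parse_frame(raw):
    fc, duration = struct.unpack_from("<HH", raw, 0)
    return {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & FC_PROTECTED), "duration": duration,
        "dst": _mac(raw[4:10]), "src": _mac(raw[10:16]), "bssid": _mac(raw[16:22]),
        "body": raw[24:],
    }


def is_weak_wep_iv(iv):
    """FMS weak IV: second byte 0xff, first byte 3..3+keylen-1 (selects the leaked key byte)."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + WEP_KEY_LEN


def analyze(capture):
    """capture: iterable of (timestamp_seconds, raw_frame) in time order.
    Returns [(alarm_name, detail), ...] using the alarm names from the table."""
    alarms = []
    recent = defaultdict(deque)     # (bssid, kind) -> timestamps inside the window
    raised = set()                  # suppress duplicate storm / weak-IV alarms
    for ts, raw in capture:
        f = parse_frame(raw)
        # Duration attack: bit 15 set means the field is an AID or CFP marker, not a NAV value.
        if f["duration"] < 0x8000 and f["duration"] > MAX_DURATION_US:
            alarms.append(("Duration Attack Detected", f"{f['src']} reserved {f['duration']} us"))
        if f["type"] == TYPE_MGMT and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            kind = "Deauthentication" if f["subtype"] == SUBTYPE_DEAUTH else "Disassociation"
            reason = struct.unpack_from("<H", f["body"], 0)[0]
            if f["dst"] == BROADCAST:
                alarms.append((f"Broadcast {kind} Packet", f"from {f['src']} reason={reason}"))
            q = recent[(f["bssid"], kind)]
            q.append(ts)
            while ts - q[0] > STORM_WINDOW:          # drop timestamps outside the window
                q.popleft()
            if len(q) >= STORM_COUNT and (f["bssid"], kind) not in raised:
                raised.add((f["bssid"], kind))
                alarms.append((f"{kind} Storm", f"{len(q)} frames in {STORM_WINDOW}s for BSSID {f['bssid']}"))
        elif f["type"] == TYPE_DATA and f["protected"]:
            iv, key_id = f["body"][:3], f["body"][3] >> 6     # WEP: IV(3) + KeyID byte, then ciphertext
            if is_weak_wep_iv(iv) and ("weak-iv", f["src"]) not in raised:
                raised.add(("weak-iv", f["src"]))
                alarms.append(("Station is Using Weak WEP IVs", f"{f['src']} iv={iv.hex()} keyid={key_id}"))
    return alarms


def sample_capture():
    """Constructed capture: a broadcast deauth flood spoofing the AP's address,
    WEP data frames with one FMS-weak IV, and a data frame reserving the medium for 30 ms."""
    ap, sta, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    deauth_body = struct.pack("<H", 7)    # reason 7: class 3 frame from a non-associated station
    frames = [(0.02 * i, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, ap, ap, deauth_body))
              for i in range(25)]
    weak = b"\x03\xff\x12\x00" + b"\x41" * 16     # IV (3, 255, 18), key id 0, dummy ciphertext
    normal = b"\x10\x20\x30\x00" + b"\x41" * 16
    frames.append((1.0, build_frame(TYPE_DATA, 0, ap, sta, ap, weak, protected=True)))
    frames.append((1.1, build_frame(TYPE_DATA, 0, ap, sta, ap, normal, protected=True)))
    frames.append((1.2, build_frame(TYPE_DATA, 0, ap, attacker, ap, b"\x00" * 20, duration=30000)))
    return frames


if __name__ == "__main__":
    for name, detail in analyze(sample_capture()):
        print(f"{name}: {detail}")
```

On the sample capture the analyser reports one Broadcast Deauthentication Packet per spoofed frame, a single Deauthentication Storm once 20 frames fall inside the one-second window, one Station is Using Weak WEP IVs alarm for the station that sent the (3, 0xFF, x) IV, and one Duration Attack Detected alarm for the 30 ms NAV reservation. The storm and weak-IV alarms are de-duplicated per BSSID and per station so that a sustained flood does not itself flood the console.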