The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism.
aWIPS uses an advanced approach to wireless threat detection and performance management. An AP detects threats and generates
alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly
detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks
and use that network intelligence to analyze attacks from many sources, pinpoint them accurately, and proactively prevent attacks
rather than wait until damage or exposure has occurred.
- Authentication flood: A form of DoS attack that floods an AP's client-state table (association table) by imitating many client stations (MAC address spoofing) and sending authentication requests to the AP. Upon reception of each authentication request, the target AP creates a client entry in State 1 of the association table. If open system authentication is used on the AP, the AP returns an authentication success frame and moves the client to State 2. If Shared Key Authentication (SHA) is used on the AP, the AP sends an authentication challenge to the attacker's imitated client, which does not respond, and the AP keeps the client in State 1. In either scenario, the AP accumulates many clients hanging in State 1 or State 2, which fills up the AP association table. When the table reaches its limit, legitimate clients are not able to authenticate and associate with this AP.
- Association flood: A form of DoS attack that aims to exhaust an AP's resources, particularly the client association table, by flooding the AP with many spoofed client associations. An attacker emulates many clients to overflow the target AP's client association table. When the table overflows, legitimate clients cannot get associated.
- CTS Flood: A form of DoS attack in which a specific device sends a bulk of Clear To Send (CTS) control frames to wireless devices sharing the same radio frequency (RF) medium, blocking those devices from using the RF medium until the CTS flood stops.
- RTS Flood: A form of DoS attack in which a specific device sends a bulk of Request To Send (RTS) control frames to an AP to block wireless bandwidth, which degrades performance for the clients on that AP.
- Broadcast Probe: A form of DoS attack in which a specific device tries to flood a managed AP with broadcast probe requests.
- Disassociation Flood: A form of DoS attack that aims to send an AP's client to the unassociated or unauthenticated State 2 by spoofing disassociation frames from the AP to the client. With current client adapter implementations, this form of attack immediately disrupts wireless services for the client. Typically, client stations reassociate to regain service until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep the client out of service.
- Disassociation Broadcast: A form of DoS attack in which a specific device triggers a disassociation broadcast to disconnect all the clients. This attack aims to send an AP's clients to the unassociated or unauthenticated State 2 by spoofing disassociation frames from the AP to the broadcast address of all the clients. With current client adapter implementations, this form of attack immediately disrupts wireless services for multiple clients. Typically, client stations reassociate to regain service until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep all the clients out of service.
- Deauthentication flood: A form of DoS attack that aims to send an AP's client to the unassociated or unauthenticated State 1 by spoofing deauthentication frames from the AP to the client's unicast address. With current client adapter implementations, this form of attack immediately disrupts wireless services for the client. Typically, client stations reassociate and reauthenticate to regain service until the attacker sends another deauthentication frame. An attacker repeatedly spoofs the deauthentication frames to keep the client out of service.
- Deauthentication broadcast: A form of DoS attack that sends all the clients of an AP to the unassociated or unauthenticated State 1 by spoofing deauthentication frames from the AP to the broadcast address. With current client adapter implementations, this form of attack immediately disrupts wireless services for multiple clients. Typically, client stations reassociate and reauthenticate to regain service until the attacker sends another deauthentication frame.
- EAPOL logoff flood: A form of DoS attack in which a specific device sends Extensible Authentication Protocol over LAN (EAPOL) logoff frames, which are used in WPA and WPA2 authentication, to cause a DoS. Because the EAPOL logoff frame is not authenticated, an attacker can spoof this frame and log a user out of an AP. The fact that the client is logged out from the AP is not obvious until the client attempts communication through the WLAN. Typically, the disruption is discovered and the client reassociates and authenticates automatically to regain the wireless connection. The attacker can continuously transmit the spoofed EAPOL-logoff frames.
- Airdrop Session: An AirDrop session attack happens when AirDrop, an Apple feature, is used to set up a peer-to-peer link for file sharing. This creates a potential security risk because an unauthorized peer-to-peer network is dynamically created in your WLAN environment.
- Authentication Failure Flood: An authentication failure flood attack happens when a specific device tries to flood the AP with invalid authentication requests spoofed from a valid client, leading to disconnection.
- Beacon Flood: A form of DoS attack that allows an attacker to inhibit wireless activity for the entire enterprise infrastructure by preventing new associations between valid APs and stations. During a beacon flood attack, stations that are actively seeking a network are bombarded with beacons from networks generated using different MAC addresses and SSIDs. This flood can prevent a valid client from detecting the beacons sent by the corporate APs, and thus a DoS attack is initiated.
- Block Ack Flood: A form of DoS attack that allows an attacker to prevent an 802.11n AP from receiving frames from a specific valid corporate client. With the introduction of the 802.11n standard, a transaction mechanism is introduced which allows a client to transmit a large block of frames at once, rather than dividing them up into segments. To initiate this exchange, the client sends an Add Block Acknowledgment (ADDBA) request to the AP. This request contains sequence numbers to inform the AP of the size of the block being transmitted. The AP then accepts all the frames that fall within the specified sequence (consequently dropping any frames that fall outside of the range) and transmits a BlockACK message back to the client when the transaction is completed.
- EAPOL-Start V1 Flood: An attacker attempts to bring down an AP by flooding it with EAPOL-Start frames to exhaust the internal resources of the AP.
- Fuzzed Beacon: Invalid, unexpected, or random data is introduced into a beacon. The modified frames are then replayed into the air. This can cause unexpected behavior in the destination device, including driver crashes, operating system crashes, and stack-based overflows, which can allow execution of arbitrary code on the affected system.
- Fuzzed Probe Request: Invalid, unexpected, or random data is introduced into a probe request. The modified frames are then replayed into the air.
- Fuzzed Probe Response: Invalid, unexpected, or random data is introduced into a probe response. The modified frames are then replayed into the air.
- Invalid MAC OUI Frame: A spoofed MAC address, which does not have a valid OUI, is used.
- Malformed Association Request: An attacker sends a malformed association request, which can trigger a bug in an AP, leading to a DoS attack.
- Malformed Authentication: An attacker sends malformed authentication frames, which can expose vulnerabilities, if any, in some drivers.
- Probe Response Flood: A form of DoS attack that allows an attacker to prevent a station from associating with a valid corporate AP. In a typical wireless transaction, when a station wants to associate with an AP, it transmits a probe request to obtain information about the AP's network. The station then waits for the resulting probe response frame from the AP. An attacker can take advantage of this process by flooding the environment with invalid probe responses, preventing the station from receiving the response from the valid AP. As a result, the station is unable to connect to the wireless network, and a DoS attack is initiated.
- PS Poll Flood: An attacker spoofs the MAC address of a wireless client and sends out a flood of PS-Poll frames. The AP then sends out the buffered data frames to the wireless client, and the client misses those data frames because it may be in power save mode.
- Reassociation Request Flood: A form of DoS attack that exhausts an AP's resources, particularly the client association table, by flooding the AP with a large number of emulated and spoofed client reassociations. When the client association table overflows, legitimate clients are not able to get associated, causing a DoS attack.
- Targeted Deauthentication: There is visibility into both the source and the destination of attacks for enhanced context of the threat.
- CTS Virtual Carrier Sense Attack: A form of DoS attack in which the MAC address of an 802.11n AP is modified and CTS frames are sent with large Duration values, preventing channel access for legitimate users.
- RTS Virtual Carrier Sense Attack: A form of DoS attack in which the MAC address of an 802.11n AP is modified and Request To Send (RTS) frames are sent with large Duration values, preventing channel access for legitimate users.
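Most of the signatures above are rate-based (a burst of one management or control frame subtype within a short window), while the Invalid MAC OUI and virtual carrier sense signatures are per-frame checks on a field value. The following Python detector, an added example that is not Cisco code and does not reflect how aWIPS is implemented, shows the shape of such logic over a constructed frame capture: a sliding-window count per subtype, keyed by the target AP for request-type frames (an authentication flood arrives from many spoofed source MACs, so a per-source count would never trip) and by the source for deauthentication, disassociation, beacon and RTS/CTS frames; a broadcast-versus-unicast distinction for the deauthentication and disassociation alarms; a Duration/ID ceiling for RTS/CTS; and an OUI lookup. The thresholds, the Duration ceiling, the `KNOWN_OUIS` table and every MAC address and timestamp are constructed assumptions; a real system would load the IEEE OUI registry and tune thresholds to the site.

```python
"""Rate-based and per-frame checks for the wireless attack signatures listed above (added example)."""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 1.0

# Frames per key within the window before an alarm fires. Constructed for illustration;
# the page does not state the thresholds aWIPS itself uses.
THRESHOLDS = {
    "auth": 20, "assoc_req": 20, "reassoc_req": 20, "eapol_start": 20, "eapol_logoff": 5,
    "ps_poll": 20, "probe_req": 30, "probe_resp": 30, "beacon": 50,
    "deauth": 10, "disassoc": 10, "cts": 15, "rts": 15,
}
# Request-type subtypes aimed at an AP are counted per destination: auth/assoc floods come
# from many spoofed source MACs, so a per-source count would never reach the threshold.
COUNT_BY_DESTINATION = {"auth", "assoc_req", "reassoc_req", "eapol_start", "eapol_logoff", "ps_poll"}

# The Duration/ID field reserves the medium (NAV) in microseconds. RTS/CTS values far above what
# a normal frame exchange needs are the virtual carrier sense signature. Ceiling is an assumption.
MAX_RTS_CTS_DURATION_USEC = 4000

# Constructed OUI table standing in for the IEEE registry lookup a real system would perform.
KNOWN_OUIS = {"00:11:22", "00:33:44"}


def has_valid_oui(mac):
    """True if the MAC is globally administered and its 24-bit OUI prefix is registered."""
    locally_administered = int(mac[:2], 16) & 0x02  # U/L bit of the first octet
    return not locally_administered and mac[:8].lower() in KNOWN_OUIS


class FloodDetector:
    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self.history = defaultdict(deque)  # (subtype, key) -> timestamps inside the window
        self.alarms = []                   # (alarm_name, offender_or_target, timestamp)

    def observe(self, frame):
        ts, subtype, src, dst = frame["ts"], frame["subtype"], frame["src"], frame["dst"]
        # Per-frame checks first: these do not depend on rate.
        if not has_valid_oui(src):
            self.alarms.append(("invalid_mac_oui", src, ts))
        if subtype in ("rts", "cts") and frame.get("duration", 0) > MAX_RTS_CTS_DURATION_USEC:
            self.alarms.append((f"{subtype}_virtual_carrier_sense", src, ts))
        # Sliding-window count, dropping timestamps that fell out of the window.
        key = dst if subtype in COUNT_BY_DESTINATION else src
        recent = self.history[(subtype, key)]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        limit = self.thresholds.get(subtype)
        # Fire once when the threshold is first crossed, not on every later frame of the burst.
        if limit is not None and len(recent) == limit:
            name = f"{subtype}_flood"
            if subtype in ("deauth", "disassoc") and dst == BROADCAST:
                name = f"{subtype}_broadcast"
            self.alarms.append((name, key, ts))


def run_detection(frames):
    """Feed frames to a fresh detector and return the alarms it raised, in order."""
    detector = FloodDetector()
    for frame in sorted(frames, key=lambda f: f["ts"]):
        detector.observe(frame)
    return detector.alarms


def alarm_names(frames):
    """Distinct alarm names raised for a capture, sorted for easy comparison."""
    return sorted({alarm[0] for alarm in run_detection(frames)})


def sample_frames():
    """Constructed capture: a spoofed broadcast deauth burst, an auth flood from many spoofed
    clients, an RTS with an oversized NAV from an unregistered MAC, and benign probe requests."""
    ap = "00:11:22:aa:bb:cc"  # constructed AP BSSID with a registered OUI
    frames = []
    # 12 deauthentication frames "from" the AP to the broadcast address within 0.6 s
    frames += [{"ts": i * 0.05, "subtype": "deauth", "src": ap, "dst": BROADCAST} for i in range(12)]
    # 25 authentication requests from 25 different spoofed client MACs within 0.5 s
    frames += [{"ts": 1.0 + i * 0.02, "subtype": "auth", "src": f"00:33:44:00:00:{i:02x}", "dst": ap}
               for i in range(25)]
    # one RTS from a locally administered MAC, Duration/ID near the 15-bit ceiling
    frames.append({"ts": 2.0, "subtype": "rts", "src": "de:ad:be:ef:00:01", "dst": ap, "duration": 32000})
    # a legitimate client probing once per second: never reaches the probe_req threshold
    frames += [{"ts": 3.0 + i, "subtype": "probe_req", "src": "00:33:44:01:02:03", "dst": BROADCAST}
               for i in range(5)]
    return frames


if __name__ == "__main__":
    for alarm in run_detection(sample_frames()):
        print(alarm)
```

The per-destination keying is the design choice worth noting: the same burst of 25 authentication requests produces no alarm if counted per source, because each spoofed station sends only one frame. The `len(recent) == limit` test suppresses repeated alarms for the remainder of a burst; a production detector would also rate-limit re-firing once the window drains and refills.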