The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism.
aWIPS uses an advanced approach to wireless threat detection and performance management: an AP detects threats and generates
alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly
detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both wired and wireless networks
and use that network intelligence to analyze attacks from many sources, pinpoint them accurately, and prevent attacks proactively
rather than wait until damage or exposure has occurred.
- Authentication flood: A form of denial of service (DoS) attack that floods an AP's client-state table (association table) by imitating
  many client stations (MAC address spoofing) and sending authentication requests to the AP. Upon reception of each individual
  authentication request, the target AP creates a client entry in State 1 of the association table. If open system authentication
  is used for the AP, the AP returns an authentication success frame and moves the client to State 2. If Shared Key Authentication
  (SHA) is used for the AP, the AP sends an authentication challenge to the attacker's imitated client, which does not respond, and
  the AP keeps the client in State 1. In either scenario, the AP holds multiple clients hanging in State 1 or State 2, which fills
  up the AP association table. When the table reaches its limit, legitimate clients are not able to authenticate and associate
  with this AP.
- Association flood: A form of DoS attack that aims to exhaust an AP's resources, particularly the client association table, by
  flooding the AP with many spoofed client associations. An attacker exploiting this weakness emulates many clients to flood the
  target AP's client association table. When the client association table overflows, legitimate clients cannot get associated.
- CTS Flood: A form of DoS attack in which a specific device sends CTS control frames in bulk to wireless devices sharing the same
  RF medium, blocking those devices from using the RF medium until the CTS flood stops.
- RTS Flood: A form of DoS attack in which a specific device sends RTS control frames in bulk to an AP to block wireless bandwidth,
  leading to performance disturbance for clients on that AP.
- Broadcast Probe: A form of DoS attack in which a specific device tries to flood a managed AP with broadcast probe requests.
- Disassociation Flood: A form of DoS attack that aims to send an AP's client to the unassociated or unauthenticated State 2 by
  spoofing disassociation frames from the AP to a client. With current client adapter implementations, this form of attack is
  effective and immediate in disrupting wireless services for this client. Typically, client stations reassociate to regain service
  until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep the client
  out of service.
- Disassociation Broadcast: A form of DoS attack in which a specific device sends broadcast disassociation frames to disconnect all
  clients. This attack aims to send an AP's clients to the unassociated or unauthenticated State 2 by spoofing disassociation frames
  from the AP to the broadcast address of all the clients. With current client adapter implementations, this form of attack
  immediately disrupts wireless services for multiple clients. Typically, client stations reassociate to regain service until the
  attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep all the clients out
  of service.
- Deauthentication flood: A form of DoS attack that aims to send an AP's client to the unassociated or unauthenticated State 1 by
  spoofing deauthentication frames from the AP to the client's unicast address. With current client adapter implementations, this
  form of attack immediately disrupts wireless services for the client. Typically, client stations reassociate and reauthenticate
  to regain service until the attacker sends another deauthentication frame. An attacker repeatedly spoofs the deauthentication
  frames to keep all the clients out of service.
- Deauthentication broadcast: A form of DoS attack that sends all the clients of an AP to the unassociated or unauthenticated State 1
  by spoofing deauthentication frames from the AP to the broadcast address. With current client adapter implementations, this form
  of attack immediately disrupts wireless services for multiple clients. Typically, client stations reassociate and reauthenticate
  to regain service until the attacker sends another deauthentication frame.
- EAPOL logoff flood: A form of DoS attack in which a specific device sends Extensible Authentication Protocol over LAN (EAPOL) logoff
  frames, which are used in WPA and WPA2 authentication, to cause a DoS. Because the EAPOL logoff frame is not authenticated, an
  attacker can potentially spoof this frame and log a user out from an AP, thus committing a DoS attack. The fact that the client is
  logged out from the AP is not obvious until the client attempts communication through the WLAN. Typically, the disruption is
  discovered and the client reassociates and authenticates automatically to regain the wireless connection. The attacker can
  continuously transmit the spoofed EAPOL-logoff frames.
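The flood signatures described on this page (authentication, association and reassociation floods that fill an AP's table from many spoofed client addresses; disassociation, deauthentication and EAPOL logoff floods that impersonate the AP or a client) share one observable: many frames of a single management subtype converging on, or claiming to come from, one AP within a short window. The Python below is an added example of how a monitor could flag that pattern over decoded frame records; it is not Cisco or aWIPS code. The record layout, the subtype names, the per-subtype thresholds and the sample capture are all constructed assumptions for the example.

```python
"""Sliding-window detector for 802.11 management-frame floods.

Added example, not aWIPS code. Assumes frames have already been decoded into
records (timestamp, subtype, source, destination) by a monitor-mode capture
tool; the subtype names and thresholds are illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    subtype: str   # "auth", "assoc_req", "reassoc_req", "eapol_logoff", "deauth", "disassoc"
    src: str       # transmitter address as seen on the air
    dst: str       # receiver address


# Rule table (assumption): subtype -> (field naming the AP under attack,
# frames per window that trigger an alert, window length in seconds).
# Table-filling floods converge on the AP as *destination* from many spoofed
# client addresses; deauth/disassoc floods impersonate the AP as *source*
# toward one client or toward the broadcast address.
RULES = {
    "auth":         ("dst", 20, 1.0),
    "assoc_req":    ("dst", 20, 1.0),
    "reassoc_req":  ("dst", 20, 1.0),
    "eapol_logoff": ("dst", 10, 1.0),
    "deauth":       ("src", 10, 1.0),
    "disassoc":     ("src", 10, 1.0),
}


@dataclass(frozen=True)
class Alert:
    subtype: str
    ap: str
    count: int       # frames in the window when the alert fired
    peers: int       # distinct client addresses involved
    broadcast: bool  # True when the flood addressed all clients at once


def detect_floods(frames):
    """Run the sliding-window rules over frames and return the alerts raised.

    One alert is raised per (subtype, AP) the first time its window exceeds
    the limit; the window keeps being tracked afterwards but is not re-alerted.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        rule = RULES.get(f.subtype)
        if rule is None:
            continue  # data/control frames and other subtypes are not rated here
        ap_field, limit, span = rule
        ap = f.dst if ap_field == "dst" else f.src
        key = (f.subtype, ap)
        window = windows[key]
        window.append(f)
        while f.ts - window[0].ts > span:   # drop frames older than the window
            window.popleft()
        if len(window) > limit and key not in alerted:
            alerted.add(key)
            peers = {x.src if ap_field == "dst" else x.dst for x in window}
            alerts.append(Alert(f.subtype, ap, len(window), len(peers), BROADCAST in peers))
    return alerts


def sample_capture():
    """Constructed capture (not real traffic): three normal joins, an
    authentication flood from spoofed client MACs, and a deauthentication
    broadcast flood that impersonates the AP."""
    ap = "00:11:22:33:44:55"
    frames = []
    for i in range(3):   # benign: one authentication every three seconds
        frames.append(Frame(i * 3.0, "auth", f"aa:bb:cc:00:00:{i:02x}", ap))
    for i in range(25):  # 25 spoofed stations authenticate within half a second
        frames.append(Frame(20.0 + i * 0.02, "auth", f"de:ad:be:ef:00:{i:02x}", ap))
    for i in range(15):  # 15 deauth frames "from" the AP to every client
        frames.append(Frame(30.0 + i * 0.02, "deauth", ap, BROADCAST))
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

Keying each rule on the AP rather than on the transmitter is what makes the table-filling floods visible: every spoofed station is a different source, so a per-source counter never trips, while the AP's destination counter and the `peers` count climb together. For the deauthentication and disassociation cases the `broadcast` flag distinguishes the broadcast variant from the unicast one aimed at a single client.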
- Airdrop Session: An AirDrop session attack happens when AirDrop, an Apple feature, is used to set up a peer-to-peer link for file
  sharing. This potentially creates a security risk because an unauthorized peer-to-peer network is dynamically created in your
  WLAN environment.
- Authentication Failure Flood: An authentication failure flood attack happens when a specific device tries to flood the AP with
  invalid authentication requests spoofed from a valid client, leading to the disconnection of that client.
- Beacon Flood: A form of DoS attack that allows an attacker to inhibit wireless activity for the entire enterprise infrastructure by
  preventing new associations between valid APs and stations. During a beacon flood attack, stations that are actively seeking a
  network are bombarded with beacons from networks generated using different MAC addresses and SSIDs. This flood can prevent a
  valid client from detecting the beacons sent by the corporate APs, and hence a denial of service attack is initiated.
- Block Ack Flood: A form of DoS attack that allows an attacker to prevent an 802.11n AP from receiving frames from a specific valid
  corporate client. With the introduction of the 802.11n standard, a transaction mechanism was introduced that allows a client to
  transmit a large block of frames at once, rather than dividing them up into segments. In order to initiate this exchange, the
  client sends an Add Block Acknowledgment (ADDBA) to the AP, which contains sequence numbers to inform the AP of the size of the
  block being transmitted. The AP then accepts all frames that fall within the specified sequence (consequently dropping any frames
  that fall outside of the range) and transmits a BlockACK message back to the client when the transaction has been completed.
- EAPOL-Start V1 Flood: An EAPOL-Start flood is when an attacker attempts to bring down an AP by flooding it with EAPOL-Start frames
  to exhaust the AP's internal resources.
- Fuzzed Beacon: A fuzzed beacon is when invalid, unexpected, or random data is introduced into a beacon and the modified frames are
  replayed into the air. This can cause unexpected behavior on the destination device, including driver crashes, operating system
  crashes, and stack-based overflows that would allow execution of arbitrary code on the affected system.
- Fuzzed Probe Request: A fuzzed probe request is when invalid, unexpected, or random data is introduced into a probe request and the
  modified frames are replayed into the air.
- Fuzzed Probe Response: A fuzzed probe response is when invalid, unexpected, or random data is introduced into a probe response and
  the modified frames are replayed into the air.
- Invalid MAC OUI Frame: An invalid MAC OUI frame is when a spoofed MAC address that does not have a valid OUI is used.
- Malformed Association Request: A malformed association request is when an attacker sends a malformed association request that can
  trigger a bug in the AP, leading to denial of service.
- Malformed Authentication: A malformed authentication is when an attacker sends malformed authentication frames that can expose
  vulnerabilities in some drivers.
- Probe Response Flood: A form of DoS attack that allows the attacker to prevent a station from associating to a valid corporate AP.
  In a typical wireless transaction, when a station wishes to associate to an AP, it transmits a probe request to obtain information
  about the AP's network. The station then waits for the resulting probe response frame from the AP. An attacker can take advantage
  of this process by flooding the environment with invalid probe responses, thus preventing the station from receiving the response
  from the valid AP. As a result, the station is rendered unable to connect to the wireless network, and a denial of service attack
  is initiated.
- PS Poll Flood: A PS-Poll flood is when a potential hacker spoofs the MAC address of a wireless client and sends out a flood of PS-Poll
  frames. The AP then sends out the buffered data frames to the wireless client, which leads to the client missing the data frames
  because it may be in power save mode.
- Reassociation Request Flood: A form of DoS attack that exhausts an AP's resources, particularly the client association table, by
  flooding the AP with a large number of emulated and spoofed client reassociations. Once the client association table overflows,
  legitimate clients are not able to get associated, causing a DoS attack.
- Targeted Deauthentication: There is visibility into both the source and destination of attacks for enhanced context of the threat.
- CTS Virtual Carrier Sense Attack: A form of DoS attack in which the MAC address of an 802.11n AP is spoofed so that CTS frames with
  large duration values appear to come from the AP, preventing channel access to legitimate users.
- RTS Virtual Carrier Sense Attack: A form of DoS attack in which the MAC address of an 802.11n AP is spoofed so that RTS frames with
  large duration values appear to come from the AP, preventing channel access to legitimate users.
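The two virtual carrier sense items describe one mechanism: an RTS or CTS whose Duration field is large makes every station that hears it defer (set its NAV) for that long, and the CTS and RTS flood items are the same abuse carried out by volume rather than by a single large value. The Python below is an added example, not Cisco or aWIPS code, of a check a monitor could run on decoded control frames: flag any single reservation above a ceiling, and flag a transmitter whose reservations add up to more than a budget within a one-second slot, so that both the oversized-duration and the flood variants are caught. The record layout, the thresholds and the sample capture are constructed assumptions; the 32767 microsecond figure is the largest value the 15-bit Duration field can carry.

```python
"""Virtual carrier-sense (NAV) abuse check for RTS/CTS control frames.

Added example, not aWIPS code. Assumes control frames arrive as decoded
records carrying their Duration/ID field in microseconds; the per-frame
ceiling and the per-second airtime budget are illustrative tuning values.
"""
from collections import defaultdict
from dataclasses import dataclass

# A Duration value occupies 15 bits, so 32767 us is the largest a frame can carry.
MAX_DURATION_US = 32767
# Assumption: a single RTS/CTS reserving more than this is suspicious on its own ...
MAX_SINGLE_US = 8000
# ... and a transmitter whose reservations add up to more than this share of a
# one-second slot is starving everyone else on the channel.
BUDGET_FRACTION = 0.5


@dataclass(frozen=True)
class CtrlFrame:
    ts: float      # capture time in seconds
    kind: str      # "rts" or "cts"
    src: str       # transmitter address (the AP's address when it is being spoofed)
    duration: int  # Duration/ID field in microseconds


@dataclass(frozen=True)
class NavAlert:
    src: str
    reason: str       # "oversized_duration" or "airtime_budget"
    second: int       # one-second slot in which the rule fired
    reserved_us: int  # the offending value: one frame's duration, or the slot total


def check_nav_abuse(frames):
    """Return one NavAlert per (source, second, reason) that trips a rule."""
    alerts = []
    reserved = defaultdict(int)   # (src, second) -> microseconds reserved so far
    flagged = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind not in ("rts", "cts") or not 0 <= f.duration <= MAX_DURATION_US:
            continue   # ignore anything that is not a well-formed RTS/CTS
        slot = (f.src, int(f.ts))
        if f.duration > MAX_SINGLE_US and (slot, "oversized_duration") not in flagged:
            flagged.add((slot, "oversized_duration"))
            alerts.append(NavAlert(f.src, "oversized_duration", slot[1], f.duration))
        reserved[slot] += f.duration
        if reserved[slot] > BUDGET_FRACTION * 1_000_000 and (slot, "airtime_budget") not in flagged:
            flagged.add((slot, "airtime_budget"))
            alerts.append(NavAlert(f.src, "airtime_budget", slot[1], reserved[slot]))
    return alerts


def sample_control_frames():
    """Constructed capture (not real traffic)."""
    good, bad = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    frames = []
    for i in range(100):  # benign: an RTS every 10 ms reserving 300 us (~3% of the second)
        frames.append(CtrlFrame(1.0 + i * 0.01, "rts", good, 300))
    for i in range(50):   # attack A: CTS at the maximum Duration, 50 times in second 5
        frames.append(CtrlFrame(5.0 + i * 0.02, "cts", bad, MAX_DURATION_US))
    for i in range(200):  # attack B: each CTS under the ceiling, but 200 of them in second 8
        frames.append(CtrlFrame(8.0 + i * 0.005, "cts", bad, 7000))
    return frames


if __name__ == "__main__":
    for alert in check_nav_abuse(sample_control_frames()):
        print(alert)
```

The per-frame ceiling catches the virtual carrier sense variant on its first frame, while the per-slot budget is what catches the flood variant, where every individual reservation looks plausible. A production monitor would attribute the spoofed source to the real AP it impersonates and would tune both thresholds to the channel's normal RTS/CTS usage rather than to the fixed values used here.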