56Flood attack detectionA flood attack refers to the case where WLAN devices receive large volumes of frames of the samekind within a short span of time. When this occurs, the WLAN devices are overwhelmed.Consequently, they are unable to service normal clients.WIDS attacks detection counters flood attacks by constantly keeping track of the density of trafficgenerated by each device. When the traffic density of a device exceeds the limit, the device isconsidered flooding the network and, if the dynamic blacklist feature is enabled, is added to theblacklist and forbidden to access the WLAN for a period of time.WIDS inspects the following types of frames:• Authentication requests and de-authentication requests• Association requests, disassociation requests and reassociation requests• Probe requests• 802.11 null data frames• 802.11 action frames.Spoofing attack detectionIn this kind of attack, a potential attacker can send frames in the air on behalf of another device. Forinstance, a client in a WLAN has been associated with an AP and operates correctly. In this case, aspoofed de-authentication frame can cause a client to get de-authenticated from the network andcan affect the normal operation of the WLAN.At present, spoofing attack detection counters this type of attack by detecting broadcastde-authentication and disassociation frames sent on behalf of an AP. When such a frame is received,it is identified as a spoofed frame, and the attack is immediately logged.Weak IV detectionWEP uses an IV to encrypt each frame. An IV and a key are used to generate a key stream, and thusencryptions using the same key have different results. When a WEP frame is sent, the IV used inencrypting the frame is also sent as part of the frame header.However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for allframes, the shared secret key might be exposed to any potential attackers. When the shared secretkey is compromised, the attacker can access network resources.Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with aweak IV is detected, it is immediately logged.Blacklist and white listYou can configure the blacklist and white list functions to filter frames from WLAN clients andimplement client access control.WLAN client access control is accomplished through the following types of lists.• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is used, only permitted clients can access the WLAN, and all frames from other clients arediscarded.• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. Thislist is manually configured.• Dynamic blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. Aclient is dynamically added to the list if it is considered sending attacking frames until the timerof the entry expires.When an AP receives an 802.11 frame, it checks the source MAC address of the frame andprocesses the frame by following these rules: