638 Rogue detection and counter measuresNN47250-500 (320657-F Version 02.01)Disabling or reenabling logging of roguesBy default, a WSS generates a log message when a rogue is detected or disappears. To disable or reenable the logmessages, use the following command:set rfdetect log {enable | disable}To display log messages on a switch, use the following command:show log buffer(This command has optional parameters. For complete syntax information, see the Nortel WLAN Security Switch 2300Series Command Line Reference.)Enabling rogue and countermeasures notificationsBy default, all SNMP notifications (informs or traps) are disabled. To enable or disable notifications for rogue detection,Intrusion Detection System (IDS), and Denial of Service (DoS) protection, configure a notification profile that sends allthe notification types for these features. (For syntax information and an example, see “Configuring a notification profile”(page 158).)IDS and DoS alertsWSS Software can detect illegitimate network access attempts and attempts to disrupt network service. In response,WSS Software generates messages and SNMP notifications. The following sections describe the types of attacks andsecurity risks that WSS Software can detect.For examples of the log messages that WSS Software generates when DoS attacks or other security risks are detected,see “IDS log message examples” (page 641).For information about the notifications, see “Configuring a notification profile” (page 158).Flood attacksA flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelmthe resources of other wireless devices by continuously injecting management frames into the air. For example, a rogueclient can repeatedly send association requests to try to overwhelm APs that receive the requests.The threshold for triggering a flood message is 100 frames of the same type from the same MAC address, within aone-second period. If WSS Software detects more than 100 of the same type of wireless frame within one second, WSSSoftware generates a log message. The message indicates the frame type, the MAC address of the sender, the listener(AP and radio), channel number, and RSSI.Note. To detect DoS attacks, Scheduled RF Scanning must be enabled. (See “Disablingor reenabling Scheduled RF Scanning” (page 637).)