Rogue detection and counter measures 639Nortel WLAN—Security Switch 2300 Series Configuration GuideDoS attacksWhen Scheduled RF Scanning is enabled on APs, WSS Software can detect the following types of DoS attacks:• RF Jamming—The goal of an RF jamming attack is to take down an entire WLAN by overwhelming the radioenvironment with high-power noise. A symptom of an RF jamming attack is excessive interference. If an AP radiodetects excessive interference on a channel, and Auto-RF is enabled, WSS Software changes the radio to a differentchannel.• Deauthenticate frames—Spoofed deauthenticate frames form the basis for most DoS attacks, and are the basis forother types of attacks including man-in-the-middle attacks. The source MAC address is spoofed so that clients thinkthe packet is coming from a legitimate AP. If an AP detects a packet with its own source MAC address, the APknows that the packet was spoofed.• Broadcast deauthenticate frames—Similar to the spoofed deauthenticate frame attack above, a broadcastdeauthenticate frame attack generates spoofed deauthenticate frames, with a broadcast destination address insteadof the address of a specific client. The intent of the attack is to disconnect all stations attached to an AP.• Disassociation frames—A disassociation frame from an AP instructs the client to end its association with the AP.The intent of this attack is to disconnect clients from the AP.• Null probe responses—A client’s probe request frame is answered by a probe response containing a null SSID.Some NIC cards lock up upon receiving such a probe response.• Decrypt errors—An excessive number of decrypt errors can indicate that multiple clients are using the same MACaddress. A device’s MAC address is supposed to be unique. Multiple instances of the same address can indicate thata rogue device is pretending to be a legitimate device by spoofing its MAC address.• Fake AP—A rogue device sends beacon frames for randomly generated SSIDs or BSSIDs. This type of attack cancause clients to become confused by the presence of so many SSIDs and BSSIDs, and thus interferes with theclients’ ability to connect to valid APs. This type of attack can also interfere with Auto-RF when an AP is trying toadjust to its RF neighborhood.• SSID masquerade—A rogue device pretends to be a legitimate AP by sending beacon frames for a valid SSIDserviced by APs in your network. Data from clients that associate with the rogue device can be accessed by thehacker controlling the rogue device.• Spoofed AP—A rogue device pretends to be a Nortel AP by sending packets with the source MAC address of theNortel AP. Data from clients that associate with the rogue device can be accessed by the hacker controlling therogue device.Netstumbler and Wellenreiter applicationsNetstumbler and Wellenreiter are widely available applications that hackers can use to gather information about the APsin your network, including location, manufacturer, and encryption settings.Note. WSS Software detects a spoofed AP attack based on the fingerprint ofthe spoofed AP. Packets from the real AP have the correct signature, whilespoofed packets lack the signature. (See “Enabling AP signatures” (page 637).)