ids dos-profile
ids dos-profile <profile-name>
ap-flood-inc-time <ap-flood-inc-time>
ap-flood-quiet-time <ap-flood-quiet-time>
ap-flood-threshold <ap-flood-threshold>
assoc-rate-thresholds <assoc-rate-thresholds>
auth-rate-thresholds <auth-rate-thresholds>
block-ack-dos-quiet-time <block-ack-dos-quiet-time>
chopchop-quiet-time <chopchop-quiet-time>
client-ht-40mhz-intol-quiet-time <client-ht-40mhz-intol-quiet-time>
client-flood-inc-time <client-flood-inc-time>
client-flood-quiet-time <client-flood-quiet-time>
client-flood-threshold <client-flood-threshold>
clone <source>
cts-rate-quiet-time <cts-rate-quiet-time>
cts-rate-threshold <cts-rate-threshold>
cts-rate-time-interval <cts-rate-time-interval>
deauth-rate-thresholds <deauth-rate-thresholds>
detect-ap-flood
detect-block-ack-dos
detect-chopchop-attack
detect-client-flood
detect-cts-rate-anomaly
detect-disconnect-sta
detect-eap-rate-anomaly
detect-fata-jack-attack
detect-ghosttunnel-client-attack
detect-ghosttunnel-server-attack
detect-ht-40mhz-intolerance
detect-invalid-address
detect-malformed-association-request
detect-malformed-auth-frame
detect-malformed-htie
detect-malformed-large-duration
detect-omerta-attack
detect-overflow-eapol-key
detect-overflow-ie
detect-power-save-dos-attack
detect-rate-anomalies
detect-rts-rate-anomaly
detect-tkip-replay-attack
detect-wpa-ft-attack
disassoc-rate-thresholds <disassoc-rate-thresholds>
disconnect-deauth-disassoc-threshold <disconnect-deauth-disassoc-threshold>
disconnect-sta-assoc-resp-threshold <disconnect-sta-assoc-resp-threshold>
disconnect-sta-quiet-time <disconnect-sta-quiet-time>
eap-rate-quiet-time <eap-rate-quiet-time>
eap-rate-threshold <eap-rate-threshold>
eap-rate-time-interval <eap-rate-time-interval>
fata-jack-quiet-time <fata-jack-quiet-time>
ghosttunnel-client-attack-interval <ghosttunnel-client-attack-interval>
ghosttunnel-client-attack-threshold <ghosttunnel-client-attack-threshold>
ghosttunnel-client-quiet-time <ghosttunnel-client-quiet-time>
ghosttunnel-server-attack-interval <ghosttunnel-server-attack-interval>
ghosttunnel-server-attack-threshold <ghosttunnel-server-attack-threshold>
ghosttunnel-server-quiet-time <ghosttunnel-server-quiet-time>
invalid-address-combination-quiet-time <invalid-address-combination-quiet-time>
malformed-association-request-quiet-time <malformed-association-request-quiet-time>
malformed-auth-frame-quiet-time <malformed-auth-frame-quiet-time>
malformed-htie-quiet-time <malformed-htie-quiet-time>
malformed-large-duration-quiet-time <malformed-large-duration-quiet-time>
no
omerta-quiet-time <omerta-quiet-time>
omerta-threshold <omerta-threshold>
overflow-eapol-key-quiet-time <overflow-eapol-key-quiet-time>
overflow-ie-quiet-time <overflow-ie-quiet-time>
power-save-dos-min-frames <power-save-dos-min-frames>
power-save-dos-quiet-time <power-save-dos-quiet-time>
power-save-dos-threshold <power-save-dos-threshold>
probe-request-rate-thresholds <probe-request-rate-thresholds>
probe-response-rate-thresholds <probe-response-rate-thresholds>
rts-rate-quiet-time <rts-rate-quiet-time>
rts-rate-threshold <rts-rate-threshold>
rts-rate-time-interval <rts-rate-time-interval>
tkip-replay-quiet-time <tkip-replay-quiet-time>
wpa-ft-quiet-time <wpa-ft-quiet-time>
wpa-ft-threshold <wpa-ft-threshold>
wpa-ft-time-interval <wpa-ft-time-interval>
Description
This command configures detection of the traffic anomalies that indicate DoS attacks. DoS attacks are designed to prevent or inhibit legitimate clients from accessing the network. This includes blocking network access completely, degrading network service, and increasing the processing load on clients and network equipment.
Parameter | Description | Range | Default
--- | --- | --- | ---
<profile-name> | Name of the IDS DoS profile. | 1-63 characters | “default”
ap-flood-inc-time <ap-flood-inc-time> | Time, in seconds, during which the AP count is over the threshold (AP flood). | 0-36000 seconds | 3600 seconds
ap-flood-quiet-time <ap-flood-quiet-time> | After an alarm has been triggered by an AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered. | 60-360000 seconds | 900 seconds
ap-flood-threshold <ap-flood-threshold> | Threshold for the number of spurious APs in the system. | 0-100000 | 50
assoc-rate-thresholds <assoc-rate-thresholds> | Rate threshold for association request frames. | |
auth-rate-thresholds <auth-rate-thresholds> | Rate threshold for authentication frames. | |
block-ack-dos-quiet-time <block-ack-dos-quiet-time> | Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged Block ACK Add. | 60-360000 seconds | 900 seconds
chopchop-quiet-time <chopchop-quiet-time> | Time to wait, in seconds, after detecting a ChopChop attack before the check is resumed. | 60-360000 seconds | 900 seconds
client-ht-40mhz-intol-quiet-time <client-ht-40mhz-intol-quiet-time> | Quiet time, in seconds, for detection of the 802.11n 40 MHz intolerance setting: how long to wait before intolerant STAs stop being reported if they have not been detected again. | 60-360000 seconds | 900 seconds
client-flood-inc-time <client-flood-inc-time> | Number of consecutive seconds over which the client count is more than the threshold. | 0-36000 seconds | 3 seconds
client-flood-quiet-time <client-flood-quiet-time> | Time to wait, in seconds, after detecting a client flood before continuing the check. | 60-360000 seconds | 900 seconds
client-flood-threshold <client-flood-threshold> | Threshold for the number of spurious clients in the system. | 0-100000 | 150
clone <source> | Copies data from another IDS Denial of Service profile. | |
cts-rate-quiet-time <cts-rate-quiet-time> | Time to wait, in seconds, after detecting a CTS rate anomaly before the check is resumed. | 60-360000 seconds | 900 seconds
cts-rate-threshold <cts-rate-threshold> | Number of CTS control packets over the time interval that constitutes an anomaly. | 0-100000 | 5000
cts-rate-time-interval <cts-rate-time-interval> | Time interval, in seconds, over which the packet count is checked. | 1-120 seconds | 5 seconds
deauth-rate-thresholds <deauth-rate-thresholds> | Rate threshold for deauthentication frames. | |
detect-ap-flood | Enables or disables detection of AP flood attacks. | | disabled
detect-block-ack-dos | Enables or disables detection of attempts to reset traffic receive windows using forged Block ACK Add messages. | | enabled
detect-chopchop-attack | Enables or disables detection of ChopChop attacks. | | disabled
detect-client-flood | Enables or disables detection of client flood attacks. | | disabled
detect-cts-rate-anomaly | Enables or disables detection of CTS rate anomalies. | | disabled
detect-disconnect-sta | Enables or disables detection of station disconnection attacks. In a station disconnection attack, an attacker spoofs the MAC address of either an active client or an active AP and sends deauthentication frames to the target device, causing it to lose its active association. | | enabled
detect-eap-rate-anomaly | Enables or disables detection of EAP handshake rate anomalies. | | disabled
detect-fata-jack-attack | Enables or disables detection of FATA-Jack attacks. | | enabled
detect-ghosttunnel-client-attack | Enables or disables detection of ghost tunnel client attacks. | | disabled
detect-ghosttunnel-server-attack | Enables or disables detection of ghost tunnel server attacks. | | disabled
detect-ht-40mhz-intolerance | Enables or disables detection of the 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance are reported. | | disabled
detect-invalid-address | Enables or disables detection of invalid address combinations. | | disabled
detect-malformed-association-request | Enables or disables detection of malformed association requests. | | disabled
detect-malformed-auth-frame | Enables or disables detection of malformed authentication frames. | | disabled
detect-malformed-htie | Enables or disables detection of malformed HT IEs. | | disabled
detect-malformed-large-duration | Enables or disables detection of unusually large duration values in frames. | | enabled
detect-omerta-attack | Enables or disables detection of Omerta attacks. | | enabled
detect-overflow-eapol-key | Enables or disables detection of overflow EAPOL key requests. | | disabled
detect-overflow-ie | Enables or disables detection of overflow IEs. | | disabled
detect-power-save-dos-attack | Enables or disables detection of Power Save DoS attacks. | | enabled
detect-rate-anomalies | Enables or disables detection of rate anomalies. | | disabled
detect-rts-rate-anomaly | Enables or disables detection of RTS rate anomalies. | | disabled
detect-tkip-replay-attack | Enables or disables detection of TKIP replay attacks. | | disabled
detect-wpa-ft-attack | Enables or disables detection of WPA FT attacks. | | disabled
disassoc-rate-thresholds <disassoc-rate-thresholds> | Rate threshold for disassociation frames. | |
disconnect-deauth-disassoc-threshold <disconnect-deauth-disassoc-threshold> | Number of deauthentication or disassociation frames seen in an interval of 10 seconds. | 1-50 | 8
disconnect-sta-assoc-resp-threshold <disconnect-sta-assoc-resp-threshold> | Number of successful Association Response or Reassociation Response frames seen in an interval of 10 seconds. | 1-30 | 5
disconnect-sta-quiet-time <disconnect-sta-quiet-time> | After a station disconnection attack is detected, the time, in seconds, that must elapse before the check is resumed. | 60-360000 seconds | 900 seconds
eap-rate-quiet-time <eap-rate-quiet-time> | After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before the check is resumed. | 60-360000 seconds | 900 seconds
eap-rate-threshold <eap-rate-threshold> | Number of EAP handshakes that must be received within the EAP rate time interval to trigger an alarm. | 0-100000 | 60
eap-rate-time-interval <eap-rate-time-interval> | Time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm. | 1-120 seconds | 3 seconds
fata-jack-quiet-time <fata-jack-quiet-time> | Time to wait, in seconds, after detecting a FATA-Jack attack before the check is resumed. | 60-360000 seconds | 900 seconds
ghosttunnel-client-attack-interval <ghosttunnel-client-attack-interval> | Time interval, in seconds, over which the packet count is checked. | maximum 600 seconds | 60 seconds
ghosttunnel-client-attack-threshold <ghosttunnel-client-attack-threshold> | Number of probe request management packets for a fake AP over the time interval that constitutes a ghost tunnel attack. | maximum 100000 | 10
ghosttunnel-client-quiet-time <ghosttunnel-client-quiet-time> | Time to wait, in seconds, after detecting a ghost tunnel attack before the check is resumed. | minimum 60 seconds | 900 seconds
ghosttunnel-server-attack-interval <ghosttunnel-server-attack-interval> | Time interval, in seconds, over which the packet count is checked. | maximum 600 seconds | 60 seconds
ghosttunnel-server-attack-threshold <ghosttunnel-server-attack-threshold> | Number of beacon management packets for a fake AP over the time interval that constitutes a ghost tunnel attack. | maximum 10000 | 200
ghosttunnel-server-quiet-time <ghosttunnel-server-quiet-time> | Time to wait, in seconds, after detecting a ghost tunnel attack before the check is resumed. | minimum 60 seconds | 900 seconds
invalid-address-combination-quiet-time <invalid-address-combination-quiet-time> | Time to wait, in seconds, after detecting an invalid address combination before the check is resumed. | 60-360000 seconds | 900 seconds
malformed-association-request-quiet-time <malformed-association-request-quiet-time> | Time to wait, in seconds, after detecting a malformed association request before the check is resumed. | 60-360000 seconds | 900 seconds
malformed-auth-frame-quiet-time <malformed-auth-frame-quiet-time> | Time to wait, in seconds, after detecting a malformed authentication frame before the check is resumed. | 60-360000 seconds | 900 seconds
malformed-htie-quiet-time <malformed-htie-quiet-time> | Time to wait, in seconds, after detecting a malformed HT IE before the check is resumed. | 60-360000 seconds | 900 seconds
malformed-large-duration-quiet-time <malformed-large-duration-quiet-time> | Time to wait, in seconds, after detecting a large duration value in a frame before the check is resumed. | 60-360000 seconds | 900 seconds
no | Negates any configured parameter. | |
omerta-quiet-time <omerta-quiet-time> | Time to wait, in seconds, after detecting an Omerta attack before the check is resumed. | 60-360000 seconds | 900 seconds
omerta-threshold <omerta-threshold> | Disassociation packets received by a station as a percentage of the number of data packets it sent, in an interval of 10 seconds. | 1-100% | 10%
overflow-eapol-key-quiet-time <overflow-eapol-key-quiet-time> | Time to wait, in seconds, after detecting an overflow EAPOL key request before the check is resumed. | 60-360000 seconds | 900 seconds
overflow-ie-quiet-time <overflow-ie-quiet-time> | Time to wait, in seconds, after detecting an overflow IE before the check is resumed. | 60-360000 seconds | 900 seconds
power-save-dos-min-frames <power-save-dos-min-frames> | Minimum number of Power Management OFF packets that must be seen from a station, in intervals of 10 seconds, for the Power Save DoS check to be performed. | 1-1000 | 120
power-save-dos-quiet-time <power-save-dos-quiet-time> | Time to wait, in seconds, after detecting a Power Save DoS attack before the check is resumed. | 60-360000 seconds | 900 seconds
power-save-dos-threshold <power-save-dos-threshold> | Power Management ON packets sent by a station as a percentage of the Power Management OFF packets it sent, in intervals of 10 seconds, that triggers this event. | 1-100% | 80%
probe-request-rate-thresholds <probe-request-rate-thresholds> | Rate threshold for probe request frames. | |
probe-response-rate-thresholds <probe-response-rate-thresholds> | Rate threshold for probe response frames. | |
rts-rate-quiet-time <rts-rate-quiet-time> | Time to wait, in seconds, after detecting an RTS rate anomaly before the check is resumed. | 60-360000 seconds | 900 seconds
rts-rate-threshold <rts-rate-threshold> | Number of RTS control packets over the time interval that constitutes an anomaly. | 0-100000 | 5000
rts-rate-time-interval <rts-rate-time-interval> | Time interval, in seconds, over which the packet count is checked. | 1-120 seconds | 5 seconds
tkip-replay-quiet-time <tkip-replay-quiet-time> | Time to wait, in seconds, after detecting a TKIP replay attack before the check is resumed. | 60-360000 seconds | 900 seconds
wpa-ft-quiet-time <wpa-ft-quiet-time> | Time to wait, in seconds, after detecting a WPA FT attack before the check is resumed. | 60-360000 seconds | 900 seconds
wpa-ft-threshold <wpa-ft-threshold> | Number of reassociation management packets for a particular client over the time interval that constitutes a WPA FT attack. | 0-100000 | 45
wpa-ft-time-interval <wpa-ft-time-interval> | Time interval, in seconds, over which the packet count is checked. | 1-120 seconds | 60 seconds
Example
The following commands enable AP flood detection in the DoS profile named “floor2”:
(host) [mynode] (config) #ids dos-profile floor2
(host) [mynode] (IDS Denial Of Service Profile "floor2") detect-ap-flood
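The rate-anomaly parameters in the table above (cts-rate-*, rts-rate-*, eap-rate-*, wpa-ft-*) all follow one pattern: a frame count over a sliding time interval that, once it reaches the threshold, raises an alarm and then suspends the check for the quiet time. The following added Python model illustrates that pattern with the page's CTS defaults; it is a constructed example, not AOS code, and the inclusive threshold and exact window handling are assumptions.

```python
"""Constructed model of the threshold / time-interval / quiet-time pattern shared by the
rate-anomaly checks in this profile (cts-rate-*, rts-rate-*, eap-rate-*, wpa-ft-*).
Illustration only, not AOS code; the inclusive threshold and exact window rules are assumptions."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateAnomalyDetector:
    threshold: int      # frames per interval that constitute an anomaly (e.g. cts-rate-threshold)
    interval: float     # sliding window length in seconds (e.g. cts-rate-time-interval)
    quiet_time: float   # suppression period in seconds after an alarm (e.g. cts-rate-quiet-time)
    alarms: list = field(default_factory=list)
    _window: deque = field(default_factory=deque, repr=False)
    _quiet_until: float = field(default=float("-inf"), repr=False)

    def observe(self, t: float) -> bool:
        """Record one frame seen at time t (seconds); return True if it raises an alarm."""
        if t < self._quiet_until:
            return False            # check suspended: an identical alarm is not re-raised
        self._window.append(t)
        # Drop frames that have fallen out of the sliding interval.
        while self._window and self._window[0] <= t - self.interval:
            self._window.popleft()
        if len(self._window) >= self.threshold:     # inclusive threshold (assumption)
            self.alarms.append(t)
            self._quiet_until = t + self.quiet_time
            self._window.clear()
            return True
        return False


def run_detector(frame_times, threshold, interval, quiet_time):
    """Feed sorted frame timestamps through one detector; return the alarm times."""
    det = RateAnomalyDetector(threshold, interval, quiet_time)
    for t in frame_times:
        det.observe(t)
    return det.alarms


def cts_burst_scenario():
    """Constructed CTS traffic against the page's defaults (5000 frames per 5 s, 900 s quiet):
    three bursts of 6000 CTS frames in 4 s each, starting at t=10, t=100 and t=1000."""
    times = []
    for start in (10.0, 100.0, 1000.0):
        times += [start + i * (4.0 / 6000) for i in range(6000)]
    # Two alarms are expected: the burst at t=100 falls inside the first alarm's quiet time.
    return run_detector(times, threshold=5000, interval=5, quiet_time=900)
```

Lowering the quiet time makes the second burst visible again, which is the trade-off the quiet-time parameters encode: fewer duplicate alarms against slower re-detection of a sustained attack.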
Related Command
Command | Description
--- | ---
 | Displays the IDS DoS profile.
Command History
Release | Modification
--- | ---
AOS 8.10.0.0 | The following parameters were added:
AOS 8.6.0.0 | Removed
AOS 8.2.0.0 | The following parameters were added:
AOS 8.0.0.0 | Command introduced.
Command Information
Platforms | License | Command Mode
--- | --- | ---
All platforms | Requires the RFprotect license. | Config mode on Mobility Conductor.