
Configuring WIDS Attack Detection and a Dynamic Blacklist

Context

To identify attacks on a WLAN in a timely manner, you can configure attack detection. Attack detection enables WLAN devices to detect attacks such as flood attacks, weak IV attacks, spoofing attacks, and brute force WPA-PSK/WPA2-PSK/WAPI-PSK/WEP-SK key cracking attacks, and to record information about the attacking devices. You can enable the dynamic blacklist function to handle flood attacks and brute force WPA-PSK/WPA2-PSK/WAPI-PSK/WEP-SK key cracking attacks, so that the WLAN devices automatically add the attacking devices to a dynamic blacklist and discard packets sent from the attacking devices.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Enable attack detection on radios in an AP group or on a specified AP radio.

    You can enable attack detection in the AP group radio view or AP radio view. The configuration in the AP group radio view takes effect on all AP radios in an AP group and that in the AP radio view takes effect only on a specified AP radio. The configuration in the AP radio view has a higher priority than that in the AP group radio view.

    • Enable attack detection on radios in an AP group.
      1. Run the ap-group name group-name command to enter the AP group view.
      2. Run the radio radio-id command to enter the radio view.
      3. Run the wids attack detect { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key } enable command to enable attack detection on radios in an AP group.

        By default, attack detection is enabled on radios in an AP group.

      4. Run the quit command to return to the AP group view.

    • Enable attack detection on a specified AP radio.
      1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
      2. Run the radio radio-id command to enter the radio view.
      3. Run the wids attack detect { all | flood | weak-iv | spoof | wpa-psk | wpa2-psk | wapi-psk | wep-share-key } enable command to enable attack detection on a specified AP radio.

        By default, attack detection is enabled on an AP radio.

      4. Run the quit command to return to the AP view.

  4. Run quit

    Return to the WLAN view.

  5. Run wids-profile name profile-name

    The WIDS profile view is displayed.

  6. Configure parameters according to the attack detection types enabled in step 3.

    • Flood attack detection

      1. Run the flood-detect interval interval command to set the flood attack detection interval.

        By default, the flood attack detection interval is 10 seconds.

      2. Run the flood-detect threshold threshold command to set the flood attack detection threshold.

        By default, the flood attack detection threshold is 500.

      3. Run the flood-detect quiet-time quiet-time-value command to set the quiet time for an AP to report the detected flood attacks to the AC.

        By default, the quiet time is 600 seconds for an AP to report the detected flood attacks to the AC.

    • Weak IV attack detection

      1. Run the weak-iv-detect quiet-time quiet-time-value command to set the quiet time for an AP to report the detected weak IV attacks to the AC.

        By default, the quiet time is 600 seconds for an AP to report the detected weak IV attacks to the AC.

    • Spoofing attack detection

      1. Run the spoof-detect quiet-time quiet-time-value command to set the quiet time for an AP to report the detected spoofing attacks to the AC.

        By default, the quiet time is 600 seconds for an AP to report the detected spoofing attacks to the AC.

    • Detection of brute force key cracking attacks

      1. Run the brute-force-detect interval interval command to set the interval for detecting brute force key cracking attacks.

        By default, the interval for brute force key cracking detection is 60 seconds.

      2. Run the brute-force-detect threshold threshold command to set the maximum number of key negotiation failures allowed within one brute force key cracking attack detection interval.

        By default, an AP allows a maximum of 20 key negotiation failures within a brute force key cracking attack detection period.

      3. Run the brute-force-detect quiet-time quiet-time-value command to set the quiet time for an AP to report the detected brute force key cracking attacks to the AC.

        By default, the quiet time for an AP to report brute force key attacks to an AC is 600 seconds.

  7. Run undo dynamic-blacklist disable

    The dynamic blacklist function is enabled.

    By default, the dynamic blacklist function is enabled.

    • The dynamic blacklist function takes effect only for flood attacks and brute force key cracking attacks.

    • The dynamic blacklist is saved on APs. After the dynamic blacklist function is enabled, the detected attacking devices are added to the dynamic blacklist. Within the aging time of the dynamic blacklist, the device discards packets sent from the blacklisted devices. You can run the dynamic-blacklist aging-time command to set the aging time of the dynamic blacklist.

    • When an AP is configured to work in monitor mode, the dynamic blacklist function does not take effect.
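The following Python model is an added illustration, not Huawei's implementation or code from this page: it shows how the flood-detect interval, threshold and quiet-time from step 6 combine with the dynamic blacklist from step 7 on the AP side. It assumes frames are counted per source MAC within each interval and uses an assumed 300-second aging time, since the page states no default for dynamic-blacklist aging-time; the MAC addresses and the traffic scenario are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class WidsProfile:
    # Page defaults; the page gives no aging-time default, so 300 s is an assumed value here
    flood_interval: int = 10      # flood-detect interval (seconds)
    flood_threshold: int = 500    # flood-detect threshold (frames per source per interval)
    flood_quiet_time: int = 600   # flood-detect quiet-time (seconds between reports to the AC)
    blacklist_aging: int = 300    # dynamic-blacklist aging-time (seconds, assumed value)
    dynamic_blacklist: bool = True  # state after "undo dynamic-blacklist disable"

@dataclass
class FloodDetector:
    profile: WidsProfile
    counts: dict = field(default_factory=lambda: defaultdict(int))  # frames per MAC this interval
    window_start: int = 0
    blacklist: dict = field(default_factory=dict)  # MAC -> time the entry ages out
    reports: list = field(default_factory=list)    # (time, MAC) reports sent to the AC

    def frame(self, now: int, src: str) -> str:
        """Handle one frame from src at time now; returns 'dropped', 'forwarded' or 'flagged'."""
        self.blacklist = {m: t for m, t in self.blacklist.items() if now < t}  # age out entries
        if src in self.blacklist:
            return "dropped"  # within aging time: packets from blacklisted devices are discarded
        if now - self.window_start >= self.profile.flood_interval:  # start a new interval
            self.counts.clear()
            self.window_start = now
        self.counts[src] += 1
        if self.counts[src] <= self.profile.flood_threshold:
            return "forwarded"
        # threshold exceeded: flood attack; report to the AC unless still within the quiet time
        last = max((t for t, m in self.reports if m == src), default=None)
        if last is None or now - last >= self.profile.flood_quiet_time:
            self.reports.append((now, src))
        if not self.profile.dynamic_blacklist:
            return "flagged"  # detected and reported, but the frames still pass
        self.blacklist[src] = now + self.profile.blacklist_aging
        return "dropped"

def simulate(profile=None) -> dict:
    det, tally = FloodDetector(profile or WidsProfile()), defaultdict(int)
    attacker, client = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
    for i in range(600):  # attacker bursts 600 frames over seconds 0-4; frame 501 trips the threshold
        tally[det.frame(i // 120, attacker)] += 1
    tally["client"] = det.frame(5, client)  # a normal client is unaffected by the attacker's entry
    tally["attacker_t100"] = det.frame(100, attacker)  # still inside the aging time
    for _ in range(501):  # second burst at t=400, after the entry aged out
        det.frame(400, attacker)
    tally["reports"] = len(det.reports)  # re-blacklisted, but not re-reported within the quiet time
    return dict(tally)
```

Running simulate() with the defaults forwards the first 500 attacker frames, drops the remaining 100 plus everything until the entry ages out, and reports the attacker to the AC once; with dynamic_blacklist=False the same frames are only flagged and keep passing.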

Copyright © Huawei Technologies Co., Ltd.