Information About Advanced WIPS
The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. The aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both wired and wireless networks and use that network intelligence to analyze attacks from multiple sources, so that you can accurately pinpoint and proactively prevent attacks rather than waiting until damage or exposure has occurred.
The following table shows the alarms introduced from Cisco IOS XE Bengaluru 17.5.1 onwards:
| Advanced WIPS Signature | Definition |
|---|---|
| Deauthentication Flood by Pair | In the enhanced threat context, both the source (attacker) and the destination (victim) of the attack are visible (Track by Pair). |
| Fuzzed Beacon | A fuzzed beacon is a beacon frame into which invalid, unexpected, or random data has been introduced, with the modified frames then replayed over the air. This causes unexpected behavior on the destination device, including driver crashes, operating system crashes, and stack-based overflows, which in turn can allow arbitrary code execution on the affected system. |
| Fuzzed Probe Request | A fuzzed probe request is a probe request into which invalid, unexpected, or random data has been introduced, with the modified frames then replayed over the air. |
| Fuzzed Probe Response | A fuzzed probe response is a probe response into which invalid, unexpected, or random data has been introduced, with the modified frames then replayed over the air. |
| PS Poll Flood by Signature | A PS poll flood is when a potential attacker spoofs the MAC address of a wireless client and sends out a flood of PS-Poll frames. The AP sends its buffered data frames to the wireless client, which misses them because it may be in power save mode. |
| Eapol Start V1 Flood by Signature | An Extensible Authentication Protocol over LAN (EAPOL) start flood is when an attacker attempts to bring down the AP by flooding it with EAPOL-Start frames to exhaust the AP's internal resources. |
| Reassociation Request Flood by Destination | A reassociation request flood is when a specific device tries to flood the AP with a large number of emulated and spoofed client reassociations to exhaust the AP's resources, particularly the client association table. When the client association table overflows, legitimate clients are unable to associate, resulting in a DoS attack. |
| Beacon Flood by Signature | A beacon flood is when stations actively searching for a network are bombarded with beacons from networks generated using different MAC addresses and SSIDs. This flood prevents a valid client from detecting the beacons sent by corporate APs, which in turn results in a DoS attack. |
| Probe Response Flood by Destination | A probe response flood is when a device tries to flood clients with a large number of spoofed probe responses appearing to come from the AP. This prevents clients from detecting the valid probe responses sent by the corporate APs. |
| Block Ack Flood by Signature | A block ack flood is when an attacker transmits an invalid Add Block Acknowledgement (ADDBA) frame to the AP while spoofing the MAC address of a valid client. This causes the AP to ignore any valid traffic transmitted from the client until the sequence reaches the invalid frame range. |
| Airdrop Session | An Airdrop session refers to the Apple feature called AirDrop. AirDrop is used to set up a peer-to-peer link for file sharing. This can create a security risk because unauthorized peer-to-peer networks are created dynamically in your WLAN environment. |
| Malformed Association Request | A malformed association request is when an attacker sends a malformed association request to trigger bugs in the AP. This results in a DoS attack. |
| Authentication Failure Flood by Signature | An authentication failure flood is when a specific device tries to flood the AP with invalid authentication requests spoofed from a valid client. This results in disconnection. |
| Invalid MAC OUI by Signature | Invalid MAC OUI is when a spoofed MAC address that does not have a valid OUI is used. |
| Malformed Authentication | Malformed authentication is when an attacker sends malformed authentication frames that can expose vulnerabilities in some drivers. |
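The signature names in the table end in "by Pair", "by Destination", or "by Signature", which describes the key the detector counts on: a source/destination address pair, the destination address alone, or the frame type alone regardless of addresses. The following detector is an added example illustrating that distinction, not Cisco's aWIPS code: the frame records, the thresholds, the one-second window, and the three sample signatures are constructed assumptions. It replays a constructed burst of deauthentication frames and a trickle of ordinary beacons and reports which alarm fires and for which key.

```python
"""Sliding-window flood detector illustrating the aWIPS tracking keys
("by Pair", "by Destination", "by Signature").  Added example, not the
aWIPS implementation; thresholds, window and frames are assumptions."""
from collections import defaultdict, deque

# 802.11 management frame subtype values used in this example (per IEEE 802.11).
DEAUTH = 0x0C
REASSOC_REQ = 0x02
BEACON = 0x08

# Hypothetical signature table: name -> (subtype, tracking key, frame threshold, window seconds).
# The threshold and window values are assumed for the example, not taken from aWIPS.
SIGNATURES = {
    "Deauthentication Flood by Pair": (DEAUTH, "pair", 30, 1.0),
    "Reassociation Request Flood by Destination": (REASSOC_REQ, "destination", 30, 1.0),
    "Beacon Flood by Signature": (BEACON, "signature", 50, 1.0),
}


def tracking_key(kind, frame):
    """Return the counter key for a frame under the given tracking mode."""
    if kind == "pair":            # attacker and victim are both visible in the alarm
        return (frame["src"], frame["dst"])
    if kind == "destination":     # counted per victim, whoever the sender claims to be
        return (frame["dst"],)
    return ()                     # "signature": one counter for all senders and receivers


class FloodDetector:
    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        # (signature name, key) -> timestamps of matching frames still inside the window
        self.windows = defaultdict(deque)
        self.alarmed = set()      # raise each (signature, key) alarm only once

    def observe(self, frame):
        """Feed one frame record; return the list of (signature, key) alarms raised now."""
        alarms = []
        for name, (subtype, kind, threshold, window) in self.signatures.items():
            if frame["subtype"] != subtype:
                continue
            key = tracking_key(kind, frame)
            q = self.windows[(name, key)]
            q.append(frame["t"])
            while q and frame["t"] - q[0] > window:   # drop frames older than the window
                q.popleft()
            if len(q) >= threshold and (name, key) not in self.alarmed:
                self.alarmed.add((name, key))
                alarms.append((name, key))
        return alarms


def run(frames):
    """Run the detector over a time-ordered list of frame records."""
    det = FloodDetector()
    raised = []
    for f in frames:
        raised.extend(det.observe(f))
    return raised


def sample_frames():
    """Constructed traffic: 40 deauthentication frames from one spoofed sender to one
    victim within 0.8 s, plus ordinary beacons from two APs (constructed addresses)."""
    sender = "02:00:00:aa:aa:aa"           # locally administered address, constructed
    victim = "3c:5a:b4:10:20:30"           # constructed client address
    ap1, ap2 = "00:11:22:33:44:55", "00:11:22:33:44:66"
    broadcast = "ff:ff:ff:ff:ff:ff"
    frames = [{"t": i * 0.02, "subtype": DEAUTH, "src": sender, "dst": victim}
              for i in range(40)]
    frames += [{"t": i * 0.1, "subtype": BEACON, "src": ap, "dst": broadcast}
               for i in range(10) for ap in (ap1, ap2)]
    frames.sort(key=lambda f: f["t"])
    return frames


if __name__ == "__main__":
    for name, key in run(sample_frames()):
        print(f"ALARM {name}: key={key}")
```

With the sample traffic only the pair-keyed deauthentication alarm fires, and it names both the sender and the victim; the twenty beacons from two legitimate APs stay well under the signature-wide threshold. Because the beacon signature is keyed on the frame type alone, fifty beacons from fifty different spoofed addresses inside one second would still trip it, which is exactly why that alarm is tracked "by Signature" rather than by source.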
The following table shows the alarms introduced prior to Cisco IOS XE Bengaluru 17.5.1:
| Advanced WIPS Signatures |
|---|
| Authentication Flood Alarm |
| Association Flood Alarm |
| Broadcast Probe Flood Alarm |
| Disassociation Flood Alarm |
| Broadcast Dis-Association Flood Alarm |
| De-Authentication Flood Alarm |
| Broadcast De-Authentication Flood Alarm |
| EAPOL-Logoff Flood Alarm |
| CTS Flood Alarm |
| RTS Flood Alarm |
Guidelines and Restrictions
- In the aWIPS profile, Cisco Aironet 1850 Series Access Points, Cisco Catalyst 9117 Series Access Points, and Cisco Catalyst 9130AX Series Access Points can detect an EAPOL logoff attack and raise alarms accordingly only while off-channel. They cannot detect an EAPOL logoff attack or raise alarms while on-channel.
- aWIPS profile download is not supported when Cisco Catalyst Center is configured using a fully qualified domain name (FQDN).