IDS DOS-PROFILE

IDS

IDS DOS-PROFILE

ap-flood-incime

ap-flood Quiet时间

ap-flood-threshold

联合利率阈值

auth-rate-thresholds

block-ack-dos-quiet-time

Chopchop-Quiet时间

client-ht-40mhz-intol-quiet-time

client-flood-inc-time

客户 - 豪华Quiet时间

客户 - 洪水阈值<客户 - 洪水阈值>

clone

cts-rate-quiet-time

cts-rate-threshold

cts-rate-time-interval

deauth-rate-thresholds

detect-ap-flood

检测障碍物

detect-chopchop-attack

detect-client-flood

detect-cts-rate-anomaly

detect-disconnect-sta

detect-eap-rate-anomaly

detect-fata-jack-attack

detect-ghosttunnel-client-attack

检测GhostTunnel-Server-攻击

检测HT-40MHz-Intererance

检测活气化地址

detect-malformed-association-request

detect-malformed-auth-frame

detect-malformed-htie

detect-malformed-large-duration

detect-omerta-attack

检测流动键

检测流出

检测功率弹药攻击

检测率 - 异常

detect-rts-rate-anomaly

detect-tkip-replay-attack

detect-wpa-ft-attack

disassoc-rate-thresholds

断开连接deauth-disassoc-threshold <断开连接 - deauth-disassoc-threshold>

脱节 - sta-assoc-resp-threshold

disconnect-sta-quiet-time

EAP-rate-Quiet时间

EAP率 - 阈值

eap-rate-time-interval

fata-jack-quiet-time

ghosttunnel-cantact-interval

ghosttunnel-client-attack-threshold

ghosttunnel-client-quiet time

ghosttunnel-server-attack-interval

GhostTunnel-Server-Attack-Threshold

ghosttunnel-server-quiet-time

无效的地址 - 分组Quiet时间<无效的 - 地址 - 构想 - Quiet-Quiet-time>

畸形 - 协会 - 要求 -安静的时光

畸形的frame-quiet时间<畸形的作者Quiet-Quiet-time>

畸形的htie-quiet时间<畸形htie-quiet time>

畸形的大型武器Quiet-Quiet <畸形的大型持续时间Quiet-Quiet-time>

Omerta-Quiet时间

omerta-threshold

溢出量表Quiet-Quiet-Quiet

溢出的时间

电力 - 驱动式速率框架

电力驱动器时间

电力驱动阈值

probe-request-rate-thresholds

探针响应利率阈值<探针 - 响应率 - 阈值>

RTS-rate-Quiet-Quiet

rts-rate-threshold

RTS利率时间间隔

tkip-Replay-Quiet

wpa-ft-Quiet时间

wpa-ft-threshold

wpa-ft时间间隔

Description

This command configures traffic anomalies for DoS attacks. DoS attacks are designed to prevent or inhibit legitimate clients from accessing the network. This includes blocking network access completely, degrading network service, and increasing processing load on clients and network equipment.

范围	Description
	Name of the IDS DoS profile. Range:1-63 characters 默认：“default”
ap-flood-incime	时间，在几秒钟内，在此期间，AP计数超过了阈值（AP洪水）。 Range:0-36000秒默认：3600 seconds
ap-flood-quiet-time	After an alarm has been triggered by an AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered. Range:60-360000秒默认：900秒
ap-flood-threshold	Threshold for the number of spurious APs in the system. Range:0-100,000 默认：50
阈值 <联合利率 - 阈值>	关联请求帧的费率阈值。
auth-rate-thresholds	身份验证帧的速率阈值。
block-ack-dos-quiet-time	Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged block ACK add. Range:60-360000秒默认：900秒
chopchop-quiet-time	Time to wait, in seconds, after detecting a ChopChop attack after which the check can be resumed. Range:60-360000秒默认：900秒
client-ht-40mhz-intol-quiet- time	Quiet time (when to stop reporting intolerant STAs if they have not been detected), in seconds, for detection of 802.11n 40 MHz intolerance setting. Range:60-360000秒默认：900秒
client-flood-inc-time	Number of consecutive seconds over which the client count is more than the threshold. Range:0-36000秒默认：3秒
客户 - 豪华Quiet时间	Time to wait, in seconds, after detecting a client flood before continuing the check. Range:60-360000秒默认：900秒
client-flood-threshold	Threshold for the number of spurious clients in the system. Range:0-100000 默认：150
clone	从另一个ID复制数据S Denial Of Service Profile.
cts-rate-quiet-time	Time to wait, in seconds, after detecting a CTS rate anomaly after which the check can be resumed. Range:60-360000秒默认：900秒
cts-rate-threshold	Number of CTS control packets over the time interval that constitutes an anomaly. Range:0-100000 默认：5000
cts-rate-time-interval	Time interval, in seconds, over which the packet count should be checked. Range:1-120秒默认：5秒
deauth-rate-thresholds	率阈值的阈值。
detect-ap-flood	启用或禁用AP洪水攻击的检测。默认：禁用
检测障碍物	启用或禁用检测尝试使用Forged Block ACK添加消息重置流量接收窗口的尝试。默认：enabled
detect-chopchop-attack	启用或禁用Chopchop攻击的检测。默认：禁用
detect-client-flood	Enables or disables detection of client flood attacks. 默认：禁用
detect-cts-rate-anomaly	Enables or disables detection of CTS rate anomalies. 默认：禁用
detect-disconnect-sta	在电台断开攻击中，攻击者欺骗了活动客户端或活动AP的MAC地址。然后，攻击者将非限化帧发送到目标设备，从而失去其主动关联。 Use this command to enable the detection of disconnect station attack. 默认：enabled
detect-eap-rate-anomaly	Enables or disables detection of the EAP handshake rate anomaly. 默认：禁用
detect-fata-jack-attack	Enables or disables detection of FATA-Jack attacks. 默认：enabled
detect-ghosttunnel-client-attack	启用或禁用幽灵隧道客户端攻击的检测。默认：禁用
检测GhostTunnel-Server-攻击	启用或禁用幽灵隧道服务器攻击的检测。默认：禁用
检测HT-40MHz-Intererance	Enables or disables detection of 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance will be reported. 默认：禁用
检测活气化地址	Enables or disables detection of invalid address combinations. 默认：禁用
detect-malformed-association- request	启用或禁用检测错误的关联请求。默认：禁用
detect-malformed-auth-frame	启用或禁用检测错误的身份验证框架。默认：禁用
detect-malformed-htie	Enables or disables detection of malformed HT IE. 默认：禁用
detect-malformed-large-duration	Enables or disables detection of unusually large durations in frames. 默认：enabled
detect-omerta-attack	启用或禁用OMERTA攻击的检测。默认：enabled
检测流动键	Enables or disables detection of overflow EAPOL key requests. 默认：禁用
检测流出	启用或禁用溢出IE的检测。默认：禁用
检测功率弹药攻击	启用或禁用电源的检测节省DOS攻击。默认：enabled
检测率 - 异常	启用或禁用速率异常检测。默认：禁用
detect-rts-rate-anomaly	启用或禁用RTS速率异常的检测。默认：禁用
detect-tkip-replay-attack	Enables or disables detection of TKIP replay attacks. 默认：禁用
detect-wpa-ft-attack	Enables or disables detection of WPA FT attacks. 默认：禁用
disassoc-rate-thresholds	Rate threshold for disassociate frames.
disconnect-deauth-disassoc- threshold	Number of deauthentication or disassociation frames seen in an interval of 10 seconds. Range:1-50 默认：8
断开sta-assoc-resp- threshold	The number of successful Association Response or Reassociation response frames seen in an interval of 10 seconds. Range:1-30 默认：5
disconnect-sta-quiet-time	在检测到电台断开攻击后，在恢复检查之前必须在几秒钟内进行的时间。 Range:60-360000秒默认：900秒
eap-rate-quiet-time	After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before the check can be resumed. Range:60-360000秒默认：900秒
EAP率阈值	必须在EAP速率时间间隔内接收的EAP握手数量才能触发警报。 Range:0-100000 默认：60
eap-rate-time-interval	Time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm. Range:1-120秒默认：3秒
fata-jack-quiet-time	在发现FATA杰克攻击之后，可以在几秒钟内等待，然后可以恢复检查。 Range:60-360000秒默认：900秒
ghosttunnel-cantact-interval	Time interval, in seconds, over which the packet count is checked. Default is 60 seconds. Maximum is 600 seconds.
ghosttunnel-client-attack-threshold	在构成幽灵隧道攻击的时间间隔内，伪造AP的探测请求管理数据包数量。默认值为10。最大值为100000。
ghosttunnel-client-Quiet时间	在发现幽灵隧道攻击之后，该恢复了检查后等待几秒钟的时间。默认值为900秒。至少为60秒。
ghosttunnel-server-attack-interval	Time interval, in seconds, over which the packet count is checked. Default is 60 seconds. Maximum is 600 seconds.
GhostTunnel-Server-Satpack-Threshold	Number of beacon management packets for a fake AP over the time interval that constitutes a ghost tunnel attack. Default is 200. Maximum is 10000.
ghosttunnel-server-quiet-time	在发现幽灵隧道攻击之后，该恢复了检查后等待几秒钟的时间。默认值为900秒。至少为60秒。
invalid-address-combination- 安静的时光安静的时间>	时间等,以秒为单位,在检测invalid address combination after which the check can be resumed. Range:60-360000秒默认：900秒
畸形 - 协会 - 要求 - 安静的时光	Time to wait, in seconds, after detecting a malformed association request after which the check can be resumed. Range:60-360000秒默认：900秒
畸形的作者Quiet时间 <畸形的作者 - Quiet-Quiet-time>	Time to wait, in seconds, after detecting a malformed authentication frame after which the check can be resumed. Range:60-360000秒默认：900秒
malformed-htie-quiet-time	Time to wait, in seconds, after detecting a malformed HT IE after which the check can be resumed. Range:60-360000秒默认：900秒
malformed-large-duration-quiet-time	Time to wait, in seconds, after detecting a large duration for a frame after which the check can be resumed. Range:60-360000秒默认：900秒
no	Negates any configured parameter.
omerta-quiet-time	在发现omerta攻击之后，可以在几秒钟内等待，然后可以恢复检查。 Range:60-360000秒默认：900秒
omerta-threshold	The Disassociation packets received by a station as a percentage of the number of data packets sent, in an interval of 10 seconds. Range:1-100 默认：10%
溢出量的Quiet时间	Time to wait, in seconds, after detecting a overflow EAPOL key request after which the check can be resumed. Range:60-360000秒默认：900秒
溢出的时间	Time to wait, in seconds, after detecting a overflow IE after which the check can be resumed. Range:60-360000秒默认：900秒
电力驱动器式框架	The minimum number of Power Management OFF packets that are required to be seen from a station, in intervals of 10 second, in order for the Power Save DoS check to be done. Range:1-1000 默认：120
电力驱动器时间	在检测到电源节省DOS攻击之后，可以在几秒钟内等待，然后可以恢复检查。 Range:60-360000秒默认：900秒
电力驱动阈值	The Power Management ON packets sent by a station as a percentage of the Power Management OFF packets sent, in intervals of 10 second, which will trigger this event. Range:1- 100% 默认：80％
probe-request-rate-thresholds <探针 - 重新定价阈值>	Rate threshold for probe request frames.
probe-response-rate-thresholds	探针响应帧的速率阈值。
RTS-rate-Quiet时间	Time to wait, in seconds, after detecting an RTS rate anomaly after which the check can be resumed. Range:60-360000秒默认：900秒
rts-rate-threshold	Number of RTS control packets over the time interval that constitutes an anomaly. Range:0-100000 默认：5000
RTS利率时间间隔	Time interval, in seconds, over which the packet count should be checked. Range:1-120秒默认：5秒
tkip-replay-quiet-time	Time to wait, in seconds, after detecting a TKIP replay attack after which the check can be resumed. Range:60-360000秒默认：900秒
wpa-ft-Quiet时间	Time to wait, in seconds, after detecting a WPA FT attack after which the check can be resumed. Range:60-360000秒默认：900秒
wpa-ft-threshold	Number of reassociation management packets for a particular client over the time interval that constitutes a WPA FT attack. Range:0-100000 默认：45
wpa-ft时间间隔	Time interval, in seconds, over which the packet count should be checked. Range:1-120秒默认：60seconds

范围

Description

Name of the IDS DoS profile.

Range:1-63 characters

默认：“default”

ap-flood-incime

时间，在几秒钟内，在此期间，AP计数超过了阈值（AP洪水）。

Range:0-36000秒

默认：3600 seconds

ap-flood-quiet-time

After an alarm has been triggered by an AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered.

Range:60-360000秒

默认：900秒

ap-flood-threshold

Threshold for the number of spurious APs in the system.

Range:0-100,000

默认：50

阈值

<联合利率 - 阈值>

关联请求帧的费率阈值。

auth-rate-thresholds

身份验证帧的速率阈值。

block-ack-dos-quiet-time

Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged block ACK add.

Range:60-360000秒

默认：900秒

chopchop-quiet-time

Time to wait, in seconds, after detecting a ChopChop attack after which the check can be resumed.

Range:60-360000秒

默认：900秒

client-ht-40mhz-intol-quiet-
time

Quiet time (when to stop reporting intolerant STAs if they have not been detected), in seconds, for detection of 802.11n 40 MHz intolerance setting.

Range:60-360000秒

默认：900秒

client-flood-inc-time

Number of consecutive seconds over which the client count is more than the threshold.

Range:0-36000秒

默认：3秒

客户 - 豪华Quiet时间

Time to wait, in seconds, after detecting a client flood before continuing the check.

Range:60-360000秒

默认：900秒

client-flood-threshold

Threshold for the number of spurious clients in the system.

Range:0-100000

默认：150

clone

从另一个ID复制数据S Denial Of Service Profile.

cts-rate-quiet-time

Time to wait, in seconds, after detecting a CTS rate anomaly after which the check can be resumed.

Range:60-360000秒

默认：900秒

cts-rate-threshold

Number of CTS control packets over the time interval that constitutes an anomaly.

Range:0-100000

默认：5000

cts-rate-time-interval

Time interval, in seconds, over which the packet count should be checked.

Range:1-120秒

默认：5秒

deauth-rate-thresholds

率阈值的阈值。

detect-ap-flood

启用或禁用AP洪水攻击的检测。

默认：禁用

检测障碍物

启用或禁用检测尝试使用Forged Block ACK添加消息重置流量接收窗口的尝试。

默认：enabled

detect-chopchop-attack

启用或禁用Chopchop攻击的检测。

默认：禁用

detect-client-flood

Enables or disables detection of client flood attacks.

默认：禁用

detect-cts-rate-anomaly

Enables or disables detection of CTS rate anomalies.

默认：禁用

detect-disconnect-sta

在电台断开攻击中，攻击者欺骗了活动客户端或活动AP的MAC地址。然后，攻击者将非限化帧发送到目标设备，从而失去其主动关联。

Use this command to enable the detection of disconnect station attack.

默认：enabled

detect-eap-rate-anomaly

Enables or disables detection of the EAP handshake rate anomaly.

默认：禁用

detect-fata-jack-attack

Enables or disables detection of FATA-Jack attacks.

默认：enabled

detect-ghosttunnel-client-attack

启用或禁用幽灵隧道客户端攻击的检测。

默认：禁用

检测GhostTunnel-Server-攻击

启用或禁用幽灵隧道服务器攻击的检测。

默认：禁用

检测HT-40MHz-Intererance

Enables or disables detection of 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance will be reported.

默认：禁用

检测活气化地址

Enables or disables detection of invalid address combinations.

默认：禁用

detect-malformed-association-
request

启用或禁用检测错误的关联请求。

默认：禁用

detect-malformed-auth-frame

启用或禁用检测错误的身份验证框架。

默认：禁用

detect-malformed-htie

Enables or disables detection of malformed HT IE.

默认：禁用

detect-malformed-large-duration

Enables or disables detection of unusually large durations in frames.

默认：enabled

detect-omerta-attack

启用或禁用OMERTA攻击的检测。

默认：enabled

检测流动键

Enables or disables detection of overflow EAPOL key requests.

默认：禁用

检测流出

启用或禁用溢出IE的检测。

默认：禁用

检测功率弹药攻击

启用或禁用电源的检测节省DOS攻击。

默认：enabled

检测率 - 异常

启用或禁用速率异常检测。

默认：禁用

detect-rts-rate-anomaly

启用或禁用RTS速率异常的检测。

默认：禁用

detect-tkip-replay-attack

Enables or disables detection of TKIP replay attacks.

默认：禁用

detect-wpa-ft-attack

Enables or disables detection of WPA FT attacks.

默认：禁用

disassoc-rate-thresholds

Rate threshold for disassociate frames.

disconnect-deauth-disassoc-
threshold

Number of deauthentication or disassociation frames seen in an interval of 10 seconds.

Range:1-50

默认：8

断开sta-assoc-resp-
threshold

The number of successful Association Response or Reassociation response frames seen in an interval of 10 seconds.

Range:1-30

默认：5

disconnect-sta-quiet-time

在检测到电台断开攻击后，在恢复检查之前必须在几秒钟内进行的时间。

Range:60-360000秒

默认：900秒

eap-rate-quiet-time

After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before the check can be resumed.

Range:60-360000秒

默认：900秒

EAP率阈值

必须在EAP速率时间间隔内接收的EAP握手数量才能触发警报。

Range:0-100000

默认：60

eap-rate-time-interval

Time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm.

Range:1-120秒

默认：3秒

fata-jack-quiet-time

在发现FATA杰克攻击之后，可以在几秒钟内等待，然后可以恢复检查。

Range:60-360000秒

默认：900秒

ghosttunnel-cantact-interval

Time interval, in seconds, over which the packet count is checked. Default is 60 seconds. Maximum is 600 seconds.

ghosttunnel-client-attack-threshold

在构成幽灵隧道攻击的时间间隔内，伪造AP的探测请求管理数据包数量。默认值为10。最大值为100000。

ghosttunnel-client-Quiet时间

在发现幽灵隧道攻击之后，该恢复了检查后等待几秒钟的时间。默认值为900秒。至少为60秒。

ghosttunnel-server-attack-interval

Time interval, in seconds, over which the packet count is checked. Default is 60 seconds. Maximum is 600 seconds.

GhostTunnel-Server-Satpack-Threshold

Number of beacon management packets for a fake AP over the time interval that constitutes a ghost tunnel attack. Default is 200. Maximum is 10000.

ghosttunnel-server-quiet-time

在发现幽灵隧道攻击之后，该恢复了检查后等待几秒钟的时间。默认值为900秒。至少为60秒。

invalid-address-combination-
安静的时光

安静的时间>

时间等,以秒为单位,在检测invalid address combination after which the check can be resumed.

Range:60-360000秒

默认：900秒

畸形 - 协会 - 要求 -
安静的时光

Time to wait, in seconds, after detecting a malformed association request after which the check can be resumed.

Range:60-360000秒

默认：900秒

畸形的作者Quiet时间

<畸形的作者 - Quiet-Quiet-time>

Time to wait, in seconds, after detecting a malformed authentication frame after which the check can be resumed.

Range:60-360000秒

默认：900秒

malformed-htie-quiet-time

Time to wait, in seconds, after detecting a malformed HT IE after which the check can be resumed.

Range:60-360000秒

默认：900秒

malformed-large-duration-quiet-time

Time to wait, in seconds, after detecting a large duration for a frame after which the check can be resumed.

Range:60-360000秒

默认：900秒

Negates any configured parameter.

omerta-quiet-time

在发现omerta攻击之后，可以在几秒钟内等待，然后可以恢复检查。

Range:60-360000秒

默认：900秒

omerta-threshold

The Disassociation packets received by a station as a percentage of the number of data packets sent, in an interval of 10 seconds.

Range:1-100

默认：10%

溢出量的Quiet时间

Time to wait, in seconds, after detecting a overflow EAPOL key request after which the check can be resumed.

Range:60-360000秒

默认：900秒

溢出的时间

Time to wait, in seconds, after detecting a overflow IE after which the check can be resumed.

Range:60-360000秒

默认：900秒

电力驱动器式框架

The minimum number of Power Management OFF packets that are required to be seen from a station, in intervals of 10 second, in order for the Power Save DoS check to be done.

Range:1-1000

默认：120

电力驱动器时间

在检测到电源节省DOS攻击之后，可以在几秒钟内等待，然后可以恢复检查。

Range:60-360000秒

默认：900秒

电力驱动阈值

The Power Management ON packets sent by a station as a percentage of the Power Management OFF packets sent, in intervals of 10 second, which will trigger this event.

Range:1- 100%

默认：80％

probe-request-rate-thresholds

<探针 - 重新定价阈值>

Rate threshold for probe request frames.

probe-response-rate-thresholds

探针响应帧的速率阈值。

RTS-rate-Quiet时间

Time to wait, in seconds, after detecting an RTS rate anomaly after which the check can be resumed.

Range:60-360000秒

默认：900秒

rts-rate-threshold

Number of RTS control packets over the time interval that constitutes an anomaly.

Range:0-100000

默认：5000

RTS利率时间间隔

Time interval, in seconds, over which the packet count should be checked.

Range:1-120秒

默认：5秒

tkip-replay-quiet-time

Time to wait, in seconds, after detecting a TKIP replay attack after which the check can be resumed.

Range:60-360000秒

默认：900秒

wpa-ft-Quiet时间

Time to wait, in seconds, after detecting a WPA FT attack after which the check can be resumed.

Range:60-360000秒

默认：900秒

wpa-ft-threshold

Number of reassociation management packets for a particular client over the time interval that constitutes a WPA FT attack.

Range:0-100000

默认：45

wpa-ft时间间隔

Time interval, in seconds, over which the packet count should be checked.

Range:1-120秒

默认：60seconds

Example

The following command enables a detection in the DoS profile named “floor2”:

(host) [mynode] (config) #ids dos-profile floor2

(host) [mynode] (IDS Denial Of Service Profile "floor2") detect-ap-flood

Related Command

Command	Description
show ids dos-profile	Displays the IDS DoS profile.

Command History

Release	Modification
ArubaOS8。10.0.0	添加了以下参数： `detect-ghosttunnel-client-attack` `检测GhostTunnel-Server-攻击` `ghosttunnel-cantact-interval` `ghosttunnel-client-attack-threshold` `ghosttunnel-client-Quiet时间` `ghosttunnel-server-attack-interval` `GhostTunnel-Server-Satpack-Threshold` `ghosttunnel-server-quiet-time`
ArubaOS8。6.0.0	删除`欺骗的Deauth Blacklist`parameter.
ArubaOS8.2.0.0	添加了以下参数： `detect-wpa-ft-attack` `wpa-ft-Quiet时间` `wpa-ft-threshold` `wpa-ft时间间隔`
ArubaOS8.0.0.0	介绍了命令。

命令信息

Platforms	License	Command Mode
All platforms	需要RFProtect许可证。	配置模式开Mobility Conductor。