| author | Reyk Floeter <reyk@cvs.openbsd.org> | 2005-09-30 16:50:04 +0000 |
|---|---|---|
| committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2005-09-30 16:50:04 +0000 |
| commit | 6bd954e164539db60d4af401780384d6a7c13b39 (patch) | |
| tree | 1e585148910e904d12c143e07d2fa50b6ada1b27 /usr.sbin/hostapd/hostapd.conf.5 | |
| parent | f90eba61558219c16a257f4788d9167eb3fbd7d6 (diff) | |
implement a way to match IEEE 802.11 flooding. this will help to detect
known DoS attacks, like de-auth flooding against wireless networks.
an example is provided in the manual page.
"or could you just go for it?", deraadt@
Diffstat (limited to 'usr.sbin/hostapd/hostapd.conf.5')
-rw-r--r-- | usr.sbin/hostapd/hostapd.conf.5 | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/usr.sbin/hostapd/hostapd.conf.5 b/usr.sbin/hostapd/hostapd.conf.5 index a606ec91a62..8d032008bac 100644 --- a/usr.sbin/hostapd/hostapd.conf.5 +++ b/usr.sbin/hostapd/hostapd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: hostapd.conf.5,v 1.11 2005/09/29 23:57:00 reyk Exp $ +.\" $OpenBSD: hostapd.conf.5,v 1.12 2005/09/30 16:50:03 reyk Exp $ .\" .\" Copyright (c) 2004, 2005 Reyk Floeter <reyk@vantronix.net> .\" @@ -162,13 +162,14 @@ event rules are single line statements beginning with the mandatory .Ic hostap handle keywords and optional rule options, frame matching, -a specified action, and a limit: +a specified action, a limit, and a minimal rate: .Bd -filled -offset indent .Ic hostap handle .Op Ar option .Op Ar frame .Op Ar action .Op Ar limit +.Op Ar rate .Ed .Pp The optional parts are defined below. @@ -387,6 +388,10 @@ is Write informational messages to the local system log (see .Xr syslogd 8 ) or standard error. +If the +.Sx Rule Rate +has been specified, +log will print the actual rate. .It Ic node add | delete Ar lladdr Add or remove the specified node from the internal kernel node table. @@ -408,6 +413,23 @@ to protect .Xr hostapd 8 against excessive flooding with IEEE 802.11 frames. For example, beacon frames will be normally received every 100 ms. +.Ss Rule Rate +It is possible to tell +.Xr hostapd 8 +to trigger the action only after a specific +.Ic rate +of matched frames. +.Bd -filled -offset indent +.Ic rate +.Ar number +.Ar / +.Ar number +.Ic sec +.Ed +.Pp +This will help to detect excessive flooding of IEEE 802.11 frames. +For example, de-auth flooding is a DoS (Denial of Service) attack +against IEEE 802.11 wireless networks. .Ss Management Frame Subtypes The .Ar subtype 
@@ -519,6 +541,13 @@ wireless access point to access point communication. hostap handle type management subtype probe request \\ with log +# Detect flooding of management frames except beacons. +# This will detect some possible Denial of Service attacks +# against the IEEE 802.11 protocol. +hostap handle skip type management subtype ! beacon \\ + with log \\ + rate 100 / 10 sec + # Log rogue accesspoints via IAPP, limited to every second, # and skip further IAPP processing. hostap handle skip type management subtype beacon bssid !<myess> \\ |
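Review bot: In the rule-syntax hunk (@@ -162), "a limit, and a minimal rate" introduces the term "minimal rate" while the new section is titled "Rule Rate" and the keyword is `rate`; suggest "a limit, and a rate" (or "a rate threshold") and one term used consistently so the synopsis, the section heading and the keyword agree.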
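Review bot: In the `log` hunk (@@ -387), "log will print the actual rate" is ambiguous between the configured threshold and the rate that was observed; suggest "log will also print the measured rate of matched frames" so an operator reading the syslog line knows the number is what was seen on the air, not the value from the rule.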
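Review bot: In the `.Ss Rule Rate` hunk (@@ -408), the two `.Ar number` operands are never explained, so a reader cannot tell which is the frame count and which is the interval, and marking the literal `/` as `.Ar /` presents a fixed separator as if it were a user-supplied argument. Suggest naming the operands and their meaning, e.g. `.Ar frames`, a plain `/`, `.Ar seconds` and `.Ic sec`, and stating that the action is triggered once more than `frames` matching frames arrive within `seconds` seconds (the `rate 100 / 10 sec` example below reads that way). "Trigger the action only after a specific rate" should also say how `rate` interacts with `limit` from the preceding section, since both now gate the same action and the text defines neither precedence nor whether they combine.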
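Review bot: In the example hunk (@@ -519), the new flood-detection rule combines `skip` with `rate 100 / 10 sec`, but neither its comment nor the new Rule Rate text says whether `skip` applies to every non-beacon management frame the rule matches or only once the rate threshold is exceeded; the neighbouring example documents `skip` as "skip further IAPP processing", so if `skip` is unconditional this rule silently stops IAPP handling for all non-beacon management frames while only logging above the threshold. Suggest either dropping `skip` from this example or extending the comment to state the intended behaviour. The comment could also note why beacons are excluded with `subtype ! beacon`: the Rule Limit text above states that beacon frames normally arrive every 100 ms, so including them would trip the 100-per-10-seconds threshold on a healthy network.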