DoS Criteria and Clients not showing in "Blocked Clients" table.

  • 1
  • Question
  • Updated 2 years ago
  • Answered
Hi All,

We currently have our ZoneDirector set to "Protect my wireless network against excessive wireless requests" under the "Configure > WIPS" menu, which is catching a few clients out following a recently password change.

Does anyone know what ZoneDirector refers to as "excessive"? E.g.: How many failed attempts before the client is blocked, or time between attempts?

When a client gets blocked it isn't appearing under "Configure > Access Control > Blocked Clients". The table is blank, so we're having to wait until the block period has expired. Is there an option I need to enable to make the blocked clients appear in this table?

Also, is it possible to whitelist client MACs to ensure they never get blocked?

Model: ZD1125, Version 9.8.0.0 build 373.

Any help would be greatly appreciated.

Thanks,

Andy
Photo of Andy Higgins

Andy Higgins

  • 2 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1
Photo of Michael Brado

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
Hi Andy,
    If you weren't temporarily blocking repeated failure attempt clients, they would likely be classified as 'excessive'.
I found this blurb in the ZD 9.12 User guide (great reference doc) that explains why the temporarily blocked clients
don't appear as 'blocked'.

To configure the DoS protection options:
1 Go to Configure > WIPS.
2 In the Denial of Service (DoS) section, configure the following settings:
• Protect my wireless network against excessive wireless requests: If this
capability is activated, excessive 802.11 probe request frames and management
frames launched by malicious attackers will be discarded.
• Temporarily block wireless clients with repeated authentication failures
for [ ] seconds: If this capability is activated, any clients that repeatedly
fail in attempting authentication will be temporarily blocked for a period of
time (10~1200 seconds, default is 30). Clients temporarily blocked by the
Intrusion Prevention feature are not added to the Blocked Clients list on the
Configure > Access Control page, Blocked Clients section.
Photo of Andy Higgins

Andy Higgins

  • 2 Posts
  • 0 Reply Likes
Hi Michael,

Thanks for the information provided. If this is not possible I'm very surprised the option has been omitted, as it seems like it would be a simple feature to implement.

Telling a visiting company director they will need to wait half an hour to access the files and websites they need for an important board meeting can be rather embarrasing, especially when we explain we have limited control over our wireless security system.
Photo of Michael Brado

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
Sorry Andy,
    A 'whitelist' allows authenticated clients to reach a server/service not allowed to
the typical member of that WLAN.  To insure clients can always access your WLAN,
you need to provide them with the PSK for your PSK WLANs, or userid/password
for 802.1x or HotSpot, or Guest Pass if using Guest Access, etc.  There is no "always
allow client MAC" to authenticate, type of feature.  Not even for Administrators.

    WIPs prevents hackers from running thru a program of trial/error PSK, userid/pws.
Normal users, and guests you provide authentication info to, should not be blocked for
excessive attempts.
(Edited)