cDot11WidsEapolFloodTable
CISCO-DOT11-WIDS-MIB ·
.1.3.6.1.4.1.9.9.456.1.1.7
Object
table
This table gives the statistics on the EAPOL flood
attacks observed at this radio interface.
An entry in this table is created by the agent when
this 802.11 station detects an EAPOL flood attack.
All the columns in the entries except the
cDot11WidsEapolFloodStopTime are populated when
the attack is observed first. The object
cDot11WidsEapolFloodStopTime is populated when no
flood conditions are observed following the initial
observation at the time indicated by
cDot11WidsEapolFloodStartTime.
This can be illustrated by the following example.
Assume that the monitoring interval is configured
to 1 minute through the
cDot11WidsEapolFloodInterval object and the number
of attempts is set to 5.
At the end of the first minute after this
configuration is made, client c1 is found to
have made 4 attempts and another client c2 have
made 3. Hence, in total, the attempt count
exceeds 7 and the agent adds a new row to this
table. The cDot11WidsFloodStopTime carries a
value of 0 at this point in the newly added row.
The MIB object cDot11WidsEapolFloodClientMac
at this point holds the MAC address of c1
and cDot11WidsEapolFloodClientCount holds the
value of 4.
At the end of the second interval, assume that
the clients are found to have made only 4
attempts in total with c1 and c2 making 3 and 1
attempt(s) respectively. Now the total count
is not found to exceed the threshold. Hence
the flood is observed to be stopped. The
object cDot11WidsEapolFloodStopTime is now
populated with this time at which the flood is
observed to be stopped. The MIB object
cDot11WidsEapolFloodClientMac at this point
holds c1's MAC address and
cDot11WidsEapolFloodClientCount would hold a
value of 7. If the count is found to exceed in
the next interval, it will be treated as a
beginning of a new flood event and hence a new
entry will be created for the same.
Assume the case where, at the end of the second
interval, the total count continues at the
rate above the threshold, with c1 making 5 and
c2 making 2 attempts respectively. Since the
flood is not observed to be stopped, the
object cDot11WidsFloodStopTime continues to
hold a value of zero.
The agent at anytime will retain only the most
recent and maximum number of entries, as given
by cDot11WidsFloodMaxEntriesPerIntf, for a
particular value of ifIndex. The older entries
are purged automatically when the number of
entries for a particular ifIndex reaches its
maximum.
This table has a expansion dependent relationship
with ifTable defined in IF-MIB. There exists a
row in this table corresponding to the row for each
interface of iftype ieee80211(71) found in ifTable.
cDot11WidsEapolFloodIndex acts as the
expansion index.
Context
- MIB
- CISCO-DOT11-WIDS-MIB
- OID
.1.3.6.1.4.1.9.9.456.1.1.7- Type
- table
- Status
- current
- Parent
- ciscoDot11WidsAuthFailures
- Siblings
- 7
- Children
- 1
Syntax
No syntax metadata recorded.
Values & Constraints
No enumerated values or constraints recorded.
Related Objects
Sibling Objects
| Object | Type | Syntax | OID |
|---|---|---|---|
| cDot11WidsFloodDetectEnable This object is used to enable or disable the WIDS
flood detection feature.
Set this MIB object to 'true' to enable the
flood detection and 'false' to disable it.
… | scalar | SNMPv2-TCTruthValue | .1.3.6.1.4.1.9.9.456.1.1.1 |
| cDot11WidsEapolFloodThreshold This object specifies the maximum number of
authentication attempts allowed for all the clients
taken together in the interval specified by
cDot11WidsEapolFloodInterval. The atte… | scalar | attempts Unsigned32 | .1.3.6.1.4.1.9.9.456.1.1.2 |
| cDot11WidsEapolFloodInterval This object specifies the time duration for
which the client authentication attempts have to
be monitored for detecting the flood attack. | scalar | seconds Unsigned32 | .1.3.6.1.4.1.9.9.456.1.1.3 |
| cDot11WidsBlackListThreshold This object configures the maximum threshold on
the number of unsuccessful authentication attempts,
that can be made by a particular client. Once the
threshold is reached, the cl… | scalar | attempts Unsigned32 | .1.3.6.1.4.1.9.9.456.1.1.4 |
| cDot11WidsBlackListDuration This object indicates the time duration for which a
particular client has to be kept in the black list
after the number of unsuccessful attempts reach the
threshold given by cDot1… | scalar | seconds Unsigned32 | .1.3.6.1.4.1.9.9.456.1.1.5 |
| cDot11WidsFloodMaxEntriesPerIntf This object indicates the maximum number of entries
that can be held for a particular 802.11 radio
interface identified by ifIndex. | scalar | Integer32 | .1.3.6.1.4.1.9.9.456.1.1.6 |
| cDot11WidsBlackListTable This table gives the information about the
802.11 wireless clients that have been blacklisted
while attempting to get authenticated with this
802.11 station at this radio interfac… | table | - | .1.3.6.1.4.1.9.9.456.1.1.8 |
Child Objects
| Object | Type | Syntax | OID |
|---|---|---|---|
| cDot11WidsEapolFloodEntry An entry holds the statistics about one instance of
EAPOL flood attack observed at this particular
radio interface. | row | - | .1.3.6.1.4.1.9.9.456.1.1.7.1 |