IDS Signature attack detected on a Wireless Network

joel.gabriel · ‎05-09-2007

Hello all

I have a little Wireless netwok ( 1 WLC 2200 and 6 AP 1100 series )and since few days I have the following message :" IDS Signature attack detected. Signature Type:Standard, Name: Assoc flood, Description: Association Request flood, Track:per-signature, Detecting AP Name: AP3, Radio Type: 802.11b/g, Preced:4,Hits: 50, Channel: 6, srcMac: 00:16:6F:49:C6:8A " and don't know how to resolve !

Help is welcome !

Thanks a lot

da.beaver · ‎05-09-2007

What version of code are you running on the 2002?

mghcisco · ‎05-09-2007

I just received the following from TAC today:

In regards to the "IDS 'Disassoc flood' Signature attack detected on AP" log, please refer to following bug:

Title:

IDS:AP impersonation alerts against own AP mac address

Symptom:

WLC is reporting AP impersonation alerts for the same MAC address of the AP.

Tha MAC address corresponds to the first WLAN configured

AP Impersonation with MAC 'xx:xx:xx:xx:xx:xx' is detected by authenticated AP 'xx:xx:xx:xx:xx:xx' on '802.11b/g' radio and Slot ID '0'.

The event can be triggered if AP can hear itself due to RF conditions, and there is no AP authentication enabled in controllers

Workaround:

Enable "AP Authentication feature" and trigger set to 2.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg44344 (Requires CCO Login)

Please go into your controller GUI>>Security>>Wireless Protection

Policies>>AP Authentication/MFP and for Protection Type set that to AP

Authentication and trigger set to 2

isdept · ‎05-09-2007

Wow, I was also getting these alerts. I just implemented the suggestion and will see how it goes.

derek.james · ‎10-05-2007

I am running MFP on my WLC.

I recieved the same error message with MFP anomolies (NO MIC). Under wireless peotecion policies I have MFP enabled. Should I disable MFP and change it to AP authentication?