"Fake AP or other attack may be in progress." WCS 4.1.83

jpeterson6 · ‎08-08-2007

Hello.

I am receiving this critical alarm usually 1-3 times a day and it doesn't make any sense. I was hoping someone here could let me know if this is a legit problem or just another convenient "cosmetic bug" (There seem to be alot of those with 4.1).

The full message is:

"Fake AP or other attack may be in progress. Rogue AP count on system 'xxx.xxx.xxx.xxx' has exceeded the security warning threshold of '625'."

(IP address above was purposely hidden)

There are, as of typing this, 200 rogue APs reported by both controllers (combined, one has 110 the other 90). This alarm is still 'active' in WCS. Even if there were "fake ap"s, wouldn't the controllers report them as rogues into their count?

Thanks for any input,

Jeff

johnruffing · ‎08-09-2007

Jeff:

I can relate to what you are saying about the so-called "cosmetic" or "feature request" status of these bugs.

TAC keeps bouncing us back to sales - who bounces us back to TAC... but I digress.

Back to your issue:

That sure is a lot of rogue APs!

One key is to determine if there really are 200 physical access points out there or if someone is out there "spoofing" multiple APs.

Do you think that these are real APs? Have you tried locating them (using the "High Resolution Map" drop down in the rogue AP detail screen) to see if a large number of these aps are in the same location or found by the same AP? If so, that may indicate that this is a spoofed attack going on.

Are you sure that your controllers are in the same mobility group? If not, I believe that one controller will see the other controller's APs as rogue (even though they are not).

Another observation, if the rogue APs you are seeing utilize the "virtual mac" (like Cisco), one physical AP can have multiple virtual mac addresses (one for each SSID with separate sets for 802.11b/g and 802.11a). That means that one physical AP could appear to be as many as 16 or even 32 APs (in the case of AireSpace LWAPS) if both bands are lit up and all SSIDs are lit up as well. One way to help identify this is to note that if you sort the radio mac addresses, you will note that the there will be blocks of APs with identical mac addreses except for the last character which might be nearly sequential.

For example, what appears to five APs is really the same AP with different SSIDs assigned to it:

01:02:03:04:05:00

01:02:03:04:05:01

01:02:03:04:05:03

01:02:03:04:05:02

01:02:03:04:05:04

Have you categorized at least some of these as "Known External" (assuming, of course, that they are)? I am wonding if that would help the system ignore some or not...

Please refer to the following link:

http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcsevent.html

The following condition is referenced:

AP_MAX_ROGUE_COUNT_EXCEEDED

Field Description

MIB Name

bsnApMaxRogueCountExceeded.

WCS Message

Fake AP or other attack may be in progress. Rogue AP count on AP with MAC address ''{0}'' associated with Switch ''{2}'' has exceeded the security warning threshold of ''{1}''.

Symptoms

The number of rogues detected by a switch (controller) exceeds the internal threshold.

WCS Severity

Critical.

Probable Causes

?There may be too many rogue access points in the network.

?A fake access point attack may be in progress.

Recommended Actions

Identify the source of the rogue access points.

========================

As an aside,

We have asked Cisco for documentation of these various "attacks" as well as for some valid values for the IDS signature file in order to be able to "tune" some of these better as well.

- John

jpeterson6 · ‎08-14-2007

Thanks for the great reply.

I have been busy lately with other things but I will definitely try to get some extra time to look into this issue.

As a note though; the campus I work at is in the middle of downtown, so I honestly wouldn't be surprised if there really were 200 rogue AP's in the area.

I don't recall any rogue AP's having the first 6 Hex digits for CISCO (00:0b:85), but I will look at the MAC's more closely like you suggest.

Thanks again, i'll let you know if I find anything.

jpeterson6 · ‎08-14-2007

Hi John,

I did a bit of digging and didn't find much that would relate to AP's using a style similar to CISCO to duplicate MACs for each SSID.. I did however find one pair that was identical on all octets except the last one, other than that they all seem unique.

Also it's unfortunate but I am unable to check the maps for the physical location of the rogue AP's.. our campus design is a bit odd in that many buildings overlap one another on different floors, so it's not possible for us to make a map via WCS- the program doesn't seem to support overlapping buildings.

Other than that, most have already been flagged as known external, so it's not that either that could be triggering the alarms.

Any thoughts?

johnruffing · ‎08-30-2007

As an aside, I believe that the current version of WCS 4.1 now supports overlapping buildings... if that helps.

Have you had any success in discussing this issue with TAC? One reason I ask is that there must be a similar problem on these outdoor municipal mesh networks where there could be hundreds or thousands of rogue APs being detected by the system as it spans across a city.

It may be that for certain high-density, urban-area applications that Cisco may need to expand their table of rogue APs to be able to include more entries.

Somehow, I can't believe that your experience is unique.

It may require your putting together a formal "feature request" (which needs to be coordinated through your Cisco sales team) in order to expand the system to accomodate more rogue APs.

However, I would touch base with TAC first to determine if new versions of the code may have already addressed your issue or if this expansion is already in the works.

- John