IDS Signature attack detected...

Jul 31st, 2009
I think my WLAN is under two DoS attacks, Deauth flood and Reassociation flood... The following are the traps shown on the controller (WLC 4402):


IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36


IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E


The network is for hotel guests so there is no authentication/encryption... Any suggestions about how I can mitigate those attacks?


In the trap messages they also list the Src MAC addresses. However, I was reading about those two attacks and it seems the attacks are actually spoofing MAC addresses of clients. So are they the real MAC addresses of the hacker? Should I block them?


If I should, how can I do it? I was thinking of using MAC-filter, however it seems to only allow clients with configured MAC addresses and will deny the ones that are not listed... As you can guess, we are a hotel environment and we can't keep allowing new MAC addresses for new guests... So any suggestions?


Any advice is welcome! Thank you!

Lucien Avramov Sat, 08/01/2009 - 13:10

When you see 'deauth flood' messages, this means that an AP is seeing a lot of deauths in the air. These messages often happen when a NIC card leaves an area where there are dense APs.


If you want this to trigger less often:

5.0:

Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack

Wireless Protection Policies > Standard Signatures > >

modify/save

for example if you wanted to see the alarm on '60' detections of 'Deauth flood' instead of '50'.


Below 5.0:

You can modify the IDS settings so that the messages occur less often or not at all:

http://www.cisco.com/warp/public/102/controller_ids_sig.html


If you want it to trigger not at all:

Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack


Below 5.0:

http://www.cisco.com/warp/public/102/controller_ids_sig.html

George Stefanick Sun, 08/02/2009 - 13:12

If you have a deauth issue you can sniff the area where the AP is reporting and see if it's the controller or something else.


The controllers are very sensitive.
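The trap lines quoted in the question follow a fixed "Key: value" layout, so they can be parsed and grouped per signature to see which APs report each signature and whether the reported source MAC is even well formed. This is an added example, not part of the original thread or of Cisco's tooling; the function names `parse_trap` and `summarize` are hypothetical, and the sample input is the two trap lines exactly as posted above.

```python
import re
from collections import defaultdict

PREFIX = "IDS Signature attack detected."
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# The two trap lines quoted in the question, copied as posted in the thread.
TRAPS = [
    "IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36",
    "IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E",
]

def parse_trap(line):
    """Split one trap line into a dict of its 'Key: value' fields."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    fields = {}
    for part in line[len(PREFIX):].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("Preced", "Hits", "Channel"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    # A source MAC that is not six octets cannot be matched against client tables.
    fields["mac_valid"] = bool(MAC_RE.fullmatch(fields.get("srcMac", "")))
    return fields

def summarize(lines):
    """Group traps by signature name: total hits, reporting APs, source MACs."""
    summary = defaultdict(lambda: {"hits": 0, "aps": set(), "sources": set(), "bad_macs": set()})
    for trap in filter(None, map(parse_trap, lines)):
        entry = summary[trap.get("Name", "unknown")]
        hits = trap.get("Hits")
        entry["hits"] += hits if isinstance(hits, int) else 0
        entry["aps"].add(trap.get("Detecting AP Name", "unknown"))
        bucket = "sources" if trap["mac_valid"] else "bad_macs"
        entry[bucket].add(trap.get("srcMac", ""))
    return dict(summary)

if __name__ == "__main__":
    for name, entry in summarize(TRAPS).items():
        print(name, entry["hits"], sorted(entry["aps"]), sorted(entry["sources"]), sorted(entry["bad_macs"]))
```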
