IDS 'Broadcast Probe floo' Signature attack detected

Unanswered Question
Jan 6th, 2010

Hi Mark,


I noticed on our WCS we are getting a few Critical Alarms - "IDS 'Broadcast Probe floo' Signature attack detected . . ." What on the client would cause this?  What can I do to resolve it?  If it is not a real security issue, should I just acknowledge it?


Thanks.

Thomas Ley Mon, 07/09/2012 - 11:01

I know this is an old post, but I'm seeing the same critical alarm IDS Broadcast Probe floo and IDS NULL probe Resp1.

Has anyone seen these two and what action can I take to elevate these alarms?

Thanks

Amjad Abdullah Mon, 07/09/2012 - 11:42

Thomas:

This indicates some kind of security issue. Too many probe requests were detected from the same client. If this is an intentional attack, it may cause denial of service to your AP. Sometimes, however, bad drivers or old devices may cause too many frames to be generated, triggering this alarm.

What you need to do is to visit the area of the access point that detected the problem and find the ugly device. Fix the machine if it has a bad or old driver, or arrest the guy if that's an attack.


Sent from Cisco Technical Support iPad App

George Stefanick Mon, 07/09/2012 - 20:37

The NULL probe request is a probe that doesn't have an SSID in the probe request.

Some access points that hide their SSID could and do respond with their SSID even if it's hidden. Cisco does not.

NetStumbler is used in this manner, actually.

Cisco sees these probe requests that are null and flags them.

Sent from Cisco Technical Support iPhone App

Amjad Abdullah Mon, 07/09/2012 - 23:13

Hey George,

Thank you for all the valuable information.

What I know is that the message indicates excessive probe requests, so it is considered a "flood" as per the message.

The message does not mention anything about Null probe requests.

For the other piece of info, that Cisco does not reply to null probe requests: what exactly do you mean by that?
Because when I use inSSIDer I can detect hidden networks on Cisco WLC. However, the SSID name does not appear. Only the MAC address appears. Does this mean that the AP does not respond to null requests? Or it does?

If it does not, for the APs that do, will the SSID name appear although it is hidden?


Thank you.


Amjad

George Stefanick Tue, 07/10/2012 - 07:00

These are 2 different alerts, as I recall. I'm not in front of my WLC at the moment.

Yes, if a client sends a null probe request, the AP will do a probe response revealing the hidden SSID.

Not all APs do this, but some do.

This is why Cisco flags this as an issue, because it might mean someone is trying to gather information.

Sent from Cisco Technical Support iPhone App
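
The per-client counting discussed in the replies above, as a way to work out which device near the reporting AP is sending the probes. This is an added example, not code from the thread or from Cisco. The frame tuples, the 1-second window and the threshold of 15 are assumptions for illustration, not the WLC signature's actual values.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed probe-request records: (timestamp_ms, source_mac, ssid).
    An empty ssid means the request carried no SSID."""
    frames = []
    for i in range(5):    # ordinary client scanning for a known network
        frames.append((i * 2000, "02:00:00:00:00:01", "corp-wlan"))
    for i in range(60):   # misbehaving client: one probe every 50 ms
        frames.append((1000 + i * 50, "02:00:00:00:00:02", ""))
    for i in range(3):    # ordinary client doing occasional broadcast scans
        frames.append((i * 3000, "02:00:00:00:00:03", ""))
    return frames

def find_probe_floods(frames, window_ms=1000, threshold=15):
    """Return per-source stats for every MAC whose probe-request count inside
    any sliding window of `window_ms` reaches `threshold` (both assumed)."""
    recent = defaultdict(deque)   # mac -> timestamps still inside the window
    stats = defaultdict(lambda: {"peak": 0, "total": 0, "no_ssid": 0})
    for ts, mac, ssid in sorted(frames):
        q = recent[mac]
        q.append(ts)
        # Drop timestamps that have aged out of the half-open window.
        while ts - q[0] >= window_ms:
            q.popleft()
        s = stats[mac]
        s["total"] += 1
        if ssid == "":
            s["no_ssid"] += 1
        s["peak"] = max(s["peak"], len(q))
    return {mac: s for mac, s in stats.items() if s["peak"] >= threshold}

if __name__ == "__main__":
    for mac, s in find_probe_floods(build_sample()).items():
        print(f"{mac}: peak {s['peak']} probes/s, "
              f"{s['no_ssid']} of {s['total']} without an SSID")
```

The MAC it reports is the one to look for when walking the area covered by the AP that raised the alarm.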
