Cisco Support Community

New Member

Signature attack

All,

I have been getting the messages below since Wi-Fi was deployed at my site. We recently implemented Wi-Fi at my site, which involves WLC 2504, NCS Prime, MSE and Cisco ISE.

----------------------------------------------------------------------------------------------------------------------------

Virtual Domain: ROOT-DOMAIN

NCS has detected one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:

1. Alarm Condition:Signature attack

Message: IDS 'NULL probe resp 1' Signature attack detected on AP 'AP3502-04' protocol '802.11b/g' on Controller '10.150.10.101'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '32:02:6f:ec:92:bb', channel number is '1', and the number of detections is '1'.

E-mail will be suppressed up to 30 minutes for these alarms.

-----------------------------------------------------------------------------------------------------------------------------------

Is someone trying to attack? Let me know how I can avoid this attack.

Thanks,

Sridhar

  • Getting Started with Wireless
4 REPLIES
VIP Purple

Signature attack

Hi Sridhar,

This post says it all:

https://supportforums.cisco.com/thread/2179944

or

During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:

◦ NULL probe resp 1 (precedence 2)

◦ NULL probe resp 2 (precedence 3)

Remove the machine/attacker from the network to avoid client lockup.

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000001.pdf

Hope it helps.

Regards

Don't forget to rate helpful posts

New Member

Signature attack

Thanks Sandeep, I am also getting the alerts below.

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack detected on AP 'AP3502-06' protocol '802.11b/g' on Controller '10.150.10.11'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is '98:0d:2e:03:36:c6', channel number is '6', and the number of detections is '300'.

Is this also a kind of attack?

VIP Purple

Signature attack

Hi Sridhar,

I don't think it's a kind of attack.

This is just information for you that some devices are sending null

When you see 'deauth flood' messages this means that an AP is seeing a lot of deauths in the air.

If you don't want to see it again, then go to

Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack

Wireless Protection Policies > Standard Signatures > >

Deauth issue: you can sniff the area where the AP is reporting and see if it's the controller or something else.

Regards

Don't forget to rate helpful posts

New Member

Signature attack

Yes, this is a kind of wireless attack: "auth flood", like a brute-force method.

It means the signature attack "auth flood" is a registered attack method. The wireless router has a list of attack methods; if a known attack is in the list, the alarm informs you: hey, someone is trying to "hack or attack" your AP. We just found the method of the attack; the name of this kind of attack is "auth flood".

Sorry for bad English.
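For triaging alarms like the two quoted in this thread, the sketch below (an added example, not code from any poster or from Cisco) parses the NCS message text, totals detections per source MAC and signature, and marks whether the reported MAC is locally administered, in which case it was set by software and cannot be tied to a vendor or a fixed device. The regular expression is inferred only from the two messages above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Alarm bodies copied from the two NCS e-mails quoted in this thread.
ALARMS = [
    "IDS 'NULL probe resp 1' Signature attack detected on AP 'AP3502-04' protocol '802.11b/g' on Controller '10.150.10.101'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '32:02:6f:ec:92:bb', channel number is '1', and the number of detections is '1'.",
    "IDS 'Auth flood' Signature attack detected on AP 'AP3502-06' protocol '802.11b/g' on Controller '10.150.10.11'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is '98:0d:2e:03:36:c6', channel number is '6', and the number of detections is '300'.",
]

# Pattern inferred from those two messages (assumption: other alarms share it).
ALARM_RE = re.compile(
    r"IDS '(?P<signature>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' "
    r"protocol '(?P<protocol>[^']+)' on Controller '(?P<controller>[^']+)'\. "
    r"The Signature description is '(?P<description>[^']+)', "
    r"with precedence '(?P<precedence>\d+)'\. "
    r"The attacker's mac address is '(?P<mac>[0-9a-fA-F:]{17})', "
    r"channel number is '(?P<channel>\d+)', and the number of detections is '(?P<detections>\d+)'"
)

def is_locally_administered(mac):
    # Bit 0x02 of the first octet is the U/L bit; set means software-assigned.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_alarm(message):
    """Return the alarm fields as a dict, or None if the text does not match."""
    m = ALARM_RE.search(message)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("precedence", "channel", "detections"):
        rec[key] = int(rec[key])
    rec["mac"] = rec["mac"].lower()
    rec["locally_administered"] = is_locally_administered(rec["mac"])
    return rec

def triage(messages):
    """Total detections per (mac, signature), busiest source first."""
    groups = defaultdict(lambda: {"detections": 0, "aps": set()})
    for rec in filter(None, map(parse_alarm, messages)):
        g = groups[(rec["mac"], rec["signature"])]
        g["detections"] += rec["detections"]
        g["aps"].add(rec["ap"])
        g["locally_administered"] = rec["locally_administered"]
    return sorted(groups.items(), key=lambda kv: -kv[1]["detections"])

if __name__ == "__main__":
    for (mac, sig), g in triage(ALARMS):
        print(mac, sig, g["detections"], sorted(g["aps"]), g["locally_administered"])
```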
