WLC - IDS Signature attack detected

limtohsoon
Level 1

Hi Sir,

My WLC4404-100 is reporting detection of the following floods of IDS signature attacks:

------------------------------------------------------------------------------------

2007-01-22 10:40:24 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:2A:80 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=6

2007-01-22 10:42:02 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:33:80 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=1

2007-01-22 10:43:09 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:29:80 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=1

2007-01-22 10:45:23 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:33:80 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=1

2007-01-22 10:49:21 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:18:70 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=6

2007-01-22 10:50:09 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:23:60 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=1

2007-01-22 10:50:09 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:23:A0 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=1

2007-01-22 10:52:32 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:28:10 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=6

2007-01-22 10:52:32 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:18:70 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=6

------------------------------------------------------------------------------------

Around the same time, many clients were not able to authenticate with the WLC. The WLC reported many of the following messages:

------------------------------------------------------------------------------------

2007-01-22 10:39:55 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:10:7f:ed

2007-01-22 10:40:01 Local0.Notice 10.0.0.1 [WARNING] apf_80211.c 2408: Received a message with an invalid supported rate from station 00:12:17:83:ec:b8.

2007-01-22 10:40:02 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:10:82:b3

2007-01-22 10:40:03 Local0.Error 10.0.0.1 [SECURITY] 1x_bauth_sm.c 423: Backend Authentication SM: abortAuth: Authentication Aborted.

2007-01-22 10:45:05 Local0.Error 10.0.0.1 [SECURITY] 1x_eapkey.c 344: EAPOL Key message with invalid authenticator replay counter (got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03) from mobile 00:16:6f:66:e6:c8

2007-01-22 10:58:41 Local0.Error 10.0.0.1 [SECURITY] dtl_net.c 1176: STA [00:16:6f:4b:ea:7f, 0.0.0.0] ARP (op 1) received with invalid SPA 10.238.4.248/TPA 10.238.4.1

2007-01-22 11:05:16 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 391: MAX EAPOL-Key M3 retransmissions reached for mobile 00:16:6f:4b:ea:7f

------------------------------------------------------------------------------------

Please advise whether the problem is caused by the attacks and what I can configure on the WLC to mitigate the attacks.

Thank you.

B.Rgds,

Lim TS
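As an added example (not part of the post and not Cisco's code): a small Python script that parses WLC syslog lines in the two formats quoted above, counts IDS signature alarms per AP and signature, and checks whether each EAP/802.1X failure falls within a few minutes of an alarm. That time correlation is the first thing to establish before attributing the client authentication problems to the floods. The regular expressions match only the message formats shown in the post (including the controller's own "channle=" spelling), and the five-minute window is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample lines copied from the post above (a subset of the IDS alarms and
# 802.1X failures); any other input is assumed to use the same formats.
SAMPLE_LOG = """\
2007-01-22 10:39:55 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:10:7f:ed
2007-01-22 10:40:24 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:2A:80 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=6
2007-01-22 10:42:02 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:33:80 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=1
2007-01-22 10:45:23 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:33:80 : Alarm ON, standard sig Assoc flood, track=per-Mac preced=4 hits=30 slot=0 channle=1
2007-01-22 10:50:09 Local0.Notice 10.0.0.1 [WARNING] spam_lrad.c 16508: AP 00:19:07:58:23:60 : Alarm ON, standard sig Disassoc flood, track=per-Mac preced=7 hits=30 slot=0 channle=1
2007-01-22 11:05:16 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 391: MAX EAPOL-Key M3 retransmissions reached for mobile 00:16:6f:4b:ea:7f
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# IDS signature alarm raised by an AP. The WLC writes "channle=", so the
# pattern accepts both that spelling and "channel=".
ALARM_RE = re.compile(
    TS + r".*?AP (?P<ap>" + MAC + r") : Alarm ON, standard sig (?P<sig>.+?), "
    r"track=(?P<track>[\w-]+) preced=\d+ hits=(?P<hits>\d+) slot=\d+ chann(?:el|le)=(?P<chan>\d+)"
)

# 802.1X / EAP failure attributed to a specific client MAC.
AUTH_RE = re.compile(
    TS + r".*?\[SECURITY\] 1x_\w+\.c \d+: (?P<msg>.+?) for (?:mobile|STA) (?P<sta>" + MAC + r")"
)


def parse_events(text):
    """Split WLC syslog text into IDS alarm records and per-client auth failure records."""
    alarms, failures = [], []
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            alarms.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "ap": m["ap"].upper(),
                "sig": m["sig"],
                "hits": int(m["hits"]),
                "chan": int(m["chan"]),
            })
            continue
        m = AUTH_RE.search(line)
        if m:
            failures.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "sta": m["sta"].lower(),
                "msg": m["msg"],
            })
    return alarms, failures


def alarm_summary(alarms):
    """Count alarms per (AP MAC, signature name); repeated hits on one AP stand out here."""
    return Counter((a["ap"], a["sig"]) for a in alarms)


def correlate(alarms, failures, window=timedelta(minutes=5)):
    """For each auth failure, list the alarms raised within +/- window of it.

    An empty 'nearby' list means the client failure cannot be explained by
    an IDS alarm in that window (assumed window: five minutes).
    """
    result = []
    for f in failures:
        nearby = sorted(
            (a for a in alarms
             if abs((a["ts"] - f["ts"]).total_seconds()) <= window.total_seconds()),
            key=lambda a: a["ts"],
        )
        result.append({"sta": f["sta"], "ts": f["ts"], "msg": f["msg"], "nearby": nearby})
    return result


if __name__ == "__main__":
    alarms, failures = parse_events(SAMPLE_LOG)
    for (ap, sig), n in alarm_summary(alarms).most_common():
        print(f"{ap}  {sig:<15} alarms={n}")
    for row in correlate(alarms, failures):
        aps = ", ".join(f"{a['ap']}/{a['sig']}" for a in row["nearby"]) or "none"
        print(f"{row['ts']} {row['sta']} {row['msg']}: alarms within window -> {aps}")
```

Feed the full syslog export to `parse_events` instead of `SAMPLE_LOG`; failures with an empty `nearby` list are the ones to investigate independently of the IDS alarms (driver, RADIUS, or roaming issues rather than a flood).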

5 Replies

drolemc
Level 6

This one looks like a configuration error. Can you post the configuration of the WLC so that we can trace the problem?

Hi,

I'm afraid I can't post the WLC config because it's my customer's device.

However, are you able to tell which part of the config potentially has an error?

Thank you.

B.Rgds,

Lim TS

johnruffing
Level 4

We observed this in one of our customer's installations. It turned out to be a false positive and was based, in part, on the fact that in high-density installations (where an LWAP can hear many other neighbors) its table of neighboring LWAPs overflows, causing the IDS to go off because the legitimate LWAPs no longer appear in the LWAP table.

It is possible that you are experiencing this same error.

You may want to review the latest version of the WLC firmware and determine if it is worth an upgrade.

(Our customer is going to upgrade tomorrow morning to fix this and some other related false-positive IDS messages such as Net Stumbler Attack, AP Impersonation Attack, Disassoc Flood, etc.)

However, that does not necessarily mean that you do not currently have an adjacent neighbor running a wireless system, such as Aruba, that is able to perform auto-containment.

We experienced this first-hand last summer and had to go next door and nicely ask the administrator of the Aruba WLAN to kindly stop jamming us. It can be very difficult to "see" where the jamming/disassociation is coming from, since the AP doing the jamming is attempting to "spoof" (impersonate) the real LWAP and/or client, sending disassociation messages as if it were them. However, you might be able to use a product such as Ekahau to see if the location of your LWAP appears to be at a different location than it should be. This might be a clue as to where the jamming LWAP might be located (or at least its general direction away from your LWAP).

- John

Hi John,

Thanks for your detailed explanation.

My current version is 4.0.179.8. May I know which version your customer is upgrading to? And is it stable?

I face a lot of issues with built-in Intel wireless adapters on Compaq or Dell notebooks.

Thank you.

B.Rgds,

Lim TS

I believe that our customer just upgraded to the 4.0.206 version this morning. So far, there have been no snags.

However, he is still seeing false positive IDS errors after the upgrade.

In my conversations with Cisco TAC, they have stated that there is going to be an IDS signature upgrade sometime in the spring which may further address these issues.

However, there had been some hopes that the .206 December release (that became available in January) would fix this and, apparently, there are a number of issues that remain.

If you read the release notes for .206, you will see that one of the known issues is that the table of neighboring APs is too short, and in high-density installations (where lots of APs are close to each other), if too many APs are detected, the table overflows, causing legitimate APs to look like rogues.

As far as the built-in Intel Centrino wireless adapter issues, there are some updated drivers available from Intel that are supposed to help.

I also believe that Cisco TAC may have some suggested settings regarding power saving mode that may help as well.

- John
