Cisco Support Community
Community Member

IDS Signature attack detected...

I think my WLAN is under two DOS attacks, Deauth flood and Reassociation flood... The following are the traps shown on the controller (WLC 4402):

IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36

IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E

The network is for hotel guests so there is no authentication/encryption... Any suggestions about how I can mitigate those attacks?

In the trap messages they also list the Src MAC addresses. However I was reading about those two attacks and seems the attacks are actually spoofing MAC addresses of clients. So are they the real mac addresses of the hacker? Should I block them?

If I should, how can I do it? I was thinking using MAC-filter however it seems only allow clients with configured MAC addresses and will deny the ones that are not listed... As you can guess, we are hotel enviroment and we can't keep allowing new MAC addresses for new guests... So any suggestions?

Any advice is welcome! Thank you!


Re: IDS Signature attack detected...

When you see 'deauth flood' messages this means that an

AP is seeing a lot of deauths in the air. These messages

often happen when a NIC card leaves an area where there

there are dense APs.

If you want this to trigger less often:


Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack

Wireless Protection Policies > Standard Signatures > >


for example if you wanted to see the alarm on '60' detections of

'Deauth flood' instead of '50'.

Below 5.0:

You can modify the IDS settings so that the messages occurs less often

or not at all:

If you want it to trigger not at all:

Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack

Below 5.0:

Re: IDS Signature attack detected...

If you have a deauth issue you can sniff the area where the ap is reporting and see if its the controller or something else.

The controllers are very sensitive.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
CreatePlease to create content