Signature attack detected on AP

IDS 'Auth flood' Signature attack cleared on AP 'L2Z4-Columnpoint-DesignLines' protocol '802.11a' on Controller '10.0.205.10'. The Signature description is 'Authentication Request flood'.This Signature attack is still detected by 1 APs

 

IDS 'Broadcast Probe flood' Signature attack detected on AP 'P-Hall-AP-4' protocol '802.11b/g' on Controller '10.0.205.10'. The Signature description is 'Broadcast Probe Request flood', with precedence '7'. The channel number is '6', the number of detections is '500', and one of potentially several attackers' mac addresses is '1c:23:2c:1e:8f:01'

 

I have found these attacks on my Cisco WLC 5508. Please guide me and provide a solution so that I may be able to remove these kinds of attacks in future.

 

We currently have one WLC 5508 connected to a Nexus switch, and the APs are connected to access switches, which are 2960s.

 

Thanks in advance

3 REPLIES

Re: Signature attack detected on AP

Hi,

 Chances are that this is a false positive. Do you have wIPS? If not, it is a good thing to have.

 

 

 

-If I helped you somehow, please, rate it as useful.-


Re: Signature attack detected on AP

Here are some good reading links...
https://supportforums.cisco.com/t5/security-and-network-management/ids-auth-flood-signature-attack-detected-another-ap/td-p/2195647
https://learningnetwork.cisco.com/thread/79682

I suggest figuring out:

- Try to find patterns:
  o Time, location, source MAC
- Who owns this MAC address?
  o Your own APs? -> Maybe a misconfiguration or a bug. Or someone who is spoofing your MAC address.
  o Your own clients?
  o Unknown
- Tools like Cisco's Mobility Service Engine or other wireless IDS systems could help you with this.

If it is an external attacker...

- Remove the attacker physically (best), try to block the attacker (silently discard), or accept the attack message.
- In the end, a flood will influence the performance of your wireless infrastructure and wireless clients.

Maybe there are some other suggestions on actions for preventing and defending against wireless attacks?
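
The pattern-finding step suggested in the reply above (location, source MAC, who owns the MAC), as an added example that is not part of the original thread or any Cisco tool. It parses trap messages in the format quoted in the question and groups detections by signature and source MAC; the function names, the inventory sets and the third sample line are assumptions made for illustration, and the time dimension would come from the syslog or trap timestamp, which the quoted messages do not include.

```python
import re
from collections import defaultdict

# Field patterns taken from the two trap messages quoted in the question.
HEAD = re.compile(r"IDS '(?P<sig>[^']+)' Signature attack (?P<state>detected|cleared) "
                  r"on AP '(?P<ap>[^']+)' protocol '(?P<proto>[^']+)' on Controller '(?P<wlc>[^']+)'")
EXTRA = {"channel": re.compile(r"channel number is '(\d+)'"),
         "detections": re.compile(r"number of detections is '(\d+)'"),
         "mac": re.compile(r"mac addresses is '([0-9A-Fa-f:]{17})'")}

def parse_trap(line):
    """Return the fields of one trap message as a dict, or None if it is not one."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, rx in EXTRA.items():
        hit = rx.search(line)
        rec[key] = hit.group(1).lower() if hit else None  # 'cleared' traps lack these
    return rec

def classify(mac, own_aps, own_clients):
    """Who owns this MAC? The inventories are sets you maintain yourself (hypothetical)."""
    if mac in own_aps:
        return "own AP"
    if mac in own_clients:
        return "own client"
    return "unknown"

def summarize(lines, own_aps=frozenset(), own_clients=frozenset()):
    """Group 'detected' traps by (signature, source MAC): which APs, channels, how many."""
    groups = defaultdict(lambda: {"aps": set(), "channels": set(), "detections": 0})
    for rec in filter(None, map(parse_trap, lines)):
        if rec["state"] != "detected":
            continue
        g = groups[(rec["sig"], rec["mac"])]
        g["aps"].add(rec["ap"])
        g["channels"].add(rec["channel"])
        g["detections"] += int(rec["detections"] or 0)
        g["owner"] = classify(rec["mac"], own_aps, own_clients)
    return dict(groups)

# The first two lines are the messages from the question; the third is constructed.
SAMPLE = [
    "IDS 'Auth flood' Signature attack cleared on AP 'L2Z4-Columnpoint-DesignLines' protocol '802.11a' on Controller '10.0.205.10'. The Signature description is 'Authentication Request flood'.This Signature attack is still detected by 1 APs",
    "IDS 'Broadcast Probe flood' Signature attack detected on AP 'P-Hall-AP-4' protocol '802.11b/g' on Controller '10.0.205.10'. The Signature description is 'Broadcast Probe Request flood', with precedence '7'. The channel number is '6', the number of detections is '500', and one of potentially several attackers' mac addresses is '1c:23:2c:1e:8f:01'",
    "IDS 'Broadcast Probe flood' Signature attack detected on AP 'P-Hall-AP-5' protocol '802.11b/g' on Controller '10.0.205.10'. The Signature description is 'Broadcast Probe Request flood', with precedence '7'. The channel number is '6', the number of detections is '500', and one of potentially several attackers' mac addresses is '1c:23:2c:1e:8f:01'",
]
```

Calling `summarize(SAMPLE)` yields one group keyed by signature and MAC; a single MAC reported by several APs on the same channel points to one nearby transmitter rather than a controller-wide fault.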

Re: Signature attack detected on AP

Hi

 

Don't worry about this signature attack. This is a Cisco AP intelligent feature which tells you about the rogues, other suspicious devices, and signals which can interrupt Cisco Aironet signal channels.

Whenever any other device comes into the range of a Cisco AP, it is detected as a signature attack. You can manually disable it from your WLC to avoid receiving such types of traps from the controller.


Zain Khan
https://www.linkedin.com/in/forzain/