On ArubaOS controllers, the IDS functionality helps detect Wi-Fi attacks occurring in the RF environment.
There are scenarios where the controller still reports attacks and sends alerts even though no attack is actually taking place. These are false alarms, or false detections.
One such scenario is the "Power Save DoS Attack" message appearing too frequently in the controller logs.
Apr 15 08:28:54 sapd[1129]: <127109> <WARN> |AP A0034@10.83.1.175 sapd| |ids-ap| AP(6c:f3:7f:b1:b3:a0): Power Save DoS Attack: An AP detected a Power Save DoS attack on client f4:09:d8:b6:69:f8 and access point (BSSID 6c:f3:7f:b1:b3:a0 and SSID Aruba-AP on CHANNEL 1). SNR of client is 63. Additional Info: Pwr-Mgmt-On-Pkts:149; Pwr-Mgmt-Off-Pkts:184.
Apr 15 08:28:54 sapd[1129]: <127109> <WARN> |AP A0034@10.83.1.175 sapd| |ids-ap| AP(6c:f3:7f:b1:b3:a0): Power Save DoS Attack: An AP detected a Power Save DoS attack on client f4:09:d8:b6:69:f8 and access point (BSSID 6c:f3:7f:b1:b3:a0 and SSID Aruba-Ap on CHANNEL 1). SNR of client is 63. Additional Info: Pwr-Mgmt-On-Pkts:149; Pwr-Mgmt-Off-Pkts:184.
Apr 15 08:30:24 sapd[1129]: <127109> <WARN> |AP A0036@10.83.1.174 sapd| |ids-ap| AP(6c:f3:7f:b1:b4:e0): Power Save DoS Attack: An AP detected a Power Save DoS attack on client f4:09:d8:b6:69:f8 and access point (BSSID 6c:f3:7f:b1:b4:e0 and SSID Aruba-Ap on CHANNEL 1). SNR of client is 15. Additional Info: Pwr-Mgmt-On-Pkts:116; Pwr-Mgmt-Off-Pkts:131.
Apr 15 08:30:24 sapd[1129]: <127109> <WARN> |AP A0036@10.83.1.174 sapd| |ids-ap| AP(6c:f3:7f:b1:b4:e0): Power Save DoS Attack: An AP detected a Power Save DoS attack on client f4:09:d8:b6:69:f8 and access point (BSSID 6c:f3:7f:b1:b4:e0 and SSID Aruba-Ap on CHANNEL 1). SNR of client is 15. Additional Info: Pwr-Mgmt-On-Pkts:116; Pwr-Mgmt-Off-Pkts:131.
It is common to see false alarms as above if the default thresholds have not been changed. This is because newer model clients have very aggressive power-saving behavior, which causes them to toggle in and out of power save mode much more frequently than older client devices did. If the network admin would like to use this detection, it is recommended that the thresholds be tuned until false alarms are minimal or gone.
The following snippet from AOS 6.4.x shows how to change the threshold:
Default values:
(Aruba3400) #show ids dos-profile test | include Power
Detect Power Save DoS Attack true
Power Save DoS Detection Quiet Time 900 sec
Power Save DoS Detection Threshold 80 %
Power Save DoS Detection Minimum Frames 120 >> (default)
[Meaning: The minimum number of Power Management OFF packets that must be seen from a station, in intervals of 10 seconds, for the Power Save DoS check to be done.]
(Aruba3400) (config) #ids dos-profile test
(Aruba3400) (IDS Denial Of Service Profile "test") #power-save-dos-min-frames 150 (example)
(Aruba3400) (IDS Denial Of Service Profile "test") #exit
(Aruba3400) (config) #show ids dos-profile test | include Power
Detect Power Save DoS Attack true
Power Save DoS Detection Quiet Time 900 sec
Power Save DoS Detection Threshold 80 %
Power Save DoS Detection Minimum Frames 150
Another option is to disable Power Save DoS attack detection completely.
(Aruba3400) (IDS Denial Of Service Profile "test") #no detect-power-save-dos-attack
(Aruba3400) (config) #show ids dos-profile test | include Power
Detect Power Save DoS Attack false
Power Save DoS Detection Quiet Time 900 sec
Power Save DoS Detection Threshold 80 %
Power Save DoS Detection Minimum Frames 120