Network Management

Reply
Highlighted
Occasional Contributor II
Posts: 20
Registered: ‎04-18-2017

Airwave Hotspotter attack from my own APs.

Airwave is reporting hotspotter attacks everytime a client roams to a new AP. All my APs are listed in AMP. Im not sure why this is happening, and ideas?

Aruba Employee
Posts: 328
Registered: ‎02-19-2015

Re: Airwave Hotspotter attack from my own APs.

Hi Brad,

 

could you share the screen shot for better understanding the issue.

 

Regards,

Pavan

Occasional Contributor II
Posts: 20
Registered: ‎04-18-2017

Re: Airwave Hotspotter attack from my own APs.

May 3 11:04:23 2017 awc7240-a1-43556-505-1 wms[3993]: <126088> <3993> |ids| AP(40:e3:d6:e3:ab:66@g2-z1-door-5z3map-1): Hotspotter Attack: An AP detected that the client with MAC address a4:e4:b8:a4:9b:67 (BSSID 40:e3:d6:f6:8b:23 on CHANNEL 161 with SNR 4) may be under attack from the Hotspotter tool. The probe response was sent from AP 40:e3:d6:f6:8b:23 for SSID QPPCORP. Associated WVE ID(s): WVE-2005-0054.

 

QPPCORP belongs to me and the AP and BSSID belongs to me. Not sure why im getting these alerts.

 

 

Aruba Employee
Posts: 328
Registered: ‎02-19-2015

Re: Airwave Hotspotter attack from my own APs.

Please check below link

 

https://community.arubanetworks.com/t5/Controller-less-WLANs/What-type-of-attacks-on-clients-that-are-associated-to-Aruba/ta-p/172152

 

I would recommand to open controller TAC ticket to know why we are receiving hotspotter attack from valid APs.

 

It might be false positive where detecting AP hears very less frames from a far away AP to which client trying to connect.

 

Regards,

Pavan

Search Airheads
Showing results for 
Search instead for 
Did you mean: