05-03-2017 07:42 AM
Airwave is reporting hotspotter attacks everytime a client roams to a new AP. All my APs are listed in AMP. Im not sure why this is happening, and ideas?
Solved! Go to Solution.
05-03-2017 08:11 AM
May 3 11:04:23 2017 awc7240-a1-43556-505-1 wms: <126088> <3993> |ids| AP(40:e3:d6:e3:ab:66@g2-z1-door-5z3map-1): Hotspotter Attack: An AP detected that the client with MAC address a4:e4:b8:a4:9b:67 (BSSID 40:e3:d6:f6:8b:23 on CHANNEL 161 with SNR 4) may be under attack from the Hotspotter tool. The probe response was sent from AP 40:e3:d6:f6:8b:23 for SSID QPPCORP. Associated WVE ID(s): WVE-2005-0054.
QPPCORP belongs to me and the AP and BSSID belongs to me. Not sure why im getting these alerts.
05-03-2017 08:51 AM
Please check below link
I would recommand to open controller TAC ticket to know why we are receiving hotspotter attack from valid APs.
It might be false positive where detecting AP hears very less frames from a far away AP to which client trying to connect.