Network Management

last person joined: 16 hours ago 

Keep an informative eye on your network with HPE Aruba Networking network management solutions
Back to discussions
Expand all | Collapse all

Airwave Hotspotter attack from my own APs.

This thread has been viewed 8 times

  • 1.  Airwave Hotspotter attack from my own APs.

    Posted May 03, 2017 10:42 AM

    Airwave is reporting hotspotter attacks everytime a client roams to a new AP. All my APs are listed in AMP. Im not sure why this is happening, and ideas?



  • 2.  RE: Airwave Hotspotter attack from my own APs.

    EMPLOYEE
    Posted May 03, 2017 10:51 AM

    Hi Brad,

     

    could you share the screen shot for better understanding the issue.

     

    Regards,

    Pavan



  • 3.  RE: Airwave Hotspotter attack from my own APs.

    Posted May 03, 2017 11:11 AM

    May 3 11:04:23 2017 awc7240-a1-43556-505-1 wms[3993]: <126088> <3993> |ids| AP(40:e3:d6:e3:ab:66@g2-z1-door-5z3map-1): Hotspotter Attack: An AP detected that the client with MAC address a4:e4:b8:a4:9b:67 (BSSID 40:e3:d6:f6:8b:23 on CHANNEL 161 with SNR 4) may be under attack from the Hotspotter tool. The probe response was sent from AP 40:e3:d6:f6:8b:23 for SSID QPPCORP. Associated WVE ID(s): WVE-2005-0054.

     

    QPPCORP belongs to me and the AP and BSSID belongs to me. Not sure why im getting these alerts.

     

     



  • 4.  RE: Airwave Hotspotter attack from my own APs.
    Best Answer

    EMPLOYEE
    Posted May 03, 2017 11:52 AM

    Please check below link

     

    https://community.arubanetworks.com/t5/Controller-less-WLANs/What-type-of-attacks-on-clients-that-are-associated-to-Aruba/ta-p/172152

     

    I would recommand to open controller TAC ticket to know why we are receiving hotspotter attack from valid APs.

     

    It might be false positive where detecting AP hears very less frames from a far away AP to which client trying to connect.

     

    Regards,

    Pavan