Frequent Contributor I
Posts: 63
Registered: 03-17-2016

PowerSaveDOSAttack routinely seen

I recently stood up a new pair of Aruba 7205 controllers and 40 APs in an office environment. We are split between two lower floors near each other, and about 7 floors above those, two more floors near each other. I set up syslog and SNMP traps to forward to our monitoring platform and began reviewing the baseline information today. I found numerous wlsxPowerSaveDosAttack entries.


From what I've read they appear to be harmless for the most part, and another thread mentioned how to silence them or reduce noise by changing the default minimum messages value.  It is currently set at 120 (default) and the recommended change was to 150.  Some of the syslog messages imply we are receiving several hundred of these, though:

 

6/29/2016 11:57:45 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173.
6/29/2016 11:59:37 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.

So I guess my question is, how high should the threshold be set before we consider this a real attack? Should I bump up the threshold to 225 and reduce noise, then monitor for anomalies that are much, much higher?

Also, is there any way to definitively say that this is a real attack, and if so, how would I trace the source?

Wireless newb
Guru Elite
Posts: 21,010
Registered: 03-29-2007

Re: PowerSaveDOSAttack routinely seen

I would uncheck the Power Save DOS attack detection.  There are some clients that trigger this notification in error.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 63
Registered: 03-17-2016

Re: PowerSaveDOSAttack routinely seen

Thanks Colin. I had suspected as much after looking over the traps/syslog messages. Each syslog message seems to focus on one client MAC address, and some are active users in our system that are legitimate. Even those that are sending 300-400+ messages are legit.

Wireless newb
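Added example (not part of the thread and not Aruba code): a small parser for the syslog format quoted in the first post that groups Power Save DoS events by client, shows which clients would still alert at a candidate threshold such as 225, and checks them against a client inventory. Assumptions: the alert is modelled as the larger of the two Pwr-Mgmt counters reaching the threshold, the KNOWN inventory set is hypothetical, and the third log line is constructed.

```python
import re
from collections import defaultdict

# Lines 1-2 are the messages quoted in the first post (tabs replaced by spaces);
# line 3 is constructed for this example.
SAMPLE = """\
6/29/2016 11:57:45 AM x.x.x.x Warning aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173.
6/29/2016 11:59:37 AM x.x.x.x Warning aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.
6/29/2016 12:03:10 PM x.x.x.x Warning aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 02:00:00:00:00:01 and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 12. Additional Info: Pwr-Mgmt-On-Pkts:410; Pwr-Mgmt-Off-Pkts:395.
"""
KNOWN = {"a8:66:7f:15:01:cd", "34:02:86:38:21:1a"}  # hypothetical inventory

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
EVENT = re.compile(
    rf"AP\((?P<ap_mac>{MAC})@(?P<ap_name>[^)]+)\): Power Save DoS Attack: .*?"
    rf"on client (?P<client>{MAC}) and access point \(BSSID (?P<bssid>{MAC}) "
    rf"and SSID (?P<ssid>.+?) on CHANNEL (?P<channel>\d+)\)\. "
    rf"SNR of client is (?P<snr>\d+)\. Additional Info: "
    rf"Pwr-Mgmt-On-Pkts:(?P<on>\d+); Pwr-Mgmt-Off-Pkts:(?P<off>\d+)",
    re.IGNORECASE,
)

def parse_events(text):
    """Return one dict per Power Save DoS message; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            e = m.groupdict()
            for key in ("channel", "snr", "on", "off"):
                e[key] = int(e[key])
            e["client"] = e["client"].lower()
            events.append(e)
    return events

def triage(events, threshold, known_clients):
    """Per client: event count, peak counter, alert at threshold, inventory hit."""
    stats = defaultdict(lambda: {"events": 0, "peak": 0})
    for e in events:
        s = stats[e["client"]]
        s["events"] += 1
        s["peak"] = max(s["peak"], e["on"], e["off"])
    # Assumption: an alert fires when the larger counter reaches the threshold.
    return {mac: {**s, "over_threshold": s["peak"] >= threshold,
                  "known": mac in known_clients} for mac, s in stats.items()}

if __name__ == "__main__":
    for mac, row in triage(parse_events(SAMPLE), 225, KNOWN).items():
        print(mac, row)
```

Clients that stay over the raised threshold and are missing from the inventory are the ones worth a closer look; known clients that repeatedly trip it match the false-positive behaviour described in the replies.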