06-29-2016 12:06 PM
I recently stood up a new pair of Aruba 7205 controllers and 40 AP's in an office environment. We are split between two lower floors near each other, and about 7 floors above those, two more floors near each other. I set up syslog and snmp traps to forward to our monitoring platform and began reviewing the baseline information today. I found numerous wlsxPowerSaveDosAttack entries.
From what I've read they appear to be harmless for the most part, and another thread mentioned how to silence them or reduce noise by changing the default minimum messages value. It is currently set at 120 (default) and the recommended change was to 150. Some of the syslog messages imply we are receiving several hundred of these, though:
6/29/2016 11:57:45 AM x.x.x.x Warning aruba-01 wms: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173. 6/29/2016 11:59:37 AM x.x.x.x Warning aruba-01 wms: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.
So I guess my question is, how high should the threshold be set before we consider this a real attack? Should I bump up the threshold to 225 and reduce noise, then monitor for anomalies that are much much higher?
Also, is there any way to definitively say that this is a real attack, and if so, how would I trace the source?
Solved! Go to Solution.
06-29-2016 12:18 PM
I would uncheck the Power Save DOS attack detection. There are some clients that trigger this notification in error.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
06-29-2016 12:23 PM
Thanks Colin. I had suspected as much after looking over the traps/syslog messages. Each syslog message seems to focus on one client mac address, and some are active users in our system that are legitimate. Even those that are sending 300-400+ messages are legit.