I recently stood up a new pair of Aruba 7205 controllers and 40 AP's in an office environment. We are split between two lower floors near each other, and about 7 floors above those, two more floors near each other. I set up syslog and snmp traps to forward to our monitoring platform and began reviewing the baseline information today. I found numerous wlsxPowerSaveDosAttack entries.
From what I've read they appear to be harmless for the most part, and another thread mentioned how to silence them or reduce noise by changing the default minimum messages value. It is currently set at 120 (default) and the recommended change was to 150. Some of the syslog messages imply we are receiving several hundred of these, though:
6/29/2016 11:57:45 AM x.x.x.x Warning aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173.
6/29/2016 11:59:37 AM x.x.x.x Warning aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.
So I guess my question is, how high should the threshold be set before we consider this a real attack? Should I bump up the threshold to 225 and reduce noise, then monitor for anomalies that are much much higher?
Also, is there any way to definitively say that this is a real attack, and if so, how would I trace the source?