Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

  • 1.  Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    Posted May 23, 2014 04:42 PM

    On an average day it looks like we see in the ballpark of 1800 'Block ACK Attack' picked up by Airwave IDS. This number clearly seems large, so I started looking into it, only to find a common MAC between 97% of them. On further inspection, that MAC was my firewall.

    I suppose my first question is: what is a Block Ack Attack? I assume it is when an Acknowledge packet is dropped before reaching its destination, but I haven't seen many resources on it.

    Second question: is there any particular reason that many of these would be 'targeting' my firewall?

    Any suggestion on cleaning up this attack count? I assume we are not really being attacked by what looks to be a majority of our users.




  • 2.  RE: Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    Posted May 23, 2014 04:53 PM
    You can look at these threads to give you some insight into that IDS signature

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-Ack-Attack-the-cause-of-wifi-outage/m-p/48270/highlight/true#M5523

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-ack-attack-causes/m-p/57184/highlight/true#M969

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-Ack-Request/m-p/51284/highlight/true#M965

    Definition of Block ACK
    The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11nD3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows for a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.
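
The definition above, as an added detection sketch that is not part of the original thread and is not Aruba's signature logic: it parses an ADDBA request body and flags one whose starting sequence number is far from the last data frame seen on the same flow. The `AddbaWindowMonitor` class, the `max_jump` threshold of 256 and the sample frame builder are assumptions made for illustration.

```python
import struct

SEQ_MOD = 4096        # 802.11 sequence numbers are 12 bits wide
CAT_BLOCK_ACK = 3     # Action frame category: Block Ack
ACT_ADDBA_REQ = 0     # Block Ack action code: ADDBA Request

def parse_addba_request(body: bytes):
    """Return (tid, start_seq) from an Action frame body, or None if not an ADDBA request."""
    if len(body) < 9 or body[0] != CAT_BLOCK_ACK or body[1] != ACT_ADDBA_REQ:
        return None
    # Layout after category/action: dialog token (1 byte), Block Ack parameter
    # set (2), timeout (2), starting sequence control (2), all little-endian.
    _token, params, _timeout, ssc = struct.unpack_from("<BHHH", body, 2)
    tid = (params >> 2) & 0xF   # TID is bits 2-5 of the parameter set
    start_seq = ssc >> 4        # low 4 bits are the fragment number
    return tid, start_seq

def build_addba_request(tid: int, start_seq: int) -> bytes:
    """Build a constructed ADDBA request body for testing (buffer size 64, immediate policy)."""
    params = 0x2 | (tid << 2) | (64 << 6)
    return struct.pack("<BBBHHH", CAT_BLOCK_ACK, ACT_ADDBA_REQ, 1, params, 0, start_seq << 4)

class AddbaWindowMonitor:
    """Hypothetical heuristic: flag ADDBA requests that move the window far from live traffic."""
    def __init__(self, max_jump: int = 256):   # threshold is an assumption
        self.max_jump = max_jump
        self.last_seq = {}                      # (ta, ra, tid) -> last data sequence number

    def observe_data(self, ta, ra, tid, seq):
        self.last_seq[(ta, ra, tid)] = seq % SEQ_MOD

    def check_addba(self, ta, ra, body):
        """Return an alert dict for a suspicious ADDBA request, else None."""
        parsed = parse_addba_request(body)
        if parsed is None:
            return None
        tid, start_seq = parsed
        last = self.last_seq.get((ta, ra, tid))
        if last is None:
            return None                         # no baseline for this flow yet
        jump = (start_seq - last) % SEQ_MOD     # forward distance, wraps at 4096
        if jump <= self.max_jump:
            return None                         # window starts near current traffic
        return {"ta": ta, "ra": ra, "tid": tid, "start_seq": start_seq, "jump": jump}
```

A window start that lands behind the current sequence number also shows up as a large forward distance because of the modulo, so both directions are caught by the one comparison.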


  • 3.  RE: Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    Posted May 23, 2014 05:03 PM

    I will attempt to increase Max-TX fail to see if that makes a difference. It is currently set to 8 by default. I see that 15-20 is suggested.

    I had seen these posts before, but I did not see mention of a firewall or router being the target of these IDS-detected 'attacks'.

    We use our Palo Alto firewall as our router.



  • 4.  RE: Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    EMPLOYEE
    Posted May 23, 2014 05:38 PM
    Ereader22,

    What version of ArubaOS is this? I am not sure that block ack detection is perfect.


  • 5.  RE: Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    Posted May 23, 2014 05:40 PM

    It's AOS 6.4.0.3



  • 6.  RE: Showing a lot of Black Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

    EMPLOYEE
    Posted May 23, 2014 06:08 PM

    There are changes scheduled to go into 6.4.1 that will minimize the circumstances that trigger those messages. For now, if you can ignore or turn off detection in the IDS profile, that would be your best bet.