Network Management

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewall

On an average day it looks like we see in the ballpark of 1800 'Block ACK Attack' events picked up by Airwave IDS. This number clearly seems large, so I started looking into it, only to find a common MAC between 97% of them. On further inspection, that MAC was my firewall.

 

I suppose my first question is: what is a Block Ack Attack? I assume it is when an Acknowledge packet is dropped before reaching its destination, but I haven't seen many resources on it.

 

Second question. Is there any particular reason that many of these would be 'targeting' my Firewall? 

 

Any suggestions on cleaning up this attack count? I assume we are not really being attacked by what looks to be a majority of our users.

 


MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewal

You can look at these threads to give you some insight into that IDS signature

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-Ack-Attack-the-cause-of-wifi-outage/m-p/48270/highlight/true#M5523

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-ack-attack-causes/m-p/57184/highlight/true#M969

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Block-Ack-Request/m-p/51284/highlight/true#M965

Definition of Block ACK
The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11nD3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows for a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
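
The definition quoted above, as an added example that is not part of the original post and is not Aruba's IDS logic: a simplified Python model of the receiver window, plus one possible heuristic that flags an ADDBA request whose starting sequence number is far from the live traffic. The record fields, the 64-frame window, the 256 jump threshold and the sample frames are all assumptions constructed for illustration.

```python
from collections import namedtuple

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide

# Illustrative record layout (an assumption, not a real capture format).
Frame = namedtuple("Frame", "kind ta ra tid seq")

def fwd(a, b):
    """Forward distance from sequence number a to b, modulo 4096."""
    return (b - a) % SEQ_MOD

def analyse(frames, window=64, max_jump=256):
    """Track one Block ACK window per (ta, ra, tid), following the simplified
    description above: only frames inside the window are accepted.
    Returns (alerts, dropped): ADDBA requests whose starting sequence number
    is far from the last accepted data frame, and data frames rejected
    because they fall outside the current window."""
    state, alerts, dropped = {}, [], []
    for f in frames:
        st = state.setdefault((f.ta, f.ra, f.tid), {"start": None, "last": None})
        if f.kind == "ADDBA_REQ":
            if st["last"] is not None:
                jump = min(fwd(st["last"], f.seq), fwd(f.seq, st["last"]))
                if jump > max_jump:      # window start inconsistent with traffic
                    alerts.append(f)
            st["start"] = f.seq          # receiver resets its window regardless
        elif f.kind == "DATA":
            if st["start"] is not None and fwd(st["start"], f.seq) >= window:
                dropped.append(f)        # outside the window: discarded
            else:
                st["last"] = f.seq
                if st["start"] is not None:
                    st["start"] = (f.seq + 1) % SEQ_MOD  # slide window forward
    return alerts, dropped

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
# Constructed sequence: a normal session, then an ADDBA request carrying the
# AP's address but a starting sequence number unrelated to the live traffic.
SAMPLE = [
    Frame("ADDBA_REQ", AP, STA, 0, 100),
    Frame("DATA", AP, STA, 0, 100),
    Frame("DATA", AP, STA, 0, 101),
    Frame("DATA", AP, STA, 0, 102),
    Frame("ADDBA_REQ", AP, STA, 0, 3000),
    Frame("DATA", AP, STA, 0, 103),
    Frame("DATA", AP, STA, 0, 104),
]
```

On the sample, the second ADDBA request is flagged and the two data frames that follow it are counted as dropped; a renegotiation that continues from the current sequence number raises nothing.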
Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewal

I will attempt to increase Max-TX fail to see if that makes a difference. It is currently set to 8 by default. I see that 15-20 is suggested.

 

I had seen these posts before, but I did not see mention of a firewall or router being the target of these IDS-detected 'attacks'.

 

We use our Palo Alto firewall as our router.

Guru Elite
Posts: 20,586
Registered: ‎03-29-2007

Re: Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewal

Ereader22,

What version of ArubaOS is this? I am not sure that block ack detection is perfect.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewal

It's AOS 6.4.0.3

Guru Elite
Posts: 20,586
Registered: ‎03-29-2007

Re: Showing a lot of Block Ack Attack in Airwave 7.7.11 with the Target being our Palo Alto Firewal

There are changes scheduled to go into 6.4.1 that will minimize the circumstances that trigger those messages. For now, if you can ignore or turn off detection in the IDS profile, that would be your best bet.



Colin Joseph
Aruba Customer Engineering

