Security, WIDS/WIPS and Aruba ECS

MVP

How to deal with Null Probe Response? (Repost with more information)

My equipment:
Master controller: Aruba 3600
Sites’ controller: Aruba 200
Software version 5.0.1.0 with FW and WIP modules.

One of our sites was probed constantly with “Null-Probe-Response”. So far it is a nuisance, but I’d like to find a way to contain this problem.
Recently I asked our SE, and he helped me ID the probe. It is the attack from Metasploit:
http://www.metasploit.com/modules/auxiliary/dos/wifi/probe_resp_null_ssid
I tried to duplicate the problem in my lab, hoping to find the way to deal with this probing, but I could not generate the problem.

One of the suggestions from the SE is to disable "local probe responses" on the controller, but:

  • I do not have a "local probe response" option in my "wlan ssid profile"
  • I'd like to keep "probe responses" enabled, as Aruba suggests, for "band steering" to work


(IACBWC1) #show log wireless all | include Null-Probe
Sep 26 07:26:59 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=8
Sep 26 07:41:22 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15
Sep 26 07:42:22 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=8
Sep 26 07:56:45 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15
Sep 26 07:57:47 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=7
Sep 26 08:12:11 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15

Has anyone seen this problem?
Thank you all

Trinh Nguyen
Boys Town

Aruba Employee
NULL probe response

This event is triggered when we see someone transmit a probe response with an empty SSID. This is not allowed according to the 802.11 protocol definition and has been shown to crash some 802.11b drivers. The vulnerability was discovered in 2006 and most vendors have updated their drivers and firmware or released new products since then.

If you still have 802.11b-only devices like the old Apple Airport 802.11b cards, old Orinoco cards, etc then you should check to see if any of them are locking up and make sure they have been updated with the latest available vendor patches.

If you do not have any 802.11b devices left in your network then you have nothing to fear.

The attack may indicate someone trying to probe you for vulnerabilities, so you should make an attempt to locate the culprit. If you have Airwave this should be relatively easy. Or, a faster approach may be to look at the RSSIs reported from each AP and focus your search in the vicinity of the one with the strongest.

-J
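What the "Null-Probe-Response" signature is matching, shown at the frame level. This is an added example, not Aruba's signature implementation and not code posted in this thread: it constructs a few 802.11 management frames itself (the MAC addresses reuse the src/Dst/Bssid values from the log lines above; the SSID "CorpWLAN" is made up), parses the management header and information elements, and flags a probe response whose SSID element is present but zero-length. A zero-length SSID in a beacon (the usual "hidden SSID" case) is deliberately not flagged, and a truncated element list is reported rather than read past the end of the frame.

```python
"""Frame-level check for the 'Null-Probe-Response' pattern: an 802.11 probe
response whose SSID element is present but zero-length.  Added example, not
Aruba's signature code; all frames below are constructed here for illustration."""
import struct

TYPE_MGMT = 0
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
EID_SSID = 0
EID_SUPPORTED_RATES = 1
MGMT_HDR_LEN = 24        # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
FIXED_FIELDS_LEN = 12    # timestamp(8) beacon interval(2) capability(2)
NULL_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, src: str, dst: str, bssid: str, ssid: bytes) -> bytes:
    """Constructed beacon / probe response: header, fixed fields, SSID IE, rates IE."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])      # version 0, no flags
    header = (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
              + mac_bytes(bssid) + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, 0x0401)                # TSF, interval, capab (ESS)
    ies = bytes([EID_SSID, len(ssid)]) + ssid
    ies += bytes([EID_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1/2/5.5/11 Mbps basic
    return header + fixed + ies


def parse_mgmt_frame(frame: bytes):
    """Return header fields plus a dict of information elements, or None when the
    frame is not a management frame or is too short to hold the fixed fields."""
    if len(frame) < MGMT_HDR_LEN + FIXED_FIELDS_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    info = {
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "ies": {},
        "truncated": False,
    }
    body = frame[MGMT_HDR_LEN + FIXED_FIELDS_LEN:]
    pos = 0
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) != elen:                  # declared length runs past the frame
            info["truncated"] = True
            break
        info["ies"].setdefault(eid, value)      # keep the first copy of a repeated ID
        pos += 2 + elen
    return info


def is_null_probe_response(frame: bytes) -> bool:
    """True for a probe response whose SSID IE exists with length 0.
    A missing SSID IE is a different malformation and is not matched here;
    an empty SSID in a beacon is the ordinary hidden-SSID case and is ignored."""
    info = parse_mgmt_frame(frame)
    if info is None or info["subtype"] != SUBTYPE_PROBE_RESP:
        return False
    return info["ies"].get(EID_SSID) == b""


def has_null_addresses(frame: bytes) -> bool:
    """The log lines in this thread show src and BSSID of all zeros; flag that as well."""
    info = parse_mgmt_frame(frame)
    return info is not None and info["src"] == NULL_MAC and info["bssid"] == NULL_MAC


if __name__ == "__main__":
    samples = {
        "attack":        build_mgmt_frame(SUBTYPE_PROBE_RESP, NULL_MAC, "00:02:72:6d:eb:2b", NULL_MAC, b""),
        "benign":        build_mgmt_frame(SUBTYPE_PROBE_RESP, "00:0b:86:50:fb:20", "00:02:72:6d:eb:2b",
                                          "00:0b:86:50:fb:20", b"CorpWLAN"),
        "hidden beacon": build_mgmt_frame(SUBTYPE_BEACON, "00:0b:86:50:fb:20", "ff:ff:ff:ff:ff:ff",
                                          "00:0b:86:50:fb:20", b""),
    }
    for name, frame in samples.items():
        print(f"{name:14s} null-probe-response={is_null_probe_response(frame)} "
              f"null-addresses={has_null_addresses(frame)}")
```

The check keys on subtype 5 plus an SSID element of length zero, which is the condition Jeremy describes; the all-zero source and BSSID seen in the controller log are reported separately because on their own they only say the addresses were spoofed.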
MVP

Re: How to deal with Null Probe Response? (Repost with more information)

Jeremy,

Thank you very much for your post. I do have Airwave, but it can only detect and report in the IDS events. The SNRs from the IDS events are between 5 and 15 dB, which indicates the attacker is outside the building. But with almost 1000 events per day, it is a nuisance.

Regards,

Trinh Nguyen
Boys Town

Aruba Employee

Re: How to deal with Null Probe Response? (Repost with more information)


That does sound like a nuisance. If you can be sure that you have no 802.11b devices that may be vulnerable then you could just ignore the event. However, the presence indicates that someone is at least playing with security tools or rattling the doorknobs.
VisualRF should be able to point you in the right direction for the device and from there you can look around for someone suspicious.
My advice is to stay vigilant and to go through your other logs looking for anything suspicious. There probably won't be anything, and this is probably someone who just found Metasploit and is experimenting, but it is best to be safe when you can be.

-J
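A small triage script for the IDS log lines posted above, following Jeremy's suggestion to start the physical search at the AP reporting the strongest RSSI. This is an added example, not Aruba or Airwave code: the regular expression is written against the six `show log wireless` lines in this thread (embedded here as the sample input), and the two-minute grouping window is an assumption used to collapse one transmission heard by several APs into a single incident, which is what turns "almost 1000 events per day" into a number of actual transmissions.

```python
"""Triage ArubaOS 'Signature Match detected' lines: rank APs by strongest RSSI
and collapse bursts seen by several APs into incidents.  Added example; the
sample lines are the ones posted in this thread, parsed offline."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+): '
    r'\|AP (?P<ap>\S+)@(?P<ap_ip>\S+) sapd\| AM (?P<radio>[0-9a-f:]{17}): '
    r'Signature Match detected\. SignatureName="(?P<sig>[^"]+)" '
    r'src=(?P<src>\S+) Dst=(?P<dst>\S+) Bssid=(?P<bssid>\S+) '
    r'Channel=(?P<chan>\d+) RSSI=(?P<rssi>\d+)\s*$'
)

# The six lines from the thread (constructed sample input for this example).
SAMPLE_LOG = """\
Sep 26 07:26:59 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=8
Sep 26 07:41:22 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15
Sep 26 07:42:22 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=8
Sep 26 07:56:45 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15
Sep 26 07:57:47 :404101: |AP IACB.1.2@172.22.192.246 sapd| AM 00:0b:86:50:fb:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=7
Sep 26 08:12:11 :404101: |AP IACB.1.3@172.22.192.247 sapd| AM 00:1a:1e:dd:01:20: Signature Match detected. SignatureName="Null-Probe-Response" src=00:00:00:00:00:00 Dst=00:02:72:6d:eb:2b Bssid=00:00:00:00:00:00 Channel=1 RSSI=15
"""


def parse_line(line: str):
    """One log line -> dict, or None if it is not a signature-match event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")   # syslog has no year
    ev["rssi"] = int(ev["rssi"])
    ev["chan"] = int(ev["chan"])
    return ev


def parse_log(text: str, signature: str = "Null-Probe-Response"):
    return [ev for ev in map(parse_line, text.splitlines()) if ev and ev["sig"] == signature]


def rank_aps(events):
    """Per-AP summary sorted by strongest RSSI first: the top entry is where to start looking."""
    per_ap = {}
    for ev in events:
        s = per_ap.setdefault(ev["ap"], {"ap": ev["ap"], "radio": ev["radio"],
                                         "count": 0, "max_rssi": 0, "rssi_sum": 0})
        s["count"] += 1
        s["rssi_sum"] += ev["rssi"]
        s["max_rssi"] = max(s["max_rssi"], ev["rssi"])
    for s in per_ap.values():
        s["avg_rssi"] = s["rssi_sum"] / s["count"]
    return sorted(per_ap.values(), key=lambda s: (s["max_rssi"], s["avg_rssi"]), reverse=True)


def group_incidents(events, window: timedelta = timedelta(minutes=2)):
    """Air monitors scan channels independently, so one transmission can be logged by
    several APs a minute apart.  Events closer than `window` (assumed) form one incident."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if incidents and ev["ts"] - incidents[-1]["end"] <= window:
            inc = incidents[-1]
            inc["end"] = ev["ts"]
            inc["aps"].add(ev["ap"])
            inc["events"] += 1
        else:
            incidents.append({"start": ev["ts"], "end": ev["ts"], "aps": {ev["ap"]}, "events": 1})
    return incidents


def spoofed_source(events):
    """Events whose source or BSSID is all zeros, as every line in this thread is."""
    return [ev for ev in events if "00:00:00:00:00:00" in (ev["src"], ev["bssid"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for s in rank_aps(evs):
        print(f"{s['ap']:10s} radio={s['radio']} events={s['count']} "
              f"max_rssi={s['max_rssi']} avg_rssi={s['avg_rssi']:.1f}")
    incs = group_incidents(evs)
    print(f"{len(evs)} events -> {len(incs)} incidents; "
          f"{len(spoofed_source(evs))} with all-zero src/bssid")
    for inc in incs:
        print(f"  {inc['start']:%H:%M:%S}-{inc['end']:%H:%M:%S} aps={sorted(inc['aps'])}")
```

On the six lines above this puts IACB.1.3 (RSSI 15 on every hit) ahead of IACB.1.2 (RSSI 7 to 8) and folds the six events into four incidents roughly fifteen minutes apart; the same script run over a full day of `show log wireless all` output gives the per-AP and per-incident counts that matter for deciding whether the source is stationary.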
Aruba

How to deal with Null Probe Response? (Repost with more information)

PS on the last post -- with the newer AOS / Airwave combination you will be able to configure only the IDS events that you would like to see reported on, rather than the 'all' or 'none' proposition that has been the standard thus far. I think that will help your related '1000s of events per day' experience and relieve some pressure, so you see only the events you truly are interested in.