02-06-2012 08:24 AM
Over the past few weeks my wireless network has been attacked by intelligent students. They essentially figure out the IPs of our important servers and statically add them as the client IP address, causing a DoS. I have all students on an open network (not my doing) and DoS prevention set for that SSID. Besides adding all of our servers to the valid users list, is there anything else that I can adjust to prevent this from happening? Or, if it does happen, so that it only affects that open network.
02-06-2012 08:29 AM
02-06-2012 09:52 AM
Yeah, there's enforce DHCP which you could try? Came out around 6.1.x I think? Might get you around the issue if the students don't try the next bit (which would be to inject DHCP from the client, and then set a secondary IP on it). You configure it under the associated AAA profile. If they cause more trouble, put them on another VLAN where they can deal less damage if possible?
Don't confuse this with DoS prevention under the VAP. That's something completely different, which means the APs ignore disassociate messages from clients (which can be helpful in some circumstances, not in others).
02-06-2012 10:34 AM
One other option is to allow only the blocks of addresses that you use for your client DHCP addresses, thereby limiting (hopefully) the number of addresses you have to put in, as you could put them in as ranges on the validuser ACL.
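The two suggestions above (a validuser ACL trimmed to the client DHCP ranges, and enforce-dhcp on the AAA profile) combined into one ArubaOS 6.x CLI fragment. This is an added example, not configuration posted in the thread. The subnets (10.20.0.0/16 for the student DHCP scope, 10.10.5.0/24 for the server VLAN) and the AAA profile name "students-open" are assumed placeholders; the reserved-range deny entries follow the factory validuser ACL. Lines starting with "!" are explanatory annotations, not commands.

```text
! Added example (not from the thread). Assumed addressing:
!   10.20.0.0/16  = student DHCP scope handed out on the open SSID
!   10.10.5.0/24  = server VLAN whose addresses students were claiming
! Assumed AAA profile name: students-open

ip access-list session validuser
  ! Keep the factory deny entries for reserved/unusable source addresses
  network 127.0.0.0 255.0.0.0 any any deny
  network 169.254.0.0 255.255.0.0 any any deny
  network 224.0.0.0 224.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  ! Explicitly refuse a client claiming a server-VLAN address
  network 10.10.5.0 255.255.255.0 any any deny
  ! Only the range(s) DHCP actually hands to clients may become user entries
  network 10.20.0.0 255.255.0.0 any any permit
  ! Replace the factory "any any any permit" with an explicit deny at the end
  any any any deny
!
aaa profile "students-open"
  ! ArubaOS 6.1+ only: a client must complete DHCP before it gets a user entry
  enforce-dhcp
!
```

Compare the result against `show ip access-list validuser` and `show user-table` on the controller before and after: a client that statically configures a server address should no longer appear as a user. As the earlier reply notes, enforce-dhcp alone does not stop a client that completes DHCP and then adds a secondary spoofed address; the validuser ACL is what blocks that second address, and the server-VLAN deny belongs there whichever DHCP ranges you permit.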
02-06-2012 01:25 PM
If you have an open wireless network in the same vlan as your important servers you can consider yourself lucky that you only have those problems.
Provided you have a good reason not to segment your LAN, one easy thing you could do is set up a NATed subnet for your wireless users and then connect it to your LAN.
ACMP, ACCP, ACDX#100
If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
02-07-2012 06:46 AM
Thanks everyone for your responses. I might have to consider an upgrade from 5.03 to 6.1. I think for now I will implement a simple DHCP-range validuser ACL, to keep the overhead of static entries for servers down. I did put a few important ones in yesterday, but I can test the new ACL this evening.
Samuel, I actually do have the wireless segmented, and we are using NAT to connect to our physical network. I even have this open network segmented from the rest of the administrative clients I serve. I just wish that the DoS they are performing would only affect their segment and not the administrative one.
Thanks again for all the advice. I will post in a day or so to let everyone know how I made out.