Wireless Access

Frequent Contributor I
Posts: 84
Registered: ‎10-27-2013

Are we being attacked?? I am getting worried.....

Hi All

 

I have recently enabled IDS on one of my client's iAP clusters which is reporting to Airwave. Checking Airwave I see the below (Screen Snip) IDS events being logged.

In my own opinion there are too many IDS events to ignore them -- from researching the reported items I can safely say that 6 of them are false positives -- however the rest are worrying me a bit - especially the logged Omerta and Hotspotter items.

 

I do not want to start a "fire" and say we are being attacked so I am asking the community for their opinions. Below is a list of the reported IDS Events.

IDS Events.jpeg

 

Aruba Employee
Posts: 151
Registered: ‎02-14-2013

Re: Are we being attacked?? I am getting worried.....

Hi,

 

If the RF environment is bad, due to a lot of frame corruption, false positives can be expected. These are probably false positives.

 

How frequently are the attacks reported? Is it happening only at a specific time or only during the work hours or is it happening all day?

 

Thanks, 

Rajaguru Vincent 

 

Frequent Contributor I
Posts: 84
Registered: ‎10-27-2013

Re: Are we being attacked?? I am getting worried.....

Hi

 

I might be mistaken, but it does appear to be quite constant (all day).

The Omerta attack mentioned has only been logged twice and both logs came in quite early this morning.

 

Though I have only enabled IDS the last 3 days because the WiFi experience degraded suddenly about a week ago. One of the main reasons I enabled it was users were reporting that they can't connect in the one section of the building (3 APs that were covering that specific area, of which one AP seemed to be giving a lot of problems).

Haven't had reports of poor WiFi since I enabled it, but that just adds to my suspicions.

Guru Elite
Posts: 21,024
Registered: ‎03-29-2007

Re: Are we being attacked?? I am getting worried.....

Hendrik,

 

I would start with looking at the RF utilization in those areas.  If it is high (30% or more), that could be the problem.  I would try enabling Broadcast Filter ARP in the Advanced Section of all of your SSIDs to see if the RF utilization goes down.  As was said before, RF issues could show up as IDS/IPS attacks, so check to make sure that the RF is good, first (low utilization).



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 84
Registered: ‎10-27-2013

Re: Are we being attacked?? I am getting worried.....

Hi

Understood. I am currently working with TAC on this --- thus far it does appear to be RF related, we are still investigating a bit further, but it does appear as if it is going to come down to fixing RF in the areas.......

 

Will report back once TAC has reported back.
