Occasional Contributor II

Block ack attack causes

We are detecting a lot of block ack attacks from clients inside our corporate network.

I wish to understand if this causes any harm to the Wi-Fi network in terms of security?

How can we detect the source of this attack?

Thanks for the help.

Guru Elite

Re: Block ack attack causes

What version of ArubaOS?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Block ack attack causes

6.1.3.6

Occasional Contributor II

Re: Block ack attack causes

This Block Ack is causing intermittent drops on the client. My concern is how this Block Ack attack is generated?

Would there be any effect on the overall wireless network because of that one client sending block ack attacks?

Guru Elite

Re: Block ack attack causes

Please open a support case.  It is entirely possible that the block ACK attacks are a false positive.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Block ack attack causes

Just curious if you were able to find a resolution to this issue. I have been experiencing the same problem with a Linux-based mobile router (InMotion Router OMM).

 

I have tried turning on BC/MC Optimization, increasing the "Max Transmit Failures" to 20 under the SSID settings. Also tried turning off "Detect Block ACK DoS" under IDS settings.

 

The device is deleted from the controller, causing the connection to drop on the router device. Although the device reports that the wireless connection is fine, no traffic (ping packets in this case) is able to go through. This happens every 1 minute or so, which is very disturbing for any continuous wireless communication.

 

Here are some other posts regarding the Block ACK packets but there are no resolutions posted:

 


http://community.arubanetworks.com/t5/802-11n-and-802-11ac-Basics-RF/Block-Ack-Request/td-p/51284

 

http://community.arubanetworks.com/t5/Wireless-IPS-and-Content/Block-Ack-Attack-the-cause-of-wifi-outage/td-p/48270

 

http://community.arubanetworks.com/t5/802-11n-and-802-11ac-Basics-RF/Block-ack-attack-causes/td-p/57184

 

 

Thanks!

Guru Elite

Re: Block ack attack causes

A number of Block ACK attacks were logged as false positives and this was fixed in 6.1.3.6.  You should upgrade to 6.1.3.6 or later to see if the messages still exist.  If they still exist or if you still have client issues, please open a support case.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Block ack attack causes

What good is the IDS detection if everything you see has most likely been a false positive???

Every time I have inquired with support about a supposed attack... it has been a false positive.

& I see that comment a lot on all the BB... thanks

Re: Block ack attack causes

It honestly depends on what the alert is and why you have it enabled. Specific to Block ACK, it's very susceptible to clients with bad driver support, or when loads of clients have low SNR. From a WIDS perspective, the threat vector is VERY low (any high security conscious customers should be using dot1x to which this attack is only a DoS anyway, akin to generating tons of noise targeted at one client).

 

So Block ACK, like many other signatures, requires a certain level of 'baselining' your environment first, then adjusting the triggers and thresholds in the controller so that the normal background noise of WIDS alerts is ignored and if there's an 'event' such that the triggers exceed your modified thresholds, then you may or may not have something to investigate (though if you have an influx of new devices or clients are moving into low coverage areas, it might just be your new 'normal'). Some signatures, if seen, are actionable immediately, others may be trend or environmental without being a 'new threat'. As you may have found out, you can easily overload yourself with things that sound bad that turn out to be nascent, or are just 'normal noise'.

 

After Atmosphere, I will be writing up a WIDS VRD for AOS, Instant, and AirWave. I have all the moving parts, just not the time to sit and pound it all out, but I would expect the April time frame to expect it. It should have common vernacular descriptions of the signatures, a chart with best practices and recommendations based on your vertical, etc.  

Jerrod Howard
Sr. Technical Marketing Engineer
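
One way to put the baselining described in the post above into practice, as an added example that is not part of the thread and not Aruba's own tooling: derive a per-AP threshold from historical hourly Block ACK alert counts (median plus a multiple of the median absolute deviation), then separate sustained exceedances from one-off spikes. The AP names, the counts, and the `k`, `floor` and `sustain` values are constructed assumptions.

```python
from statistics import median

# Constructed sample data: Block ACK alerts per hour during a "known normal" period.
# AP names are hypothetical; real counts would come from exported WIDS logs.
BASELINE = {
    "ap-lobby":     [4, 6, 5, 7, 5, 6, 4, 5, 6, 5, 7, 6],
    "ap-warehouse": [40, 55, 48, 52, 61, 45, 50, 47, 58, 49, 53, 51],
}

def threshold(counts, k=5.0, floor=3.0):
    """Median + k * MAD. The floor stops very quiet APs from getting a
    threshold so tight that any small change trips it."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med + k * max(mad, floor)

def build_thresholds(baseline, k=5.0, floor=3.0):
    """One threshold per AP, so a noisy low-SNR area does not set the bar
    for a quiet one (and vice versa)."""
    return {ap: threshold(counts, k, floor) for ap, counts in baseline.items()}

def triage(observed, thresholds, sustain=2):
    """Classify each AP from its recent hourly counts:
    'normal'      - never above its threshold
    'transient'   - above it, but for fewer than `sustain` consecutive hours
    'investigate' - above it for at least `sustain` consecutive hours"""
    result = {}
    for ap, counts in observed.items():
        limit = thresholds[ap]
        run = longest = 0
        for c in counts:
            run = run + 1 if c > limit else 0
            longest = max(longest, run)
        if longest >= sustain:
            result[ap] = "investigate"
        elif longest > 0:
            result[ap] = "transient"
        else:
            result[ap] = "normal"
    return result

if __name__ == "__main__":
    limits = build_thresholds(BASELINE)
    # Constructed "today" data: one isolated spike vs. a sustained rise.
    today = {"ap-lobby": [6, 30, 5, 7], "ap-warehouse": [60, 70, 90, 85]}
    print(limits)
    print(triage(today, limits))
```

An AP that stays in 'investigate' after a known change such as new devices or a coverage shift is a candidate for re-baselining rather than for an incident.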
Occasional Contributor I

Re: Block ack attack causes

I see lots of information here... Little of it is actionable, or documented what to do with it, or what it might mean, or how to investigate it.

This makes it a waste of the admin's time... More information on what to do, what it means, & how to stop it is needed but