Wireless Access


IDS Events

  • 1.  IDS Events

    Posted Apr 25, 2012 10:23 PM

    Airwave has become an integral part of my operations and support work. I basically try to use it to discover every device, including firewalls. I use Airwave to add my NetScreen firewall under the category of Routers/Switches.

    However, I received some events from Airwave indicating a TKIP replay attack.

    The attacker is my client's MAC address and the target is my firewall's MAC.

    Some instances show that my firewall is the attacker and the target is my client.

    I am puzzled, as I do not use WPA2 TKIP. I am using 7.3.5 for my Airwave and the controller is on 6.1.2.5.

    Can anybody shed some light on this?



  • 2.  RE: IDS Events

    Posted Apr 18, 2013 11:54 PM
    I'm seeing the same thing, although in my case, I see the gateway MAC address of the upstream router. Very curious about this, too.


  • 3.  RE: IDS Events

    EMPLOYEE
    Posted Apr 19, 2013 04:30 PM

    The IDS traps are sourced from the switch or controller, AirWave merely translates for display.  The IDS event messages contain data alluding to which MAC appears to be the attacker and which MAC is the target.  Opening a support case with TAC may be the best way to investigate this behavior further.



  • 4.  RE: IDS Events

    Posted Sep 16, 2013 02:33 PM

    I finally got around to opening a case for this.  I'll let people know what I find out. (Ref: case 1459957)



  • 5.  RE: IDS Events

    Posted Sep 26, 2013 09:42 AM

    FYI, I received this from Aruba engineering:

     

    "TKIP replay attack detection is susceptible to false alarms.  This is because we have to "guess" which frames are rekey messages by their size (since they are encrypted). If we see a rate of at least 1 rekey message every 2 minutes for 10 mins, we raise the alarm. We could raise a false alarm if there happen to be enough real data frames seen with this exact size at this rate."

     

    So, I have disabled this detection since it is causing us to be inundated with false positives. Aruba has a bug opened for engineering to investigate.
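To make the engineering explanation above concrete, the following is an added model of that size-based heuristic. It is not Aruba's code and not something posted in this thread: the real detector is closed source and its frame-size threshold and window bookkeeping are not published, so REKEY_FRAME_SIZE, the 2-minute bins and the MAC addresses are assumptions chosen to mirror the wording "at least 1 rekey message every 2 minutes for 10 mins". The constructed traffic reproduces the symptom reported in the thread: a client polling a wired firewall with a fixed-size request once a minute, with fixed-size replies, gets flagged in both directions, while a client that sends the same size only sporadically does not. The final function is an added suggestion for suppressing alarms that name a wired peer, which is narrower than disabling the detection outright.

```python
"""Model of a size-based TKIP rekey replay heuristic (added example, not Aruba code)."""
from collections import defaultdict
from dataclasses import dataclass

REKEY_FRAME_SIZE = 99     # ASSUMED size the detector treats as an encrypted rekey message
BIN_SECONDS = 120         # "every 2 minutes"
WINDOW_BINS = 5           # 5 consecutive bins * 2 min = "for 10 mins"


@dataclass(frozen=True)
class Frame:
    ts: float    # seconds since capture start
    src: str     # transmitter MAC
    dst: str     # receiver MAC
    size: int    # encrypted frame body length in bytes


def looks_like_rekey(frame: Frame) -> bool:
    """The detector cannot decrypt the frame, so it guesses purely from size."""
    return frame.size == REKEY_FRAME_SIZE


def replay_alarms(frames):
    """Return (attacker, target) pairs that trip the heuristic.

    For every src->dst pair, mark each 2-minute bin that contains at least one
    rekey-sized frame. Five consecutive marked bins (10 minutes of sustained
    apparent rekeys) raise one alarm for that pair.
    """
    marked_bins = defaultdict(set)
    for f in frames:
        if looks_like_rekey(f):
            marked_bins[(f.src, f.dst)].add(int(f.ts // BIN_SECONDS))
    alarms = []
    for pair, marked in marked_bins.items():
        for start in sorted(marked):
            if all(start + i in marked for i in range(WINDOW_BINS)):
                alarms.append(pair)
                break
    return alarms


def drop_wired_peers(alarms, wired_macs):
    """Added mitigation (an assumption, not an Aruba feature): a wired firewall or
    router MAC can never be a TKIP peer, so an alarm naming one is noise."""
    return [pair for pair in alarms if not (set(pair) & set(wired_macs))]


# Constructed sample traffic; the MACs are made up.
CLIENT = "00:11:22:33:44:55"
FIREWALL = "00:aa:bb:cc:dd:ee"
OTHER = "00:99:88:77:66:55"


def constructed_frames():
    frames = []
    # A client polls its firewall with a fixed-size request once a minute for
    # 12 minutes and gets a fixed-size reply each time (13 frames each way).
    for t in range(0, 721, 60):
        frames.append(Frame(t, CLIENT, FIREWALL, REKEY_FRAME_SIZE))
        frames.append(Frame(t + 1, FIREWALL, CLIENT, REKEY_FRAME_SIZE))
    # A second client sends that size only twice, 500 s apart.
    frames.append(Frame(0, OTHER, FIREWALL, REKEY_FRAME_SIZE))
    frames.append(Frame(500, OTHER, FIREWALL, REKEY_FRAME_SIZE))
    # Bulk traffic of other sizes is never counted, however frequent.
    for t in range(0, 721, 10):
        frames.append(Frame(t, OTHER, FIREWALL, 1400))
    return frames


if __name__ == "__main__":
    raw = replay_alarms(constructed_frames())
    print("raw alarms:", raw)
    print("after dropping wired peers:", drop_wired_peers(raw, {FIREWALL}))
```

Run as a script, the raw alarms name the client as attacker with the firewall as target and, from the replies, the firewall as attacker with the client as target, which is exactly the pair of events the original poster saw. Filtering out any alarm that involves the wired firewall MAC leaves nothing, without switching off the TKIP replay detection for genuine wireless peers.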