Occasional Contributor II
Posts: 10
Registered: ‎02-07-2011

IDS Events

AirWave has become an integral part of my operations and support work. I basically try to use it to discover every device, including the firewall. I use AirWave to add my NetScreen firewall under the category of Router/Switches.

However, I received some events from AirWave indicating a TKIP replay attack.

The attacker is my client's MAC address and the target is my firewall's MAC.

Some instances show that my firewall is the attacker and the target is my client.

I am puzzled as I do not use WPA2 TKIP. I am using 7.3.5 for my AirWave and the controller is 6.1.2.5.

Can anybody shed some light?

MVP
Posts: 498
Registered: ‎04-03-2007

Re: IDS Events

I'm seeing the same thing, although in my case, I see the gateway MAC address of the upstream router. Very curious about this, too.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: IDS Events

The IDS traps are sourced from the switch or controller, AirWave merely translates for display.  The IDS event messages contain data alluding to which MAC appears to be the attacker and which MAC is the target.  Opening a support case with TAC may be the best way to investigate this behavior further.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 498
Registered: ‎04-03-2007

Re: IDS Events

I finally got around to opening a case for this.  I'll let people know what I find out. (Ref: case 1459957)

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 498
Registered: ‎04-03-2007

Re: IDS Events

FYI, I received this from Aruba engineering:

"TKIP replay attack detection is susceptible to false alarms.  This is because we have to "guess" which frames are rekey messages by their size (since they are encrypted). If we see a rate of at least 1 rekey message every 2 minutes for 10 mins, we raise the alarm. We could raise a false alarm if there happen to be enough real data frames seen with this exact size at this rate."

So, I have disabled this detection since it is causing us to be inundated with false positives. Aruba has a bug opened for engineering to investigate.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
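
The size-and-rate heuristic described in the engineering quote above, as an added example that is not part of the thread and is not Aruba's code: it runs the rule over a constructed capture containing only ordinary data frames and shows the alarm firing anyway. The frame size, the MAC addresses, the function names and the reading of the rule as five consecutive 2-minute buckets are assumptions.

```python
from collections import defaultdict

# Assumptions (not from the thread): the rekey frame size is not given, so
# REKEY_SIZE is a constructed placeholder, and the rule is read as "each of
# five consecutive 2-minute buckets holds at least one frame of that size".
REKEY_SIZE = 131        # bytes, hypothetical
BUCKET_SECONDS = 120    # "1 rekey message every 2 minutes"
BUCKETS_REQUIRED = 5    # "... for 10 mins"

# Constructed MAC addresses for the sample capture
CLIENT, OTHER, GATEWAY = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "bb:bb:bb:00:00:01"


def tkip_replay_alarms(frames):
    """frames: iterable of (time_s, src_mac, dst_mac, length).
    Returns a sorted list of (attacker, target, window_start_s)."""
    hits = defaultdict(set)  # (src, dst) -> bucket indexes containing a size match
    for ts, src, dst, length in frames:
        if length == REKEY_SIZE:  # frames are encrypted, so size is the only clue
            hits[(src, dst)].add(int(ts // BUCKET_SECONDS))
    alarms = []
    for (src, dst), buckets in hits.items():
        run, prev = 0, None
        for b in sorted(buckets):
            run = run + 1 if prev is not None and b == prev + 1 else 1
            prev = b
            if run == BUCKETS_REQUIRED:
                start = (b - BUCKETS_REQUIRED + 1) * BUCKET_SECONDS
                alarms.append((src, dst, start))
                break  # one alarm per MAC pair is enough here
    return sorted(alarms)


def sample_frames():
    """Constructed capture: no rekey traffic at all, only ordinary data frames."""
    frames = []
    # A keepalive that happens to be REKEY_SIZE bytes, once a minute for 12 minutes
    frames += [(t, CLIENT, GATEWAY, REKEY_SIZE) for t in range(0, 720, 60)]
    # Mixed traffic: size matches land in buckets 0, 1 and 4 only, so no 5-bucket run
    frames += [(t, OTHER, GATEWAY, REKEY_SIZE) for t in (10, 130, 500, 560)]
    frames += [(t, OTHER, GATEWAY, 1400) for t in range(0, 720, 30)]
    return frames


if __name__ == "__main__":
    for attacker, target, start in tkip_replay_alarms(sample_frames()):
        print(f"TKIP replay alarm: attacker={attacker} target={target} window_start={start}s")
```

Only the client-to-gateway pair alarms, even though every frame in the capture is normal traffic; the second client matches the size in three buckets but never in five consecutive ones.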