Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Power Save DoS Attack spam

This thread has been viewed 12 times

  • 1.  Power Save DoS Attack spam

    Posted Oct 04, 2017 07:44 AM

    Hello

     

    I am looking for help to lower the massive amount of "Power Save DoS Attack" alerts I get in Airwave from my Aruba 7210 controllers.

     

    The controllers are running AoS 6.5.4.0.

     

    I read about the ability to change values on the Power Save IDS Event, or completely turning it off.

    But I dont see these options on my controllers (working in CLI mode).

     

    Does anyone know how to turn this off?



  • 2.  RE: Power Save DoS Attack spam

    EMPLOYEE
    Posted Oct 04, 2017 11:04 AM

    You can disable that WIDS signature. It's HIGHLY prone to false positives and is not really a viable WIDS signature to enable anymore. You can find the settings in the CLI guide if you are working from the CLI.



  • 3.  RE: Power Save DoS Attack spam

    Posted Oct 05, 2017 03:44 AM

    Thank you for the reply.

     

    According to the guide, I should be able to write the command "ids dos-profile <profile-name>"

     

    But on my controller, working in CLI mode, I don't have this option.

    The only available commands to me are:

     

    (Controller) (config) #ids ?
    general-profile         Configure an IDS General Profile
    profile                 Configure an IDS Profile
    rap-wml-server-profile  Configure an IDS RAP WML Server Profile
    rap-wml-table-profile   Configure an IDS RAP WML Table Profile
    unauthorized-device-p.. Configure an IDS Unauthorized Device Profile
    wms-general-profile     Configure the IDS WMS General Profile
    wms-local-system-prof.. Configure the IDS WMS Local System Profile

     

     

    Is there a feature I need to enable or something in order to get the "dos-profile"?



  • 4.  RE: Power Save DoS Attack spam

    Posted Oct 05, 2017 01:26 PM

    I found the following article about the issue dating back a couple of years. I tried to duplicate some of the settings, but it did not resolve the issue.
    How to mitigate frequently seen Power Save DoS Attack

     

    To display the currently configured settings I found this command worked for me.

    show ids dos-profile default | include Power


  • 5.  RE: Power Save DoS Attack spam

    Posted Oct 05, 2017 01:30 PM

    Also, with the following settings it did not aleviate the excessive notifications in the IDS. In a few days I have over 2000 entries. Our deployment is not exessively large. These are on a 7030 with AP305s

     

    (Ctlr-1) #show ids dos-profile default | include Power
Detect Power Save DoS Attack                      true
Power Save DoS Detection Quiet Time               900 sec
Power Save DoS Detection Threshold                80 %
Power Save DoS Detection Minimum Frames           700