Wireless Access

Reply
New Contributor

Power Save DoS Attack spam

Hello

 

I am looking for help to lower the massive amount of "Power Save DoS Attack" alerts I get in Airwave from my Aruba 7210 controllers.

 

The controllers are running AoS 6.5.4.0.

 

I read about the ability to change values on the Power Save IDS Event, or completely turning it off.

But I dont see these options on my controllers (working in CLI mode).

 

Does anyone know how to turn this off?

Re: Power Save DoS Attack spam

You can disable that WIDS signature. It's HIGHLY prone to false positives and is not really a viable WIDS signature to enable anymore. You can find the settings in the CLI guide if you are working from the CLI.

Jerrod Howard
Sr. Technical Marketing Engineer
New Contributor

Re: Power Save DoS Attack spam

Thank you for the reply.

 

According to the guide, I should be able to write the command "ids dos-profile <profile-name>"

 

But on my controller, working in CLI mode, I don't have this option.

The only available commands to me are:

 

(Controller) (config) #ids ?
general-profile         Configure an IDS General Profile
profile                 Configure an IDS Profile
rap-wml-server-profile  Configure an IDS RAP WML Server Profile
rap-wml-table-profile   Configure an IDS RAP WML Table Profile
unauthorized-device-p.. Configure an IDS Unauthorized Device Profile
wms-general-profile     Configure the IDS WMS General Profile
wms-local-system-prof.. Configure the IDS WMS Local System Profile

 

 

Is there a feature I need to enable or something in order to get the "dos-profile"?

Occasional Contributor I

Re: Power Save DoS Attack spam

I found the following article about the issue dating back a couple of years. I tried to duplicate some of the settings, but it did not resolve the issue.
How to mitigate frequently seen Power Save DoS Attack

 

To display the currently configured settings I found this command worked for me.

show ids dos-profile default | include Power
Occasional Contributor I

Re: Power Save DoS Attack spam

Also, with the following settings it did not aleviate the excessive notifications in the IDS. In a few days I have over 2000 entries. Our deployment is not exessively large. These are on a 7030 with AP305s

 

(Ctlr-1) #show ids dos-profile default | include Power
Detect Power Save DoS Attack                      true
Power Save DoS Detection Quiet Time               900 sec
Power Save DoS Detection Threshold                80 %
Power Save DoS Detection Minimum Frames           700

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: