Wireless Access

Reply
Contributor II
Posts: 37
Registered: ‎10-27-2011

RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

So i see a couple new IDS events, labeled "Omerta Attack"....and the mac listed for the attacker is my access point....

 

The target is a mobile client.

 

Is this a bug or is my access point attacking me?

Aruba
Posts: 349
Registered: ‎04-14-2009

Re: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

Has the AP been added to AirWave?  If yes, then this sounds like a bug. 

Moderator
Posts: 123
Registered: ‎04-17-2009

Re: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

[ Edited ]

It is actually neither.  The Omerta attack involves an attacker injecting disassociation frames to the network.  When it does it spoofs the source MAC address to match the AP of association for that client.  So if a client with MAC address 00 associates to an AP with MAC address AA the victim will be 00 and the attacker will be AA.

 

The naming is a litlte odd.  In this case the attacker is spoofing a valid AP so we don't know the true MAC address of the attacker, just the spoofed one that matches the AP of association.   Displaying this info as the attacker has some benefits.  It allows you to see if the attacks are localized to a certain area or AP which can be difficult to coorelate if you only have the victim MAC address.

Search Airheads
Showing results for 
Search instead for 
Did you mean: