Perhaps there is a better place to ask this, but having just begun using Aruba access points, I've noticed that we see a lot of traffic with some very strange MAC addresses, all in the 00:00:5e OUI range that is reserved by IANA for various special uses. In particular we see a lot of 00:00:5e:00:02:50, which is reserved for VRRP, and 00:00:5e:00:03:50, which is completely unassigned.
Since these don't seem legitimate I wonder if we have someone trying to conceal their identity, or some sort of software misconfiguration. Searches here and there on the net don't really give me any hints, so I wondered if anyone has seen such addresses? Aside from VRRP use, is there any legitimate reason why such MAC addresses would appear? I wondered if there is just some standard way that the wireless world uses them, and, having spent most of my time in the wired world, I'm just not familiar with it?
Where does it appear?
I see a lot of events like this in the syslog output from the Aruba devices:
Jun 19 16:15:27 2020 192.168.100.225 sapd: <127085> <WARN> <192.168.100.225 9C:8C:D8:90:30:60> |ids-ap| AP(9c:8c:d8:90:30:60): Malformed Frame - Large Duration: An AP detected that the device with MAC address 00:00:5e:00:03:50 (CHANNEL 6 with SNR 30) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:qos-data, Duration:15063.
Jun 21 16:42:56 2020 192.168.100.226 sapd: <127065> <WARN> <192.168.100.226 9C:8C:D8:C5:5E:56> |ids-ap| AP(9c:8c:d8:5b:6f:54): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (00:00:d9:16:f4:8f) and access point (BSSID 9c:8c:d8:5b:6f:55), with source 00:00:d9:16:f4:8f and receiver 00:00:5e:00:03:50. SNR value is 18.
Likewise we see the MAC in netflow records at our internal router. Obviously the fact that the Aruba is flagging this with IDS messages makes me doubly suspicious, so I wonder if using the IANA MAC ranges is just some black-hat tactic.
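To triage sapd messages like the ones above, here is an added example (not from this thread and not Aruba code): a Python snippet that pulls the flagged MACs out of these |ids-ap| lines and labels each one by where it sits in the IANA 00:00:5e block, using the VRRP virtual-MAC layout from RFC 5798 (00:00:5e:00:01:VRID for IPv4, 00:00:5e:00:02:VRID for IPv6). The first two sample lines are the ones quoted above; the third is constructed to show a VRRP-for-IPv4 address.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines 1-2 are quoted from the post above, line 3 is constructed.
SAMPLE_SYSLOG = """\
Jun 19 16:15:27 2020 192.168.100.225 sapd: <127085> <WARN> <192.168.100.225 9C:8C:D8:90:30:60> |ids-ap| AP(9c:8c:d8:90:30:60): Malformed Frame - Large Duration: An AP detected that the device with MAC address 00:00:5e:00:03:50 (CHANNEL 6 with SNR 30) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:qos-data, Duration:15063.
Jun 21 16:42:56 2020 192.168.100.226 sapd: <127065> <WARN> <192.168.100.226 9C:8C:D8:C5:5E:56> |ids-ap| AP(9c:8c:d8:5b:6f:54): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (00:00:d9:16:f4:8f) and access point (BSSID 9c:8c:d8:5b:6f:55), with source 00:00:d9:16:f4:8f and receiver 00:00:5e:00:03:50. SNR value is 18.
Jun 21 16:43:10 2020 192.168.100.226 sapd: <127065> <WARN> <192.168.100.226 9C:8C:D8:C5:5E:56> |ids-ap| AP(9c:8c:d8:5b:6f:54): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (00:00:d9:16:f4:8f) and access point (BSSID 9c:8c:d8:5b:6f:55), with source 00:00:d9:16:f4:8f and receiver 00:00:5e:00:01:0a. SNR value is 20.
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)
# "|ids-ap| AP(<ap mac>): <event name>:" prefix that every sapd IDS message carries
EVENT_RE = re.compile(r"\|ids-ap\| AP\(([0-9a-f:]{17})\): ([^:]+):")


def classify_mac(mac):
    """Label a MAC by its position inside the IANA 00:00:5e block (RFC 5798 for VRRP)."""
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if octets[:3] != [0x00, 0x00, 0x5E]:
        return "not IANA block"
    if octets[3] == 0x00 and octets[4] == 0x01:
        return f"VRRP IPv4 virtual MAC, VRID {octets[5]}"
    if octets[3] == 0x00 and octets[4] == 0x02:
        return f"VRRP IPv6 virtual MAC, VRID {octets[5]}"
    return "IANA-reserved, not a VRRP virtual MAC"


def parse_event(line):
    """Return the AP, event name and every MAC mentioned in the message body, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    # Only scan the text after the AP(...) prefix, so the AP's own MACs are not counted
    macs = {x.lower() for x in MAC_RE.findall(line[m.end():])}
    return {"ap": m.group(1).lower(), "event": m.group(2).strip(), "macs": sorted(macs)}


def triage(text):
    """Count IDS events per IANA-block MAC so the odd addresses can be reviewed together."""
    report = defaultdict(Counter)
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        for mac in ev["macs"]:
            if classify_mac(mac) != "not IANA block":
                report[mac][ev["event"]] += 1
    return {mac: dict(c) for mac, c in report.items()}


if __name__ == "__main__":
    for mac, events in triage(SAMPLE_SYSLOG).items():
        print(mac, "->", classify_mac(mac), events)
```

A MAC that lands in the "IANA-reserved, not a VRRP virtual MAC" bucket is the case to chase down on the wired side, since no router should be sourcing frames from it.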
Are these Instant APs or controller-based APs?
Also, what version of ArubaOS or InstantOS code are you running?
It would appear that you might have wired traffic leaking onto your wireless network and the IDS algorithm is triggering false positives.
Do you have broadcast filtering enabled on all of your SSIDs?
Ah, sorry about leaving out the basics. Yes, these are Aruba 305 access points with a virtual controller (I assume that makes them Instant, as opposed to having a hardware controller?) running version 126.96.36.199. I'll check on broadcast filtering once I get in. Thanks!
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.