PowerSaveDOSAttack routinely seen

  • 1.  PowerSaveDOSAttack routinely seen

    Posted Jun 29, 2016 03:07 PM

    I recently stood up a new pair of Aruba 7205 controllers and 40 APs in an office environment.  We are split between two lower floors near each other, and about 7 floors above those, two more floors near each other.  I set up syslog and SNMP traps to forward to our monitoring platform and began reviewing the baseline information today.  I found numerous wlsxPowerSaveDosAttack entries.


    From what I've read they appear to be harmless for the most part, and another thread mentioned how to silence them or reduce noise by changing the default minimum messages value.  It is currently set at 120 (default) and the recommended change was to 150.  Some of the syslog messages imply we are receiving several hundred of these, though:

     

    6/29/2016 11:57:45 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173.
    6/29/2016 11:59:37 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.

    So I guess my question is, how high should the threshold be set before we consider this a real attack? Should I bump up the threshold to 225 and reduce noise, then monitor for anomalies that are much, much higher?

    Also, is there any way to definitively say that this is a real attack, and if so, how would I trace the source?



  • 2.  RE: PowerSaveDOSAttack routinely seen
    Best Answer

    Posted Jun 29, 2016 03:18 PM

    I would uncheck the Power Save DOS attack detection.  There are some clients that trigger this notification in error.



  • 3.  RE: PowerSaveDOSAttack routinely seen

    Posted Jun 29, 2016 03:24 PM

    Thanks Colin.  I had suspected as much after looking over the traps/syslog messages.  Each syslog message seems to focus on one client MAC address, and some are active users in our system that are legitimate.  Even those that are sending 300-400+ messages are legit.