Network Management

 View Only
last person joined: 3 days ago 

Keep an informative eye on your network with IMC and AirWave network management solutions.
Expand all | Collapse all

Broadcast Disassociation - FF:FF:FF:FF:FF:FF

Jump to Best Answer
This thread has been viewed 10 times
  • 1.  Broadcast Disassociation - FF:FF:FF:FF:FF:FF

    Posted Aug 15, 2022 01:50 PM
    Hello,

    I'm quite new to Aruba Wireless and trying to understand how to prevent/remedy these Disassociated Broadcast Attacks which are identified as exploits.

    Currently Running Mobility Master 8.7.1.6>WLC's in a cluster on 8.7.16>Airwave is running 8.2.13.1 and then we also have ClearPass.

    The biggest concern would be by sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS. It seems like it's happening from multiple MAC addresses within the "Attacker" column. Are these legitimate events/something I should look into more? How would I go about resolving this?

    Please let me know if any additional info might be needed.

    Thank you,
    Eric Berg




  • 2.  RE: Broadcast Disassociation - FF:FF:FF:FF:FF:FF
    Best Answer

    EMPLOYEE
    Posted Aug 15, 2022 03:16 PM
    In my experience, that signature is prone to false positives.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Broadcast Disassociation - FF:FF:FF:FF:FF:FF

    Posted Aug 15, 2022 03:34 PM
    Ok that's good to know on this issue so I don't over analyze it.

    I've also discovered the Apple TV's broadcasting 00:25:00:ff:94:73 which seems to be part of the new "adhoc airplay" that Apple can do
    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=799

    so getting all kinds of info that looks worrisome when it's not but that's good to know.