Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

  • 1.  RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    Posted Apr 20, 2012 11:52 AM

    So I see a couple of new IDS events, labeled "Omerta Attack"... and the MAC listed for the attacker is my access point...

    The target is a mobile client.

    Is this a bug or is my access point attacking me?



  • 2.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    EMPLOYEE
    Posted Apr 20, 2012 05:57 PM

    Has the AP been added to AirWave?  If yes, then this sounds like a bug. 



  • 3.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    EMPLOYEE
    Posted Apr 23, 2012 11:04 AM

    It is actually neither.  The Omerta attack involves an attacker injecting disassociation frames into the network.  When it does, it spoofs the source MAC address to match the AP of association for that client.  So if a client with MAC address 00 associates to an AP with MAC address AA, the victim will be 00 and the attacker will be AA.

    The naming is a little odd.  In this case the attacker is spoofing a valid AP, so we don't know the true MAC address of the attacker, just the spoofed one that matches the AP of association.  Displaying this info as the attacker has some benefits.  It allows you to see if the attacks are localized to a certain area or AP, which can be difficult to correlate if you only have the victim MAC address.



  • 4.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    Posted 24 days ago

    So, how can we mitigate the issue and stop the attacker? Do we have any other commands or options to get more insights about the attacker? 




  • 5.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    EMPLOYEE
    Posted 24 days ago

    Migrate to WPA3 or Enhanced Open with Transition Mode disabled so that all your clients use PMF.
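
To check whether an SSID actually enforces what post 5 recommends, the following added example (not part of the original thread and not Aruba tooling) parses the RSN element from a beacon and reports whether PMF is required, optional (transition mode, where clients without PMF still accept spoofed disassociation frames), or disabled. The names `pmf_status`, `build_rsn` and `SAMPLES` are assumptions, and the sample elements are constructed rather than captured.

```python
import struct

MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6 and 7 (IEEE 802.11)
OUI = b"\x00\x0f\xac"        # OUI used by the IEEE 802.11 cipher and AKM suites
AKM_NAMES = {2: "PSK", 6: "PSK-SHA256", 8: "SAE", 18: "OWE"}

def _suites(body, pos):
    """Read a 2-byte little-endian count, then that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, pos)
    end = pos + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element")
    return [body[i:i + 4] for i in range(pos + 2, end, 4)], end

def pmf_status(ie: bytes) -> dict:
    """Parse an RSN element (ID 48) and report its AKMs and PMF policy."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    _, pos = _suites(body, 6)       # skip version (2) + group cipher (4), read pairwise list
    akms, pos = _suites(body, pos)  # AKM suite list follows the pairwise list
    # RSN Capabilities is optional; when absent, MFPC and MFPR are both 0.
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    names = [AKM_NAMES.get(s[3], s.hex()) if s[:3] == OUI else s.hex() for s in akms]
    policy = "required" if caps & MFPR else "optional" if caps & MFPC else "disabled"
    return {"akms": names, "pmf": policy}

def build_rsn(akm_types, caps):
    """Build a constructed RSN element (CCMP-128 ciphers) for the samples below."""
    ccmp = OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body

# Constructed sample elements, not captured from any real network.
SAMPLES = {
    "wpa2-psk": build_rsn([2], 0),
    "wpa3-transition": build_rsn([2, 8], MFPC),
    "wpa3-only": build_rsn([8], MFPC | MFPR),
}

if __name__ == "__main__":
    for ssid, ie in SAMPLES.items():
        print(ssid, pmf_status(ie))
```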