Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Mysterious MAC Addresses

  • 1.  Mysterious MAC Addresses

    Posted Jun 20, 2020 07:04 AM

    Perhaps there is a better place to ask this, but having just begun using Aruba access points, I've noticed that we see a lot of traffic with some very strange MAC addresses, all in the 00:00:5e OUI range that is reserved by IANA for various special uses. In particular we see a lot of 00:00:5e:00:02:50, which is reserved for VRRP, and 00:00:5e:00:03:50, which is completely unassigned.

    Since these don't seem legitimate I wonder if we have someone trying to conceal their identity, or some sort of software misconfiguration. Searches here and there on the net don't really give me any hints, so I wondered if anyone has seen such addresses? Aside from VRRP use, is there any legitimate reason why such MAC addresses would appear? I wondered if there is just some standard way that the wireless world uses them, and, having spent most of my time in the wired world, I'm just not familiar with it?

    Thanks!



  • 2.  RE: Mysterious MAC Addresses

    EMPLOYEE
    Posted Jun 20, 2020 09:01 AM

    Where does it appear?



  • 3.  RE: Mysterious MAC Addresses

    Posted Jun 21, 2020 04:08 AM

    I see a lot of events like this in the syslog output from the Aruba devices:

     

    Jun 19 16:15:27 2020 192.168.100.225 sapd[3134]: <127085> <WARN> <192.168.100.225 9C:8C:D8:90:30:60> |ids-ap| AP(9c:8c:d8:90:30:60): Malformed Frame - Large Duration: An AP detected that the device with MAC address 00:00:5e:00:03:50 (CHANNEL 6 with SNR 30) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:qos-data, Duration:15063.

     

    and

     

    Jun 21 16:42:56 2020 192.168.100.226 sapd[3135]: <127065> <WARN> <192.168.100.226 9C:8C:D8:C5:5E:56> |ids-ap| AP(9c:8c:d8:5b:6f:54): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (00:00:d9:16:f4:8f) and access point (BSSID 9c:8c:d8:5b:6f:55), with source 00:00:d9:16:f4:8f and receiver 00:00:5e:00:03:50. SNR value is 18.

     

    Likewise we see the MAC in netflow records at our internal router. Obviously the fact that the Aruba is flagging this with IDS messages makes me doubly suspicious, so I wonder if using the IANA MAC ranges is just some black-hat tactic.
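
Added example, not part of the original post and not Aruba tooling: a Python filter over the two IDS syslog lines quoted above that extracts MAC addresses in the IANA 00:00:5e OUI, labels the VRRP blocks (00:00:5e:00:01:xx for IPv4, 00:00:5e:00:02:xx for IPv6, per RFC 5798), and counts events per address. The regular expressions assume the ids-ap line layout shown in the post, and the function names are illustrative.

```python
import re
from collections import Counter

# The two syslog lines posted in the thread (first one truncated after the MAC).
SAMPLE = [
    "Jun 19 16:15:27 2020 192.168.100.225 sapd[3134]: <127085> <WARN> "
    "<192.168.100.225 9C:8C:D8:90:30:60> |ids-ap| AP(9c:8c:d8:90:30:60): "
    "Malformed Frame - Large Duration: An AP detected that the device with "
    "MAC address 00:00:5e:00:03:50 (CHANNEL 6 with SNR 30) has sent a frame",
    "Jun 21 16:42:56 2020 192.168.100.226 sapd[3135]: <127065> <WARN> "
    "<192.168.100.226 9C:8C:D8:C5:5E:56> |ids-ap| AP(9c:8c:d8:5b:6f:54): "
    "Valid Client Not Using Encryption: An AP detected an unencrypted frame between "
    "a valid client (00:00:d9:16:f4:8f) and access point (BSSID 9c:8c:d8:5b:6f:55), "
    "with source 00:00:d9:16:f4:8f and receiver 00:00:5e:00:03:50. SNR value is 18.",
]

# Assumed layout: <event id> <level> <AP IP  AP MAC> |ids-ap| AP(mac): Event name: text
HEADER = re.compile(r"<(\d+)> <\w+> <(\S+) \S+> \|ids-ap\| AP\(\S+\): ([^:]+): ")
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

def classify(mac):
    """Return a label for MACs in IANA's 00:00:5e OUI, else None."""
    o = [int(b, 16) for b in mac.split(":")]
    if o[:3] != [0x00, 0x00, 0x5E]:
        return None
    if o[3:5] == [0x00, 0x01]:
        return f"VRRP IPv4 virtual MAC, VRID {o[5]}"
    if o[3:5] == [0x00, 0x02]:
        return f"VRRP IPv6 virtual MAC, VRID {o[5]}"
    return "IANA OUI, outside the VRRP blocks"

def iana_hits(lines):
    """Yield (reporting AP IP, event id, event name, MAC, label) per hit."""
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue  # not an ids-ap event in the assumed layout
        event_id, ap_ip, event = m.groups()
        for mac in sorted({x.lower() for x in MAC.findall(line[m.end():])}):
            label = classify(mac)
            if label:
                yield ap_ip, event_id, event, mac, label

def summarize(lines):
    """Count IDS events per (MAC, event name) for IANA-range addresses."""
    return Counter((mac, event) for _, _, event, mac, _ in iana_hits(lines))

if __name__ == "__main__":
    for hit in iana_hits(SAMPLE):
        print(*hit, sep=" | ")
```

Running the same filter over a full day of syslog shows which APs report each address and under which IDS event, which helps separate one misbehaving device from traffic seen network-wide.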



  • 4.  RE: Mysterious MAC Addresses

    EMPLOYEE
    Posted Jun 21, 2020 05:45 AM

    Are these Instant APs or controller-based APs?

    Also, what version of ArubaOS or InstantOS code are you running?

     

    It would appear that you might have wired traffic leaking onto your wireless network and the IDS algorithm is triggering false positives. 

     

    Do you have broadcast filtering enabled on all of your SSIDs?

     



  • 5.  RE: Mysterious MAC Addresses

    Posted Jun 21, 2020 08:33 PM

    Ah, sorry about leaving out the basics. Yes, these are Aruba 305 access points with a virtual controller (I assume that makes them Instant, as opposed to having a hardware controller?) running version 8.3.0.6. I'll check on broadcast filtering once I get in. Thanks!