Hi AirHeads,
Good evening,
I would like to share with you a question I keep asking myself, and I can't find a way to answer my client's question:
How are we able to prevent it? Is it really an attack? (DoS/IDS)
Today I visited one of my client sites, located in an office tower (urban environment).
- IAP-135 x 10 units.
- 100-250 clients.
- Latest IAP OS: 6.3.1.8-4.0.0.8_46401
My clients keep complaining that once in a while some devices just can't connect, and after a couple of sec/min they do; different floors of the office, different locations, different devices (it seems to affect laptops more).
So... I started looking at the logs, and I noticed that when I run the command:
Show log security XX (50-200)
I keep seeing a lot of different attacks, and I really started to think that this might be the reason for what my client is suffering from.
Attached is the log itself:
IL-AP2# show log security 200
Feb 25 10:55:26 sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:66:93 and SSID IL-Kaltura-Wifi on CHANNEL 44) is violating Valid SSID configuration by using a protected SSID.
Feb 25 10:55:37 sapd[2178]: <127084> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Overflow IE: An AP detected that the device with MAC address 01:b0:dc:fc:cf:ec (BSSID ab:b1:1b:aa:11:0b on CHANNEL 56 with SNR 11) has sent a malformed information element with a declared length that is too large. This could disrupt or crash the device with address aa:a0:1a:01:1a:10.
Feb 25 10:55:37 sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d9:56:f0 and SSID 76fd898f6e0bf64670ef0e9b61f3be5 on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
Feb 25 10:55:37 sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d9:56:f3 and SSID IL-Kaltura-Wifi on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
Feb 25 10:55:40 sapd[2178]: <127080> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Assoc Request: An AP detected that the device with MAC address 1a:cc:01:c1:ba:fa (BSSID 11:11:1b:bd:0b:1f on CHANNEL 56 with SNR 4) has sent an association request containing an empty SSID. If ab:11:ab:0a:c1:ac uses a vulnerable wireless driver this could cause it to crash.
Feb 25 10:58:05 sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 22:b0:d5:6c:89:dc is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 17.
Feb 25 10:58:16 sapd[2178]: <127035> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Disconnect Station Attack: An AP detected a disconnect attack of client 28:e0:2c:68:7b:a4 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 35. Additional Info: Avg-Deauth-Disassoc-PktRate(pps):1.5; Interval(sec):10.
Feb 25 10:58:26 sapd[2178]: <127081> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - HT IE: An AP detected that the device with MAC address bc:11:1f:a1:1d:a1 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 26) has sent a management frame containing one or more malformed HT Information Elements. This may disrupt communication with 00:00:00:00:b0:11.
Feb 25 10:59:12 sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:68:53 and SSID IL-Kaltura-Wifi on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
Feb 25 11:03:31 sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 96:f3:23:1c:9e:f9 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 35.
Feb 25 11:03:53 sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:68:50 and SSID 76fd898f6e0bf64670ef0e9b61f3be5 on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
Feb 25 11:03:58 sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 86:ae:f1:86:09:a4 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 23.
Feb 25 11:04:04 sapd[2178]: <127109> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 98:d6:f7:99:d6:e9 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 13. Additional Info: Pwr-Mgmt-On-Pkts:182; Pwr-Mgmt-Off-Pkts:151.
Feb 25 11:09:05 sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Adhoc Network: An AP detected an Adhoc network on CHANNEL 56 where station aa:b0:ee:fd:bf:fb is connected to the Ad hoc AP (BSSID ac:c1:ab:c1:1a:ad and SSID ). SNR value is 8.
Feb 25 11:09:35 sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 9e:38:65:c4:05:68 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 24.
Feb 25 11:10:18 sapd[2178]: <127064> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Client Flood Attack: An AP detected that the number of potential fake clients observed across all bands has exceeded the configured IDS threshold. Additional Info: Potential-Fake-Clients:254.
Feb 25 11:10:18 sapd[2178]: <127064> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Client Flood Attack: An AP detected that the number of potential fake clients observed across all bands has exceeded the configured IDS threshold. Additional Info: Potential-Fake-Clients:254.
Feb 25 11:10:35 sapd[2178]: <127085> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Large Duration: An AP detected that the device with MAC address c1:ac:be:cc:ba:db (CHANNEL 56 with SNR 13) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:mgmt-sapcp, Duration:60411.
Feb 25 11:10:38 sapd[2178]: <127079> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Invalid Address Combination: An AP detected a frame with an invalid source address bb:01:1d:a1:af:ea. This could be an attempt to get the receiver 00:00:b0:00:d1:10 to reply with a multicast or broadcast frame. Frame received on CHANNEL 56 with a SNR of 27
Feb 25 11:11:02 sapd[2178]: <127080> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Assoc Request: An AP detected that the device with MAC address bc:11:0f:10:1d:a1 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 26) has sent an association request containing an empty SSID. If 00:00:00:00:b0:11 uses a vulnerable wireless driver this could cause it to crash.
Feb 25 11:11:06 sapd[2178]: <127084> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Overflow IE: An AP detected that the device with MAC address d0:cf:ac:ed:bd:0d (BSSID ef:aa:fc:c1:dd:dc on CHANNEL 56 with SNR 12) has sent a malformed information element with a declared length that is too large. This could disrupt or crash the device with address a1:10:0b:a1:1c:ad.
Feb 25 11:14:08 sapd[2178]: <127081> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - HT IE: An AP detected that the device with MAC address cc:11:1f:a1:1d:a0 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 28) has sent a management frame containing one or more malformed HT Information Elements. This may disrupt communication with 00:00:00:00:b0:10.
Feb 25 11:15:32 sapd[2178]: <127035> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Disconnect Station Attack: An AP detected a disconnect attack of client 28:e0:2c:68:7b:a4 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 41. Additional Info: Avg-Deauth-Disassoc-PktRate(pps):1.4; Interval(sec):10.
========================================================================================
Please share with me your thoughts,
Have a great week,
Me :)