Controllerless Networks

last person joined: 15 hours ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

Show log security | Does my client site is under attack? | I need to find solution for my client

This thread has been viewed 6 times

  • 1.  Show log security | Does my client site is under attack? | I need to find solution for my client

    Posted Feb 25, 2015 11:56 AM

    Hi AirHeads,

    Good evening,

    I would like to share with u some question , i keep asking myself,and i dont find the way to answer my client question

     

    How do we able to prevent it? Does it really an attack? (DOS/IDS)

     

    Today i visited one of my client site, Located in an office tower (Urban enviroment).

     

    • IAP-135 X 10 units.
    • 100-250 Clients.
    • Lastest IAP OS. 6.3.1.8-4.0.0.8_46401

     

    My clients keep complining , That once in a while some devices just cant connect , and after couple of sec/min they do,diffrent floors of the office,diffrent location,diffrent devices (it's seems , that it's effecting more on laptop)

     

    so... i start looking on logs,and i notice that,when im running the syntax:

    Show log security XX (50-200)

    I keep seeing a lot of diffrent attacks,and i really started to think , that this might be the reason for what my client is suffering from.

     

    Attached the LOG itself:

    IL-AP2# show log security 200


    Feb 25 10:55:26  sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:66:93 and SSID IL-Kaltura-Wifi on CHANNEL 44) is violating Valid SSID configuration by using a protected SSID.
    Feb 25 10:55:37  sapd[2178]: <127084> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Overflow IE: An AP detected that the device with MAC address 01:b0:dc:fc:cf:ec (BSSID ab:b1:1b:aa:11:0b on CHANNEL 56 with SNR 11) has sent a malformed information element with a declared length that is too large. This could disrupt or crash the device with address aa:a0:1a:01:1a:10.
    Feb 25 10:55:37  sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d9:56:f0 and SSID 76fd898f6e0bf64670ef0e9b61f3be5 on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
    Feb 25 10:55:37  sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d9:56:f3 and SSID IL-Kaltura-Wifi on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
    Feb 25 10:55:40  sapd[2178]: <127080> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Assoc Request: An AP detected that the device with MAC address 1a:cc:01:c1:ba:fa (BSSID 11:11:1b:bd:0b:1f on CHANNEL 56 with SNR 4) has sent an association request containing an empty SSID. If ab:11:ab:0a:c1:ac uses a vulnerable wireless driver this could cause it to crash.
    Feb 25 10:58:05  sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 22:b0:d5:6c:89:dc is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 17.
    Feb 25 10:58:16  sapd[2178]: <127035> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Disconnect Station Attack: An AP detected a disconnect attack of client 28:e0:2c:68:7b:a4 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 35. Additional Info: Avg-Deauth-Disassoc-PktRate(pps):1.5; Interval(sec):10.
    Feb 25 10:58:26  sapd[2178]: <127081> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - HT IE: An AP detected that the device with MAC address bc:11:1f:a1:1d:a1 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 26) has sent a management frame containing one or more malformed HT Information Elements. This may disrupt communication with 00:00:00:00:b0:11.
    Feb 25 10:59:12  sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:68:53 and SSID IL-Kaltura-Wifi on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
    Feb 25 11:03:31  sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 96:f3:23:1c:9e:f9 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 35.
    Feb 25 11:03:53  sapd[2178]: <127007> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Multi-tenancy SSID Violation: An AP detected an access point (BSSID 9c:1c:12:d8:68:50 and SSID 76fd898f6e0bf64670ef0e9b61f3be5 on CHANNEL 52) is violating Valid SSID configuration by using a protected SSID.
    Feb 25 11:03:58  sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 86:ae:f1:86:09:a4 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 23.


    Feb 25 11:04:04  sapd[2178]: <127109> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 98:d6:f7:99:d6:e9 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 13. Additional Info: Pwr-Mgmt-On-Pkts:182; Pwr-Mgmt-Off-Pkts:151.
    Feb 25 11:09:05  sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Adhoc Network: An AP detected an Adhoc network on CHANNEL 56 where station aa:b0:ee:fd:bf:fb is connected to the Ad hoc AP (BSSID ac:c1:ab:c1:1a:ad and SSID ). SNR value is 8.
    Feb 25 11:09:35  sapd[2178]: <127033> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Adhoc Network: An AP detected an Adhoc network on CHANNEL 6 where station 9e:38:65:c4:05:68 is connected to the Ad hoc AP (BSSID 00:25:00:ff:94:73 and SSID ). SNR value is 24.
    Feb 25 11:10:18  sapd[2178]: <127064> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Client Flood Attack: An AP detected that the number of potential fake clients observed across all bands has exceeded the configured IDS threshold. Additional Info: Potential-Fake-Clients:254.
    Feb 25 11:10:18  sapd[2178]: <127064> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Client Flood Attack: An AP detected that the number of potential fake clients observed across all bands has exceeded the configured IDS threshold. Additional Info: Potential-Fake-Clients:254.
    Feb 25 11:10:35  sapd[2178]: <127085> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Large Duration: An AP detected that the device with MAC address c1:ac:be:cc:ba:db (CHANNEL 56 with SNR 13) has sent a frame with an unusually large duration. This could be an attempt to deny service to all devices on this channel. Additional Info: Frame:mgmt-sapcp, Duration:60411.
    Feb 25 11:10:38  sapd[2178]: <127079> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Invalid Address Combination: An AP detected a frame with an invalid source address bb:01:1d:a1:af:ea. This could be an attempt to get the receiver 00:00:b0:00:d1:10 to reply with a multicast or broadcast frame. Frame received on CHANNEL 56 with a SNR of 27
    Feb 25 11:11:02  sapd[2178]: <127080> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - Assoc Request: An AP detected that the device with MAC address bc:11:0f:10:1d:a1 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 26) has sent an association request containing an empty SSID. If 00:00:00:00:b0:11 uses a vulnerable wireless driver this could cause it to crash.
    Feb 25 11:11:06  sapd[2178]: <127084> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Overflow IE: An AP detected that the device with MAC address d0:cf:ac:ed:bd:0d (BSSID ef:aa:fc:c1:dd:dc on CHANNEL 56 with SNR 12) has sent a malformed information element with a declared length that is too large. This could disrupt or crash the device with address a1:10:0b:a1:1c:ad.
    Feb 25 11:14:08  sapd[2178]: <127081> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:30): Malformed Frame - HT IE: An AP detected that the device with MAC address cc:11:1f:a1:1d:a0 (BSSID 01:00:00:10:00:00 on CHANNEL 56 with SNR 28) has sent a management frame containing one or more malformed HT Information Elements. This may disrupt communication with 00:00:00:00:b0:10.
    Feb 25 11:15:32  sapd[2178]: <127035> <WARN> |AP IL-AP2@10.0.20.51 sapd| |ids-ap| AP(9c:1c:12:d8:6a:20): Disconnect Station Attack: An AP detected a disconnect attack of client 28:e0:2c:68:7b:a4 and access point (BSSID 9c:1c:12:d8:6a:23 and SSID IL-Kaltura-Wifi on CHANNEL 6). SNR of client is 41. Additional Info: Avg-Deauth-Disassoc-PktRate(pps):1.4; Interval(sec):10.

     

     

    ========================================================================================

     

    Please share with me your thoughts,

     

    Have a great week,

     

    Me :)