Frequent Contributor II

PowerSaveDOSAttack routinely seen

I recently stood up a new pair of Aruba 7205 controllers and 40 APs in an office environment. We are split between two lower floors near each other, and about 7 floors above those, two more floors near each other. I set up syslog and SNMP traps to forward to our monitoring platform and began reviewing the baseline information today. I found numerous wlsxPowerSaveDosAttack entries.


From what I've read they appear to be harmless for the most part, and another thread mentioned how to silence them or reduce noise by changing the default minimum messages value.  It is currently set at 120 (default) and the recommended change was to 150.  Some of the syslog messages imply we are receiving several hundred of these, though:

 

6/29/2016 11:57:45 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client a8:66:7f:15:01:cd and access point (BSSID 40:e3:d6:f3:72:d0 and SSID Corp on CHANNEL 48). SNR of client is 20. Additional Info: Pwr-Mgmt-On-Pkts:268; Pwr-Mgmt-Off-Pkts:173.
6/29/2016 11:59:37 AM	x.x.x.x	Warning	aruba-01 wms[3807]: <WARN> <aruba-01 x.x.x.x> |ids| AP(40:e3:d6:f3:75:30@17-WAP-2): Power Save DoS Attack: An AP detected a Power Save DoS attack on client 34:02:86:38:21:1a and access point (BSSID 40:e3:d6:f3:75:30 and SSID Corp on CHANNEL 48). SNR of client is 35. Additional Info: Pwr-Mgmt-On-Pkts:209; Pwr-Mgmt-Off-Pkts:169.

So I guess my question is, how high should the threshold be set before we consider this a real attack? Should I bump up the threshold to 225 and reduce noise, then monitor for anomalies that are much, much higher?

Also, is there any way to definitively say that this is a real attack, and if so, how would I trace the source?

rwin = 0
Guru Elite

Re: PowerSaveDOSAttack routinely seen

I would uncheck the Power Save DOS attack detection.  There are some clients that trigger this notification in error.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor II

Re: PowerSaveDOSAttack routinely seen

Thanks Colin. I had suspected as much after looking over the traps/syslog messages. Each syslog message seems to focus on one client MAC address, and some are active users in our system that are legitimate. Even those that are sending 300-400+ messages are legit.

rwin = 0