Occasional Contributor I

DoS Prevention

Over the past few weeks my wireless network has been attacked by intelligent students. They essentially figure out the IPs of our important servers and statically add them as the client IP address, causing a DoS. I have all students on an open network (not my doing) and DoS prevention set for that SSID. Besides adding all of our servers to the valid users list, is there anything else that I can adjust to prevent this from happening? Or, if it does happen, have it only affect that open network.





Aruba Employee

Re: DoS Prevention

What version of ArubaOS? There is a knob in the newer versions called "Enforce DHCP" that will force all clients to use DHCP before they are allowed to pass data through the controller. If you have static IPs or an older ArubaOS, this won't work. The validuser ACL would be very tedious, since as you stated, you would have to add every "important" IP address.
Valued Contributor I

Re: DoS Prevention

Yeah, there's enforce DHCP which you could try? Came out around 6.1.x I think? Might get you around the issue if the students don't try the next bit (which would be to inject DHCP from the client, and then set a secondary IP on it). You configure it under the associated AAA profile. If they cause more trouble, put them on another VLAN where they can deal less damage if possible?


Don't confuse this with DoS prevention under the VAP. That's something completely different, which means the APs ignore disassociate messages from clients (which can be helpful in some circumstances, not in others).




Kudos appreciated, but I'm not hunting! (ACMX 104)
Aruba Employee

Re: DoS Prevention

One other option is to allow only the blocks of addresses that you use for your client DHCP addresses, thereby limiting (hopefully) the number of addresses you have to put in, as you could enter them as ranges on the validuser ACL.

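What that range-based validuser ACL could look like in ArubaOS CLI form, as an added example that is not from any of the posts above. The netdestination names, the AAA profile name and all addresses (a /22 wireless DHCP pool and a /24 server subnet) are assumed for illustration; substitute your own.

```text
! Added example, not from the thread. Names and addresses are assumptions.
! wifi-dhcp-pool  = the range your wireless DHCP scope hands out
! campus-servers  = the subnet the "important" servers live in
netdestination wifi-dhcp-pool
  network 10.20.0.0 255.255.252.0
!
netdestination campus-servers
  network 10.1.1.0 255.255.255.0
!
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  alias campus-servers any any deny
  alias wifi-dhcp-pool any any permit
  any any any deny
!
! Optional, ArubaOS 6.1 and later only: make clients on the open SSID
! obtain an address by DHCP before the controller will forward their traffic.
aaa profile student-open
  enforce-dhcp
```

Rules are matched top down, so a client that statically configures a server address hits the `campus-servers` deny before the pool permit and never becomes a valid user; the closing `any any any deny` is what turns the ACL from a blacklist into a whitelist. Because validuser applies to every user the controller learns, not just this SSID, each client pool on the controller needs its own permit line or those users will be dropped as well. The `enforce-dhcp` knob from the earlier replies is independent of the ACL and covers the simpler static-IP case on its own, but does not help on 5.x, which is why the two are shown together.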

Re: DoS Prevention

If you have an open wireless network in the same vlan as your important servers you can consider yourself lucky that you only have those problems.


Provided you have a good reason not to segment your LAN, one easy thing you could do is set up a NATed subnet for your wireless users and then connect it to your LAN.



Samuel Pérez


If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
Occasional Contributor I

Re: DoS Prevention

Thanks everyone for your responses. I might have to consider an upgrade from 5.03 to 6.1. I think for now I will implement a simple DHCP range as a valid user ACL, to keep the overhead down on static entries for servers. I did put a few important ones in yesterday, but I can test the new ACL this evening.


Samuel, I actually do have the wireless segmented and we are using NAT to connect to our physical network. I even have this open network segmented from the rest of the Administrative clients I serve. I just wish that the DoS they are performing would only affect their segment and not the Administrative one.


Thanks again for all the advice. I will post in a day or so to let everyone know how I made out.
