Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DoS Prevention

  • 1.  DoS Prevention

    Posted Feb 06, 2012 11:24 AM

    Over the past few weeks my wireless network has been attacked by intelligent students. They essentially figure out the IPs of our important servers and statically add them as client IP addresses, causing DoS. I have all students on an open network (not my doing) and DoS prevention set for that SSID. Besides adding all of our servers to the valid users list, is there anything else that I can adjust to prevent this from happening? Or, if it does happen, it only affects that open network.

    Thanks, 

    Chris



  • 2.  RE: DoS Prevention
    Best Answer

    Posted Feb 06, 2012 11:29 AM
    What version of ArubaOS? There is a knob in the newer versions called "Enforce DHCP" that will force all clients to use DHCP before they are allowed to pass data through the controller. If you have static IPs or an older ArubaOS, this won't work. The validuser ACL would be very tedious, since as you stated, you would have to add every "important" IP address.


  • 3.  RE: DoS Prevention

    Posted Feb 06, 2012 12:53 PM

    Yeah, there's enforce DHCP which you could try? Came out around 6.1.x I think? Might get you around the issue if the students don't try the next bit (which would be to inject DHCP from the client, and then set a secondary IP on it). You configure it under the associated AAA profile. If they cause more trouble, put them on another VLAN where they can deal less damage if possible?

     

    Don't confuse this with DoS prevention under the VAP. That's something completely different, which means the APs ignore disassociate messages from clients (which can be helpful in some circumstances, not in others).

    Thanks.




  • 4.  RE: DoS Prevention

    Posted Feb 06, 2012 01:35 PM

    One other option is to allow only the blocks of addresses that you use for your client DHCP addresses and thereby limiting the number of addresses, hopefully, that you have to put in as you could put them in as ranges on the validuser ACL.



  • 5.  RE: DoS Prevention

    EMPLOYEE
    Posted Feb 06, 2012 04:26 PM

    If you have an open wireless network in the same VLAN as your important servers you can consider yourself lucky that you only have those problems.

    Provided you have a good reason not to segment your LAN, one easy thing you could do is set up a NATed subnet for your wireless users and then connect it to your LAN.


    Regards



  • 6.  RE: DoS Prevention

    Posted Feb 07, 2012 09:47 AM

    Thanks everyone for your responses. I might have to consider an upgrade from 5.03 to 6.1. I think for now I will implement a simple DHCP as a valid user ACL. Keep the overhead down on static entries for servers. I did put a few important ones in yesterday, but I can test the new ACL this evening.

    Samuel, I actually do have the wireless segmented and we are using NAT to connect to our physical network. I even have this open network segmented from the rest of Administrative clients I served. I just wish that the DoS they are performing would only affect their segment and not the Administrative one.

    Thanks again for all the advice. I will post in a day or so to let everyone know how I made out.