Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Are we being attacked?? I am getting worried.....

  • 1.  Are we being attacked?? I am getting worried.....

    Posted Feb 12, 2016 01:37 AM

    Hi All

     

    I have recently enabled IDS on one of my client's iAP clusters, which is reporting to Airwave. Checking Airwave, I see the below (Screen Snip) IDS events being logged.

    In my own opinion there are too many IDS events to ignore them -- from researching the reported items I can safely say that 6 of them are false positives -- however the rest are worrying me a bit - especially the logged Omerta and Hotspotter items.

     

    I do not want to start a "fire" and say we are being attacked, so I am asking the community for their opinions. Below is a list of the reported IDS Events.

    [Attached image: IDS Events.jpeg]

     



  • 2.  RE: Are we being attacked?? I am getting worried.....

    EMPLOYEE
    Posted Feb 12, 2016 07:56 AM

    Hi,

     

    If the RF environment is bad, false positives can be expected due to a lot of frame corruption. These are probably false positives.

     

    How frequently are the attacks reported? Is it happening only at a specific time or only during the work hours or is it happening all day?

     

    Thanks, 

    Rajaguru Vincent 

     



  • 3.  RE: Are we being attacked?? I am getting worried.....

    Posted Feb 12, 2016 08:08 AM

    Hi

     

    I might be mistaken, but it does appear to be quite constant (all day).

    The Omerta attack mentioned has only been logged twice and both logs came in quite early this morning.

     

    Though I have only enabled IDS for the last 3 days because the WiFi experience degraded suddenly about a week ago. One of the main reasons I enabled it was that users were reporting that they can't connect in one section of the building (3 APs were covering that specific area, of which one AP seemed to be giving a lot of problems).

    Haven't had reports of poor WiFi since I enabled it, but that just adds to my suspicions.



  • 4.  RE: Are we being attacked?? I am getting worried.....

    EMPLOYEE
    Posted Feb 12, 2016 09:31 AM

    Hendrik,

     

    I would start with looking at the RF utilization in those areas.  If it is high (30% or more), that could be the problem.  I would try enabling Broadcast Filter ARP in the Advanced Section of all of your SSIDs to see if the RF utilization goes down.  As was said before, RF issues could show up as IDS/IPS attacks, so check to make sure that the RF is good, first (low utilization).



  • 5.  RE: Are we being attacked?? I am getting worried.....

    Posted Feb 22, 2016 02:45 AM

    Hi

    Understood. I am currently working with TAC on this. Thus far it does appear to be RF related; we are still investigating a bit further, but it does appear as if it is going to come down to fixing RF in the areas.

     

    Will report back once TAC has reported back.