Wireless Access

Reply
Highlighted
Occasional Contributor I

Power Save DoS Attack spam

Hello

 

I am looking for help to lower the massive amount of "Power Save DoS Attack" alerts I get in Airwave from my Aruba 7210 controllers.

 

The controllers are running AoS 6.5.4.0.

 

I read about the ability to change values on the Power Save IDS Event, or completely turning it off.

But I dont see these options on my controllers (working in CLI mode).

 

Does anyone know how to turn this off?

Highlighted
MVP Expert

Re: Power Save DoS Attack spam

You can disable that WIDS signature. It's HIGHLY prone to false positives and is not really a viable WIDS signature to enable anymore. You can find the settings in the CLI guide if you are working from the CLI.


Jerrod Howard
Distinguished Technologist, TME
Highlighted
Occasional Contributor I

Re: Power Save DoS Attack spam

Thank you for the reply.

 

According to the guide, I should be able to write the command "ids dos-profile <profile-name>"

 

But on my controller, working in CLI mode, I don't have this option.

The only available commands to me are:

 

(Controller) (config) #ids ?
general-profile         Configure an IDS General Profile
profile                 Configure an IDS Profile
rap-wml-server-profile  Configure an IDS RAP WML Server Profile
rap-wml-table-profile   Configure an IDS RAP WML Table Profile
unauthorized-device-p.. Configure an IDS Unauthorized Device Profile
wms-general-profile     Configure the IDS WMS General Profile
wms-local-system-prof.. Configure the IDS WMS Local System Profile

 

 

Is there a feature I need to enable or something in order to get the "dos-profile"?

Highlighted
Occasional Contributor II

Re: Power Save DoS Attack spam

I found the following article about the issue dating back a couple of years. I tried to duplicate some of the settings, but it did not resolve the issue.
How to mitigate frequently seen Power Save DoS Attack

 

To display the currently configured settings I found this command worked for me.

show ids dos-profile default | include Power
Highlighted
Occasional Contributor II

Re: Power Save DoS Attack spam

Also, with the following settings it did not aleviate the excessive notifications in the IDS. In a few days I have over 2000 entries. Our deployment is not exessively large. These are on a 7030 with AP305s

 

(Ctlr-1) #show ids dos-profile default | include Power
Detect Power Save DoS Attack                      true
Power Save DoS Detection Quiet Time               900 sec
Power Save DoS Detection Threshold                80 %
Power Save DoS Detection Minimum Frames           700

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: