Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

  • 1.  RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    Posted Apr 20, 2012 11:52 AM

    So I see a couple new IDS events, labeled "Omerta Attack"... and the MAC listed for the attacker is my access point...

    The target is a mobile client.

    Is this a bug or is my access point attacking me?



  • 2.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    EMPLOYEE
    Posted Apr 20, 2012 05:57 PM

    Has the AP been added to AirWave?  If yes, then this sounds like a bug. 



  • 3.  RE: RAPIDS "Omerta Attack" shows one of my Access Points as the attacker?

    EMPLOYEE
    Posted Apr 23, 2012 11:04 AM

    It is actually neither.  The Omerta attack involves an attacker injecting disassociation frames to the network.  When it does, it spoofs the source MAC address to match the AP of association for that client.  So if a client with MAC address 00 associates to an AP with MAC address AA, the victim will be 00 and the attacker will be AA.

    The naming is a little odd.  In this case the attacker is spoofing a valid AP, so we don't know the true MAC address of the attacker, just the spoofed one that matches the AP of association.   Displaying this info as the attacker has some benefits.  It allows you to see if the attacks are localized to a certain area or AP, which can be difficult to correlate if you only have the victim MAC address.
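
The correlation described in the last reply, as an added example that is not part of the original thread and is not AirWave or RAPIDS code: it groups events by the reported "attacker" MAC and resolves it against an AP inventory to show where the spoofed frames cluster. The event tuple layout, the inventory, the MAC addresses and the function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of managed APs (radio MAC -> location); not real data.
MANAGED_APS = {
    "aa:aa:aa:00:00:01": "Bldg 1 / Floor 2 / East",
    "aa:aa:aa:00:00:02": "Bldg 1 / Floor 3 / West",
}

# Constructed IDS events: (timestamp, reported "attacker" MAC, victim MAC).
EVENTS = [
    ("2012-04-20T11:40:02", "AA-AA-AA-00-00-01", "00:00:00:00:00:10"),
    ("2012-04-20T11:40:09", "aa:aa:aa:00:00:01", "00:00:00:00:00:11"),
    ("2012-04-20T11:41:30", "AAAA.AA00.0001", "00:00:00:00:00:10"),
    ("2012-04-20T11:52:00", "aa:aa:aa:00:00:02", "00:00:00:00:00:12"),
    ("2012-04-20T11:53:00", "de:ad:be:ef:00:01", "00:00:00:00:00:13"),
]

def norm_mac(mac):
    """Normalize colon, dash or dotted MAC notation to lowercase colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def triage(events, managed_aps):
    """Group events by the reported attacker MAC.

    A reported attacker that is one of our own APs is treated as the spoofed
    AP of association and summarized by location. Anything else is returned
    separately for manual review.
    """
    by_ap = defaultdict(lambda: {"events": 0, "victims": set(), "first": None, "last": None})
    unknown = []
    for ts, attacker, victim in events:
        when, src = datetime.fromisoformat(ts), norm_mac(attacker)
        if src not in managed_aps:
            unknown.append((ts, src, norm_mac(victim)))
            continue
        s = by_ap[src]
        s["events"] += 1
        s["victims"].add(norm_mac(victim))
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
    summary = {ap: {"location": managed_aps[ap], **s} for ap, s in by_ap.items()}
    return summary, unknown

if __name__ == "__main__":
    summary, unknown = triage(EVENTS, MANAGED_APS)
    for ap, s in sorted(summary.items(), key=lambda kv: -kv[1]["events"]):
        print(ap, s["location"], s["events"], "events,", len(s["victims"]), "victims")
    print("not a managed AP:", unknown)
```
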