Lots of IDS Deauth flood messages

patoberli — Mon, 05 Jul 2021 15:48:35 GMT

Hi all

Since upgrading my WLC to 8.5.131.0 I get a lot of IDS 'Deauth flood' Signature attack messages (and a few other IDS ones) from my Prime Infrastructure.

The attacker's mac is varies, sometimes it's a normal client, sometimes even an AP interface from one of the attached APs. I think the messages are not correct.

APs in use are 3500, 2700, 3700 and 2800, all attached to the same (HA) WLC.

I haven't enough history of those, as they usually clear within 10 minutes, but at this moment it looks like the reporting APs are the older models, the 3500, 3700 and 2700.

Checked the bug toolkit, but couldn't find a matching bug affecting an 8.5.13x version.

Here a message from prime:

Message: IDS 'Deauth flood' Signature attack detected on AP '3502AGN-2104-1' protocol '802.11b/g' on Controller '172.16.102.xx'. The Signature description is 'Deauthentication flood', with precedence '9'. The attacker's mac address is 'b8:27:eb:7c:11:9f', channel number is '1', and the number of detections is '400'. - Device Name: wlc-5520-1 - Reporting Address: 172.16.102.xx Failure Source: WLAN Controller wlc-5520-1/172.16.102.xx

I have even increased the detection threshold by 100 (other numbers are on default), but that didn't reduce the amount of messages.

Do you also have this since 8.5?

Re: Lots of IDS Deauth flood messages

dimosatteia — Mon, 03 Sep 2018 15:48:38 GMT

Cisco WLC 3504 - Software Version 8.8.100.0
Cisco Prime Infrastructure version 3.4
Severity - Critical
Failure Source - WLAN Controller CISCO-CAPWAP-CONTROLLER/xxx.xxx.xxx.xxx
Category - Security
Condition - Signature attack
Message
IDS 'Auth flood' Signature attack cleared on AP 'xxxxxxxx' protocol
'802.11b/g' on Controller 'xxx.xxx.xxx.xxx'. The Signature description
is 'Authentication Request flood'.This Signature attack is still
detected by 15 APs.

topic Re: Lots of IDS Deauth flood messages in Wireless

Lots of IDS Deauth flood messages

Re: Lots of IDS Deauth flood messages