cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

4552
Views
15
Helpful
5
Replies
Beginner

IDS 'Broadcast Probe floo' Signature attack detected

Hi Mark,

I noticed on our WCS we are getting a few Critical Alarms - IDS 'Broadcast Probe floo' Signature attack detected . . . " what on the client would cause this?  What can I do to resolve it?  If it is not a real security issue, should I just acknowledge it?

Thanks.

Everyone's tags (1)
5 REPLIES 5
Highlighted
Beginner

IDS 'Broadcast Probe floo' Signature attack detected

I know this is an old post, but I'm seeing the same critical alarm IDS Broadcast Probe floo and IDS NULL probe Resp1

Has anyone seen these two and what action can I take to elevate these alrms?

Thanks

Re: IDS 'Broadcast Probe floo' Signature attack detected

Thomas:

This indicates some kind of Security issue. Too many probe requests detected from same client. If this is intentional attack it may cause denial of service to your AP. Sometimes however bad drivers or old devices may cause too many frames to be generating triggering this alarm.

What you need to do is to visit the area of the access point that detected the problem and find the ugly device. Fix the machine if it has bad or old driver or arrest the guy if that s an attack

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Re: IDS 'Broadcast Probe floo' Signature attack detected

The NULL probe request is a probe that doesn't have a ssid in the probe request.

Some access points that hide their ssid could and do respond with their ssid even if it's hidden. Cisco does not.

Netstumber is used in this manner, actually.

Cisco sees these probe request that ate null and flags it.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Re: IDS 'Broadcast Probe floo' Signature attack detected

Hey George,

Thank you for all the valuable information.

what I know is that the message indicates excessive probe requests so it is considered "flood" as per the message.

The message does not mention anything about Null probe requests.

For the other piece of info, that Cisco does not reply to null probe requests: what do you exactly mean by that?
Because when I use inSSIDer I can detect hidden networks on Cisco WLC. However, the SSID name does not appear. only the mac address appears. Does this mean that the AP does not respond to null requests? or it does?

If it does not, for the APs that do will the SSID name appear although it is hidden?

Thank you.

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: IDS 'Broadcast Probe floo' Signature attack detected

These are 2 different alerts, as I recall. I'm not in front of my wlc at the moment.

Yes, of a client sends a null probe request, the ap will do a probe response revealing the hidden ssid.

Not all aps do this, but some do.

This why Cisco flags this as a issue cause it might mean someone is trying to gather information.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards