
IDS 'Broadcast Probe floo' Signature attack detected

christy.kim
Level 1

Hi Mark,

I noticed on our WCS we are getting a few Critical Alarms - "IDS 'Broadcast Probe floo' Signature attack detected . . ." What on the client would cause this? What can I do to resolve it? If it is not a real security issue, should I just acknowledge it?

Thanks.


Thomas Ley
Level 1

I know this is an old post, but I'm seeing the same critical alarm, IDS Broadcast Probe floo, and IDS NULL probe Resp1.

Has anyone seen these two, and what action can I take to elevate these alarms?

Thanks

Thomas:

This indicates some kind of security issue: too many probe requests detected from the same client. If this is an intentional attack, it may cause denial of service to your AP. Sometimes, however, bad drivers or old devices may cause too many frames to be generated, triggering this alarm.

What you need to do is to visit the area of the access point that detected the problem and find the ugly device. Fix the machine if it has a bad or old driver, or arrest the guy if that's an attack.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

George Stefanick
VIP Alumni

The NULL probe request is a probe that doesn't have an SSID in the probe request.

Some access points that hide their SSID could and do respond with their SSID even if it's hidden. Cisco does not.

NetStumbler is used in this manner, actually.

Cisco sees these probe requests that are null and flags them.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hey George,

Thank you for all the valuable information.

What I know is that the message indicates excessive probe requests, so it is considered a "flood" as per the message.

The message does not mention anything about null probe requests.

For the other piece of info, that Cisco does not reply to null probe requests: what exactly do you mean by that?
Because when I use inSSIDer I can detect hidden networks on a Cisco WLC. However, the SSID name does not appear; only the MAC address appears. Does this mean that the AP does not respond to null requests? Or does it?

If it does not, for the APs that do, will the SSID name appear although it is hidden?

Thank you.

Amjad

Rating useful replies is more useful than saying "Thank you"

George Stefanick
VIP Alumni

These are 2 different alerts, as I recall. I'm not in front of my wlc at the moment.

Yes, if a client sends a null probe request, the AP will do a probe response revealing the hidden SSID.

Not all APs do this, but some do.

This is why Cisco flags this as an issue, because it might mean someone is trying to gather information.

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
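
Added example, not part of the thread and not Cisco's signature logic: a small Python detector that parses raw 802.11 probe request frames, counts them per source MAC in a sliding window (the "too many probe requests from the same client" condition) and separately notes clients sending a probe with an empty SSID element (what the replies call a null probe). The threshold of 30 probes per 1-second window, the function names and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID bytes or None) for an 802.11 probe request, else None."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc = frame[0]                            # bits 0-1 version, 2-3 type, 4-7 subtype
    if fc & 0x03 or (fc >> 2) & 0x03 or (fc >> 4) != 4:
        return None                          # not management type / probe request subtype
    src = frame[10:16].hex(":")              # addr2 = transmitting client
    body, i = frame[24:], 0
    while i + 2 <= len(body):                # tagged elements: id, length, value
        eid, elen = body[i], body[i + 1]
        if i + 2 + elen > len(body):
            break                            # truncated element, stop parsing
        if eid == 0:                         # element 0 is the SSID
            return src, body[i + 2:i + 2 + elen]
        i += 2 + elen
    return src, None

def detect(records, max_probes=30, window=1.0):
    """records: (timestamp, frame) in time order. Returns (flooders, null_probers)."""
    recent = defaultdict(deque)
    flooders, null_probers = set(), set()
    for ts, frame in records:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        if not ssid:                         # zero-length or missing SSID element
            null_probers.add(src)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:            # drop probes older than the window
            q.popleft()
        if len(q) > max_probes:              # assumed threshold, tune per site
            flooders.add(src)
    return flooders, null_probers

def build_frame(src, ssid, fc=0x40):
    """Constructed test frame: 24-byte header to broadcast plus one SSID element."""
    mac = bytes.fromhex(src.replace(":", ""))
    return bytes([fc, 0, 0, 0]) + b"\xff" * 6 + mac + b"\xff" * 6 + b"\x00\x00" + bytes([0, len(ssid)]) + ssid

def demo():
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    recs = [(i * 0.01, build_frame(a, b"corp")) for i in range(40)]       # bursty client
    recs += [(0.5, build_frame(b, b"")), (3.0, build_frame(b, b"guest"))]  # one empty-SSID probe
    recs += [(float(i), build_frame(c, b"corp")) for i in range(3)]       # normal scanning
    recs.append((0.2, build_frame(c, b"", fc=0x80)))                       # beacon, ignored
    return detect(sorted(recs, key=lambda r: r[0]))
```

Counting is keyed on the source MAC in the frame, so the result points at an address to go and locate near the reporting AP, as suggested in the replies above.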