IDS 'Auth flood' Signature attack detected - Another AP?

Nicholas Hood · ‎04-12-2013

5508 Controller

7.4 code

=-=-=-=-=-

AP’s in an area (building) will detect themselves or a neighboring AP and flag an IDS Auth Flood Signature Attack.

We have had a steady amount of alerts on these the past week and I usually think nothing of it but today I decided to dig down. It appears that AP’s in this specific building on this controller keep flagging IDS attacks and after looking at the Attackers Mac it looks like it’s the MAC of a nearby AP.

I know I can probably change the trap threshold but thought it was odd this was happening.

Trap Message from NCS Prime…

IDS 'Auth flood' Signature attack detected on AP 'AP-1e-ef85'
protocol '802.11b/g' on Controller 'xx.xx.0.10'. The Signature
description is 'Authentication Request flood', with precedence '5'.
The channel number is '11', the number of detections is '500', and
one of potentially several attackers' mac addresses is
'xx:xx:xx:42:1a:11'. - Controller Name: CTRLR-wlc5

The above highlighted MAC is from AP (AP-2n-efb2)

The Alarm is being detected on 'AP-1e-ef85' – which is directly below the AP that it sees as IDS.

There are currently about 8 alarms at a given time between the AP's we have in this building.

Just curious.

Amjad Abdullah · ‎04-12-2013

Is it only one controller that you have? If multiple controllers, are they on same mobility domain? Do they (APs) belong to same or different RF groups?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Nicholas Hood · ‎04-12-2013

Amjad,

Yes, it is from one controller (out of 5) and they are in the same RF group. There is always one or two of these messages displaying but they show client MAC's as being the attacker, its just this particular group on this controller that seems to be seeing each other.

Amjad Abdullah · ‎04-12-2013

Nicholas:

Just double check the APs are on same WLC and on same RF group. If not, then the APs may see each other as rogue devices and if rogue containment is active they'll try to attack each other.

Do you see any "AP Impersonation" alarms as well for the mentioned APs?

It could also be a third-party attacker that is generating flood attack with a spoofed mac address.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Nicholas Hood · ‎04-16-2013

Amjad,

I double checked and all the AP's are on the same controller as well as the same RF group. We continue to get these all day every day with no break.

There are a few clients mixed in the bunch that Prime says is the attacker but mostly it seems its the other AP's that are mostly being effected.

Saravanan Lakshmanan · ‎05-20-2013

#Check what type/model wireless client connect to the affected AP reporting this AP.

#Check If you disable the radio of the attacker AP still the attack is seen, if seen get the wireless packet capture of the attack to find the spoofer's physical location and ID the DoS attacker.

#Client with bad driver spoofs AP's mac address and sends auth request, looks like that's what happening here. update the w.less client driver.

#Workaround: You can blacklist that MAC under disabled client(Security>> AAA>> disabled clients), this way all request from that MAC doesn't get forwarded to WLC.