cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
4110
Views
6
Helpful
3
Replies
Highlighted
Participant

WLC Signature attack detected

Hi, we have a WLC detecting every 15 min this attack for months. What does it mean? maybe a false positive? something to worry about? any workaround? Thanks

IDS 'NULL probe resp 1' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '192.168.128.17'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '06:xx:xx:xx:xx:xx', channel number is '11', and the number of detections is '1'.

(2 times)

3 REPLIES 3
Beginner

Re: WLC Signature attack detected

We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.

Sent from Cisco Technical Support iPhone App

Beginner

WLC Signature attack detected

Hi Thomas or anyone from CISCO,

Is this the official answer from CISCO that this error message is whenever an AP configured to WLAN Controller can hear a rogue AP with a non-broadcast SSID??

Thanks!

the_guardian

Cisco Employee

WLC Signature attack detected

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000001.pdf

NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL

probe response to a wireless client adapter. As a result, the client adapter locks up. When aNULLprobe

response signature is used to detect such an attack, the access point identifies the wireless client and

alerts the controller. The NULL probe response signatures are as follows:

◦NULL probe resp 1 (precedence 2)

◦NULL probe resp 2 (precedence 3)

Remove the attacker from the network to avoid client lockup.

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards