Hi, we have a WLC detecting this attack every 15 min for months. What does it mean? Maybe a false positive? Something to worry about? Any workaround? Thanks
IDS 'NULL probe resp 1' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '192.168.128.17'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '06:xx:xx:xx:xx:xx', channel number is '11', and the number of detections is '1'.
We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.
Hi Thomas or anyone from CISCO,
Is this the official answer from CISCO, that this error message appears whenever an AP configured to the WLAN Controller can hear a rogue AP with a non-broadcast SSID?
NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:
◦ NULL probe resp 1 (precedence 2)
◦ NULL probe resp 2 (precedence 3)
Remove the attacker from the network to avoid client lockup.
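For triaging these alerts from a packet capture, the following is an added example, not part of the thread and not Cisco's signature implementation: it checks an 802.11 frame for the condition named in the alert text, a probe response whose SSID element has length zero. It assumes frames without a radiotap header or FCS; the helper names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

MGMT_HDR_LEN = 24          # frame control, duration, addr1-3, sequence control
PROBE_RESP_FIXED_LEN = 12  # timestamp (8), beacon interval (2), capability (2)
SSID_ELEMENT_ID = 0

def iter_elements(body):
    """Yield (element_id, value) for each tagged element in a management frame body."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:  # truncated element: stop instead of guessing
            return
        yield eid, value
        pos += 2 + length

def is_probe_response(frame):
    """True for version 0, type 0 (management), subtype 5 (probe response)."""
    if len(frame) < MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN:
        return False
    fc0 = frame[0]
    return (fc0 & 0x03) == 0 and ((fc0 >> 2) & 0x03) == 0 and (fc0 >> 4) == 5

def zero_length_ssid_sender(frame):
    """Return the transmitter MAC if the frame is a probe response whose
    first SSID element has length 0, otherwise None."""
    if not is_probe_response(frame):
        return None
    for eid, value in iter_elements(frame[MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN:]):
        if eid == SSID_ELEMENT_ID:
            if value:
                return None
            return ":".join(f"{b:02x}" for b in frame[10:16])  # addr2
    return None

def build_frame(fc0, src, ssid):
    """Constructed sample frame (not captured traffic)."""
    header = bytes([fc0, 0]) + b"\x00\x00" + bytes.fromhex("020000000001")
    header += src + src + b"\x00\x00"            # addr2, addr3 (BSSID), seq ctrl
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0401)
    elements = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + fixed + elements

SRC = bytes.fromhex("0200000000aa")              # constructed MAC
HIDDEN = build_frame(0x50, SRC, b"")             # probe response, empty SSID
NAMED = build_frame(0x50, SRC, b"corp-wifi")     # probe response, normal SSID
BEACON = build_frame(0x80, SRC, b"")             # beacon, empty SSID
```

Running `zero_length_ssid_sender` over the frames captured on the alerting channel and comparing the returned MAC with the one in the WLC message shows whether a single transmitter accounts for the recurring detections.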