02-25-2013 11:42 PM - edited 07-03-2021 11:37 PM
Hi, we have a WLC that has been detecting this attack every 15 min for months. What does it mean? Maybe a false positive? Something to worry about? Any workaround? Thanks
IDS 'NULL probe resp 1' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '192.168.128.17'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '06:xx:xx:xx:xx:xx', channel number is '11', and the number of detections is '1'.
(2 times)
02-27-2013 05:58 PM
We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.
05-08-2013 02:17 AM
Hi Thomas or anyone from Cisco,
Is this the official answer from Cisco, that this error message appears whenever an AP configured to a WLAN Controller can hear a rogue AP with a non-broadcast SSID?
Thanks!
the_guardian
05-18-2013 10:08 PM
NULL probe response signatures: During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:
◦ NULL probe resp 1 (precedence 2)
◦ NULL probe resp 2 (precedence 3)
Remove the attacker from the network to avoid client lockup.
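
An added example, not part of any post in this thread and not Cisco's signature implementation: a Python check for the condition named in the alert description (a probe response whose SSID element has length zero), useful when triaging a capture taken near the alerting AP. It assumes each frame starts at the 802.11 MAC header with no radiotap header; the function names, verdict strings and sample frames are constructed for illustration.

```python
import struct

HDR_LEN = 24    # 802.11 management MAC header (no HT Control field)
FIXED_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)

def inspect(frame: bytes):
    """Return (verdict, transmitter_mac) for one raw 802.11 frame."""
    if len(frame) < HDR_LEN:
        return ("malformed", None)
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 5):           # management / probe response
        return ("not-probe-response", None)
    mac = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    pos = HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):             # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            break                            # element runs past end of frame
        if eid == 0:                         # SSID element
            if elen == 0:
                return ("zero-length-ssid", mac)
            if not any(body):                # all NUL bytes: another form
                return ("nul-padded-ssid", mac)  # used for hidden SSIDs
            return ("named-ssid", mac)
        pos += 2 + elen
    return ("malformed", mac)

def sample_frame(fc0: int, ssid: bytes) -> bytes:
    """Constructed test frame: header + fixed fields + SSID + rates elements."""
    src = bytes.fromhex("020000000001")      # constructed, locally administered
    hdr = bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + rates

if __name__ == "__main__":
    samples = [
        ("probe response, empty SSID", sample_frame(0x50, b"")),
        ("probe response, NUL-padded SSID", sample_frame(0x50, b"\x00" * 8)),
        ("probe response, named SSID", sample_frame(0x50, b"corp-wifi")),
        ("beacon, empty SSID", sample_frame(0x80, b"")),
    ]
    for label, frame in samples:
        print(label, "->", inspect(frame))
```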