
WLC Signature attack detected

jmprats
Level 4

Hi, we have a WLC that has been detecting this attack every 15 min for months. What does it mean? Maybe a false positive? Something to worry about? Any workaround? Thanks

IDS 'NULL probe resp 1' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '192.168.128.17'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '06:xx:xx:xx:xx:xx', channel number is '11', and the number of detections is '1'.

(2 times)


thomas03usmcsf
Level 1

We found that this message was received whenever one of our APs could hear a rogue AP that had a hidden SSID.

Sent from Cisco Technical Support iPhone App

Hi Thomas or anyone from CISCO,

Is this the official answer from CISCO, that this error message appears whenever an AP configured to the WLAN Controller can hear a rogue AP with a non-broadcast SSID?

Thanks!

the_guardian

Saravanan Lakshmanan
Cisco Employee

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000001.pdf

NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures are as follows:

◦ NULL probe resp 1 (precedence 2)

◦ NULL probe resp 2 (precedence 3)

Remove the attacker from the network to avoid client lockup.
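
Added example, not part of any post in this thread and not Cisco code: a Python triage script that parses the trap text quoted in the question and groups alerts by source MAC, so a recurring alert can be compared against the controller's rogue AP list, as the first reply suggests. The sample lines, the MAC addresses in them and the summary field names are constructed for illustration.

```python
import re
from collections import defaultdict

# Trap text format as quoted in the first post of this thread.
ALERT_RE = re.compile(
    r"IDS '(?P<sig>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' "
    r"protocol '(?P<proto>[^']+)' on Controller '(?P<wlc>[^']+)'\. "
    r"The Signature description is '(?P<desc>[^']+)', with precedence '(?P<prec>\d+)'\. "
    r"The attacker's mac address is '(?P<mac>[^']+)', channel number is '(?P<chan>\d+)', "
    r"and the number of detections is '(?P<count>\d+)'\."
)

def locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set, i.e. the address
    was assigned by software rather than taken from a vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarize(lines):
    """Group alerts by (signature, source MAC) and total what each source did."""
    out = defaultdict(lambda: {"alerts": 0, "detections": 0, "aps": set(), "channels": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an IDS signature trap
        s = out[(m["sig"], m["mac"].lower())]
        s["alerts"] += 1
        s["detections"] += int(m["count"])
        s["aps"].add(m["ap"])
        s["channels"].add(int(m["chan"]))
    for (_, mac), s in out.items():
        s["locally_administered"] = locally_administered(mac)
        # Same source always on one channel: a fixed transmitter worth looking up.
        s["single_channel"] = len(s["channels"]) == 1
    return dict(out)

# Constructed sample input: AP names and MAC addresses below are made up.
TEMPLATE = ("IDS 'NULL probe resp 1' Signature attack detected on AP '{ap}' protocol "
            "'802.11b/g' on Controller '192.168.128.17'. The Signature description is "
            "'NULL Probe Response - Zero length SSID element', with precedence '2'. "
            "The attacker's mac address is '{mac}', channel number is '{ch}', "
            "and the number of detections is '1'.")
SAMPLE = [
    TEMPLATE.format(ap="AP1", mac="06:aa:bb:cc:dd:01", ch=11),
    TEMPLATE.format(ap="AP1", mac="06:AA:BB:CC:DD:01", ch=11),
    TEMPLATE.format(ap="AP2", mac="06:aa:bb:cc:dd:01", ch=11),
    TEMPLATE.format(ap="AP1", mac="00:11:22:33:44:55", ch=6),
    "Rogue AP report line that is not an IDS signature trap",
]
```

Feed `summarize()` the controller's exported trap log lines; a source that recurs with the same MAC on one channel can then be searched for among the rogue APs the controller already lists.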
