A wireless LAN controller may report IDS alarms more frequently than is desired by the customer. Examples:

IDS 'Deauth flood' Signature attack detected on AP 'AP001d.xxxx.yyyy' protocol '802.11b/g' on Controller 'a.b.c.d'. The Signature description is 'Deauthentication flood', with precedence '9'. The attacker's mac address is '00:1d:ww:xx:yy:zz, channel number is '6', and the number of detections is '30'.

IDS Signature attack detected. Signature Type: Standard, Name: Auth Flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: xyzzy5, Radio Type: 802.11b/g, Preced: 5, Hits: 30, Channel: 11, srcMac: 00:22:ww:xx:yy:zz

IDS Signature attack detected. Signature Type: Standard, Name: Assoc Flood, Description: Association Request flood, Track: per-Mac, Detecting AP Name: rflhqt17, Radio Type: 802.11b/g, Preced: 4, Hits: 30, Channel: 1, srcMac: 00:18:ww:xx:yy:zz
A variety of wireless devices in the coverage area are generating bursts of various 802.11 packets that trigger IDS alerts. Those devices are not necessarily launching deliberate attacks; rather, they are simply misconfigured or buggy.
Disable IDS.
In WLC software that implements this IDS signature file enhancement (i.e. 5.0 and above), the signatures can be reconfigured with measurement intervals longer than one second. This allows WIDS to ignore very brief packet bursts. For example, increasing the measurement interval to 15 or 30 seconds, the signature frequency to 300 pkts/interval, and the signature MAC frequency to 200 pkts/interval may keep the packet transmissions that the user wishes to ignore from triggering IDS alarms, while still generating alarms in the cases that the user wishes to be informed about. For further information, see the "Configuring IDS" section of the Cisco Wireless LAN Controller Configuration Guide.
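
The effect of the longer interval can be checked offline before changing the controller. The sketch below is an added example, not Cisco code: it assumes a simplified counting model (fixed windows, alarm at or above the threshold), uses constructed traffic and MAC addresses, and takes the one-second thresholds of 50 and 30 as constructed "before" values; only the 15-second, 300 and 200 values come from the text above.

```python
from collections import Counter, defaultdict

# Simplified model (an assumption, not the controller's actual algorithm):
# matching frames are counted in fixed windows of `interval` seconds. An alarm
# fires when a window holds >= freq frames in total ("aggregate") or
# >= mac_freq frames from a single source MAC ("per-mac").
def ids_alarms(frames, interval, freq, mac_freq):
    windows = defaultdict(Counter)
    for ts, mac in frames:
        windows[int(ts // interval) * interval][mac] += 1
    alarms = []
    for start in sorted(windows):
        per_mac = windows[start]
        if sum(per_mac.values()) >= freq:
            alarms.append((start, "aggregate", None))
        for mac, count in sorted(per_mac.items()):
            if count >= mac_freq:
                alarms.append((start, "per-mac", mac))
    return alarms

def flagged_macs(alarms):
    """Source MACs named in at least one per-MAC alarm."""
    return {mac for _, kind, mac in alarms if kind == "per-mac"}

# Constructed sample traffic: (timestamp in seconds, source MAC).
BUGGY = "00:00:5e:00:53:01"   # client that emits one short burst
FLOOD = "00:00:5e:00:53:02"   # source that keeps sending for 30 seconds

def sample_frames():
    frames = [(3.0 + i * 0.0125, BUGGY) for i in range(40)]    # 40 frames in 0.5 s
    frames += [(30 + i / 40, FLOOD) for i in range(40 * 30)]   # 40 frames/s for 30 s
    return frames

if __name__ == "__main__":
    frames = sample_frames()
    # Constructed one-second thresholds: the brief burst and the flood both alarm.
    short = ids_alarms(frames, interval=1, freq=50, mac_freq=30)
    # Values from the text: 15 s interval, 300 pkts/interval, 200 per MAC.
    tuned = ids_alarms(frames, interval=15, freq=300, mac_freq=200)
    print("1 s interval :", len(short), "alarms,", sorted(flagged_macs(short)))
    print("15 s interval:", len(tuned), "alarms,", sorted(flagged_macs(tuned)))
```

Replaying frame timestamps from a capture of the site's own traffic through the same function shows whether a candidate interval and threshold pair still flags the sustained cases the user wants to hear about.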