Checking Air Marshal / Packet Flood from time to time i can see some items there .
TYPE is always Single-source packet flood , and PACKET varies from Probe request, Probe response or Beacon.
Is there any more info about how this funcionallity works, how to get more detail on the items , or whats the criteria to mark them as a packet flooders ??
So far i am applying a block policy to those MAC@ ...Anyone has some experience dealing with Packet Floods?
Thanks in advanced.
Packet flood detection tracks wireless management frames the AP can hear. This includes but is not limited to beacons, probe request, probe responses, association requests, etc… This information is meant to identify devices that are spamming the network with management traffic (either intentionally or unintentionally). When a certain threshold of the 12 different frame types we monitor are hit in a given amount of time; a flood is triggered. Your taking the right approach of blocking the MAC however some attacks especially with something like a WiFi pineapple needs additional research methods to finding the source device and location.
In my experience it is much easier tracking down non-malicious than malicious. The device in a malicious attack tends to move and easily evade. Packet captures can be key in tracking any of these floods down, some are persistent other are sporadic.
If others on the community have experience please chime in.
Thanks for the tips DCooper, so far the only fix for those floods is as you say, to block MAC@, but still those same MAC@ are appearing as a flooders after being blocked, weird...
Does anyone have any experience dealing with similar issues ?
Your going to need to get a wifi analyzer tool to track the device down. You have already checked that is isn't on your LAN correct?
You meant those MAC@ ? that is what is bugging me....MAC is blocked but AirMashall still shows that Mac and on "Last seen" column I can read today's date.
I hope that the AP sees the blocked MAC but does not allow it to go into the LAN, as it should be.
I've also check the Switch and that MAC is not seen on any port so...seems that is really blocked.