Packet floods detected by AirMarshal

MAG

Hi All,

Checking Air Marshal / Packet Flood from time to time, I can see some items there.

TYPE is always Single-source packet flood, and PACKET varies between Probe request, Probe response or Beacon.

Is there any more info about how this functionality works, how to get more detail on the items, or what the criteria are to mark them as packet flooders?

So far I am applying a block policy to those MAC@... Does anyone have some experience dealing with Packet Floods?

Thanks in advance.

DCooper
Meraki Alumni (Retired)

Packet flood detection tracks wireless management frames the AP can hear. This includes, but is not limited to, beacons, probe requests, probe responses, association requests, etc. This information is meant to identify devices that are spamming the network with management traffic (either intentionally or unintentionally). When a certain threshold for one of the 12 different frame types we monitor is hit in a given amount of time, a flood is triggered. You're taking the right approach by blocking the MAC; however, some attacks, especially with something like a WiFi Pineapple, need additional research methods to find the source device and location.

In my experience it is much easier tracking down non-malicious than malicious. The device in a malicious attack tends to move and easily evade. Packet captures can be key in tracking any of these floods down; some are persistent, others are sporadic.

If others on the community have experience please chime in.
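As an added illustration of the per-source, per-frame-type threshold logic DCooper describes (this is not Meraki's code; the 10-second window, the monitored frame types and the thresholds are assumed values, and the traffic is constructed), the detector below counts management frames per source MAC in a sliding window and raises a single-source flood once one frame type crosses its limit, with beacons given a higher limit because a healthy AP already beacons at roughly 10 frames per second:

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0  # assumed sliding window, not Meraki's real value
# Assumed per-type thresholds per window. Beacons get a higher bar because a
# healthy AP already sends ~10 beacons/s: the baseline differs per frame type.
THRESHOLDS = {"beacon": 300, "probe_request": 50,
              "probe_response": 50, "association_request": 50}

class FloodDetector:
    """Flags a single source MAC that sends more than THRESHOLDS[type] frames
    of one management type inside the sliding window."""

    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self._seen = defaultdict(deque)  # (mac, type) -> recent timestamps
        self._alerted = set()
        self.alerts = []  # (mac, type, time the threshold was crossed)

    def observe(self, ts, src_mac, frame_type):
        """Feed one frame; return True if this frame crosses the threshold."""
        limit = self.thresholds.get(frame_type)
        if limit is None:  # not a monitored management frame type
            return False
        key = (src_mac.lower(), frame_type)
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire frames outside window
            q.popleft()
        if len(q) > limit and key not in self._alerted:
            self._alerted.add(key)  # alert once per (mac, type)
            self.alerts.append((key[0], frame_type, ts))
            return True
        return False

def run_demo():
    """Constructed traffic: one client spraying probe requests and one AP
    beaconing at a normal rate. Returns the detector's alerts."""
    det = FloodDetector()
    frames = [(i * 0.05, "AA:BB:CC:DD:EE:01", "probe_request") for i in range(80)]
    frames += [(i * 0.1, "00:11:22:33:44:55", "beacon") for i in range(100)]
    for ts, mac, ftype in sorted(frames):
        det.observe(ts, mac, ftype)
    return det.alerts

if __name__ == "__main__":
    for mac, ftype, ts in run_demo():
        print(f"single-source {ftype} flood from {mac} at t={ts:.2f}s")
```

Only the probe-request source is reported; the AP's 100 beacons in 10 seconds stay below the beacon limit, which is the kind of per-type baseline a real threshold has to respect to avoid flagging your own APs.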

Hi,

Thanks for the tips DCooper. So far the only fix for those floods is, as you say, to block the MAC@, but still those same MAC@ are appearing as flooders after being blocked, weird...

 

Does anyone have any experience dealing with similar issues?

Thanks

DCooper
Meraki Alumni (Retired)

You're going to need to get a WiFi analyzer tool to track the device down. You have already checked that it isn't on your LAN, correct?

You mean those MAC@? That is what is bugging me... the MAC is blocked but Air Marshal still shows that MAC, and in the "Last seen" column I can read today's date.

I hope that the AP sees the blocked MAC but does not allow it to go into the LAN, as it should be.

I've also checked the switch and that MAC is not seen on any port, so... it seems that it is really blocked.

thanks

Miguel
