MR18 - Single Device Packet Flood

TheAlchemist
Getting noticed

MR18 - Single Device Packet Flood

I see repeatedly a "Single Device Packet Flood" event coming out of one Access Point. Could this event lead to a packet flood and disrupt uplink traffic to internet.

 

BSSID ( hidden) 

 

bssidXX:XX:XX:XX:XX:XX
dstFF:FF:FF:FF:FF:FF
channel6
statestart
alarm_id27960
dos_count1000
inter_arrival10
1 REPLY 1
Brash
Kind of a big deal
Kind of a big deal

It seems like a device on the wifi is flooding the AP with broadcast traffic.

More info can be seen in the air marshal docs

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Common_Wireless_Event_Log_Messages#Air_...

 

Typically flooding will cause problems when buffers are overloaded or specific devices (DHCP servers, gateways etc) are overwhelmed by requests.

It's difficult to say exactly whether this would cause a major impact in your environment but I would think most enterprise equipment should be able to deal with 1000 packets in a 10 second interval.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels