MR52 Packet Flood

buddysHung
Comes here often

MR52 Packet Flood

Below are packet floods from 3 MAC addresses. 

Is this something malicious besides the slow network?

Jul 9 01:09:25 AP / client flood
radio: 1, state: end, alarm_id: 14917  more »
Jul 9 01:09:19 AP / client flood
packet: beacon, radio: 1, bssid: DE:CB:AC:51:90:B6  « hide
dstFF:FF:FF:FF:FF:FF
channel36
statestart
alarm_id14917
dos_count2500
inter_arrival2
Jul 9 01:08:25 AP / client flood
radio: 1, state: end, alarm_id: 14916  « hide
reasontimer_expired
Jul 9 01:08:18 AP / client flood
packet: beacon, radio: 1, bssid: EA:CB:AC:51:90:B6  more »
Jul 9 01:07:25 AP / client flood
radio: 1, state: end, alarm_id: 14915  more »
    
    
    
    
    
    
    
Jul 8 23:30:06 AP / client flood
radio: 1, state: end, alarm_id: 14911  more »
Jul 8 23:30:05 AP / client flood
packet: beacon, radio: 1, bssid: 28:24:FF:7A:8E:A2  « hide
dstFF:FF:FF:FF:FF:FF
channel36
statestart
alarm_id14911
dos_count2500
inter_arrival2
Jul 8 23:25:26 Single device packet flood
radio: 1, state: end, alarm_id: 14910  more »
Jul 8 23:25:24 Single device packet flood
packet: probe_resp, device: DE:CB:AC:51:FB:22, radio: 1  more »
Jul 8 22:55:46 AP / client flood
radio: 1, state: end, alarm_id: 14909  more »
Jul 8 22:55:41 AP / client flood
packet: beacon, radio: 1, bssid: 28:24:FF:7A:8E:A2  more »
Jul 8 22:51:26 AP / client flood
radio: 1, state: end, alarm_id: 14908  more »
Jul 8 22:51:25 AP / client flood
packet: beacon, radio: 1, bssid: 40:01:7A:CC:3B:9E  « hide
dstFF:FF:FF:FF:FF:FF
channel36
statestart
alarm_id14908
dos_count2500
inter_arrival2
Jul 8 22:43:56 Single device packet flood
radio: 1, state: end, alarm_id: 14907  more »
Jul 8 22:43:49 Single device packet flood
packet: probe_resp, device: 28:24:FF:7A:8E:A2, radio: 1  more »

 

1 Reply 1
PhilipDAth
Kind of a big deal
Kind of a big deal

You would need to find out what those clients are to gauge if it is malicious.  If it has only happened a small number of times I would not worry about it.  If it is ongoing you should track down the clients and figure out what is causing it.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels