We have a hive of about 30 APs. On Saturday, the server sent a message to all of the APs at the same time using UDP port 5555.

  • Question
  • Updated 2 years ago

I used a netflow tool to show that the server sent out a message to all of the APs at the same time and then all of the APs sent a continuous flow to each other. This caused up to 4 Mbps of traffic that crushed our sites that have 2 T1s. The source and destination ports were UDP 5555. I had to apply an ACL on the routers to block these flows. The flows were ongoing from 9:13 AM until 12:45 the next morning when I applied the ACL. After I woke up, I checked again and all of the flows had stopped.

So what happened?


Gary Asher

Posted 4 years ago

Carsten Buchenau, Champ

When you say "server", do you mean the Hivemanager that is used to manage the Access Points? Do you run your own Hivemanager (HMOP), not HMOL? Just to be clear...

Can you add some screenshots showing the traffic between the server and APs?
Gary Asher

Yes, Hivemanager, the appliance from Aerohive.



Nick Lowe, Official Rep

Interesting question. This sounds like something Aerohive internally would be best suited to comment on. Have you also considered opening a support case over your observations and its impact?
Mike Kouri, Official Rep

Gary,
I don't believe this is legitimate HiveManager traffic. I don't recognize that particular UDP port, and a very quick Googling of it turns up this site (http://www.speedguide.net/port.php?port=5555) which indicates it may be a trojan attack of some sort, a game, or a backup utility. The use of the same port for source and destination makes me think it's a trojan or game...

The associated trojans appear to target Windows machines, so your Aerohive complex of access points, switches, and branch routers are merely forwarding the traffic and won't be infected by it.
Gary Asher

This image shows the source of the flow as 197.98.10.15 and the destination as one Aerohive AP at this site, 197.98.5.22. The source is the HiveManager.



Gary Asher

Then in the very next frame, 30 seconds later, this happened. These are all Aerohive APs and the HiveManager. Each of the sites that have Aerohive APs had this exact scenario play out at the same time. I added an ACL on each of the remote routers to block the traffic. I did that at 2 am, and then when I got up at 7 am, I checked and found the ACLs weren't incrementing and the flows had actually stopped.

So, I don't think this is caused by a virus. 

Alex

We had this issue as well. About 20k packets per second on UDP port 5555. Turned out to be the BonjourGateway configuration in our APs. Do you have a BonjourGateway object as a part of your Wireless Policy?
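As an added example (not code from this thread, Aerohive, or HiveManager), here is a small check you can run over exported flow records to spot the pattern Gary describes before it saturates a T1: UDP flows whose source and destination port are both 5555, with APs talking to several peers at once rather than just to the manager. The CSV layout and byte counts are constructed for the example; the addresses reuse the ones Gary posted.

```python
from collections import defaultdict

# Constructed NetFlow-style export (CSV: src,dst,proto,sport,dport,bytes,seconds).
# Addresses are the ones from the thread; byte counts and durations are made up.
SAMPLE_FLOWS = """\
197.98.10.15,197.98.5.22,udp,5555,5555,1200,1
197.98.5.22,197.98.5.23,udp,5555,5555,150000000,1800
197.98.5.23,197.98.5.22,udp,5555,5555,150000000,1800
197.98.5.22,197.98.5.24,udp,5555,5555,150000000,1800
197.98.5.24,197.98.5.22,udp,5555,5555,150000000,1800
197.98.5.23,197.98.5.24,udp,5555,5555,150000000,1800
197.98.5.24,197.98.5.23,udp,5555,5555,150000000,1800
197.98.5.30,192.0.2.53,udp,51234,53,120,1
"""

def parse_flows(text):
    """Turn the CSV export into a list of dicts with numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, nbytes, secs = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "sport": int(sport), "dport": int(dport),
                      "bytes": int(nbytes), "secs": float(secs)})
    return flows

def find_port_storm(flows, port=5555, min_peers=2):
    """Flag hosts exchanging UDP flows whose source AND destination port are
    both `port` with at least `min_peers` distinct peers: the all-to-all
    pattern from the thread, as opposed to a normal client-to-server flow."""
    peers = defaultdict(set)
    storm = [f for f in flows
             if f["proto"] == "udp" and f["sport"] == port and f["dport"] == port]
    for f in storm:
        peers[f["src"]].add(f["dst"])
        peers[f["dst"]].add(f["src"])
    hosts = sorted(h for h, p in peers.items() if len(p) >= min_peers)
    window = max((f["secs"] for f in storm), default=0.0)
    mbps = sum(f["bytes"] for f in storm) * 8 / window / 1e6 if window else 0.0
    # Hosts that only sent on the port and never received look like the
    # initial message from the HiveManager rather than part of the mesh.
    senders_only = sorted(h for h in peers
                          if not any(f["dst"] == h for f in storm))
    return {"port": port, "hosts": hosts, "flows": len(storm),
            "mbps": round(mbps, 2), "senders_only": senders_only}

if __name__ == "__main__":
    print(find_port_storm(parse_flows(SAMPLE_FLOWS)))
```

On the sample data the three APs are flagged, the HiveManager shows up as the send-only trigger, and the aggregate rate works out to roughly the 4 Mbps Gary measured; the DNS flow with a normal ephemeral source port is ignored.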