Validate Deauth Attack

How to validate if a client is being disconnected via "Deauth Attack"?

 

There may be instances when you need to validate whether a client is under a "Deauth Attack" from an external source that spoofs the Aruba AP's MAC address. This article outlines the procedure to validate such an attack.

With a test client connecting to the Aruba SSID, you will notice that the client keeps reassociating, with excessive association attempts (highlighted).


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              4          WAB


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              20         WAB


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              6          WAB

By using show ap remote debug mgmt-frames ap-name, the management frames between the AP and the client can be viewed. You will notice that there are no deauths from the AP, yet the client makes continuous connection attempts.
 
(Aruba-TAC) #show ap remote debug mgmt-frames ap-name TAC-LAB82:47 | include df:da:94
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  40      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  40      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  38      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  37      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:36  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  37      -
Nov  7 11:39:36  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:36  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  38      -
Nov  7 11:39:36  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  36      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  36      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:34  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:34  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  34      -
Nov  7 11:39:34  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:34  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -

If an over-the-air capture corresponding to the command shows Deauth frames from the AP to the test client, even though the AP's own management-frame log shows that it sent none, this confirms that the client is under a Deauth Attack from an external source.
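The comparison described above can be scripted. The following is an added example, not part of the original article or any Aruba tooling: it parses the mgmt-frames output, counts deauths the AP itself logged, and compares that with deauths seen over the air carrying the AP's MAC. The over-the-air records are constructed, the column layout is inferred from the sample output, and the "deauth" subtype label in the AP log is an assumption.

```python
import re
from collections import Counter

AP_BSSID = "d8:c7:c8:e8:24:78"   # AP radio MAC from the output above
CLIENT = "60:67:20:df:da:94"     # test client MAC from the output above

# First eight lines of the mgmt-frames output above (the AP's own view).
AP_LOG = """\
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  40      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
"""

# Constructed over-the-air records (subtype, source, destination), standing in
# for frames exported from a sniffer capture of the same interval.
OTA = [
    ("deauth", AP_BSSID, CLIENT),
    ("auth", CLIENT, AP_BSSID),
    ("auth", AP_BSSID, CLIENT),
    ("deauth", AP_BSSID, CLIENT),
    ("auth", CLIENT, AP_BSSID),
]

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# Columns inferred from the sample: time, subtype, source, destination, BSSID, signal, misc
LINE = re.compile(rf"^(\w{{3}}\s+\d+\s+[\d:]{{8}})\s+(\S+)\s+{MAC}\s+{MAC}\s+{MAC}\s+\d+\s+.*$")

def parse_ap_log(text):
    """Return (timestamp, subtype, source, destination) for each log line."""
    return [m.groups()[:4] for m in map(LINE.match, text.splitlines()) if m]

def assess(ap_frames, ota_frames, bssid, client):
    # "deauth" as the AP-log subtype label is an assumption; the page's output has none.
    sent = sum(1 for _, st, s, d in ap_frames if (st, s, d) == ("deauth", bssid, client))
    seen = sum(1 for f in ota_frames if f == ("deauth", bssid, client))
    auths = Counter(ts for ts, st, s, _ in ap_frames if st == "auth" and s == client)
    return {
        "ap_sent_deauth": sent,
        "ota_deauth_from_bssid": seen,
        "max_client_auth_per_sec": max(auths.values(), default=0),
        "spoofed_deauth_suspected": seen > sent,  # on-air deauths the AP never sent
    }
```

Calling assess(parse_ap_log(AP_LOG), OTA, AP_BSSID, CLIENT) on this data reports zero deauths sent by the AP against two seen on air, which is the mismatch the article treats as confirmation.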


Version history
Revision #: 1 of 1
Last update: 06-27-2014 01:11 PM