Wireless Access

Reply
Occasional Contributor I
Posts: 6
Registered: ‎03-01-2012

Station Deauth-Broadcast Signature Detected

Hello,

 

I have been receiving this SNMP trap lately. More specifically:

 

2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:cc on radio 2 at location peddap155 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9

2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:b4 on radio 2 at location peddap156 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 11

2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 8

2013-07-15 09:22:45 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9

2013-07-15 09:22:45 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13

2013-07-16 14:46:32 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7

2013-07-16 14:46:32 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7

2013-07-16 14:54:41 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 14

2013-07-16 14:54:41 An air monitor 00:24:6c:cf:e8:44 on radio 2 at location peddap173 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13

 

I think it is a wireless NIC's attempt to deauthorise all the wireless clients on the network but it is blocked by the controller. Is it true? Is it worrying? Can someone give me any more details?

 

Thanks,

Dimitris

MVP
Posts: 777
Registered: ‎03-25-2009

Re: Station Deauth-Broadcast Signature Detected

the controller has detected the attack, not blocked it.

 

From what I gather there's not alot you can do against a deauth attack. Anyone can spoof and perform a deauth to all your clients "on behalf of your own AP". 

 

For the 2 cases where I ran into this the cause was always a neighbouring WLAN operation trying to 'protect' itself. A friendly chat with the person responsible solved this.

It could however be a hacker trying to snif handshaking or whatever so you might not be so lucky ;-)

In the least your service is being interrupted.

 

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Search Airheads
Showing results for 
Search instead for 
Did you mean: