Contributor II

Wifi Jammer or deauthentication attack

Hi,

In one location, users can't connect to SSIDs broadcast by a virtual controller (users on other APs from the same VC can).

I did a packet capture and see a lot of broadcast deauthentication packets.
I think that we are under attack and I can't find the source of it, so what can I configure on an Aruba Instant controller to avoid the attack?

Regards,

EF

Guru Elite

Re: Wifi Jammer or deauthentication attack


@efelipe wrote:

Hi,

In one location, users can't connect to SSIDs broadcast by a virtual controller (users on other APs from the same VC can).

I did a packet capture and see a lot of broadcast deauthentication packets.
I think that we are under attack and I can't find the source of it, so what can I configure on an Aruba Instant controller to avoid the attack?

Regards,

EF


Honestly, nothing can protect against a broadcast disconnect attack except for MFP (management frame protection) support on clients, which is few and far between. I would try to shut down your entire WLAN, set a column in Wireshark for signal strength while you are doing a wireless capture and see when the capture gets stronger to attempt to find the device that is generating your problem. The problem with a disconnect attack is that the source MAC address is typically impersonated, so you might not be able to tell which access point it is coming from...

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Contributor II

Re: Wifi Jammer or deauthentication attack

Hi all.

I saw in several captures that deauth packets to a client, beacon frames, probe frames and association response frames... have signal power levels of about -51dBm and -55dBm because I was doing the capture near the AP, but all broadcast deauthentication frames (2.4GHz and 5GHz bands) have a signal above 70dBm. It seems they come from another AP even though they have the same source MAC address, perhaps MAC spoofing?

Another point is that in this zone I can see a lot of deauthentication broadcast frames, but in other zones (remember all APs belong to the same VC) I can't see the same frames.

So I think it is a good idea to implement 802.1w (MFP), but I read that it can only be done from the CLI and this VC is managed by an AirWave, so how can I do it?

Regards,

EF
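
Added example (not part of the original thread and not Aruba code): the signal-strength comparison described in the post above, automated over an exported capture. It builds a per-source-MAC RSSI baseline from beacons and flags broadcast deauthentication frames that claim the same source MAC but arrive at a clearly different level, or that have no beacon baseline at all. The CSV column layout, the 10 dB tolerance and the sample rows are assumptions constructed for illustration; the capture must be taken from a fixed position for the comparison to mean anything.

```python
import csv
import io
from statistics import median

BEACON, DEAUTH = 8, 12            # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample, one frame per row: subtype, source MAC, destination MAC,
# signal in dBm (e.g. exported from a monitor-mode capture as CSV).
SAMPLE = """\
8,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,-51
8,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,-53
8,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,-55
12,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,-74
12,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,-76
12,aa:bb:cc:00:00:01,11:22:33:44:55:66,-52
12,aa:bb:cc:00:00:02,ff:ff:ff:ff:ff:ff,-70
"""

def parse(text):
    """Yield (subtype, src, dst, dbm); subtype may be decimal or 0x-prefixed."""
    for subtype, sa, da, dbm in csv.reader(io.StringIO(text)):
        yield int(subtype, 0), sa.lower(), da.lower(), float(dbm)

def suspicious_deauths(text, tolerance_db=10.0):
    """Return (src, dbm, reason) for broadcast deauths that do not match the
    signal level of the beacons sent with the same source MAC."""
    frames = list(parse(text))
    beacons = {}
    for subtype, sa, _, dbm in frames:
        if subtype == BEACON:
            beacons.setdefault(sa, []).append(dbm)
    # Median resists the odd outlier caused by fading or a passing obstacle.
    baseline = {sa: median(levels) for sa, levels in beacons.items()}

    findings = []
    for subtype, sa, da, dbm in frames:
        if subtype != DEAUTH or da != BROADCAST:
            continue                      # unicast deauths are out of scope here
        if sa not in baseline:
            findings.append((sa, dbm, "no beacon baseline"))
        elif abs(dbm - baseline[sa]) > tolerance_db:
            findings.append((sa, dbm, f"{dbm - baseline[sa]:+.0f} dB vs beacons"))
    return findings

if __name__ == "__main__":
    for src, dbm, reason in suspicious_deauths(SAMPLE):
        print(f"{src}  {dbm:.0f} dBm  {reason}")
```

A frame flagged this way shares the AP's address but not its radio position, which is the pattern spoofing produces; repeating the capture from several fixed spots and comparing the flagged frames' levels narrows down where the transmitter is.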

Guru Elite

Re: Wifi Jammer or deauthentication attack

MFP is only supported by a few clients, so it is not a practical solution.

Did you try cutting power to the whole cluster to see if the traffic is still being sent?

Contributor II

Re: Wifi Jammer or deauthentication attack

Yes, I powered off the VC this morning and for a while I still see packets with the BSSID of one of the powered-off APs, but the problem is that this is a big location inside a skyscraper and I'm not able to locate the source.

Regards,

EF
