Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Wifi Jammer or deauthentication attack

Jump to Best Answer
  • 1.  Wifi Jammer or deauthentication attack

    Posted May 16, 2018 06:40 AM

    Hi,

    in one location users can´t connect to SSIDs broadcasting by a virtual controller (in other APs from the same VC do it).

    I did a packet capture and see a lot of broadcast deauthentication packets.
    image.jpg
    I think that we are under an attack and I can´t find the source of this so, What can I configure on a aruba instant controller to avoid the attack?

    Regards,

    EF



  • 2.  RE: Wifi Jammer or deauthentication attack

    Posted May 16, 2018 03:23 PM


  • 3.  RE: Wifi Jammer or deauthentication attack

    Posted May 16, 2018 04:52 PM

    @efelipe wrote:

    Hi,

    in one location users can´t connect to SSIDs broadcasting by a virtual controller (in other APs from the same VC do it).

    I did a packet capture and see a lot of broadcast deauthentication packets.
    image.jpg
    I think that we are under an attack and I can´t find the source of this so, What can I configure on a aruba instant controller to avoid the attack?

    Regards,

    EF


    Honestly, nothing can protect against a broadcast disconnect attack except for MFP (management frame protection) support on clients, which is few and far between.  I would try to shut down your entire WLAN, set a column in wireshark for signal strength while you are doing a wireless capture and see when the capture gets stronger to attempt to find the device that is generating your problem.  The problem with a disconnect attack is that the source mac address is  typically impersonated, so you might not be able to tell which access point it is coming from....



  • 4.  RE: Wifi Jammer or deauthentication attack

    Posted May 17, 2018 06:12 AM

    Hi all.

    I saw in several captures that packets for deauth to a client, beacon frames , probe and response frames to association... have signal power levels about -51dBm and -55dBm because I was doing the capture near to AP, but all deauthentication frames (2,4Ghz and 5Ghz bands) have signal upper to 70dBm, it seems come from another AP even the have the same source mac address, perhaps mac spoofing?

    Another point is that in this zone I can see a lot of deauthentication brodcast frames, but in other zones (remember all APs belongs to the same VC) I can´t see the same frames.

    So I think is a good idea is to implement 802.1w (mfp) but I read that only can do it CLI and this VC is managed by a Airwave, so how can I do it?

    Regards,

    EF



  • 5.  RE: Wifi Jammer or deauthentication attack
    Best Answer

    Posted May 17, 2018 06:20 AM

    MFP is only supported by a few clients, so it is not a practical solution.

     

    Did you try cutting power to the whole cluster to see if the traffic is still being sent?



  • 6.  RE: Wifi Jammer or deauthentication attack

    Posted May 17, 2018 06:58 AM

    Yes, I powered off the VC this morning and a while I still see packets with BSSID from one of the powered off AP, but the problem is that this is a big location inside a skyscraper and I´m not able to locate the source.

    Regards,

    EF