
Validate Deauth Attack 

Jun 27, 2014 04:11 PM

How to validate if a client is being disconnected via "Deauth Attack"?

 

There may be instances when you need to validate whether a client is under a "Deauth Attack" from an external source that spoofs the Aruba AP's MAC address. This article outlines the procedure to validate such an attack.

With a test client connected to the Aruba SSID, you will notice that the client keeps reassociating, with an excessive number of association attempts (highlighted).


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              4          WAB


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              20         WAB


(003-aruba01) #show ap association | include da:94

TAC-Lab82:47         d8:c7:c8:e8:24:78  60:67:20:df:da:94  y     y      1    100    Aruba_Welcome  900      0x10043    a-HT-40sgi-2ss  0s              6          WAB

The show ap remote debug mgmt-frames ap-name command displays the management frames exchanged between the AP and the client. The output shows no deauths from the AP, yet the client makes continuous connection attempts.
 
(Aruba-TAC) #show ap remote debug mgmt-frames ap-name TAC-LAB82:47 | include df:da:94
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:38  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  40      -
Nov  7 11:39:38  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:38  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  40      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  38      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:37  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  37      -
Nov  7 11:39:37  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:37  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:36  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  37      -
Nov  7 11:39:36  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:36  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  38      -
Nov  7 11:39:36  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:36  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  39      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  36      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:35  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  36      -
Nov  7 11:39:35  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:35  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -
Nov  7 11:39:34  assoc-resp  d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:34  assoc-req   60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  34      -
Nov  7 11:39:34  auth        d8:c7:c8:e8:24:78  60:67:20:df:da:94  d8:c7:c8:e8:24:78  15      Success
Nov  7 11:39:34  auth        60:67:20:df:da:94  d8:c7:c8:e8:24:78  d8:c7:c8:e8:24:78  60      -

If an over-the-air capture corresponding to the command output above shows Deauth frames from the AP to the test client, this confirms that the client is under a Deauth Attack from an external source.
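The comparison described above, automated as an added example (not part of the original article or any Aruba tool): it counts the disconnect frames the AP logged against those seen in an over-the-air capture for the same client. The frame-type labels `deauth` and `disassoc`, the column meanings and the capture tuple format are assumptions, and all sample data is constructed.

```python
from collections import Counter

BSSID, CLIENT = "d8:c7:c8:e8:24:78", "60:67:20:df:da:94"
DISCONNECT = {"deauth", "disassoc"}  # assumed labels for these frame types

# Constructed AP-side log in the layout of the output above. Column meaning
# (date, time, frame type, source, destination, BSSID, signal, status) is an
# assumption read off that output.
CYCLE = [("auth", CLIENT, BSSID, "60", "-"), ("auth", BSSID, CLIENT, "15", "Success"),
         ("assoc-req", CLIENT, BSSID, "39", "-"),
         ("assoc-resp", BSSID, CLIENT, "15", "Success")]
AP_LOG = "\n".join(f"Nov  7 11:39:3{sec}  {t:<10}  {sa}  {da}  {BSSID}  {sig}  {st}"
                   for sec in range(4, 8) for t, sa, da, sig, st in CYCLE)

# Constructed over-the-air summary: (frame type, source, destination) tuples
# as exported from a sniffer near the client.
OTA = [("deauth", BSSID, CLIENT)] * 4 + [("auth", CLIENT, BSSID)] * 4


def parse_ap_log(text):
    """Return (frame_type, source, destination) for each well-formed log line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8:  # month, day, time, type, SA, DA, BSSID, signal[, status]
            rows.append((f[3], f[4].lower(), f[5].lower()))
    return rows


def classify(ap_log, ota_frames, bssid, client, min_reassoc=3):
    """Compare disconnect frames the AP logged with those seen on the air."""
    ap = Counter(parse_ap_log(ap_log))
    reassoc = ap[("assoc-req", client, bssid)]
    ap_sent = sum(ap[(t, bssid, client)] for t in DISCONNECT)
    on_air = sum(1 for t, sa, da in ota_frames
                 if t in DISCONNECT and sa == bssid and da == client)
    if reassoc >= min_reassoc and on_air > ap_sent:
        verdict = "spoofed-deauth"   # frames claim the BSSID but the AP never sent them
    elif ap_sent:
        verdict = "ap-initiated"     # the AP itself disconnected the client
    else:
        verdict = "inconclusive"     # not enough evidence either way
    return {"reassoc": reassoc, "ap_sent": ap_sent, "on_air": on_air, "verdict": verdict}


if __name__ == "__main__":
    print(classify(AP_LOG, OTA, BSSID, CLIENT))
```

The two inputs must cover the same time window, and the capture should be taken close to the affected client so that frames addressed to it are actually heard.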
