Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Station Deauth-Broadcast Signature Detected

  • 1.  Station Deauth-Broadcast Signature Detected

    Posted Jul 16, 2013 10:26 AM

    Hello,

     

    I have been receiving this SNMP trap lately. More specifically:

     

    2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:cc on radio 2 at location peddap155 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9

    2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:b4 on radio 2 at location peddap156 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 11

    2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 8

    2013-07-15 09:22:45 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9

    2013-07-15 09:22:45 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13

    2013-07-16 14:46:32 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7

    2013-07-16 14:46:32 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7

    2013-07-16 14:54:41 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 14

    2013-07-16 14:54:41 An air monitor 00:24:6c:cf:e8:44 on radio 2 at location peddap173 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13

     

    I think it is a wireless NIC's attempt to deauthorise all the wireless clients on the network but it is blocked by the controller. Is it true? Is it worrying? Can someone give me any more details?

     

    Thanks,

    Dimitris



  • 2.  RE: Station Deauth-Broadcast Signature Detected

    MVP
    Posted Jul 16, 2013 10:54 AM

    The controller has detected the attack, not blocked it.

     

    From what I gather there's not a lot you can do against a deauth attack. Anyone can spoof and perform a deauth to all your clients "on behalf of your own AP".

     

    For the 2 cases where I ran into this the cause was always a neighbouring WLAN operation trying to 'protect' itself. A friendly chat with the person responsible solved this.

    It could however be a hacker trying to sniff handshaking or whatever, so you might not be so lucky ;-)

    At the least, your service is being interrupted.
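
Added example, not part of the original thread and not Aruba code: a small Python triage script that parses trap lines in the format quoted in the first post, merges traps from the same station into events, and reports which air monitor heard each event loudest, as a starting point for finding the source. The 60-second merge window and the use of SNR as a rough proximity hint are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Trap lines copied from the first post in this thread.
SAMPLE = """\
2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:cc on radio 2 at location peddap155 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9
2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:b4 on radio 2 at location peddap156 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 11
2013-07-15 09:17:11 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 8
2013-07-15 09:22:45 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 9
2013-07-15 09:22:45 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13
2013-07-16 14:46:32 An air monitor 00:24:6c:cf:d6:de on radio 2 at location peddap154 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7
2013-07-16 14:46:32 An air monitor 00:24:6c:cf:e8:2e on radio 2 at location peddap176 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 7
2013-07-16 14:54:41 An air monitor 00:24:6c:cf:fc:90 on radio 2 at location peddap162 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 14
2013-07-16 14:54:41 An air monitor 00:24:6c:cf:e8:44 on radio 2 at location peddap173 has detected a factory default signature (Deauth-Broadcast) match from a station (00:25:42:e0:7e:48),SNR is 13
"""
TRAP_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) An air monitor (?P<am>[0-9a-f:]{17}) on radio \d+ "
    r"at location (?P<loc>\S+) has detected a factory default signature \((?P<sig>[^)]+)\) "
    r"match from a station \((?P<sta>[0-9a-f:]{17})\),\s*SNR is (?P<snr>\d+)", re.I)

def parse_traps(text):
    """Yield a dict per matching trap line; anything else is ignored."""
    for m in TRAP_RE.finditer(text):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["snr"] = int(d["snr"])
        yield d

def summarize(text, signature="Deauth-Broadcast", window=timedelta(seconds=60)):
    """Merge traps from one station that arrive within `window` into one event."""
    by_sta = defaultdict(list)
    for t in parse_traps(text):
        if t["sig"] == signature:
            by_sta[t["sta"]].append(t)
    events = []
    for sta, traps in by_sta.items():
        traps.sort(key=lambda t: t["ts"])
        group = []
        for t in traps + [None]:  # trailing None flushes the last group
            if group and (t is None or t["ts"] - group[-1]["ts"] > window):
                best = max(group, key=lambda g: g["snr"])  # loudest monitor: rough proximity hint
                events.append({"station": sta, "start": group[0]["ts"], "monitors": len(group),
                               "strongest": best["loc"], "snr": best["snr"]})
                group = []
            if t is not None:
                group.append(t)
    return sorted(events, key=lambda e: e["start"])
```

Calling `summarize(SAMPLE)` returns one record per burst, with the reported station MAC, the number of air monitors that saw it, and the location name with the highest SNR. Since the reply above points out that the source address in a deauth frame can be spoofed, the location ranking is usually more useful for follow-up than the MAC itself.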