05-16-2018 03:40 AM
Hi,
In one location users can't connect to SSIDs broadcast by a virtual controller (users on other APs from the same VC can).
I did a packet capture and see a lot of broadcast deauthentication packets.
I think that we are under an attack and I can't find the source of it, so what can I configure on an Aruba Instant controller to avoid the attack?
Regards,
EF
Re: Wifi Jammer or deauthentication attack
05-16-2018 12:23 PM
Maybe check on this...
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Re: Wifi Jammer or deauthentication attack
05-16-2018 01:52 PM
@efelipe wrote:
Hi,
In one location users can't connect to SSIDs broadcast by a virtual controller (users on other APs from the same VC can).
I did a packet capture and see a lot of broadcast deauthentication packets.
I think that we are under an attack and I can't find the source of it, so what can I configure on an Aruba Instant controller to avoid the attack?
Regards,
EF
Honestly, nothing can protect against a broadcast disconnect attack except for MFP (management frame protection) support on clients, which is few and far between. I would try to shut down your entire WLAN, set a column in Wireshark for signal strength while you are doing a wireless capture and see when the capture gets stronger to attempt to find the device that is generating your problem. The problem with a disconnect attack is that the source MAC address is typically impersonated, so you might not be able to tell which access point it is coming from...
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: Wifi Jammer or deauthentication attack
05-17-2018 03:11 AM
Hi all.
I saw in several captures that packets for deauth to a client, beacon frames, probe and response frames to association... have signal power levels of about -51dBm and -55dBm because I was doing the capture near the AP, but all deauthentication frames (2.4GHz and 5GHz bands) have a signal over 70dBm; it seems they come from another AP even though they have the same source MAC address, perhaps MAC spoofing?
Another point is that in this zone I can see a lot of deauthentication broadcast frames, but in other zones (remember all APs belong to the same VC) I can't see the same frames.
So I think it is a good idea to implement 802.1w (MFP), but I read that it can only be done via CLI and this VC is managed by an AirWave, so how can I do it?
Regards,
EF
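The signal-strength comparison discussed in this thread can be automated. The following is an added example, not part of any post here: it reads monitor-mode frames (radiotap header plus 802.11), and flags source MACs whose deauthentication frames arrive at a clearly different signal level than that MAC's own beacons. The 10 dB threshold, the `make` helper and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from statistics import median

# (size, alignment) of radiotap fields for present bits 0-5; bit 5 = dBm signal
FIELDS = [(8, 8), (1, 1), (1, 1), (4, 2), (2, 2), (1, 1)]

def parse(frame):
    """Return (subtype, dst, src, rssi_dbm) for a management frame, else None."""
    _ver, _pad, rt_len, present = struct.unpack_from("<BBHI", frame, 0)
    off, word = 8, present
    while word & 0x80000000:                 # skip chained 'present' bitmaps
        word, = struct.unpack_from("<I", frame, off)
        off += 4
    if not present & (1 << 5):               # capture has no signal field
        return None
    for bit, (size, align) in enumerate(FIELDS):
        if present & (1 << bit):
            off = (off + align - 1) // align * align
            if bit == 5:
                rssi, = struct.unpack_from("<b", frame, off)
            off += size
    dot11 = frame[rt_len:]
    if len(dot11) < 24 or (dot11[0] >> 2) & 3 != 0:   # management frames only
        return None
    return dot11[0] >> 4, dot11[4:10].hex(":"), dot11[10:16].hex(":"), rssi

def suspicious_deauth(frames, max_delta_db=10):
    """Map source MAC -> RSSI delta where deauths do not match its beacons."""
    seen = {8: defaultdict(list), 12: defaultdict(list)}   # beacon, deauth
    for f in frames:
        p = parse(f)
        if p and p[0] in seen:
            seen[p[0]][p[2]].append(p[3])
    report = {}
    for src, levels in seen[12].items():
        if src in seen[8]:
            delta = median(levels) - median(seen[8][src])
            if abs(delta) > max_delta_db:    # likely a different transmitter
                report[src] = delta
    return report

def make(subtype, src, rssi, dst="ff:ff:ff:ff:ff:ff"):   # builds a constructed frame
    rt = struct.pack("<BBHIBb", 0, 0, 10, (1 << 1) | (1 << 5), 0, rssi)
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return rt + bytes([subtype << 4, 0, 0, 0]) + mac(dst) + mac(src) * 2 + b"\0\0"

AP = "02:00:00:00:00:01"   # constructed, locally administered address
SAMPLE = [make(8, AP, r) for r in (-51, -55, -53)] + [make(12, AP, r) for r in (-72, -70, -74)]
```

RSSI also varies with multipath and capture position, so a flagged MAC is a lead for walking the site with the capture device, not proof of spoofing on its own.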
05-17-2018 03:19 AM
MFP is only supported by a few clients, so it is not a practical solution.
Did you try cutting power to the whole cluster to see if the traffic is still being sent?
Re: Wifi Jammer or deauthentication attack
05-17-2018 03:57 AM
Yes, I powered off the VC this morning and for a while I still see packets with a BSSID from one of the powered-off APs, but the problem is that this is a big location inside a skyscraper and I'm not able to locate the source.
Regards,
EF