Community Home > Discuss > Technology > Wireless Access > Re: Wifi Jammer or deauthentication attack

Wireless Access

Reply
efelipe
Contributor II
efelipe

Wifi Jammer or deauthentication attack

‎05-16-2018 03:40 AM

Hi,

in one location users can´t connect to SSIDs broadcasting by a virtual controller (in other APs from the same VC do it).

I did a packet capture and see a lot of broadcast deauthentication packets.
image.jpg
I think that we are under an attack and I can´t find the source of this so, What can I configure on a aruba instant controller to avoid the attack?

Regards,

EF

Alert a Moderator
Message 1 of 6
2,230 Views
Reply
MVP
MVP
mkk

Re: Wifi Jammer or deauthentication attack

‎05-16-2018 12:23 PM

Maybe check on this...

http://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/IDS/ConfiguringWIP.htm

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post usefull, Kudos are welcome.
Alert a Moderator
Message 2 of 6
2,176 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Wifi Jammer or deauthentication attack

‎05-16-2018 01:52 PM

@efelipe wrote:

Hi,

in one location users can´t connect to SSIDs broadcasting by a virtual controller (in other APs from the same VC do it).

I did a packet capture and see a lot of broadcast deauthentication packets.
image.jpg
I think that we are under an attack and I can´t find the source of this so, What can I configure on a aruba instant controller to avoid the attack?

Regards,

EF

Honestly, nothing can protect against a broadcast disconnect attack except for MFP (management frame protection) support on clients, which is few and far between.  I would try to shut down your entire WLAN, set a column in wireshark for signal strength while you are doing a wireless capture and see when the capture gets stronger to attempt to find the device that is generating your problem.  The problem with a disconnect attack is that the source mac address is  typically impersonated, so you might not be able to tell which access point it is coming from....


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Alert a Moderator
Message 3 of 6
2,167 Views
Reply
0 Kudos
efelipe
Contributor II
efelipe

Re: Wifi Jammer or deauthentication attack

‎05-17-2018 03:11 AM

Hi all.

I saw in several captures that packets for deauth to a client, beacon frames , probe and response frames to association... have signal power levels about -51dBm and -55dBm because I was doing the capture near to AP, but all deauthentication frames (2,4Ghz and 5Ghz bands) have signal upper to 70dBm, it seems come from another AP even the have the same source mac address, perhaps mac spoofing?

Another point is that in this zone I can see a lot of deauthentication brodcast frames, but in other zones (remember all APs belongs to the same VC) I can´t see the same frames.

So I think is a good idea is to implement 802.1w (mfp) but I read that only can do it CLI and this VC is managed by a Airwave, so how can I do it?

Regards,

EF

Alert a Moderator
Message 4 of 6
2,143 Views
Reply
0 Kudos
Highlighted
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: Wifi Jammer or deauthentication attack

‎05-17-2018 03:19 AM

MFP is only supported by a few clients, so it is not a practical solution.

 

Did you try cutting power to the whole cluster to see if the traffic is still being sent?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Alert a Moderator
Message 5 of 6
2,136 Views
Reply
0 Kudos
efelipe
Contributor II
efelipe

Re: Wifi Jammer or deauthentication attack

‎05-17-2018 03:57 AM

Yes, I powered off the VC this morning and a while I still see packets with BSSID from one of the powered off AP, but the problem is that this is a big location inside a skyscraper and I´m not able to locate the source.

Regards,

EF

Alert a Moderator
Message 6 of 6
2,128 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium