Deauth attack, need help

Hi,

Some time ago we noticed that strange things are happening on many of the wireless APs we have. Only the 2.4 GHz ones are affected. The MAC address (see picture) periodically changes, and we do not have customers with such MAC addresses. We tried to disable default auth and forwarding on the wireless device, permitting only MACs we trust, but the same thing is going on. As we suspect a DDoS attack against us from our competitor, before going to the police we want to ask your advice.

What exactly is going on?

Thank you

Aleksander
Pealkirjata.gif

They are injecting packets in your network.

You can avoid this using WPA keys. :/

Hi,

You can try to use management frame protection which is used against ‘Deauthentication attack prevention, MAC address cloning issues.’

Try this link from the wiki manual: http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection

Rgds,
Mark

I think you can’t use this with laptops..

It could be an ‘attack’ or simply an idiot with a Backtrack CD or similar WEP cracking tool.

They do not care at all if it causes you any problem. They just want free internet.

I agree with Iber : you should use a better security system, such as WPA2-AES.

That is your only defence really.

… alternatively, you can do what I do, and put up WEP ‘protected’ SSIDs with a HotSpot behind them.

The ‘attacker’ then spends time cracking the simple WEP key and then gets the HotSpot, with an option to Pay.

Thanks, guys, for the advice.

I see this all the time on our APs with customers’ signals too low to connect.

They are injecting packets in your network.

It is more likely as wispwest suggests - i.e. low signal or a lot of interference on the channel.

The log shows only a few deauths a second, like less than 3.

A proper deauth attack would be a lot more aggressive.

Packet injection to crack WEP would also shove a lot more than a couple of packets a second at your AP, unless the attacker is a very long way away.
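Added example, not part of any post in this thread: the rate argument above (a few deauths per second versus an aggressive flood) can be checked against an exported log by counting deauth events per second and listing MACs that are not on the trusted list. The log line layout, the sample lines and the `flood_per_sec` threshold are assumptions made for this sketch; adjust the regex to the real log.

```python
import re
from collections import Counter

# Assumed layout (constructed, not taken from the thread's screenshot):
#   HH:MM:SS wireless,info AA:BB:CC:DD:EE:FF@wlan1: disconnected, received deauth: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) .*?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>\S+?):"
    r".*\bdeauth\b"
)

# Constructed sample input: five deauth events over three seconds, one normal connect.
SAMPLE_LOG = """\
12:00:01 wireless,info 02:11:22:33:44:01@wlan1: disconnected, received deauth: unspecified (1)
12:00:01 wireless,info 02:AA:BB:CC:DD:10@wlan1: disconnected, received deauth: unspecified (1)
12:00:02 wireless,info 02:11:22:33:44:01@wlan1: connected
12:00:02 wireless,info 02:AA:BB:CC:DD:11@wlan1: disconnected, received deauth: unspecified (1)
12:00:03 wireless,info 02:AA:BB:CC:DD:12@wlan1: disconnected, received deauth: unspecified (1)
12:00:03 wireless,info 02:AA:BB:CC:DD:13@wlan1: disconnected, received deauth: unspecified (1)
"""

def summarize(log_text, known_macs=frozenset(), flood_per_sec=10):
    """Return deauth counts, the busiest second per interface, and unknown MACs.

    flood_per_sec is an illustrative threshold (assumption), not a standard value.
    """
    known = {m.upper() for m in known_macs}
    per_second = Counter()   # (interface, timestamp) -> deauth events in that second
    macs = Counter()         # MAC -> deauth events attributed to it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue         # not a deauth line (e.g. a normal connect)
        per_second[(m["iface"], m["ts"])] += 1
        macs[m["mac"].upper()] += 1
    peak = max(per_second.values(), default=0)
    return {
        "events": sum(macs.values()),
        "peak_per_sec": peak,
        "unknown_macs": sorted(mac for mac in macs if mac not in known),
        "flood_suspected": peak >= flood_per_sec,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, known_macs={"02:11:22:33:44:01"}))
```

A low peak with many unknown, changing MACs matches the picture described in the first post; it does not by itself separate weak-signal clients from spoofed frames, which is why management frame protection and WPA2-AES were suggested above.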

Well, my version of AirCrack does …

I don’t do much wireless, but if you can see the client’s signal but the client can’t see you - doesn’t that often indicate that you should turn up the power a little bit, or otherwise adjust your coverage if you have multiple APs? Client radios aren’t usually very strong, and at that point you’re even weaker than that.

you should turn up the power a little bit

Ah. The slippery slope towards illegal EIRP.

Up the Power. More ! More !

Maybe it’s a Good thing you don’t do wireless. (definitely a Smart thing).

That was qualified by “if the client can see you but you cannot see the client”. It’s unlikely (though possible I guess) that the client runs at more than 17 dBm. So unless he has increased his gain, he can also increase transmit power to up to 17 dBm.

Or is that incorrect? I’m seriously curious. As I said, I don’t do much wireless, and don’t do installs at all. I’m trying to read more about it.