Deauthentication attack on Access Point Indoor

Good night people!
I work in technology at a hotel in Brazil and use an internal hotspot for guests to authenticate. We use the Mikrotik RouterBoard to create the hotspot and use Unifi UAP AC equipment to radiate the wireless signal to all of the internal environment.

My question is:
How can I protect my access points (UAP AC indoor) against a deauth (deauthentication) attack? Is there any way to protect against this attack on an internal wireless LAN of a company?

Mikrotik access points have the management protection option to stop this attack. But this is not valid for a local network, only for access points with external Mikrotik, correct? On the Unifi UAP AC equipment I have not found a way to avoid it within the local network.

No one on the Ubiquiti forum could answer me about it; I have never heard whether there is any native protection in Ubiquiti equipment.

Can anyone help me on this question?

Sorry for any clerical errors.
Best,

Step 1 is that you need to be using encrypted wireless if you want to be able to enforce any access-layer security. If it’s not encrypted, then anyone can send anything they like and there’s really nothing you can do about it.

Then it means that any Hotspot network is vulnerable to such an attack? All Hotspot networks are open without encryption, correct?
Following your line of thought, then all indoor and outdoor networks can suffer this attack.

It’s worse than that - I did some more reading on the topic after posting my reply, and learned that even when using wpa2, the management frames are still sent in the clear (unencrypted) and can be spoofed quite trivially. Apparently, beyond general mischief, the goal of a deauth attack is to force a client to join the network over and over so that the handshake (which IS encrypted) can be observed lots of times so that enough data can be gathered for a possible decrypt of the WPA2 preshared key.
802.1X (a.k.a. wpa2-enterprise) is probably going to be the last line of defense in such a situation, especially if the system requires client certificates - so that even joining the network won’t help authentication to the network itself - you may join the AP, but the authentication is encrypted in its own tunnel between the client device and the AAA server.
I haven’t ever actually worked out the details of this idea, but I feel like a good solution would be an open SSID “myhotspot-signup” which is walled garden for the (ssl-based) signup page where users make their username/password. This network cannot do anything but go to the signup page. The main network is wpa2-enterprise protected using the uid/password. 802.1X should have a default (i.e. failed auth / expired account) that connects unauthorized clients to the -signup wlan, but successful auths should be connected to the “myhotspot” main wlan, and get network access without any kind of captive portal being necessary (and god, do I hate captive portals)

My friend, the way is to wait for equipment implementing the 802.11w protocol to become popular, because studies show that this protocol already deploys protection on access points against this type of attack. I believe that nothing can stop this attack on an indoor network. This Cisco RV1800W K9 maybe can stop this because it deploys the 802.11w protocol natively. In outdoor networks it is possible to protect with the use of the option (management frame protection), but to protect it is necessary that all radios on your network, whether from the same manufacturer, have this same option selected on all radios; otherwise, the outdoor networks will have the same problem!

The attack occurs directly on the access point. Just identify the BSSID of the equipment to start the attack and all clients disconnect automatically. This is very easy to do with aireplay-ng in Kali Linux.

I think we need to wait for a solution coming from the manufacturers themselves.
The equipment could have come with this protocol implemented by the manufacturers.

It’s always disconcerting to see such gaping security flaws. Access-layer security is becoming crucially important these days.
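
To check which access points actually advertise the 802.11w management frame protection discussed in this thread, a beacon's RSN element can be inspected. The following is an added example, not part of any post above: it parses the tagged parameters of a beacon and reads the two protection bits in the RSN capabilities field. The function names and the sample bytes are constructed for illustration.

```python
import struct

RSN_IE_ID = 48        # RSN information element carried in beacons and probe responses
MFPR = 1 << 6         # RSN capabilities bit 6: management frame protection required
MFPC = 1 << 7         # RSN capabilities bit 7: management frame protection capable


def find_ie(tagged: bytes, wanted_id: int):
    """Walk the id/length/value elements of a beacon body; return the value or None."""
    pos = 0
    while pos + 2 <= len(tagged):
        ie_id, ie_len = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + ie_len]
        if len(value) < ie_len:
            return None                  # truncated capture, stop parsing
        if ie_id == wanted_id:
            return value
        pos += 2 + ie_len
    return None


def pmf_status(tagged: bytes) -> str:
    """Return 'no-rsn', 'disabled', 'optional' or 'required' for one AP."""
    rsn = find_ie(tagged, RSN_IE_ID)
    if rsn is None:
        return "no-rsn"                  # open hotspot (or pre-WPA2): no 802.11w possible
    try:
        pos = 2 + 4                      # skip version and group cipher suite
        (n_pairwise,) = struct.unpack_from("<H", rsn, pos)
        pos += 2 + 4 * n_pairwise        # skip pairwise cipher suite list
        (n_akm,) = struct.unpack_from("<H", rsn, pos)
        pos += 2 + 4 * n_akm             # skip AKM suite list
        (caps,) = struct.unpack_from("<H", rsn, pos)
    except struct.error:
        return "disabled"                # optional fields omitted: capabilities default to 0
    if caps & MFPR:
        return "required"
    return "optional" if caps & MFPC else "disabled"


def sample_beacon_ies(caps=None) -> bytes:
    """Constructed sample: SSID element plus, if caps is given, a WPA2-PSK/CCMP RSN element."""
    ies = bytes([0, 9]) + b"myhotspot"
    if caps is not None:
        suites = b"\x00\x0f\xac\x04" + b"\x01\x00\x00\x0f\xac\x04" + b"\x01\x00\x00\x0f\xac\x02"
        ies += bytes([RSN_IE_ID, 20]) + b"\x01\x00" + suites + struct.pack("<H", caps)
    return ies
```

An AP reporting `no-rsn` or `disabled` will have its clients accept unauthenticated deauthentication frames; only `required` guarantees that every associated client negotiated protected management frames.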