DoS Deauth Attack Defense

Hi folks,

after being affected by a deauth attack and losing many clients, I saw that there is nothing we can do to prevent this kind of attack. But, searching a little more on the Internet, I found that the Mikrotik team maybe can modify the deauthentication method in the wireless card firmware/drivers as described in the article below. It shows how to prevent Deauth attacks hardly, a very good and reliable article.

http://sysnet.ucsd.edu/~bellardo/pubs/jsoe04-80211dos-poster.pdf

It can save many clients of our friends here !!!

Regards,

Sérgio Brito

This should be relatively easy to implement.
Unless of course, one does not want to modify the MADWIFI driver or other driver.

I do agree that this would be a great implementation.

What is the situation on this issue now?
1.5 years have passed and a new ROS family with “Management frame protection” has been implemented.

But what about mixed networks where other makes’ clients work with MT-APs?

I can set the MT-AP to “allowed”, but this then means that a hacker can still spoof the MAC of a non-protected client and send de-auths for all unprotected clients?

The mentioned option of queuing de-auth requests by the AP sounds very good to me.
Is this already possible with MT ROS?

R

P.S.
I asked about the same issue in a new topic.

Hi Rudy

Watching this thread with interest! As you and I know from our meeting yesterday.

1: The management frame had absolutely no impact on the attack that was made against my service.

2: I can get my head around the scenario when a hacker clones a MAC and sends a “deauth” to an AP to forcibly disconnect the same legitimate MAC.

But I cannot get my head around what was sent to my AP in the wireless frames to disconnect every client. He was using 00:11:22:33:44:55 as the MAC…

Obviously at the time the most important thing was to recover the AP and change its frequency quickly to avoid the attack, rather than to study the content of the wireless frames.

Maybe someone here has had former experience and can advise “what could have been included in the wireless frame to bring down an entire AP”


From a legal perspective, yes, it’s totally illegal on many grounds.

1: To sabotage a business is a criminal act.
2: To use a wireless device for other than its designed functions is a grey area.
3: To knowingly use a wireless device that generates interference is also a crime.

At the moment, there has been a court hearing, immediately suspended on grounds of complexity.
The Guardia, who responded rapidly, halted the transmissions, but because of complications regarding the law, i.e. that the crime was being committed from within the boundary of his home, a seizure warrant was necessary, signed by a judge. As yet this still has not been accomplished.

A formal notice to the judge of financial damages may be speeding things up. I am advised that in any event, when found guilty, the offender will be facing time behind bars!!

However my outrage and disappointment goes to the C.M.T in Spain who batted me from department to department, stating the obvious that it’s “a common frequency” but failed miserably to identify any breach of the underlying laws on the use of radio equipment, which are fundamental, whether a common frequency or not.

Hi Simon,

Last night I have been googlin’ on the issue and found several tutorials on how to do an attack and ways to detect or avoid them.

An attack can be launched against the mac address of a single client unit or the AP.
But the same attack can also be launched at the broadcast address of the network, and then ALL radios on that network receive the de-auth header and they have to obey and disassociate from the AP, and the AP disassociates all clients at the same time.
After that all clients will probably try to authenticate and associate again, which creates queues in the network, and when the attacker keeps on sending deauth frames the network has no chance to recuperate…

I have been playing with the MT settings last night to see how it is done in ROS but am not 100% done with that. You can set the management frame protection in the main wireless window but also in the access list and connect list.
Since most of my networks also have other vendors’ stuff around I think I have to set it on the AP in the access list only (and use the “required” option) for each client, while for clients that can be done in the main window.
But it did not work 100% last night. Tonight I will play with it a bit more (it’s a live network, that’s why the night time. I also have to make sure not to lose the connection to a client due to a faulty setting…)

And look at my new post http://forum.mikrotik.com/t/deauthentication-attack-issue-non-mt-clients/35007/1
I hope we get some more reactions on this issue.

R.

I am a bit confused on the De-Auth attacks and the purpose or perspective that these ‘hackers’ have when conducting the operation. Is it a tactic used to phish information from our servers, or is it more to cripple our servers…I have heard so much, but have yet to have it happen (fingers crossed). I would like to know this information because I am concerned for the security and well being of my business continuity software and file sharing codecs. Hopefully the included security measures combined with my anti-virus software will prevent the worst from happening. I have been testing the waters with my dvd burning software and all seems good to this point.

'nuff said
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection

Thanks for the clear explanation)) the thread makes me understand that it’s not really possible to know all the things and every day you find something new

Was going to post this myself but Janisk beat me to it.

Deauth attacks are nothing new and there’s very little that can be done about them outside of protocol modifications to authenticate deauth frames.

Few people just do a deauth attack for DoS. The most common reason is to make points reassociate so they can collect IVs (WEP) or authentication information (WPA/WPA2) for decryption attempts.

Management protection in Mikrotik RouterOS fixed this issue. I enabled it and the deauth stopped. That’s what happened in my experience. They were hitting our AP every day nonstop until I did this.

Dallas

Hi Dallas, how did you do the configuration?

management-protection=allowed management-protection-key=""

is it right? Or I need to set something on management-protection-key?

Read the manual and set the key. A “” key is an empty key. You need to set your secret key on both ends.

What if my clients are only Windows users? I guess Windows doesn’t support Management protection of MT.

I didn’t know Windows also makes antenna devices?
Management protection only works between ROS operated radios. On the Ethernet (LAN) side of the CPE you can hang any kind of client.

Okay. Thanks WirelessRudy. MT can not solve the deauth attack. Of course in an office WiFi clients are always notebooks.

use WPA keys and there will be no problems with deauth.

Well, if you mean by notebooks dynamic clients of which you’ll never know which one is going to connect, then the suggestion of normis is the only way. Even if these would have the management protection ability you would have to tell the client that key first as well.

And if you are in an environment where these notebooks are always the same ones (so they are considered as ‘fixed’ clients), then apart from the WPA key you can work with the access list to prevent foreign MACs from associating, and also make a fixed ARP to IP resolution table in the AP with the ‘answer only’ option. This way IPs are also bound to certain fixed MACs.
All together, now an intruder needs a lot of skills to still be able to ‘break in’ to your system…

Thanks guys, I will change key to WPA ASAP.

From the AP log:

08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:5E:16:4D, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:5E:16:4D, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:58 wireless,debug Kenepuru: 00:02:6F:5E:16:4D attempts to associate
08:51:58 wireless,debug Kenepuru: 00:02:6F:5E:16:4D in local ACL, accept
08:51:58 wireless,info 00:02:6F:5E:16:4D@Kenepuru: connected
08:52:02 wireless,debug Kenepuru: 00:02:6F:48:23:A0 attempts to associate
08:52:02 wireless,debug Kenepuru: 00:02:6F:48:23:A0 in local ACL, accept
08:52:02 wireless,info 00:02:6F:48:23:A0@Kenepuru: connected

knowing that this MAC address belongs to one of my stations, an RB411, and the AP is an RB433

I would see this log when the network has crashed and I can’t ping between the two devices until I reboot the AP,
and for that I have to travel like 40 min. It’s frustrating, please help me out and tell me what to do

This has nothing to do with a DoS Deauth Attack. Probably more a case of a bad link or lots of interference. Make a new topic in the wireless part of this forum and give us all the details of the link (both end units).
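The AP log posted above, and the reply that it looks like a bad link rather than an attack, are the kind of thing a defender wants to triage automatically rather than by eye. The script below is an added example written for this thread; it is not code from the forum, from MikroTik or from RouterOS. It parses AP log lines in the format shown above (the embedded sample is that log plus four constructed lines for the made-up, locally administered MAC 02:00:00:00:00:01), counts the deauths the AP itself sent per station and per second, and classifies each station: a station the AP deauthed as “unknown” and which re-associated shortly afterwards looks like a dropped session or flapping link, while a station that keeps re-associating many times in a short window looks like something is repeatedly knocking it off, which is where a deauth flood would show up in an AP-side log. The recovery window, churn window and churn threshold are assumptions chosen for illustration, not RouterOS settings.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the AP log posted in this thread. The first
# fourteen lines are that log; the last four (MAC 02:00:00:00:00:01, a locally
# administered address chosen so it is obviously made up) are added to show what
# a client that keeps being knocked off and re-associating looks like.
SAMPLE_LOG = """\
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:5E:16:4D, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:5E:16:4D, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:57 wireless,info Kenepuru: data from unknown device 00:02:6F:48:23:A0, sent deauth
08:51:58 wireless,debug Kenepuru: 00:02:6F:5E:16:4D attempts to associate
08:51:58 wireless,debug Kenepuru: 00:02:6F:5E:16:4D in local ACL, accept
08:51:58 wireless,info 00:02:6F:5E:16:4D@Kenepuru: connected
08:52:02 wireless,debug Kenepuru: 00:02:6F:48:23:A0 attempts to associate
08:52:02 wireless,debug Kenepuru: 00:02:6F:48:23:A0 in local ACL, accept
08:52:02 wireless,info 00:02:6F:48:23:A0@Kenepuru: connected
08:53:10 wireless,info 02:00:00:00:00:01@Kenepuru: connected
08:53:14 wireless,info 02:00:00:00:00:01@Kenepuru: connected
08:53:19 wireless,info 02:00:00:00:00:01@Kenepuru: connected
08:53:25 wireless,info 02:00:00:00:00:01@Kenepuru: connected
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) wireless,(?P<level>\w+) (?P<body>.+)$")
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
# "<iface>: data from unknown device <mac>, sent deauth": the AP itself sent the deauth
DEAUTH_RE = re.compile(r"^(?P<iface>\S+): data from unknown device " + MAC + r", sent deauth$")
# "<mac>@<iface>: connected": the station completed association
CONNECT_RE = re.compile(r"^" + MAC + r"@(?P<iface>\S+): connected$")


def parse_events(text):
    """Return (time, kind, mac) tuples for the two event kinds triaged here; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S")  # date-less time of day is enough for one log page
        body = m["body"]
        d = DEAUTH_RE.match(body)
        if d:
            events.append((t, "ap_sent_deauth", d["mac"].upper()))
            continue
        c = CONNECT_RE.match(body)
        if c:
            events.append((t, "connected", c["mac"].upper()))
    return events


def peak_deauths_per_second(text):
    """Highest number of 'sent deauth' entries logged in any single second, across all stations."""
    counts = Counter(t for t, kind, _ in parse_events(text) if kind == "ap_sent_deauth")
    return max(counts.values(), default=0)


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any window starting at one of them (times in log order)."""
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def summarize(text, recover_window=timedelta(seconds=30),
              churn_window=timedelta(seconds=60), churn_threshold=3):
    """Per-station verdict. Windows and threshold are illustrative assumptions, not RouterOS settings."""
    per_mac = defaultdict(lambda: {"deauths_sent": 0, "connect_times": [],
                                   "recovered": False, "last_deauth": None})
    for t, kind, mac in parse_events(text):
        rec = per_mac[mac]
        if kind == "ap_sent_deauth":
            rec["deauths_sent"] += 1
            rec["last_deauth"] = t
        else:
            rec["connect_times"].append(t)
            if rec["last_deauth"] is not None and t - rec["last_deauth"] <= recover_window:
                rec["recovered"] = True  # station came back shortly after the AP dropped it

    report = {}
    for mac, rec in per_mac.items():
        churn = _max_in_window(rec["connect_times"], churn_window) >= churn_threshold
        if churn:
            verdict = "reconnect churn: station keeps re-associating; check for a deauth flood or a flapping link"
        elif rec["deauths_sent"] and rec["recovered"]:
            verdict = "AP dropped a stale session and the station re-associated"
        elif rec["deauths_sent"]:
            verdict = "AP sent deauth and no re-association was seen in the window"
        else:
            verdict = "stable"
        report[mac] = {"deauths_sent": rec["deauths_sent"], "connects": len(rec["connect_times"]),
                       "recovered": rec["recovered"], "verdict": verdict}
    return report


if __name__ == "__main__":
    print("peak AP-sent deauths in one second:", peak_deauths_per_second(SAMPLE_LOG))
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
```

Run it on a saved copy of the AP log (`/log print` output with the wireless topics enabled) by replacing `SAMPLE_LOG` with the file contents. On the thread’s log both real stations come back within seconds of the AP deauthing them, which is the “dropped session / bad link” pattern the reply describes; only the constructed station shows the repeated re-association that would justify looking for an external deauth source.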