Cisco Support Community

New Member

Deauth Flood Attack

Hey Guys,

I have a site that is experiencing periodic Denial of Service Deauthentication flood attacks. There are WLAN controllers in place that are doing their job as intended. They are isolating the AP that the client is spoofing through and disabling it until the flood stops.

My question ....

What is the best way to isolate, locate and remove the attack source? Should NetStumbler be used or is there a better solution?

thanks as always,

Matt

7 REPLIES
Hall of Fame Super Silver

Re: Deauth Flood Attack

For a free tool, yeah that should work to help find the device. Finding the device is the only way to stop it.

-Scott
*** Please rate helpful posts ***
Green

Re: Deauth Flood Attack

It sounds like someone has decided that your network is a "rogue system" and their attack mitigation mechanisms are kicking in.

That is the same kind of system that Cisco can use. If you are in an area where it is possible / likely that someone else is also using a commercial-grade wireless system (Cisco or otherwise), you might want to re-survey and make sure your signals are staying within / close to your building or area (which is also just a good security measure).

If you were sloppy with your setup and are spraying the area with your overrun RF, then you are a Rogue and they are just acting to protect their system against yours.

I'm not pointing fingers, I'm just trying to point out what may be the other side of the coin.

Good Luck

Scott

New Member

Re: Deauth Flood Attack

Well, as far as I know, a valid survey was performed and all APs are under a LWAPP setup. So the WLAN controllers are just finding an internal device.....the 'rogue' is internal to the building and no one from the outside has access.

My guy in Canada brought this to my attention and I wanted to get some advice from the best in the west...you guys. :)

Thanks for the input.

Matt

Green

Re: Deauth Flood Attack

I meant that some other company or organization with their own wireless network is seeing your stuff (as a rogue) and is taking steps to suppress your "attack."

Whatever, good luck!

Scott

Re: Deauth Flood Attack

There have been some issues with this alarm actually being a false positive. What version of code are you running and have you performed all OS patches on the clients? This sometimes occurs when a WPA PSK enabled client is deauthenticated for the purpose of re-keying.

New Member

Re: Deauth Flood Attack

I experienced the same issues. I have 2 WLCs running v. 4.2.61 and my WCS is v 4.2.62.11. I was told by a TAC engineer that there is a bug in the WLC version I am running and I need to upgrade to 4.2.112.0. Apparently there seems to be an issue with the false positives as mentioned here.
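
The following Python example is added here and is not from any poster in this thread or from Cisco. It counts deauthentication frames per claimed transmitter/receiver pair in a sliding window, so the isolated deauths discussed above (a client deauthenticated for re-keying) stay below the threshold while a sustained flood is reported. The window, threshold, function names and sample frames are assumptions constructed for illustration, not the WLC's signature values.

```python
from collections import defaultdict, deque

# Assumed tuning values for this example; not the WLC's signature parameters.
WINDOW_S = 1.0    # sliding window length, seconds
THRESHOLD = 10    # deauth frames per (transmitter, receiver) pair per window

def find_deauth_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Summarise bursts of 802.11 deauthentication frames.

    frames: time-sorted iterable of (timestamp_s, transmitter_mac, receiver_mac),
    one tuple per deauth frame seen by a monitor. The transmitter is only the
    address the frame claims, so a spoofed flood shows the AP's own BSSID here.
    """
    recent = defaultdict(deque)  # pair -> timestamps still inside the window
    active = {}                  # pair -> burst that is still being extended
    bursts = []
    for ts, tx, rx in frames:
        key = (tx.lower(), rx.lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # drop frames older than the window
        if key in active and ts - active[key]["last"] > window:
            del active[key]      # quiet gap: the earlier burst has ended
        if key in active:
            active[key]["last"] = ts
            active[key]["frames"] += 1
        elif len(q) >= threshold:
            burst = {"tx": key[0], "rx": key[1], "first": q[0],
                     "last": ts, "frames": len(q)}
            active[key] = burst
            bursts.append(burst)
    return bursts

def sample_frames():
    """Constructed capture: three isolated deauths, then a 40-frame burst."""
    ap = "00:11:22:33:44:55"     # constructed BSSID
    frames = [(60.0 * i, ap, f"02:00:00:00:00:0{i}") for i in range(1, 4)]
    frames += [(300.0 + 0.05 * i, ap, "ff:ff:ff:ff:ff:ff") for i in range(40)]
    return frames

if __name__ == "__main__":
    for b in find_deauth_floods(sample_frames()):
        print(f"{b['frames']} deauths {b['tx']} -> {b['rx']} "
              f"between t={b['first']:.2f}s and t={b['last']:.2f}s")
```

Because the address in each frame is only what the sender claims, the output narrows down when and against which pair the flood ran; physically locating the transmitter still requires an RF survey.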
