
Deauth Flood Attack

matthogue
Level 1

Hey Guys,

I have a site that is experiencing periodic Denial of Service Deauthentication flood attacks. There are WLAN controllers in place that are doing their job as intended. They are isolating the AP that the client is spoofing through and disabling it until the flood stops.

My question ....

What is the best way to isolate, locate and remove the attack source? Should NetStumbler be used or is there a better solution?

thanks as always,

Matt

7 Replies

Scott Fella
Hall of Fame

For a free tool, yeah that should work to help find the device. Finding the device is the only way to stop it.

-Scott
*** Please rate helpful posts ***

scottmac
Level 10

It sounds like someone has decided that your network is a "rogue system" and their attack mitigation mechanisms are kicking in.

That is the same kind of system that Cisco can use. If you are in an area where it is possible / likely that someone else is also using a commercial-grade wireless system (Cisco or otherwise), you might want to re-survey and make sure your signals are staying within / close to your building or area (which is also just a good security measure).

If you were sloppy with your setup and are spraying the area with your overrun RF, then you are a Rogue and they are just acting to protect their system against yours.

I'm not pointing fingers, I'm just trying to point out what may be the other side of the coin.

Good Luck

Scott

Well, as far as I know, a valid survey was performed and all APs are under a LWAPP setup. So the WLAN controllers are just finding an internal device... the 'rogue' is internal to the building and no one from the outside has access.

My guy in Canada brought this to my attention and I wanted to get some advice from the best in the west...you guys. :)

Thanks for the input.

Matt

I meant that some other company or organization with their own wireless network is seeing your stuff (as a rogue) and is taking steps to suppress your "attack."

Whatever, good luck!

Scott


There have been some issues with this alarm actually being a false positive. What version of code are you running and have you performed all OS patches on the clients? This sometimes occurs when a WPA PSK enabled client is deauthenticated for the purpose of re-keying.
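
As an added illustration, not code from this thread or from Cisco's WLC, the kind of rate-based check behind a deauth-flood alarm, run over a constructed capture-style sample: a legitimate AP sending a few unicast deauths per minute (rekey, idle timeout) must stay below the threshold, while a burst of broadcast deauths carrying that AP's address is flagged. The window, threshold and MAC addresses are assumed values.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of 802.11 deauthentication frames: (t_seconds, src, dst, reason_code).
# AP_OK is a legitimate BSSID sending a few unicast deauths per minute (normal).
# AP_SPOOFED is a BSSID whose address is being used for a burst of broadcast deauths.
AP_OK, AP_SPOOFED = "00:11:22:33:44:55", "00:11:22:33:44:56"
SAMPLE_FRAMES = (
    [(5.0, AP_OK, "d4:3d:7e:00:00:01", 2),
     (31.0, AP_OK, "d4:3d:7e:00:00:02", 4),
     (58.0, AP_OK, "d4:3d:7e:00:00:01", 3)]
    + [(40.0 + i * 0.05, AP_SPOOFED, BROADCAST, 7) for i in range(40)]
)


def deauth_stats(frames, window_s=10.0, threshold=20):
    """Per source address: peak deauth count in any sliding window of window_s
    seconds, fraction sent to broadcast, most common reason code, and a flood
    flag when the peak reaches the (assumed) threshold."""
    by_src = defaultdict(list)
    for t, src, dst, reason in sorted(frames):
        by_src[src].append((t, dst, reason))
    report = {}
    for src, recs in by_src.items():
        window, peak = deque(), 0
        for t, _, _ in recs:
            window.append(t)
            while t - window[0] > window_s:   # drop timestamps outside the window
                window.popleft()
            peak = max(peak, len(window))
        reasons = defaultdict(int)
        for _, _, r in recs:
            reasons[r] += 1
        report[src] = {
            "total": len(recs),
            "peak_in_window": peak,
            "broadcast_fraction": round(sum(d == BROADCAST for _, d, _ in recs) / len(recs), 2),
            "top_reason": max(reasons, key=reasons.get),
            "flood": peak >= threshold,
        }
    return report


def flood_sources(frames, **kw):
    """Addresses whose deauth rate crossed the threshold (what the WLC would contain)."""
    return sorted(src for src, s in deauth_stats(frames, **kw).items() if s["flood"])


if __name__ == "__main__":
    for src, stats in deauth_stats(SAMPLE_FRAMES).items():
        print(src, stats)
```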

rochoa8aeg
Level 1

I experienced the same issues. I have 2 WLCs running v4.2.61 and my WCS is v4.2.62.11. I was told by a TAC engineer that there is a bug in the WLC version I am running and I need to upgrade to 4.2.112.0. Apparently there seems to be an issue with the false positives as mentioned here.
