The scenario is: an attacker is disconnecting devices using the aireplay --deauth command on the AP, so none of my devices are connecting to the AP. What do I do now when none of my devices is connected to the AP?

schroeder
Shubham Wagh

1 Answer

Fighting interference is difficult. These frequency bands are unlicensed, which gives everyone the same right to use them (subject to regulatory rules regarding power limits, etc.).

There are devices like WIPS (Wireless Intrusion Prevention Systems) which can help you. I think they could be expensive for home use. Anyway, they are able to detect and prevent these kinds of attacks. There are different DoS attacks. Yours seems like this one (but there are more):

  • 802.11 Deauthenticate frames can be used to disconnect an individual station, or every station associated with a given AP. Sending a continuous stream of these forged frames is known as a Deauth Flood.

Most WIPS can recognize these DoS attack signatures.

There is a wonderful article explaining all of this, from which I took some info: How to prevent DoS attacks. Read it carefully.

If you can't get a WIPS, which is understandable, you can try to "fight" it by configuring your AP with different ESSIDs on different channels as a workaround. I know it is not the best solution, but it works. You can do this only if your AP supports multiSSID (or if you have more APs).

If you set up 4 different networks on different channels and you configure all of them on your devices, after being kicked from one, you'll connect automatically to another. The attacker needs to set up a separate attack for the other channel, so he is not going to be successful if he is not able to send 4 attacks at the same time, which usually requires 4 different wireless devices to perform the attacks.

All of this is assuming your DoS attack is based on deauth packets, for which the attacker needs to set a channel on his monitor mode card to perform them. If you are suffering another kind of DoS attack, then this workaround might not work. But the most common DoS attack is this "deauth framing", so maybe it can work in your case.

Good luck!

OscarAkaElvis
  • Will changing the channel affect any connection? – Shubham Wagh Jan 19 '17 at 19:03
  • Do you mean changing the channel of your unique SSID? Yes, the connection on your devices will go down. It is what I explained: you need multiSSID to do this. If not, OK, you can change the channel, losing the connection, reconfigure it on another channel and connect your device. Maybe you'll have some time until the attacker notices it and reconfigures his attack. – OscarAkaElvis Jan 19 '17 at 19:05
  • So is there any way to filter packets? – Shubham Wagh Jan 19 '17 at 19:08
  • As far as I know, no, not if you don't have a WIPS device. – OscarAkaElvis Jan 19 '17 at 19:10
  • So if I changed my ESSID and then set a honeypot for my AP, will it work the same as your solution does? – Shubham Wagh Jan 19 '17 at 19:13
  • A honeypot? Honeypot is a word which means another thing... you mean a "fake AP" to try to trick your attacker so that the whole attack lands on your "fake AP" while you navigate in parallel with another AP on another channel with another SSID. It is an idea, but remember this!!! The attacker knows the MAC of your AP (BSSID) and probably knows the MAC of your devices. So it is difficult to trick him. He could see your devices connected to the other AP. Maybe your last shot is: new AP, different BSSID, different SSID, different device to connect (or spoof your MAC), and leave both the fake AP and the new one running. – OscarAkaElvis Jan 19 '17 at 19:21
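
The "Deauth Flood" signature the answer says a WIPS recognizes can be sketched as a per-BSSID rate check over captured frames. This is an added example, not code from the answer or from any WIPS product; the function names, the 1-second window, the threshold of 10 and the sample capture are all assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH = 12        # management frame (type 0) subtype 12 = Deauthentication
WINDOW_S = 1.0     # assumption: sliding window length in seconds
THRESHOLD = 10     # assumption: more deauths than this per window is a flood

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauth frame, else None.
    frame: raw 802.11 MAC frame, radiotap header and FCS already removed."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason
        return None
    fc = frame[0]                            # version | type | subtype bits
    if fc & 0x3 != 0 or (fc >> 2) & 0x3 != 0 or fc >> 4 != DEAUTH:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, window=WINDOW_S, threshold=THRESHOLD):
    """capture: (timestamp, frame) pairs in time order.
    Returns {bssid: peak deauth count per window} for BSSIDs over threshold."""
    recent, peaks = defaultdict(deque), {}
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        times = recent[parsed[2]]
        times.append(ts)
        while ts - times[0] > window:        # drop timestamps outside window
            times.popleft()
        if len(times) > threshold:
            peaks[parsed[2]] = max(peaks.get(parsed[2], 0), len(times))
    return peaks

def build_frame(subtype, dst, src, bssid, body):
    """Constructed management frame used only for the sample capture."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

# Constructed sample: locally administered MACs, not from the original post.
AP1, AP2, STA = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:10"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.5, build_frame(8, BCAST, AP1, AP1, b"\x00" * 12))]          # beacon
SAMPLE += [(1.0 + i * 0.02, build_frame(DEAUTH, BCAST, AP1, AP1, struct.pack("<H", 7)))
           for i in range(40)]                                           # burst
SAMPLE += [(2.0 + 3 * i, build_frame(DEAUTH, AP2, STA, AP2, struct.pack("<H", 3)))
           for i in range(3)]                                            # normal leaves

if __name__ == "__main__":
    print(detect_floods(SAMPLE))
```

Because forged deauth frames carry the AP's own BSSID, the source address alone cannot separate them from genuine ones; the rate per BSSID is what flags the flood, while occasional deauths from a station leaving normally stay under the threshold.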