0

I suspect that my neighbor is running multiple Wifi deauth flood attacks against my Wifi. I'm using WPA2 and I don't think he can really crack my password, but my devices keep having wifi connection problems.

  1. How can I detect and prove that a deauth flood is going on against my AP?
  2. How can I prevent it?
schroeder
GMX Rider

2 Answers

3

How do I know if I'm being attacked?

Detection of de-auth frames can be difficult; you'll need software like nzyme (which is Wi-Fi monitoring software) along with something like Graylog, a Wi-Fi security management tool. Graylog enables you to analyze the wireless traffic hitting your network. You'll find a much better explanation of each by just Googling the above software.

The above may help you identify if you are the target of such attacks.

Prevention

With regards to preventing it, there is no definite way of preventing de-authentication attacks.

If your AP supports it, you can enable 802.11w, which increases the security of management frames and can assist with preventing these types of attacks; more info here: (802.11w)

Some people may suggest hiding your SSID. If your neighbor has a network card capable of injecting packets along with the know-how to send de-auth attacks, chances are he'll be able to suss out and discover you've hidden your SSID pretty quickly.

I can appreciate that the pure annoyance of this is the entire point of wanting to block these attacks; however, these types of attacks can be much more devastating somewhere like a coffee shop, for instance, so I wouldn't be too concerned with regard to network security. (This doesn't take away from the fact that this person still, of course, has the ability to try capturing the handshake and attempting a brute-force; see below for a suggestion on how to near-eradicate this worry.)

Suggestion

If this is your home network, the best thing you can do if you are worried would be to create a strong, long password. Generate a 20 char one if needs be, just don't forget it!

Tipping44
  • Can I detect the attack with Wireshark? Is this illegal in US? I can maybe collect evidence with Wireshark and contact FCC? – GMX Rider Mar 15 '19 at 16:23
  • 1
    @GMXRider - Wireshark can detect those types of packets, typing the below into the filter enables you to target these packets specifically: `wlan.fc.type_subtype == 0x0C` – Tipping44 Mar 15 '19 at 20:35
  • Why not...turn off the router being attacked, buy another cheap router not connected to anything, assign it the old SSID then turn it on, leave it being attacked and then turn on the original router with the SSID hidden? – 4d4143 Nov 18 '21 at 19:08
1

Here are some suggestions for mitigating deauthentication attacks:

In a nutshell - (See Preventing deauthentication attacks)

Here is a quick summary:

  1. Use a 5 GHz 802.11ac access point - Attacking wireless cards that use 2.5 GHz will not be able to see your AP or connected devices, and Protected Management Frames (PMF) is now mandatory for 802.11ac certification (See Preventing deauthentication attacks)
  2. Ensure that 802.11w is enabled on your device (See Preventing deauthentication attacks). 802.11w encrypts management frames with the AP and ignores deauthentications that are not encrypted
  3. Monitor the Wifi signal strength of the rogue AP and try to track it down. You can use a network signal tool on your mobile device to physically locate the rogue device and stop it.

If your goal is to simply detect the attack, you can do a few things:

  1. Put your wireless radio interface into monitor mode and run Wireshark (Noman, 2015). This will sniff all WiFi traffic and you can then filter for deauthentication packets. This allows you to manually check, but you could also run a short tcpdump / tshark ring-buffer and then use Python to analyze the .pcap files. Below is a Wireshark filter for deauthentication packets.

    (wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)

  2. You can purchase a deauthentication detector device. Here is the name and link to one on Amazon (Sorry if the link breaks): MakerFocus ESP8266 WiFi Module ESP8266 WiFi Deauth Detector V3 (Pre-flashed) with Buzzer RGB LED, ESP8266 ESP12N Inside 4MB Memory USB LED NodeMCU Wi-Fi Deauther ESP8266 Starter Kit DSTIKE

Deauth Detector V3 will make a loud and annoying buzzing sound but can also potentially be programmed to, say, send administration an email. The device uses a simple interval / threshold to determine that a deauthentication attack is taking place. Deauthentication packets do occasionally occur for normal network functions, so detecting one does not necessarily mean a deauth attack is taking place.

References:

Noman, Haitham & Shahidan, Mohd & Mohammed, Haydar. (2015). An Automated Approach to Detect Deauthentication and Disassociation Dos Attacks on Wireless 802.11 Networks.
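
The capture-then-analyze-with-Python approach and the interval / threshold logic described in this answer, as an added example that is not part of the original answer or of any tool it names: it reads a classic pcap taken in monitor mode using only the standard library and reports BSSIDs whose deauthentication count in one window exceeds a threshold. The 1-second window, the threshold of 10, the function names and the embedded capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_80211, LINKTYPE_RADIOTAP = 105, 127  # pcap link types for monitor-mode captures

def deauth_events(pcap: bytes):
    """Yield (timestamp, bssid) for each deauthentication frame in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (LINKTYPE_80211, LINKTYPE_RADIOTAP):
        raise ValueError(f"link type {linktype} is not raw 802.11")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == LINKTYPE_RADIOTAP and len(pkt) >= 4:
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]  # skip radiotap header (length is LE)
        # Frame-control byte 0xC0 = version 0, type 0 (management), subtype 0x0c (deauth)
        if len(pkt) >= 24 and pkt[0] == 0xC0:
            # Sender addresses in injected frames are forged, so key on addr3 (BSSID).
            yield sec + usec / 1e6, pkt[16:22].hex(":")

def flood_windows(events, window=1.0, threshold=10):
    """Return {(window_start, bssid): count} where count exceeds the assumed threshold."""
    counts = Counter((int(ts // window) * window, bssid) for ts, bssid in events)
    return {key: n for key, n in counts.items() if n > threshold}

def sample_pcap() -> bytes:
    """Constructed capture: one stray deauth at t=100 s, then 30 within second 200."""
    ap, sta = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")
    radiotap = b"\x00\x00\x08\x00\x00\x00\x00\x00"
    frame = radiotap + b"\xc0\x00\x00\x00" + sta + ap + ap + b"\x00\x00" + b"\x07\x00"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for sec, usec in [(100, 0)] + [(200, i * 30000) for i in range(30)]:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for (start, bssid), n in flood_windows(deauth_events(sample_pcap())).items():
        print(f"{n} deauth frames for BSSID {bssid} in the 1 s window starting at t={start:.0f}")
```

The single deauth at t=100 s stays below the threshold, which matches the answer's point that an occasional deauthentication frame is normal; only the burst is reported.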