Jump to content

Recommended Posts

Posted

WIFI DDoS Attack and how to stop it

I have a N00b DDoS my Wifi Router and I can not stop it I try Mac Filtering

my bad I try stop it I try Mac Filtering

Posted

um....... What???

Posted (edited)

...erp? Was that as concise as it should've been?.

Edited by Pwnd2Pwnr
Posted (edited)

Not a whole lot you can do depending on the router type, deauth attacks in most cases can't be mitigated. MAC address filtering only limite the physical devices that are allowed to be on the network and connect to the router, but they can be both spoofed, and aren't needed to send deauths to clients themselves, since you can impersonate the AP and deauth the clients.

Few things you can try, and this may sound like I am joking, but I am not. shield your room the router is in. Radio can not, or has a very difficult time at all, moving through metal. If you can move the router to a side of the room away from the outer walls of the house, and shield the house/room wall nearest the outside, you can prevent outside interference. And as silly as it may sound, tinfoil will work, but they also sell a special paint, that can shield wifi. You paint the room with this paint, or at least the outer facing walls, outside wifi can't enter the room. You also, won't be able to use wifi outside of that room though if you pain all the walls, so know that head of time. A simple cardboard box lined with tinfoil at one side though, so the radio only faces at your devices, can help somewhat. needs to be wide though. Covering windows also helps.

To anyone laughing, this is not some tinfoil hat joke, I am being dead serious here, metal shielding can limit exposure and attack against your wifi device. Either that, or nix wifi all together, and go wired only and disalbe the wifi.

One other thing I forgot to mention, configure your clients,so they do not to auto reconnect, if using WPA/WPA2, since that allows an attacker, to capture the hand shake for cracking your WPA password. DO NOT USE WEP, and do not leave the AP open, without any form of authentication, but that goes without saying.

Edited by digip
Posted

Haha - I'm laughing more at the tinfoil lining some poor guys outside facing walls...but the paint thing is awesome! I've heard of it being used in R&D environments, but I thought it was outside the reach of your average consumer. After a quick google, the stuff is pricey but still do-able. http://www.slt.co/products/RFShieldingPaint/ShieldingPaint-YShield-HSF54.aspx

telot

Posted (edited)

Haha - I'm laughing more at the tinfoil lining some poor guys outside facing walls...but the paint thing is awesome! I've heard of it being used in R&D environments, but I thought it was outside the reach of your average consumer. After a quick google, the stuff is pricey but still do-able. http://www.slt.co/pr...ield-HSF54.aspx

telot

Yeah, I wasn't joking about deflection with tinfoil. Taping large cardboard panels over windows and specific wall areas covered in foil, will stop a lot of attacks, and in reality, if making an antenna dish, can focus the wifi back at your devices too, and increases reception to some extent in the home.

http://revision3.com...ls-download-MP4

Oh, and on the paint, make sure its not the iron oxide/aluminum kind. Thats basically, like, super thermite, explosive and highly flammable.

Edited by digip
Posted

First thing to do would be figuring out how they are DOSing you, is it over the wireless (which unless they live in range is almost impossible for a noob to keep up), or are they DOSing your broadband connection from over the internet?

If they are attacking your wireless then the easiest way could be to switch away from wireless for a while (till they get bored). A cat 5e network cable would let you connect your machine directly to the switch in your router. If you have a number of machines located around the house that need to connect then you could also invest in some homeplug adapters, which will let you run your network over your house electrics. Actually I prefer them over wireless for stationary devices as this then leaves your wireless network free for your mobile devices.

If they are DOSing your broadband connection then you could just see if you can get a new IP, If your router doesn't have an option to release your IP and then switching off you router for a while and then turning it back on could achieve this. Of course if the noob gets your new IP and starts another attack then you will be back in the same place.

  • 1 month later...
Posted

Are you sure its a death attack and not wifi saturation in your area? Try different channels? Switching to N only(if the device is capable and your wifi cards can too), changing to 5ghz vs 2.4 if capable, etc.

I've never actually looked, but if anyone has a wireshark or pcap of what deauth packets look like, post a pick or pcap, then he can compare, or check if its actually happening or just some other interference issue.

Posted

yes I am sure when I run airodump-ng and tcpdump on my wireless network lots of fake mac address show up and tcpdump pickup deauth

Posted

The first thing to check is that you aren't using the same SSID as someone else nearby, as some enterprise wireless networks will actually automatically deauth people from other networks if they have the same SSID and the access point isn't registered as belonging to their network (effectively a kind of defence against people using a pineapple close to the network).

You can try to triangulate the attackers location if you have a directional antenna (the more directional the better) and a laptop.

Use the directional antenna with the laptop and then run wireshark to show live packet dumps (perhaps with a filter for deauth packets).

  • Then watch the number of packets received as you slowly rotate the directional antenna through 360 degrees.
  • Make a note of where you start picking up the packets and where you stop picking them up.
  • Plot this on a map of your local area.
  • Move to a different location and repeat the process.
  • Once you have plotted both sets onto the map you should see the area where your attacker is most likely situated.
  • If the area shown on the map is still too large to identify the attacker from then you can repeat the process but pick locations closer to the area you have identified.
Posted

The other thing is, have you tried ANY shielding of any kind and moving the access point, changing channels, as mentioned above, changing the SSID, etc.

Posted

I can not use shielding I am allowing my neighbor next door in apartment C to use my wireless AP and I did change my channel 1 to 12 and add Mac

address filtering

Posted

The other thing is, have you tried ANY shielding of any kind and moving the access point, changing channels, as mentioned above, changing the SSID, etc.

Digip won't stop until the world is covered in tinfoil. =P

Seriously though I would change the SSID. Other than that I would make your AP mobile and see if you can find where the deauth is coming from.

Posted

Or use directional antenna on your alfa and triangulate where it comes from? ( its harder if the other persone is using a directional antenna to attack )

And make sure it isnt your neighbor who is sending all the crap :p

Posted

It's a bit hard to stop DDOS on a Wireless infrastructure, however there are a few things you could do to mitigate it.

1) May not be possible on some consumer routers due to it's firmware, but if upgraded to a custom firmware such as Tomato or DD-WRT, you can change the Router MAC address.

2) Definitely change the SSID, this will confuse the attacker. However the 1) option must be attempted first, because if only the SSID is changed and not the MAC address you are back to square on, because the attacker already knows what your wireless router MAC address is.

This method may not stop the attacker altogether, but it's a mitigation strategy.

Posted

<- Hides tinfoil hat. Ahem. What are you guys talking about? Oh, yes. Why can't this stuff happen to me? I get all the complex roadblocks. I even thought that perhaps you were my neighbor. When I moved in last year he was "Bitch_Please". So I pleased him alright. Favorite thing to do to him: crack wpa key and use it to name a soft ap using airdrop-ng. So only he knows that this strange ssid is his wpa key.

I would be thrilled to take on this challenge. Sounds fun, but what do I know, eh? He could be something to contend with. I used to have the license plate: r00tm3, lol. I make crazy ssid's all the time to hopefully instigate a local attack. Even set up an internet facing honeynet to learn from live attacks.

I recommend turning this into a learning experience. Think about how much you dislike this, and remember that when you are on the other side (attacking).

Perhaps use a wifi card and airdrop-ng to attempt communicating with this hidden attacker. Pretty diverse group, hackers of all hats. But in my travels; most of them would love to share their information and possibly gain partner to play with....

...try ego stroking. This will also tell you quite a bit about the person.

Posted

Just change your SSID to FBIVAN and see what happens. (kidding)

Posted

Stepping in... could it be an over zealous AP trying to connect everything in sight?

Posted (edited)

Stepping in... could it be an over zealous AP trying to connect everything in sight?

Or just a shitty router with foobared wifi. Your neighbors NIC could be causing all the issues for you. I still say shielding it, to test your own home network first, to try and block the deauths from outside should be tested first, move it to another room, (and yes, TINFOIL DOES WORK, to an extent). Directional antennas between you and the neighbor are also options to try, but if you can isolate the AP in your own home from any outside network(including the neighbor for now, just to test) and keep the AP up, then you know its not a faulty wifi device. Then work in the neighbor, and see what happens. If it only happens when the neighbor is on, its possible their equipment is the issue, but if you've observed beacon floods from someone and known attacking deauths, then you need to find a way to shield against that traffic. Edited by digip
Posted

I am genuinely interested in the outcome of a shielding attempt. I would have to agree with digip, it sounds quite logical.

If it works, and works well, my wife is gonna flip when i do up a lab in the basement.

"no honey, I'm not growing weed."

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...