NoahC Posted January 3, 2013 Posted January 3, 2013 WIFI DDoS Attack and how to stop it I have a N00b DDoS my Wifi Router and I can not stop it I try Mac Filtering my bad I try stop it I try Mac Filtering Quote
GuardMoony Posted January 3, 2013 Posted January 3, 2013 I'm guessing some1 is deauth attacking him. Quote
Pwnd2Pwnr Posted January 3, 2013 Posted January 3, 2013 (edited) ...erp? Was that as concise as it should've been?. Edited January 3, 2013 by Pwnd2Pwnr Quote
digip Posted January 3, 2013 Posted January 3, 2013 (edited) Not a whole lot you can do depending on the router type, deauth attacks in most cases can't be mitigated. MAC address filtering only limite the physical devices that are allowed to be on the network and connect to the router, but they can be both spoofed, and aren't needed to send deauths to clients themselves, since you can impersonate the AP and deauth the clients. Few things you can try, and this may sound like I am joking, but I am not. shield your room the router is in. Radio can not, or has a very difficult time at all, moving through metal. If you can move the router to a side of the room away from the outer walls of the house, and shield the house/room wall nearest the outside, you can prevent outside interference. And as silly as it may sound, tinfoil will work, but they also sell a special paint, that can shield wifi. You paint the room with this paint, or at least the outer facing walls, outside wifi can't enter the room. You also, won't be able to use wifi outside of that room though if you pain all the walls, so know that head of time. A simple cardboard box lined with tinfoil at one side though, so the radio only faces at your devices, can help somewhat. needs to be wide though. Covering windows also helps. To anyone laughing, this is not some tinfoil hat joke, I am being dead serious here, metal shielding can limit exposure and attack against your wifi device. Either that, or nix wifi all together, and go wired only and disalbe the wifi. One other thing I forgot to mention, configure your clients,so they do not to auto reconnect, if using WPA/WPA2, since that allows an attacker, to capture the hand shake for cracking your WPA password. DO NOT USE WEP, and do not leave the AP open, without any form of authentication, but that goes without saying. Edited January 3, 2013 by digip Quote
telot Posted January 3, 2013 Posted January 3, 2013 Haha - I'm laughing more at the tinfoil lining some poor guys outside facing walls...but the paint thing is awesome! I've heard of it being used in R&D environments, but I thought it was outside the reach of your average consumer. After a quick google, the stuff is pricey but still do-able. http://www.slt.co/products/RFShieldingPaint/ShieldingPaint-YShield-HSF54.aspx telot Quote
digip Posted January 3, 2013 Posted January 3, 2013 (edited) Haha - I'm laughing more at the tinfoil lining some poor guys outside facing walls...but the paint thing is awesome! I've heard of it being used in R&D environments, but I thought it was outside the reach of your average consumer. After a quick google, the stuff is pricey but still do-able. http://www.slt.co/pr...ield-HSF54.aspx telot Yeah, I wasn't joking about deflection with tinfoil. Taping large cardboard panels over windows and specific wall areas covered in foil, will stop a lot of attacks, and in reality, if making an antenna dish, can focus the wifi back at your devices too, and increases reception to some extent in the home. http://revision3.com...ls-download-MP4 Oh, and on the paint, make sure its not the iron oxide/aluminum kind. Thats basically, like, super thermite, explosive and highly flammable. Edited January 3, 2013 by digip Quote
Jason Cooper Posted January 3, 2013 Posted January 3, 2013 First thing to do would be figuring out how they are DOSing you, is it over the wireless (which unless they live in range is almost impossible for a noob to keep up), or are they DOSing your broadband connection from over the internet? If they are attacking your wireless then the easiest way could be to switch away from wireless for a while (till they get bored). A cat 5e network cable would let you connect your machine directly to the switch in your router. If you have a number of machines located around the house that need to connect then you could also invest in some homeplug adapters, which will let you run your network over your house electrics. Actually I prefer them over wireless for stationary devices as this then leaves your wireless network free for your mobile devices. If they are DOSing your broadband connection then you could just see if you can get a new IP, If your router doesn't have an option to release your IP and then switching off you router for a while and then turning it back on could achieve this. Of course if the noob gets your new IP and starts another attack then you will be back in the same place. Quote
NoahC Posted February 6, 2013 Author Posted February 6, 2013 yes the attacker DDoSing my wireless side Quote
NoahC Posted February 6, 2013 Author Posted February 6, 2013 I turn of wireless for one week then turn it back on and it start up 3 days later is there way to trace the attacker Quote
digip Posted February 6, 2013 Posted February 6, 2013 Are you sure its a death attack and not wifi saturation in your area? Try different channels? Switching to N only(if the device is capable and your wifi cards can too), changing to 5ghz vs 2.4 if capable, etc. I've never actually looked, but if anyone has a wireshark or pcap of what deauth packets look like, post a pick or pcap, then he can compare, or check if its actually happening or just some other interference issue. Quote
NoahC Posted February 6, 2013 Author Posted February 6, 2013 yes I am sure when I run airodump-ng and tcpdump on my wireless network lots of fake mac address show up and tcpdump pickup deauth Quote
NoahC Posted February 6, 2013 Author Posted February 6, 2013 thank the attacker is becon flooding Quote
Jason Cooper Posted February 6, 2013 Posted February 6, 2013 The first thing to check is that you aren't using the same SSID as someone else nearby, as some enterprise wireless networks will actually automatically deauth people from other networks if they have the same SSID and the access point isn't registered as belonging to their network (effectively a kind of defence against people using a pineapple close to the network). You can try to triangulate the attackers location if you have a directional antenna (the more directional the better) and a laptop. Use the directional antenna with the laptop and then run wireshark to show live packet dumps (perhaps with a filter for deauth packets). Then watch the number of packets received as you slowly rotate the directional antenna through 360 degrees. Make a note of where you start picking up the packets and where you stop picking them up. Plot this on a map of your local area. Move to a different location and repeat the process. Once you have plotted both sets onto the map you should see the area where your attacker is most likely situated. If the area shown on the map is still too large to identify the attacker from then you can repeat the process but pick locations closer to the area you have identified. Quote
digip Posted February 6, 2013 Posted February 6, 2013 The other thing is, have you tried ANY shielding of any kind and moving the access point, changing channels, as mentioned above, changing the SSID, etc. Quote
NoahC Posted February 8, 2013 Author Posted February 8, 2013 I can not use shielding I am allowing my neighbor next door in apartment C to use my wireless AP and I did change my channel 1 to 12 and add Mac address filtering Quote
NoahC Posted February 8, 2013 Author Posted February 8, 2013 I was Thanking about useing my ALFA card and clone my wireless AP for a honeypot Quote
airman_dopey Posted February 15, 2013 Posted February 15, 2013 The other thing is, have you tried ANY shielding of any kind and moving the access point, changing channels, as mentioned above, changing the SSID, etc. Digip won't stop until the world is covered in tinfoil. =P Seriously though I would change the SSID. Other than that I would make your AP mobile and see if you can find where the deauth is coming from. Quote
GuardMoony Posted February 15, 2013 Posted February 15, 2013 Or use directional antenna on your alfa and triangulate where it comes from? ( its harder if the other persone is using a directional antenna to attack ) And make sure it isnt your neighbor who is sending all the crap :p Quote
Infiltrator Posted February 16, 2013 Posted February 16, 2013 It's a bit hard to stop DDOS on a Wireless infrastructure, however there are a few things you could do to mitigate it. 1) May not be possible on some consumer routers due to it's firmware, but if upgraded to a custom firmware such as Tomato or DD-WRT, you can change the Router MAC address. 2) Definitely change the SSID, this will confuse the attacker. However the 1) option must be attempted first, because if only the SSID is changed and not the MAC address you are back to square on, because the attacker already knows what your wireless router MAC address is. This method may not stop the attacker altogether, but it's a mitigation strategy. Quote
condor Posted February 17, 2013 Posted February 17, 2013 <- Hides tinfoil hat. Ahem. What are you guys talking about? Oh, yes. Why can't this stuff happen to me? I get all the complex roadblocks. I even thought that perhaps you were my neighbor. When I moved in last year he was "Bitch_Please". So I pleased him alright. Favorite thing to do to him: crack wpa key and use it to name a soft ap using airdrop-ng. So only he knows that this strange ssid is his wpa key. I would be thrilled to take on this challenge. Sounds fun, but what do I know, eh? He could be something to contend with. I used to have the license plate: r00tm3, lol. I make crazy ssid's all the time to hopefully instigate a local attack. Even set up an internet facing honeynet to learn from live attacks. I recommend turning this into a learning experience. Think about how much you dislike this, and remember that when you are on the other side (attacking). Perhaps use a wifi card and airdrop-ng to attempt communicating with this hidden attacker. Pretty diverse group, hackers of all hats. But in my travels; most of them would love to share their information and possibly gain partner to play with.... ...try ego stroking. This will also tell you quite a bit about the person. Quote
digip Posted February 17, 2013 Posted February 17, 2013 Just change your SSID to FBIVAN and see what happens. (kidding) Quote
Pwnd2Pwnr Posted February 17, 2013 Posted February 17, 2013 Stepping in... could it be an over zealous AP trying to connect everything in sight? Quote
digip Posted February 17, 2013 Posted February 17, 2013 (edited) Stepping in... could it be an over zealous AP trying to connect everything in sight?Or just a shitty router with foobared wifi. Your neighbors NIC could be causing all the issues for you. I still say shielding it, to test your own home network first, to try and block the deauths from outside should be tested first, move it to another room, (and yes, TINFOIL DOES WORK, to an extent). Directional antennas between you and the neighbor are also options to try, but if you can isolate the AP in your own home from any outside network(including the neighbor for now, just to test) and keep the AP up, then you know its not a faulty wifi device. Then work in the neighbor, and see what happens. If it only happens when the neighbor is on, its possible their equipment is the issue, but if you've observed beacon floods from someone and known attacking deauths, then you need to find a way to shield against that traffic. Edited February 17, 2013 by digip Quote
condor Posted February 17, 2013 Posted February 17, 2013 I am genuinely interested in the outcome of a shielding attempt. I would have to agree with digip, it sounds quite logical. If it works, and works well, my wife is gonna flip when i do up a lab in the basement. "no honey, I'm not growing weed." Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.