Kiken Posted March 14, 2014

Hi guys, I hope you can help me a bit with my problem. First of all, sorry for my bad English, I'm Chilean, so I'll try my best to write as it should be.

Well, the problem I'm having is the following: I have a corporate Wifi running in my office with 5 Unifi UAP Access Points in different locations, all with the same SSID and channel. This is all commanded by a Mikrotik router that has a hotspot running and it's delivering DHCP to the clients and the APs. The thing is that just in a specific area of the office (where I work) wifi just can't be used, it has packet loss of about 50% or more and just can't be used... I've started making some changes, like changing channels, flashing the AP firmware, etc... Currently the AP has OpenWrt and everything I do seems to remove the problem for some hours and then it happens again.

Yesterday I disconnected the AP and configured another SSID and used it on my laptop and cellphone all day and it worked OK! So that led me to believe that someone is attacking the office wifi SSID specifically. What can I do to diagnose this? I hope you guys can help me.
digininja Posted March 14, 2014

I'd say that this is the first place to start: "all with the same SSID and channel".

You shouldn't have APs on the same channel, otherwise they talk over each other. See this for more information: http://en.wikipedia.org/wiki/List_of_WLAN_channels

Change them all to non-overlapping frequencies and then see if your problem is fixed.
Kiken Posted March 14, 2014

Well, the one that is causing troubles now is in channel 11 and the rest are all in channel 3... The one that is causing the problem is the AP that is on channel 11.
Kiken Posted March 14, 2014

Guys, check this: I've just changed the channel from 11 to 6, then this appears, a warning of a possible DoS, and then a @dimacofi SSID with a MAC I don't recognize as any of my APs appears... Also note that the moment I changed channel I started to test pings and web pages and streamings and all works OK... I'll just have to wait a while till it starts to be bad again.

Edited March 14, 2014 by Kiken
digininja Posted March 14, 2014

Is the BSSID that the DoS refers to one of yours?

@dimacofi is just a probe request, a device in the area asking if an AP with the ESSID of that name is out there. An AP with that name has been seen twice by Wigle, both times near Andres Bello or Vitacura. Is that anywhere near your office?
Kiken Posted March 14, 2014

> Is the BSSID that the DoS refers to one of yours? @dimacofi is just a probe request, a device in the area asking if an AP with the ESSID of that name is out there. An AP with that name has been seen twice by Wigle, both times near Andres Bello or Vitacura. Is that anywhere near your office?

The BSSID of the DoS doesn't refer to mine... @Dimacofi is mine and yeah, that is near my office. Thanks for the clearing on the probe, I don't understand much about what Kismet is saying.
digininja Posted March 14, 2014

The two alerts then are probably just an AP that for some reason is kicking off all its clients with a mass deauth rather than individual.

A probe is your device asking if the network is there, that is how it knows to connect to it. The MAC address is of the device performing the probe, not the AP. The OUI for the MAC is Intel; do you have any Intel based wifi cards? It is likely.

There is nothing in the Kismet output that would indicate to me you are being attacked. See what other wifi channels are in use in the area, maybe you are in an area swamped by other APs. You could also try swapping the AP that is causing problems with one of the others in the office.

A side thought, how far apart are these APs? If you have 5 APs in a small area then the problem could be with your clients roaming between them too frequently and so spending too much time swapping than actually sending data.
digip Posted March 14, 2014

Can you run your wireless card in monitor mode and use Wireshark with the following display filter "wlan.fc.type_subtype eq 12"? Let that run a while and see how much it fills up. That should filter and show only deauthentication packets on the wifi side. If you see them being flooded constantly, then I'd say you may be getting attacked, but if they are random and far apart in times, then probably not getting deauthed/attacked from the wifi side and may be some other issue in that part of the building with interference to the wifi reception.

Could also try moving the AP to another part of the room and, if possible, changing its range/power/antenna output to a smaller area. I know on my home router I can change the Tx power in mW, which will change its effective reach, so if it's someone outside the building doing it, you may be able to reduce their reach depending on their radio/antenna's reach itself. Not guaranteed to help but just a thought.
Kiken Posted March 14, 2014

> Can you run your wireless card in monitor mode and use Wireshark with the following display filter "wlan.fc.type_subtype eq 12"? Let that run a while and see how much it fills up. That should filter and show only deauthentication packets on the wifi side. If you see them being flooded constantly, then I'd say you may be getting attacked, but if they are random and far apart in times, then probably not getting deauthed/attacked from the wifi side and may be some other issue in that part of the building with interference to the wifi reception. Could also try moving the AP to another part of the room and, if possible, changing its range/power/antenna output to a smaller area. I know on my home router I can change the Tx power in mW, which will change its effective reach, so if it's someone outside the building doing it, you may be able to reduce their reach depending on their radio/antenna's reach itself. Not guaranteed to help but just a thought.

Thanks for all the fast responses! I'm currently scanning with Wireshark... in an hour or so I'll show my results.
Kiken Posted March 17, 2014

OK, so I scanned the network for about 2 or 3 hours and this is what I got:

Today I'm having network issues again, the packet loss appeared... What else can I test?

Edited March 17, 2014 by Kiken
Kiken Posted March 20, 2014

Anyone? pls... :(
digininja Posted March 20, 2014

I'm no good at converting timestamps to times, what are the gaps between those deauths?
Kiken Posted March 20, 2014

Every 5 minutes or so...
digininja Posted March 20, 2014

That isn't a deauth attack then. No idea what is causing your problems. I'd look for overlapping wifi signals and frequency collisions and try swapping the affected AP with another working one to see if that fixes it.
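Added example (not part of any post in this thread): digip's Wireshark filter and digininja's question about the gaps between deauths, combined into a script that extracts deauthentication frames per BSSID from a radiotap pcap and labels each BSSID as a flood or sporadic. The sample capture, the MAC addresses and the 20-frames-in-10-seconds threshold are constructed assumptions, not values from the thread.

```python
import struct
from collections import defaultdict

DEAUTH = 12  # value matched by Wireshark's wlan.fc.type_subtype filter

def build_pcap(frames):
    """Constructed sample: radiotap (linktype 127) pcap of broadcast deauths."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for ts, bssid in frames:
        # 8-byte radiotap header, then frame control 0x00C0 (management, deauth)
        pkt = struct.pack("<BBHI", 0, 0, 8, 0) + struct.pack("<HH", 0x00C0, 0)
        pkt += b"\xff" * 6 + bssid * 2 + struct.pack("<HH", 0, 7)  # DA, SA, BSSID, seq, reason
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(pkt), len(pkt)) + pkt
    return out

def deauth_times(pcap):
    """Return {bssid: [timestamps]} for every deauthentication frame."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("expected a little-endian pcap with radiotap headers")
    seen, off = defaultdict(list), 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 4:
            continue
        hdr = pkt[struct.unpack_from("<H", pkt, 2)[0]:]  # skip radiotap header
        if len(hdr) < 22:  # truncated frame without a full management header
            continue
        type_subtype = ((hdr[0] >> 2) & 0x3) << 4 | (hdr[0] >> 4)
        if type_subtype == DEAUTH:
            seen[hdr[16:22].hex(":")].append(sec + usec / 1e6)
    return dict(seen)

def classify(times, window=10.0, flood_threshold=20):
    """'flood' if any window-second span holds >= flood_threshold deauths (assumed cut-off)."""
    times, start = sorted(times), 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= flood_threshold:
            return "flood"
    return "sporadic"

def report(pcap):
    return {b: (len(ts), classify(ts)) for b, ts in deauth_times(pcap).items()}

# Constructed capture: AP_A deauths every 5 minutes, AP_B sends 100 in 5 seconds.
AP_A, AP_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = build_pcap([(1000 + 300 * i, AP_A) for i in range(5)]
                    + [(2000 + 0.05 * i, AP_B) for i in range(100)])

if __name__ == "__main__":
    print(report(SAMPLE))
```
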
Kiken Posted March 20, 2014

OK so, what can you tell me about this "azalo" SSID: huge amounts of beacons and 100 RXQ, could that be a problem?
digininja Posted March 20, 2014

That isn't a huge amount of beacons, that is fine.

Have you tried the two potentially easy fixes I've already suggested rather than grasping at straws? Check what frequency is the quietest in the area and make sure the AP is on that, also make sure it doesn't overlap with others by the same name in your network. Try switching the "broken" AP for one that you know works, this might be as simple as the wifi chip overheating after a couple of hours if that is how long you say it usually lasts before it starts messing around.