My wifi is being attacked


Kiken

Hi guys, I hope you can help me a bit with my problem. First of all, sorry for my bad English, I'm Chilean, so I'll try my best to write as it should be.

Well, the problem I'm having is the following: I have a corporate Wifi running in my office with 5 Unifi UAP Access Points in different locations, all with the same SSID and channel. This is all commanded by a Mikrotik router that has a hotspot running and it's delivering DHCP to the clients and the APs. The thing is that just in a specific area of the office (where I work) wifi just can't be used, it has packet loss of about 50% or more and just can't be used...

I've started making some changes, like changing channels, flashing the AP firmware, etc... Currently the AP has OpenWrt and everything I do seems to remove the problem for some hours and then it happens again.

Yesterday I disconnected the AP and configured another SSID and used it on my laptop and cellphone all day and it worked OK! So that led me to believe that someone is attacking the office wifi SSID specifically.

What can I do to diagnose this?

I hope you guys can help me.


I'd say that this is the first place to start

"all with the same SSID and channel."

You shouldn't have APs on the same channel, otherwise they talk over each other. See this for more information: http://en.wikipedia.org/wiki/List_of_WLAN_channels

Change them all to non-overlapping frequencies and then see if your problem is fixed.


Guys check this:

[Image: OXw4P52.png]

I've just changed the channel from 11 to 6, then this appears: a warning of a possible DoS, and then a @dimacofi SSID with a MAC I don't recognize as any of my APs appears...

Also note that the moment I changed channel I started to test pings and web pages and streaming and all works OK... I'll just have to wait a while till it starts to be bad again.


Is the BSSID that the DoS refers to one of yours?

@dimacofi is just a probe request, a device in the area asking if an AP with the ESSID of that name is out there. An AP with that name has been seen twice by Wigle, both times near Andres Bello or Vitacura. Is that anywhere near your office?

The BSSID of the DoS doesn't refer to mine...

@Dimacofi is mine and yeah, that is near my office. Thanks for the clarification on the probe, I don't understand much about what Kismet is saying.


The two alerts then are probably just an AP that for some reason is kicking off all its clients with a mass deauth rather than individually.

A probe is your device asking if the network is there, that is how it knows to connect to it. The MAC address is of the device performing the probe, not the AP. The OUI for the MAC is Intel; do you have any Intel-based wifi cards? It is likely.

There is nothing in the kismet output that would indicate to me you are being attacked.

See what other wifi channels are in use in the area, maybe you are in an area swamped by other APs. You could also try swapping the AP that is causing problems with one of the others in the office.

A side thought, how far apart are these APs? If you have 5 APs in a small area then the problem could be with your clients roaming between them too frequently and so spending too much time swapping rather than actually sending data.


Can you run your wireless card in monitor mode and use Wireshark with the following display filter "wlan.fc.type_subtype eq 12"? Let that run a while and see how much it fills up. That should filter and show only deauthentication packets on the wifi side. If you see them being flooded constantly, then I'd say you may be getting attacked, but if they are random and far apart in time, then you are probably not getting deauthed/attacked from the wifi side and it may be some other issue in that part of the building with interference to the wifi reception.

You could also try moving the AP to another part of the room and, if possible, changing its range/power/antenna output to a smaller area. I know on my home router I can change the Tx power in mW, which will change its effective reach, so if it's someone outside the building doing it, you may be able to reduce their reach depending on their radio/antenna's reach itself. Not guaranteed to help but just a thought.

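The "flooded constantly" versus "random and far apart" check from the post above can also be run over a saved monitor-mode capture. This is an added example, not part of the original thread: it counts subtype-12 frames per time window in a radiotap pcap, and the 10-second window, the threshold of 20 and the sample capture are all constructed assumptions.

```python
import struct
from collections import Counter

DEAUTH = 12  # management frame (type 0), subtype 12: wlan.fc.type_subtype eq 12

def deauth_frames(pcap: bytes):
    """Yield (timestamp, transmitter MAC) per deauth frame in a radiotap pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 127:
        raise ValueError("need little-endian pcap with radiotap link type 127")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 4:
            continue
        rt_len, = struct.unpack_from("<H", pkt, 2)  # radiotap header length
        dot11 = pkt[rt_len:]
        if len(dot11) < 24:                          # truncated 802.11 header
            continue
        ftype, subtype = (dot11[0] >> 2) & 3, dot11[0] >> 4
        if ftype == 0 and subtype == DEAUTH:
            # addr2 is unauthenticated without 802.11w, so treat it as a hint
            yield sec + usec / 1e6, dot11[10:16].hex(":")

def flood_windows(pcap: bytes, window=10, threshold=20):
    """Return {window_start_second: count} where deauths reach the threshold."""
    buckets = Counter(int(ts // window) * window for ts, _ in deauth_frames(pcap))
    return {start: n for start, n in sorted(buckets.items()) if n >= threshold}

def build_sample() -> bytes:
    """Constructed capture: beacons, two isolated deauths, one 30-frame burst."""
    ap = bytes.fromhex("021122334455")               # made-up MAC
    events = [(t, 8) for t in range(0, 600, 5)]      # beacons (subtype 8)
    events += [(40, DEAUTH), (310, DEAUTH)]          # far apart in time
    events += [(500 + i * 0.3, DEAUTH) for i in range(30)]  # constant flood
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    for ts, sub in sorted(events):
        frame = (struct.pack("<BBHI", 0, 0, 8, 0)    # minimal radiotap header
                 + bytes([sub << 4, 0, 0, 0]) + b"\xff" * 6 + ap + ap
                 + b"\x00\x00" + (b"\x07\x00" if sub == DEAUTH else b""))
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6),
                           len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(flood_windows(build_sample()))
```

On the constructed capture only the burst is reported; the two isolated deauths stay below the threshold, which is the pattern the post describes as probably not an attack.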

Thanks for all the fast responses!

I'm currently scanning with Wireshark... in an hour or so I'll show my results.


That isn't a deauth attack then. No idea what is causing your problems. I'd look for overlapping wifi signals and frequency collisions and try swapping the affected AP with another working one to see if that fixes it.


That isn't a huge amount of beacons, that is fine.

Have you tried the two potentially easy fixes I've already suggested rather than grasping at straws? Check what frequency is the quietest in the area and make sure the AP is on that, also make sure it doesn't overlap with others by the same name in your network. Try switching the "broken" AP for one that you know works, this might be as simple as the wifi chip overheating after a couple of hours if that is how long you say it usually lasts before it starts messing around.
