57

I am helpless against some kiddy with backtrack who repeatedly uses aireplay-ng to deauthenticate legitimate users on my Wifi work network.

I captured and analyzed the network traffic on my Wifi work network, and I noticed a remarkable amount of 802.11 deauth packets. I realize it may not be possible to catch him, or even know where the attack came from. I just want to know: Is there any way to prevent such an attack?

Iszi
Tawfik Khalifeh
  • Like @gowenfawr stated, there is no practical technical means to stop such an attack. Your best bet would be to report to local law enforcement and let the law try to deter him. –  Sep 15 '12 at 02:47
  • I cannot guarantee that this will work, but I have heard that enterprise grade routers reject deauth packets from outside of the network now. It might be worth a buy if you live in an apartment or house near some script kiddy who really bothers you. – DeepS1X Mar 31 '17 at 19:23
  • @DeepS1X You might be thinking of MFP/802.11w support, which authenticates deauths. – forest Dec 16 '18 at 06:44
  • That's right- I was thinking of Management Frame Protection. Thanks! – DeepS1X Dec 26 '18 at 23:45
  • To check where it is coming from: dump data using the Sniff menu in the standard Wi-Fi Diagnostics tool on Mac (or airodump-ng if you have a device with monitor mode). Then you can see the signal strength by viewing the output file in Wireshark. I located three houses sending the Deauthentication messages this way. – Punnerud Jan 25 '19 at 21:05

5 Answers

35

Realistically, you cannot stop a bad guy from sending deauthentication packets.

Instead, you should focus on ensuring you are resilient to a deauth attack. Make sure your network is configured in a way that the deauth attack doesn't enable an attacker to compromise your network.

To do that, you need to make sure you are using WPA2. If you are using a pre-shared key (a passphrase), make sure the passphrase is very long and strong. If it is not already, change it immediately! If you are not using WPA2, fix that immediately!

The primary reason why bad guys send deauth packets is that this helps them execute a dictionary attack against your passphrase. If a bad guy captures a copy of the initial handshake, they can try out various guesses at your passphrase and test whether they are correct. Sending a deauth packet forces the targeted device to disconnect and reconnect, allowing an eavesdropper to capture a copy of the initial handshake. Therefore, standard practice of many attackers who might try to attack your wireless network is to send deauth packets. If you are seeing many deauth packets, that is a sign that someone may be trying to attack your wireless network and guess your passphrase.

Once the attacker has sent a deauth packet and intercepted the initial handshake, there are tools and online services that automate the task of trying to recover the passphrase, by guessing many possibilities. (See, e.g., CloudCracker for a representative example.)

The defense against this kind of attack is to ensure your passphrase is so long and strong that it cannot possibly be guessed. If it's not already long and strong, you need to change it right away, because someone is probably trying to guess it as we speak.

(The other reason a bad guy might send deauth packets is as an annoyance. However, as most users probably won't even notice, it's not a very effective annoyance.)

To learn more, see these resources:

D.W.
  • You indicated it's not a very effective annoyance, but this GitHub repo indicates it can effectively knock everyone off the Wifi network when scripted: https://github.com/DanMcInerney/wifijammer -- Call me crazy, but that sounds mighty annoying. Am I missing something? – Dan Esparza Apr 18 '14 at 13:37
  • @DanEsparza, you might be right. I had the impression clients would automatically re-connect, but I could be wrong: I haven't tested it. If you found documentation that says it kicks clients off the network and they stay off, I believe you. – D.W. Apr 18 '14 at 15:50
  • Actually -- I don't know that they stay off the network automatically, it's just that the attack can be scripted in such a way that clients are too busy 'constantly re-authenticating' to do anything useful. – Dan Esparza Apr 18 '14 at 18:21
  • If I do not use WPA/WEP at all but an open access point with mandatory VPN or IPsec encryption, can I get a deauth-proof WiFi with no loss of security? – 比尔盖子 Oct 23 '15 at 13:56
  • @比尔盖子, no. The VPN will ensure confidentiality+integrity, but if that's the route you're considering, it'd be better to use WPA plus your VPN/IPsec. – D.W. Oct 23 '15 at 15:17
  • This is not true anymore. See 802.11w. – forest May 06 '19 at 02:48
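As an added, constructed example (not from the original answer): a minimal Python detector that parses raw 802.11 management frames, flags bursts of deauthentication/disassociation frames per claimed transmitter, and runs over an embedded synthetic capture. It assumes raw 802.11 frames with no radiotap header; because the transmitter address is spoofable, the alert names the impersonated AP, not the attacker.

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a link
DEAUTH, DISASSOC = 0xC, 0xA
# FC, duration, addr1, addr2, addr3, seq-ctl (little-endian, 24 bytes)
MGMT_HDR = struct.Struct("<HH6s6s6sH")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, reason) for a management frame, else None."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _, a1, a2, _, _ = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0:            # frame-control type bits: 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= MGMT_HDR.size + 2:
        reason = struct.unpack_from("<H", frame, MGMT_HDR.size)[0]
    return subtype, mac(a1), mac(a2), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp, raw_80211_bytes), in time order.
    One alert per burst of more than `threshold` deauth/disassoc frames
    from the same claimed transmitter (addr2) inside `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p is None or p[0] not in (DEAUTH, DISASSOC):
            continue
        q = recent[p[2]]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"time": ts, "claimed_src": p[2], "dst": p[1],
                           "reason": p[3], "count": len(q)})
            q.clear()
    return alerts

def build_frame(subtype, dst, src, bssid, reason=7):
    """Constructed test frame: version 0, type 0 (management), given subtype."""
    hdr = MGMT_HDR.pack(subtype << 4, 0, dst, src, bssid, 0)
    return hdr + struct.pack("<H", reason)

def demo():
    ap, bcast = bytes.fromhex("020000000001"), b"\xff" * 6   # constructed BSSID
    capture = [(i * 0.02, build_frame(DEAUTH, bcast, ap, ap)) for i in range(30)]
    capture.append((0.61, build_frame(0x8, bcast, ap, ap)))  # a beacon, ignored
    return detect_deauth_flood(capture)
```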
33

Cisco spearheaded a method of detecting these attacks and even protecting against this type of attack if it is enabled and the client device supports it (minimum support of CCXv5). The Cisco feature is called "Management Frame Protection" and full details can be found on the Cisco website.

In essence, the process adds a hash value to all management frames that are sent.

This process was standardized with the IEEE 802.11w amendment released in 2009, and is supported by most modern Linux/BSD distributions in the kernel. Windows 8 was introduced with 802.11w support by default (which did cause some initial problems in some environments). AFAIK, OS X still lacks 802.11w support.

For reference, 802.11w was rolled up in the 802.11-2012 maintenance release of the 802.11 standard.


Someone gave me an upvote, which refreshed this answer in my mind, and I figured this was due an update.

The Wi-Fi Alliance (WFA) has made support of Protected Management Frames (PMF) mandatory to pass 802.11ac or Passpoint (aka HotSpot2.0) certifications. This has pushed support for 802.11w significantly and you can even find it in most consumer devices today.

Unfortunately, Apple still appears to be the holdout. Let me lead off by saying that I was surprised to find that Apple has not certified a single device with the WFA since early 2014. I know this is a voluntary process for vendors, but not taking part in the certification process seems like a bad idea to me for such a large manufacturer of wireless devices.

While Apple has added 802.11w support, there are still issues. Namely, I came across this post earlier this year detailing issues with Apple connecting to a network with 802.1X authentication and 802.11w required. Networks that use a PSK (with 802.11w either optional or required) seem to work, as do 802.1X networks with 802.11w optional.

So we are getting there, but still have some way to go.

YLearn
  • This is the *correct* answer, long term. Especially in light of recent news about hotel chains blocking Wi-Fi. Apple needs to implement, and AP makers need to enable, protected management frames in order to secure the Wi-Fi MAC. – alfwatt Jan 17 '15 at 03:29
  • I was recently introduced to this attack (2016) and the guy who showed it to me claims it is extremely effective. It has been 2 years since your post and it doesn't sound like protection has seen much ground. – Shadoninja Jul 07 '16 at 20:55
  • @Shadoninja first, many 802.11 environments (especially consumer installations) do not support 802.11w today. Either they are too old or the vendors haven't added support. Second, AFAIK Apple devices still don't officially support 802.11w, but I could be wrong (it appears they haven't certified any devices with the Wi-Fi Alliance since 2014, and none with any security certifications from them even then). This leads many environments that could utilize 802.11w to either not run it or allow it only as an option. Despite these issues, this is the solution to the problem of the OP. – YLearn Jul 12 '16 at 18:37
  • @YLearn, I wasn't necessarily challenging this answer. I thought it was quite interesting that a problem of this caliber is still around. – Shadoninja Jul 13 '16 at 19:43
  • @Shadoninja, unfortunately the failure of (parts of) the industry to implement advanced security features is all too common, especially when people don't understand those features and why they are needed. – YLearn Jul 14 '16 at 05:42
21

The only way to prevent such an attack is to block the attacker's ability to send wireless transmissions that will reach your legitimate users. That's not a practical solution for several reasons (but extra points if you can convince your workers to sit in a Faraday Cage).

This blog page here quotes some of the relevant WiFi standard, most pointedly:

Deauthentication is not a request; it is a notification. Deauthentication shall not be refused by either party.

So, no, there's no real way to prevent such an attack.

gowenfawr
  • Bummer - that URL is dead and not archived on any of the major sites. Your answer implies that one has to follow the relevant standard. But it's just a document. We are free to ignore it. There are consequences, but surely it's not illegal, and I'm wondering what, practically speaking, would go wrong IRL if all implementations ignored all de-auth packets. – WHO's NoToOldRx4CovidIsMurder Mar 30 '16 at 19:46
  • @MatthewElvey, about the same thing as if all car drivers ignored stop signs. The network would jam up with talkers talking and their packets crashing against cards that won't listen (the deauth sender is never going to listen to that convo again). – gowenfawr Apr 05 '16 at 22:57
  • @gowenfawr You're referring to [Collision avoidance](https://en.wikipedia.org/wiki/Collision_avoidance_%28networking%29), but deauthentication packets aren't even mentioned among the many methods (prior scheduling of timeslots, carrier-detection schemes, randomized access times, and exponential backoff after collision detection) mentioned there. So I see a jam as unlikely. From what I can tell, deauthentication packets are for stuff like when an incorrect message integrity check (MIC) value is detected, or for an orderly access point shutdown. https://goo.gl/JBVDR7 – WHO's NoToOldRx4CovidIsMurder Apr 22 '16 at 21:34
5

The current 802.11 standard defines "frame" types for use in management and control of wireless links. IEEE 802.11w is the Protected Management Frames standard for the IEEE 802.11 family of standards. TGw is working on improving the IEEE 802.11 Medium Access Control layer. The objective of this is to increase security by providing data confidentiality of management frames, and mechanisms that enable data integrity, data origin authenticity, and replay protection.

==> http://en.wikipedia.org/wiki/IEEE_802.11w-2009

It looks like protection against deauth and replay is already in the BSD/Linux kernel:

The 802.11w standard is implemented in Linux and the BSDs as part of the mac80211 driver code base, which is used by several wireless driver interfaces, e.g. ath9k. The feature is easily enabled in most recent kernels and Linux OSs using these combinations. OpenWrt in particular provides an easy toggle as part of the base distribution.

nandoP
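A constructed Python model (added here, not part of either answer) of the three properties this answer lists and the "hash value" YLearn's answer describes: a legacy station honours any deauth notification, while a station with protected management frames drops frames whose MIC fails or whose packet number repeats. The HMAC and counter are a stand-in for 802.11w's real CCMP/BIP protection, and the shared key is assumed to have been established during the handshake.

```python
import hmac, hashlib, os, struct

# Simplified model: real 802.11w protects unicast deauth with CCMP and
# broadcast deauth with BIP/IGTK; HMAC-SHA256 and a packet number stand in.

def sign_mgmt(key, pn, body):
    """AP side: MIC over (packet number || frame body) under the shared key."""
    return hmac.new(key, struct.pack("<Q", pn) + body, hashlib.sha256).digest()[:16]

class LegacyStation:
    """Pre-802.11w behaviour: deauth is a notification and is never refused."""
    def __init__(self):
        self.connected = True
    def handle_deauth(self, body, pn=None, mic=None):
        self.connected = False
        return "accepted"

class ProtectedStation:
    """With PMF: drop deauth frames whose MIC fails (no key / tampered) or
    whose packet number is not strictly increasing (replay)."""
    def __init__(self, key):
        self.key, self.last_pn, self.connected = key, -1, True
    def handle_deauth(self, body, pn, mic):
        if not hmac.compare_digest(sign_mgmt(self.key, pn, body), mic):
            return "dropped: bad MIC"
        if pn <= self.last_pn:
            return "dropped: replay"
        self.last_pn = pn
        self.connected = False
        return "accepted"

def scenario():
    key = os.urandom(16)                    # assumed: agreed during the handshake
    body = struct.pack("<H", 7)             # deauth body: reason code 7 (constructed)
    legacy, protected = LegacyStation(), ProtectedStation(key)
    results = {}
    # 1. A spoofed deauth from someone who does not hold the key
    forged_mic = os.urandom(16)
    results["legacy_vs_forged"] = legacy.handle_deauth(body, 5, forged_mic)
    results["pmf_vs_forged"] = protected.handle_deauth(body, 5, forged_mic)
    # 2. A genuine deauth from the AP
    mic = sign_mgmt(key, 5, body)
    results["pmf_vs_genuine"] = protected.handle_deauth(body, 5, mic)
    # 3. The same genuine frame captured and resent after the client reconnected
    protected.connected = True
    results["pmf_vs_replay"] = protected.handle_deauth(body, 5, mic)
    results["legacy_connected"] = legacy.connected
    results["pmf_connected"] = protected.connected
    return results
```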
-4

If possible, get everyone to connect to a wired network for a week, and shut off your wifi. After a week, turn it back on and hopefully the attacker will have given up by then. I would also try to whitelist everyone on your network so only those IPs can connect. If you suspect they are going to continue attacking you regardless of the effort it will cause them, then I agree with Terry, contact the local law enforcement and let them handle it.

user36773
  • Whitelisting would have no effect on the type of attack described by the OP. The attacker spoofs the L2 identity of the AP or client and would be allowed by the whitelist entry. Further, since it is an L2 attack, IP addresses are not used. – YLearn Aug 01 '14 at 04:13