  #1 (permalink)  
Old 07-06-2011, 07:18 AM
Desireless
Guest
 
Posts: n/a
Default Deauth

Hello all,

Could anyone tell me if there exists a router that is
invulnerable to the wifi deauth attack please? Just a basic
ADSL home user here in the UK. Thanks for any info.

--Will.



  #2 (permalink)  
Old 07-06-2011, 03:03 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Deauth

On Wed, 6 Jul 2011 08:18:34 +0100, "Desireless"
<usenet@soundstate.co.uk> wrote:

>Could anyone tell me if there exists a router that is
>invulnerable to the wifi deauth attack please? Just a basic
>ADSL home user here in the UK. Thanks for any info.
>--Will.


<http://www.aircrack-ng.org/doku.php?id=deauthentication>

Sorta. Deauth is not really an "attack" in that it does not directly
lead to unauthorized wireless access or DoS (denial of service). It's
a means of forcing the AP and client to re-associate, thus generating
a larger number of "interesting" packets suitable for use in
recovering the pass phrase. Note that for deauth to be useful, both
the client and AP traffic must be captured and filtered by airodump.
If they get lucky and grab both sides of a re-association, it can
usually be replayed (using aireplay) to gain access.

For defense, it makes no sense for a non-connected client to initiate
a disconnect. The MAC address of a connected client and AP have to be
spoofed. That can be detected. The AP would need to maintain a table
of connected client states, and reject multiple disconnect packets.
The attacker could still initiate a single disconnect, but all
subsequent deauth packets from that MAC address would be ignored. This
doesn't really solve the problem, but does reduce the number of
reconnections, thus limiting the usefulness of this attack in
collecting "interesting" packets suitable for replay. I don't think
anyone has done that since it's not really 100% effective.

Cisco has a wireless intrusion detection system, which is overkill for
the home user. It doesn't prevent attacks, but does detect most of
them:
<http://www.cisco.com/en/US/docs/wireless/mse/3350/7.0/wIPS/configuration/guide/msecg_appA_wIPS.html#wp1156098>
<http://www.cisco.com/en/US/docs/wireless/mse/3350/7.0/wIPS/configuration/guide/msecg_appA_wIPS.html#wp1143533>

This is a bit old, but the references at the bottom are still useful:
<http://www.sans.org/security-resources/security_plus/replay_attack_sp08.php>

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
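
The state-table defense described in the post above, as an added example that is not part of the original post or of any router's firmware: it parses raw 802.11 management frames, honours the first deauth for a client, ignores repeats during a hold-down, and raises an alert when the repeats look like a flood. `DeauthGuard`, `holddown`, `flood_threshold` and `build_frame` are hypothetical names, and the frames are constructed samples without radiotap header or FCS. The table is keyed on the claimed source MAC, so, as the post says, it limits the effect rather than stopping it.

```python
import struct
from collections import defaultdict

def parse_deauth(frame: bytes):
    """Return (dst, src, reason) for an 802.11 deauthentication frame, else None."""
    if len(frame) < 26:                      # 24-byte management header + reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 12:          # management frame, subtype 12 = deauth
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return frame[4:10].hex(":"), frame[10:16].hex(":"), reason

class DeauthGuard:
    """Honour one deauth per (claimed source, destination) pair, then ignore
    repeats for `holddown` seconds and alert once they look like a flood."""
    def __init__(self, holddown=10.0, flood_threshold=5):
        self.holddown, self.flood_threshold = holddown, flood_threshold
        self.accepted_at = {}                # pair -> time the last deauth was honoured
        self.ignored = defaultdict(int)      # pair -> repeats seen during hold-down

    def handle(self, ts: float, frame: bytes) -> str:
        parsed = parse_deauth(frame)
        if parsed is None:
            return "not-deauth"
        dst, src, _reason = parsed
        pair = (src, dst)
        last = self.accepted_at.get(pair)
        if last is None or ts - last >= self.holddown:
            self.accepted_at[pair] = ts
            self.ignored[pair] = 0
            return "accept"
        self.ignored[pair] += 1
        return "alert" if self.ignored[pair] >= self.flood_threshold else "ignore"

def build_frame(subtype: int, dst: str, src: str, reason: int = 7) -> bytes:
    """Constructed sample frame: no radiotap header, no FCS, BSSID set to `src`."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    header = bytes([subtype << 4, 0, 0, 0]) + mac(dst) + mac(src) + mac(src) + b"\x00\x00"
    return header + struct.pack("<H", reason)

def demo():
    ap, sta = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed, locally administered
    guard = DeauthGuard()
    burst = [guard.handle(i * 0.1, build_frame(12, sta, ap)) for i in range(8)]
    later = guard.handle(20.0, build_frame(12, sta, ap))   # hold-down has expired
    beacon = guard.handle(20.1, build_frame(8, sta, ap))   # subtype 8 = beacon
    return burst, later, beacon

if __name__ == "__main__":
    print(demo())
```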

  #3 (permalink)  
Old 07-06-2011, 04:38 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Deauth

On Wed, 06 Jul 2011 08:03:36 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote:

>>Could anyone tell me if there exists a router that is
>>invulnerable to the wifi deauth attack please? Just a basic
>>ADSL home user here in the UK. Thanks for any info.
>>--Will.


I forgot to mention a defense that mostly works. Use WPA-RADIUS
encryption and authentication. With a shared WPA-PSK key, every
client gets the same key. Eventually, that can be recovered. With
RADIUS, the key is generated automatically by the RADIUS server, and
only used once per session. No way to recover or replay that type of
key exchange. The problem is that you need a RADIUS server, which is
usually found in the form of a PC running probably FreeRADIUS:
<http://freeradius.org>
This is probably more than what you want to deal with, but may be
practical with a sufficiently small server. There are also various
free and for pay online RADIUS server services. For example:
<http://www.nowiressecurity.com/service.htm>

Unfortunately, it will not prevent the deauth attack from initiating a
disconnect. As long as the attack continues, your client is useless.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

  #4 (permalink)  
Old 07-06-2011, 06:53 PM
Aaron Leonard
Guest
 
Posts: n/a
Default Re: Deauth

>Hello all,
>
>Could anyone tell me if there exists a router that is
>invulnerable to the wifi deauth attack please? Just a basic
>ADSL home user here in the UK. Thanks for any info.
>
>--Will.


802.11w is the spec that addresses such a concern, but I
don't know whether there exist any actual commercially
available implementations. We support a prestandard scheme
(MFP, Management Frame Protection); it requires a Cisco
Aironet AP and a client that supports CCXv5 (of which there
are few.)

http://en.wikipedia.org/wiki/IEEE_802.11w-2009

http://www.cisco.com/en/US/docs/solu...html#wp1307443

All that said, if a radio near your AP wants to DoS it, it's pretty
trivial for it just to jam your channel; 802.11w/MFP won't be able
to save you from that.

Aaron

  #5 (permalink)  
Old 07-07-2011, 05:43 AM
Desireless
Guest
 
Posts: n/a
Default Re: Deauth

Very interesting, I've never heard of this, thanks.

"Jeff Liebermann" <jeffl@cruzio.com> wrote in message
news:fe3917tmi66bqlqkvbv433q3u3rj6ld4vb@4ax.com...
> On Wed, 06 Jul 2011 08:03:36 -0700, Jeff Liebermann <jeffl@cruzio.com>
> wrote:
>
>>>Could anyone tell me if there exists a router that is
>>>invulnerable to the wifi deauth attack please? Just a basic
>>>ADSL home user here in the UK. Thanks for any info.
>>>--Will.

>
> I forgot to mention a defense that mostly works. Use WPA-RADIUS
> encryption and authentication. With a shared WPA-PSK key, every
> client gets the same key. Eventually, that can be recovered. With
> RADIUS, the key is generated automatically by the RADIUS server, and
> only used once per session. No way to recover or replay that type of
> key exchange. The problem is that you need a RADIUS server, which is
> usually found in the form of a PC running probably FreeRADIUS:
> <http://freeradius.org>
> This is probably more than what you want to deal with, but may be
> practical with a sufficiently small server. There are also various
> free and for pay online RADIUS server services. For example:
> <http://www.nowiressecurity.com/service.htm>
>
> Unfortunately, it will not prevent the deauth attack from initiating a
> disconnect. As long as the attack continues, your client is useless.
>
> --
> Jeff Liebermann jeffl@cruzio.com
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558




  #6 (permalink)  
Old 07-07-2011, 05:50 AM
Desireless
Guest
 
Posts: n/a
Default Re: Deauth


"Aaron Leonard" <Aaron@Cisco.COM> wrote in message
news:5eb917tldjlhojdfquaiuodt1p3jtfbk66@4ax.com...
> >Hello all,
>>
>>Could anyone tell me if there exists a router that is
>>invulnerable to the wifi deauth attack please? Just a basic
>>ADSL home user here in the UK. Thanks for any info.
>>
>>--Will.

>
> 802.11w is the spec that addresses such a concern, but I
> don't know whether there exist any actual commercially
> available implementations. We support a prestandard scheme
> (MFP, Management Frame Protection); it requires a Cisco
> Aironet AP and a client that supports CCXv5 (of which there
> are few.)
>
> http://en.wikipedia.org/wiki/IEEE_802.11w-2009
>
> http://www.cisco.com/en/US/docs/solu...html#wp1307443
>
> All that said, if a radio near your AP wants to DoS it, it's pretty
> trivial for it just to jam your channel; 802.11w/MFP won't be able
> to save you from that.
>
> Aaron


Ah yes, I should have mentioned that I'd read about 802.11w
previously. For the record, this house is running Ubuntu, XP Pro
and an Amiga 1200 BBS (!) - all cabled together with my Netgear
DGN2200 - ideally I would have a hassle-free wireless connection
to my mother who is literally over the road, but in the past
we have had issues with Aireplay-kiddies in the neighbourhood. Truly
random and annoying. At worst I'll run CAT5e across the main road heh.




  #7 (permalink)  
Old 07-09-2011, 11:16 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: Deauth

On Sat, 9 Jul 2011 20:48:03 +0000 (UTC), uknowwho
<uknowwho@Use-Author-Supplied-Address.invalid> wrote:

>How difficult would it be to trace the location of these
>deauth. attacks?


Very difficult and probably impossible. If the attacker has bothered
to spoof their MAC address, nothing of value can be found by sniffing.
If the attacker is lazy, and uses their real MAC source address, it
might be possible to identify the maker and model of the device.

However, a deauth and arping attack generates quite a bit of traffic
from the client. That makes it very easy to trace with direction
finding.

>Can it be done with backtrack associated
>tools


Nope. Backtrack is a badly named Linux live CD that does many things,
but little to help trace the source of attacks.

>or would you need special hardware?


If you mean for direction finding, yes. A big dish, step attenuator,
and a really well shielded radio. For sniffing, anything that does
promiscuous or monitor modes will work. Forget about doing anything
useful with Windoze.

>I notice netstumbler
>has a provision for GPS location, is that of any help in such
>a trace?


No. The attacker would need to voluntarily broadcast their position
in order for that to be effective. I doubt anyone is dumb enough to
do that, although it might be possible by accident.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

  #8 (permalink)  
Old 07-11-2011, 06:23 PM
alexd
Guest
 
Posts: n/a
Default Re: Deauth

Meanwhile, at the alt.internet.wireless Job Justification Hearings,
Desireless chose the tried and tested strategy of:

> ideally I would have a hassle-free wireless connection
> to my mother who is literally over the road, but in the past
> we have had issues with Aireplay-kiddies in the neighbourhood. Truly
> random and annoying. At worst I'll run CAT5e across the main road heh.


You could consider 5GHz [11a] - that might put off some kiddies. Also, if
it's just the backhaul you're worried about, use non-wifi wireless, like
Ubiquiti Airmax, eg pair of Nanostation Loco M5s, £66 a pop:

http://www.msdist.co.uk/product_LOCOM5.php

They can also be used in Wifi mode if the non-wifi mode doesn't suit.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
19:04:19 up 19 days, 20:46, 7 users, load average: 0.23, 0.48, 0.49
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King


  #9 (permalink)  
Old 07-12-2011, 07:41 AM
Desireless
Guest
 
Posts: n/a
Default Re: Deauth


"alexd" <troffasky@hotmail.com> wrote in message
news:2489939.toPGYDa6EJ@ale.cx...
> Meanwhile, at the alt.internet.wireless Job Justification Hearings,
> Desireless chose the tried and tested strategy of:
>
>> ideally I would have a hassle-free wireless connection
>> to my mother who is literally over the road, but in the past
>> we have had issues with Aireplay-kiddies in the neighbourhood. Truly
>> random and annoying. At worst I'll run CAT5e across the main road heh.

>
> You could consider 5GHz [11a] - that might put off some kiddies. Also, if
> it's just the backhaul you're worried about, use non-wifi wireless, like
> Ubiquiti Airmax, eg pair of Nanostation Loco M5s, £66 a pop:
>
> http://www.msdist.co.uk/product_LOCOM5.php
>
> They can also be used in Wifi mode if the non-wifi mode doesn't suit.
>
> --
> <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
> 19:04:19 up 19 days, 20:46, 7 users, load average: 0.23, 0.48, 0.49
> "People believe any quote they read on the internet
> if it fits their preconceived notions." - Martin Luther King


Sorry for the delay in replying. To answer the original post,
we have two blocks of flats close by and think that's where it
originates from - which really is the pain in the buttocks.

Why is 5GHz better? Or please direct me to a webpage to study :)



  #10 (permalink)  
Old 07-12-2011, 09:43 PM
alexd
Guest
 
Posts: n/a
Default Re: Deauth

Meanwhile, at the alt.internet.wireless Job Justification Hearings,
Desireless chose the tried and tested strategy of:

> Why is 5GHz better? Or please direct me to a webpage to study :)


Merely on the basis of security by obscurity, as 5GHz kit is less common
than 2.4GHz - your tormentors may only have 2.4GHz adaptors. Range is worse
- they may not be able to reach you. There is more bandwidth available at
2.4GHz than 5GHz, too.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
22:41:19 up 21 days, 23 min, 7 users, load average: 0.13, 0.12, 0.13
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King


  #11 (permalink)  
Old 07-15-2011, 08:34 PM
Axel Hammerschmidt
Guest
 
Posts: n/a
Default Re: Deauth

Jeff Liebermann <jeffl@cruzio.com> wrote:

<snip>

> Forget about doing anything useful with Windoze.


NDIS 6.x (Windows Vista/7) and MS Network Monitor 3.4 is quite useful.

Supports Monitor Mode.

http://en.wikipedia.org/wiki/Promiscuous_mode

http://en.wikipedia.org/wiki/Monitor_mode

