Our client informed us about a roaming issue at one access point. The problem was only in the 5 GHz frequency band.
Troubleshooting
I took a look at the log file and found that the client device had tried to connect to the AP many times, but all attempts were unsuccessful. The client was relatively close to the AP, so the issue was not caused by low signal strength.
I did a packet capture to find out the reason for the strange behavior.
The first thing I noticed was a high rate of management frames. The client was constantly trying to connect to the AP. It sent a probe request and went through authentication and association, but after that it sent unexpected Deauthentication and Disassociation frames and broke the connection. After a while the client started trying again. This went on and on indefinitely.
After deeper packet analysis, I noticed that the sequence number of the Deauthentication and Disassociation frames was always zero. In addition, the signal strength of these frames was about 40 dB lower than that of the other frames from this client.
From that, it was clear that the cause of this issue was a DoS attack.
Every time a client tries to connect to the AP, the attacker sends a deauthentication frame with a spoofed source address to the wireless access point.
The next step was to find out who the attacker was. It was not so difficult. I analyzed whose Beacon frames had approximately the same signal level and found the name of the network.
It was the neighboring Wi-Fi network, where this access point was marked as a malefactor.
Conclusion
The frame sequence number is a good indicator to detect fake frames.
The signal strength level can also be used to troubleshoot this problem. But it is difficult to notice the difference when the distance from the sniffer to the client and to the malefactor is about the same.
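Both indicators can be checked automatically over an exported capture. The following is an added example, not part of the original post: the record fields (`src`, `subtype`, `seq`, `rssi`), the 20 dB threshold and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# 802.11 management subtypes: 10 = disassociation, 12 = deauthentication
TEARDOWN_SUBTYPES = {10, 12}

def find_spoofed_teardowns(frames, rssi_gap_db=20):
    """Flag teardown frames that do not match their claimed sender.

    frames: dicts with src (MAC), subtype, seq (12-bit), rssi (dBm).
    The threshold is an assumed value; tune it for the site.
    """
    frames = list(frames)
    # Per-sender RSSI baseline built from that sender's other frames.
    baseline = defaultdict(list)
    for f in frames:
        if f["subtype"] not in TEARDOWN_SUBTYPES:
            baseline[f["src"]].append(f["rssi"])
    findings = []
    for f in frames:
        if f["subtype"] not in TEARDOWN_SUBTYPES:
            continue
        reasons = []
        # One seq=0 can be a legitimate counter wrap; every teardown
        # frame carrying seq=0 is the pattern described in the post.
        if f["seq"] == 0:
            reasons.append("seq=0")
        ref = baseline.get(f["src"])
        if ref:
            gap = abs(median(ref) - f["rssi"])
            if gap >= rssi_gap_db:
                reasons.append(f"rssi off by {gap:.0f} dB")
        if reasons:
            findings.append((f, reasons))
    return findings

# Constructed sample: one client whose teardown frames are forged,
# and a second client that leaves the network normally.
CLIENT, OTHER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    {"src": CLIENT, "subtype": 4,  "seq": 1201, "rssi": -45},  # probe req
    {"src": CLIENT, "subtype": 11, "seq": 1202, "rssi": -44},  # auth
    {"src": CLIENT, "subtype": 0,  "seq": 1203, "rssi": -46},  # assoc req
    {"src": CLIENT, "subtype": 12, "seq": 0,    "rssi": -85},  # deauth
    {"src": CLIENT, "subtype": 10, "seq": 0,    "rssi": -86},  # disassoc
    {"src": OTHER,  "subtype": 4,  "seq": 811,  "rssi": -51},  # probe req
    {"src": OTHER,  "subtype": 12, "seq": 812,  "rssi": -50},  # deauth
]

if __name__ == "__main__":
    for frame, why in find_spoofed_teardowns(SAMPLE_FRAMES):
        print(frame["src"], frame["subtype"], ", ".join(why))
```

As noted above, the RSSI check loses value when the sniffer is about equally distant from the client and the spoofing transmitter, so the two reasons are reported separately.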