Identifying a Deauthentication attack on a wifi network


At one of our locations we occupy the top 3 floors of a multi-tenant building. We had suffered massive user disconnections on one of our floors at this location, and our wifi monitoring software was reporting the following alert: “AP AP_NAME is being contained. This is due to rogue device spoofing or targeting AP ‘AP_NAME‘ on ‘802.11b/g’ radio”.

The problem was intermittent and the targeted AP kept changing. The issue was recurring every couple of hours and was always targeting APs on the lowest floor.

Here are the troubleshooting steps that were taken to identify the source of the problem: first to validate that our infrastructure was not the problem, and finally to identify the offender.

Identify the problem

Capture packets using your favorite packet sniffer while the issue is occurring. In our case we used Wireshark on a MacBook with the embedded wifi card in monitor mode, and we captured the traffic on the same channel as the AP that was getting attacked. To see only deauthentication packets, the display filter wlan.fc.type_subtype == 12 was used.




From the capture, we could see that the deauthentication packets were sent to the broadcast address from the AP BSSID.

Identify the source

To identify the source, we simply shut down the access point that was being spoofed while the attack was ongoing, to see whether it would stop the flood or not. In our case the flood continued for a couple of minutes and then stopped. As soon as we restarted the access point, the deauthentication packet flood restarted.

Since the source MAC address of the traffic was spoofed to mimic our infrastructure, we could not rely on it to identify the attacker or misbehaving neighbour. But since all APs on the floor were hit randomly at various times of the day, we started to suspect that one of the other tenants was containing us. We then started a wifi scanning tool (i.e. MetaGeek inSSIDer) to see which SSIDs could be heard from our location, and using the BSSID we could identify the manufacturer of each access point. We ruled out all non-managed access points (i.e. Linksys, Netgear), as we were looking for an enterprise-grade wifi system that has rogue detection (and containment) capability.

Luckily, only 2 were enterprise grade. Using the broadcast SSID, we could identify the owner, and we contacted them to validate whether they were containing our wifi network. We were able to find the containment source, and the problem has been solved since then.

Fortunately, the system that was containing us was located in our building; it could have been across the street or in any nearby location. In that case, a directional antenna might have been used to locate the source of the deauthentication flood, but since I have never attempted this kind of localisation, I can’t guarantee whether it works or not.
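The capture filter above (wlan.fc.type_subtype == 12) and the broadcast-destination/spoofed-BSSID pattern can be turned into a small offline check. The following is an added example, not part of the original post: it parses bare 802.11 MAC headers, keeps only deauthentication frames sent to broadcast with one of our own BSSIDs as source, and also reports how far their sequence numbers sit from the AP's last beacon (a containment device runs its own sequence counter, so the gap is large for frames the real AP never sent). The BSSID, frames and threshold are constructed sample values.

```python
import struct
from collections import Counter, defaultdict
DEAUTH = 12                     # wlan.fc.type_subtype value for a deauthentication frame
BEACON = 8                      # wlan.fc.type_subtype value for a beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Parse a bare 802.11 MAC header (no radiotap); None for truncated frames."""
    if len(raw) < 24:
        return None
    fc = raw[0]                                         # frame control, low byte
    frame = {
        "type_subtype": (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF),
        "da": _mac(raw[4:10]), "sa": _mac(raw[10:16]), "bssid": _mac(raw[16:22]),
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,  # 12-bit sequence number
        "reason": None,
    }
    if frame["type_subtype"] == DEAUTH and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]   # deauth reason code
    return frame

def build_frame(type_subtype, da, sa, bssid, seq, body=b""):
    """Constructed sample frame (not captured traffic) for exercising the parser."""
    fc0 = (((type_subtype >> 4) & 0x3) << 2) | ((type_subtype & 0xF) << 4)
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (da, sa, bssid))
    return bytes([fc0, 0]) + b"\x00\x00" + addrs + struct.pack("<H", seq << 4) + body

def find_containment(frames, own_bssids, threshold=5):
    """Flag our BSSIDs that appear as source of a broadcast deauth flood. Also report
    how far the deauth sequence numbers sit from the AP's last beacon: a spoofing
    device runs its own counter, so the gap is large for frames the AP never sent."""
    deauths, beacon_seq, seq_gap = Counter(), {}, defaultdict(list)
    for f in filter(None, map(parse_frame, frames)):
        if f["type_subtype"] == BEACON:
            beacon_seq[f["bssid"]] = f["seq"]
        elif f["type_subtype"] == DEAUTH and f["da"] == BROADCAST and f["sa"] in own_bssids:
            deauths[f["sa"]] += 1
            if f["sa"] in beacon_seq:
                seq_gap[f["sa"]].append((f["seq"] - beacon_seq[f["sa"]]) % 4096)
    return {b: {"deauths": n, "max_seq_gap": max(seq_gap[b], default=0)}
            for b, n in deauths.items() if n >= threshold}

OUR_AP = "00:11:22:33:44:55"    # constructed BSSID standing in for AP_NAME
SAMPLE = [build_frame(BEACON, BROADCAST, OUR_AP, OUR_AP, 1000)]
SAMPLE += [build_frame(DEAUTH, BROADCAST, OUR_AP, OUR_AP, 37 + i, struct.pack("<H", 7))
           for i in range(20)]  # constructed flood; its counter is far from the beacon's
```

On real data, feed it the raw 802.11 frames from the monitor-mode capture (with the radiotap header stripped) and the list of BSSIDs your controller owns.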



All products mentioned were the ones used at the time to troubleshoot the issue; I mention them as a possible solution, but you can and should use whatever tools you are most proficient with.







Posted in networking, WIFI

Cisco Live US 2016 CAE scoop

April has begun and, even if we are still getting snow up here in Montreal, the time has come to get some CLUS scoop for the 2016 event, which will be held at the Mandalay Bay in fabulous Las Vegas on July 10-14.

Posted in networking

Tools to validate your BGP advertisement on the internet

Following a BGP advertisement hiccup we experienced last week, we had to explain why it took up to 10 minutes before the situation came back to normal, as some parts of the Internet were unable to reach our services. Looking at the logs and traffic patterns, we were able to determine and validate that the traffic had swung to the alternate links, but we were unable to explain why it took so long for the whole Internet to converge. Since a BGP looking glass shows the current state of the BGP table, this tool is useless when it is time to review and do a post mortem (especially when you were not involved when the problem occurred and have to explain what went wrong).

The following are some tools that we put in place to monitor our Internet presence and hopefully keep a history of the state of our advertisements.

BGPMON: this tool allows you to validate the prefixes advertised by your AS and to validate the upstream AS. This is useful to confirm that your prefixes are not advertised by anyone other than the authorised source.

THOUSANDEYES: ThousandEyes monitors your prefixes from points of presence spread across the globe, reports the path and keeps historical data (YEAH). In the case of a longer prefix advertisement, the historical data is kept for 24 hours after the last advertisement. This gives time to take some screenshots for the post mortem, but I would have liked the historical data to be kept for longer. ThousandEyes also offers the reverse option: you can BGP peer with them and see how you reach the Internet. We have not tried this option yet.

Both sites offer a limited free edition, and of course you can subscribe for a monthly fee that allows you to perform more tests.

For more details about ThousandEyes, they sponsored a podcast with the Packet Pushers, show 24. ThousandEyes also offers a free trial of their products as well as a free service.

For more details on BGPMON, go to their website, where you can create free tests for up to 5 prefixes.


Disclaimer: I did not get any advantage from either company. I have just set them up, find both useful, and hope to save others the pain I went through to figure out what happened.

Posted in networking

Ciscolive 2015 Recap

Another Cisco Live is in the bag, and I had a great time.



Posted in networking

Ciscolive 2015 is on

Ciscolive day 1 recap.

After a 9-hour trip, flying from the east coast, I was finally in San Diego for Cisco Live. I was watching the Twitter feed with curiosity and was already happy to read many comments from old friends.


Posted in networking

Going back to Ciscolive

I’m finally registered for CiscoLive 2015, which means that I will have attended 7 of the last 8 editions. I could not make it last year, since my employer’s policy for conferences states that you must have worked there at least 1 year, and I was short by a couple of months.

I look forward to going back for the following.

1. Reconnect with my Ciscolive friends.

What started as a table that @networkingnerd hijacked in front of the WOS a couple of years ago has kind of exploded into that big thing. The Cisco Social Media Lounge is where I hang out between sessions. This is the place where most of the socially active (Twitter) attendees hang around. At the 2013 conference, I was sitting right beside Greg Ferro and Ethan Banks from the Packet Pushers. Call me a fanboy, but I was impressed and pleased to meet them in person. During this conference, I had the opportunity to meet a lot of knowledgeable engineers that I can poke when I have questions.

2. Breakout sessions

This is the reason why you must attend: you have the choice of technology, geekiness level and depth. Aside from some marketing slides, the presentations are technical. If you have the chance to attend a troubleshooting session with Denise Fishburne, do not miss it. You may get lost in the technical depth, but these are the sessions that I always go back to when I’m troubleshooting issues.

3. World of Solutions

Well, this is the place to get swag and email for the next year or so, but besides that, you will find everything that you might require to complete your network. Take the time to talk with the booth staff; they might provide you with a solution to a problem that you have, or did not know you had.

4. Party and Customer Appreciation Events.

Do not plan on sleeping much during the week; there is always something to do, and do not miss the CAE. This year the featured band is Aerosmith; it can’t get more WOW than this. The CAE is always a fun party, with a lot of food, drinks and good music.

Hope to see you there. I look forward to reconnecting with all my CiscoLive tweeps.

Posted in networking

Ciscolive know before you go (revisited)

Updated to reflect Cisco Live 2015.

My 2 cents

These are my tips for CiscoLive newbies. They have been learned from my mistakes and previous experience at the conference.

Take an orientation tour of the facilities after registering

The conference centers are usually huge, so I recommend that you walk around after your registration to locate where the meals will be served, the World of Solutions and, if you are taking a test, the test center, etc.

There are also conference hosts who wear the same t-shirt; they are there to help you find where you need to go. Don’t be afraid to ask for directions; they might save you a lot of walking and being late for sessions.

I also like to walk and try to avoid the shuttle as much as possible, so I always try to find the shortest and easiest path to my hotel. This gives me extra minutes of sleep.

TIP: Do not be afraid to…

