At one of our locations we occupy the top 3 floors of a multi-tenant building. We suffered massive user disconnections on one of the floors at this location, and our Wi-Fi monitoring software was reporting the following alert: "AP AP_NAME is being contained. This is due to rogue device spoofing or targeting AP 'AP_NAME' on '802.11b/g' radio".
The problem was intermittent and the targeted AP kept changing. The issue recurred every couple of hours and always targeted APs on the lowest floor.
Here are the troubleshooting steps taken to identify the source of the problem: first to validate that our infrastructure was not the problem, and finally to identify the offender.
Identify the problem
Capture packets using your favourite packet sniffer while the issue is occurring. In our case we used Wireshark on a MacBook with the embedded Wi-Fi card in monitor mode, capturing traffic on the same channel as the AP that was being attacked. To see only deauthentication packets, the display filter wlan.fc.type_subtype == 12 was used.
From the capture we could see that the deauthentication packets were being sent to the broadcast address from the AP's BSSID.
Identify the source
To identify the source, we simply shut down the access point that was being spoofed while the attack was ongoing, to see whether the flood would stop. In our case the flood continued for a couple of minutes and then stopped. As soon as we restarted the access point, the deauthentication packet flood started again.
Since the source MAC address of the traffic was spoofed to mimic our infrastructure, we could not rely on it to identify the attacker or misbehaving neighbour. But since all APs on the floor were hit at random times of the day, we started to suspect that one of the other tenants was containing us. We then ran a Wi-Fi scanning tool (e.g. MetaGeek inSSIDer) to see which SSIDs could be heard from our location. Using the BSSIDs we could identify the manufacturer of each access point, and we ruled out all non-managed access points (e.g. Linksys, Netgear) since we were looking for an enterprise-grade Wi-Fi system with rogue detection (containment) capability.
Luckily, only 2 were enterprise grade. Using the SSIDs being broadcast, we could identify the owners, and we contacted them to validate that they were not containing our Wi-Fi network. We were able to find the containment source and the problem has been solved since.
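The two observations above (broadcast deauthentication frames carrying our AP's BSSID, and a source MAC that cannot be trusted because it is spoofed) can be checked offline against a capture. The following is an added example written for this post, not a tool the author used: it decodes the fixed 802.11 management-frame header, counts broadcast deauthentication frames per BSSID (the same frames the wlan.fc.type_subtype == 12 filter shows), and applies the sequence-number heuristic wireless IDS products use to separate a spoofer's frames from the real AP's. The frames, the BSSID 00:11:22:33:44:55 and the OUI-to-vendor table are all constructed placeholders; in practice the OUI lookup would use the IEEE registry, as inSSIDer does.

```python
"""Added example (not from the original post): parse raw 802.11 management
frames, flag a broadcast deauthentication flood against a BSSID, and apply the
sequence-number heuristic that distinguishes spoofed frames from the real AP.
All frames below are constructed; the OUI table is a constructed placeholder."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12   # the subtype matched by the Wireshark filter wlan.fc.type_subtype == 12

# Constructed placeholder OUI table; use the IEEE OUI registry in practice.
OUI_VENDOR = {
    "00:11:22": "ExampleEnterpriseAP",   # hypothetical enterprise-grade vendor
    "aa:bb:cc": "ExampleHomeRouter",     # hypothetical consumer vendor
}


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def vendor_from_oui(mac):
    """Map the first three octets of a MAC to a vendor name (placeholder table)."""
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Construct a raw 802.11 management frame (no radiotap header)."""
    fc = bytes([(subtype << 4) | (0 << 2), 0x00])      # type 0 = management
    duration = b"\x00\x00"
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    seq_ctrl = ((seq & 0xFFF) << 4).to_bytes(2, "little")  # fragment number 0
    return fc + duration + addrs + seq_ctrl + body


def parse_frame(raw):
    """Decode the fixed MAC header; returns None for anything shorter than 24 bytes."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    frame = {
        "type": (fc >> 2) & 0x3,
        "subtype": fc >> 4,
        "dst": mac_to_str(raw[4:10]),
        "src": mac_to_str(raw[10:16]),
        "bssid": mac_to_str(raw[16:22]),
        "seq": int.from_bytes(raw[22:24], "little") >> 4,   # 12-bit sequence number
    }
    if frame["type"] == 0 and frame["subtype"] == SUBTYPE_DEAUTH and len(raw) >= 26:
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame


def analyse_bssid(raw_frames, bssid, flood_threshold=10, max_seq_step=64):
    """Count broadcast deauths claiming to come from `bssid` and sequence-number jumps.

    A real AP increments its sequence counter by one per frame; frames injected by a
    device spoofing the BSSID carry the spoofer's own counter, so a capture that
    interleaves both shows large jumps. A spoofed source MAC is not evidence of
    origin: this tells you the flood is not your AP, not who is sending it.
    """
    stats = {"broadcast_deauth": 0, "seq_jumps": 0, "reasons": defaultdict(int)}
    last_seq = None
    for raw in raw_frames:
        f = parse_frame(raw)
        if f is None or f["bssid"] != bssid or f["type"] != 0:
            continue
        if last_seq is not None:
            step = (f["seq"] - last_seq) % 4096
            if step == 0 or step > max_seq_step:
                stats["seq_jumps"] += 1
        last_seq = f["seq"]
        if f["subtype"] == SUBTYPE_DEAUTH and f["dst"] == BROADCAST:
            stats["broadcast_deauth"] += 1
            stats["reasons"][f.get("reason")] += 1
    stats["flood"] = stats["broadcast_deauth"] >= flood_threshold
    stats["likely_spoofed"] = stats["flood"] and stats["seq_jumps"] > 0
    return stats


def sample_capture():
    """Constructed capture: the real AP's beacons interleaved with spoofed deauths."""
    ap = "00:11:22:33:44:55"   # constructed BSSID
    frames = []
    for i in range(12):
        if i < 5:   # genuine beacons, sequence numbers 100..104
            frames.append(build_mgmt(SUBTYPE_BEACON, BROADCAST, ap, ap, 100 + i))
        # spoofed deauths carry the spoofer's own counter (3000..3011); reason code 7
        frames.append(build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 3000 + i,
                                 (7).to_bytes(2, "little")))
    return ap, frames


if __name__ == "__main__":
    ap, frames = sample_capture()
    print(vendor_from_oui(ap), dict(analyse_bssid(frames, ap)))
```

On the constructed capture the analysis reports 12 broadcast deauthentications and 9 sequence-number jumps for the BSSID, which is the pattern the post describes: the frames claim to be our AP, but the counter shows a second transmitter. To run this against a real Wireshark capture, strip the radiotap header (its length is in bytes 2 and 3 of each record) before handing the 802.11 payload to parse_frame.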
Fortunately, the system that was containing us was located in our building; it could just as well have been across the street or in any nearby location. In that case a directional antenna might have been used to locate the source of the deauthentication flood, but since I have never attempted this kind of location-finding, I can't guarantee whether it works or not.
All products mentioned were the ones used at the time to troubleshoot the issue; I mention them as one possible solution, and you can and should use whatever tools you are most proficient with.