Detect simultaneous 5 GHz flooding attack and WPS attack

asked 2019-11-15 05:52:24 +0000

Kanchen

updated 2019-11-15 05:53:04 +0000


For context, this is in the aftermath of a successful attack by a neighbour on my WiFi, 4 days back. I then changed the password, and it seems this neighbour was making another attempt to get in.

I noticed when all my 5 GHz devices lost connection at once. Because of the previous hack I had set up Wireshark promiscuous monitoring on a MacBook and was inspecting it when I noticed the WPS light on my router was blinking.

On the Tenda AC10 router, this indicates that WPS negotiation is occurring - even though I had disabled WPS at the time of router install itself!

Regardless, I'm trying to run a display filter in Wireshark to show only WPS packets, as well as one to identify the packets responsible for the floods - I don't know the nature of the flood attack yet. Looking for auth/deauth frames hasn't yielded a high enough number to be convincing. Additionally, despite using the "WPS" tag I didn't see any WPS frames - perhaps I need to use a different tag.

Please inspect the file linked below and let me know if you can spot where and using what filters the flood and WPS attack can be detected. A WPS attack is the ONLY plausible theory, since under no other circumstances (as per the manual) will the WPS light on the Tenda AC10 blink slowly.

https://drive.google.com/file/d/17YpS...

The router addresses are:

1. 04:95:E6:6A:2B:95 - 5 GHz interface at the router
2. 04:95:E6:6A:2B:91 - 2.4 GHz interface
3. 04:95:E6:6A:2B:90 - Ethernet interface, which often interacts with other devices through the 2.4 GHz and 5 GHz interfaces

There are no "rogue" devices connected to the router yet. I could list the legitimate devices here but that only would make this post even longer.

Are there any patterns in the pcap file that correspond to a WPS attack against the router?

Or some kind of flooding attack against 5 GHz devices? Their MAC addresses are 8C:3B:AD:34:A2:81 and A0:3B:E3:E8:F7:81 respectively.

I'm hopping between Channel 4 and Channel 40 in order to cover both my 2.4 and 5 GHz networks. That might reduce my packet count, but considering the apparent WPS attack went on for a good half hour, and so did the DoS against the 5 GHz devices, there should be enough packets overall to compensate.
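The two indicators the question asks about (a burst of deauthentication frames naming the router's BSSID, and EAP frames carrying the Wi-Fi Alliance WSC expanded type that WPS uses) can be checked programmatically over a monitor-mode capture. The script below is an added example, not code from the asker or from Wireshark; it assumes radiotap-framed 802.11 frames as stored in a monitor-mode pcap, reuses the router and client MACs from the post, and runs on constructed sample frames rather than the linked capture.

```python
import struct
from collections import deque

WFA_OUI, WSC_TYPE = b"\x00\x37\x2a", 1   # Wi-Fi Alliance OUI; vendor type 1 = Simple Config (WPS)
LLC_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header announcing EAPOL (0x888E)

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_frame(pkt):
    """Type/subtype, addresses and WPS flag for one radiotap-framed 802.11 frame."""
    wlan = pkt[struct.unpack_from("<H", pkt, 2)[0]:]   # radiotap length sits at offset 2
    fc = wlan[0]
    info = {"type": (fc >> 2) & 3, "subtype": fc >> 4, "wps": False,
            "addr1": mac(wlan[4:10]), "addr2": mac(wlan[10:16]), "addr3": mac(wlan[16:22])}
    body = wlan[24:]                                    # non-QoS MAC header is 24 bytes
    if info["type"] == 2 and body[:8] == LLC_EAPOL:     # data frame carrying EAPOL
        eap = body[12:]                                 # skip 4-byte EAPOL header
        # EAP: code, id, length(2), type; type 254 = expanded -> OUI(3) + vendor type(4)
        if len(eap) >= 12 and eap[4] == 254 and eap[5:8] == WFA_OUI \
                and struct.unpack_from(">I", eap, 8)[0] == WSC_TYPE:
            info["wps"] = True
    return info

def analyze(frames, bssid, window=1.0):
    """frames: (timestamp, radiotap bytes). Peak deauth count per window and WPS frame count."""
    recent, peak, wps = deque(), 0, 0
    for ts, pkt in sorted(frames):
        f = parse_frame(pkt)
        if f["type"] == 0 and f["subtype"] == 12 and bssid in (f["addr2"], f["addr3"]):
            recent.append(ts)                           # deauth naming this BSSID
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if f["wps"] and bssid in (f["addr1"], f["addr2"], f["addr3"]):
            wps += 1
    return {"peak_deauth_per_window": peak, "wps_frames": wps}

def make_frame(fc0, a1, a2, a3, body=b""):
    """Constructed radiotap (8 bytes, no fields) + 802.11 frame for testing."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    return struct.pack("<BBHI", 0, 0, 8, 0) + bytes([fc0, 0, 0, 0]) + addrs + b"\x00\x00" + body

# Constructed sample: 40 deauths carrying the router's 5 GHz BSSID at 16/s, then one WSC_Start.
AP, STA = "04:95:E6:6A:2B:95", "8C:3B:AD:34:A2:81"
WSC_START = LLC_EAPOL + b"\x01\x00\x00\x0e\x01\x01\x00\x0e\xfe" + WFA_OUI + b"\x00\x00\x00\x01\x01\x00"
SAMPLE = [(i / 16, make_frame(0xC0, STA, AP, AP, b"\x07\x00")) for i in range(40)]
SAMPLE.append((5.0, make_frame(0x08, STA, AP, AP, WSC_START)))
```

The same two indicators correspond in Wireshark to the display filters `wlan.fc.type_subtype == 0x0c` (deauthentication) and `eap.type == 254` (expanded EAP type, which the `wps` dissector decodes further); a sustained per-second deauth count far above normal roaming is the signature to look for.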
