Are these deauth & disassoc attacks going through my network or what?

asked 2021-03-06 09:33:37 +0000

Background

I haven't changed my router pw for a long time and one day my PC couldn't connect. Although it turned out to be the VPN's issue, I wanted to strengthen the security of my network. I changed my router pw and the router's admin pw, and added MAC address filtering to allow only my devices to connect. Now I want to set up a monitoring laptop to display any incoming wireless connection attempts against my network.

So I set up an old Acer netbook and installed Lubuntu 20.04 and Wireshark on it.

Acer Netbook

  1. Connected to my router wirelessly
  2. Turned on monitoring mode of the network card

Filter Applied

wlan type mgt and (subtype deauth or subtype disassoc)

Question

When I applied the second filter to check out anything sus with my router's MAC address, I saw nothing. But when I removed the router MAC address filter, I got tens of thousands of mainly deauth attacks and some disassoc attacks. Are they going through my network as a part of a larger attack? Should I be worried?

Wireshark file I saved after letting it run overnight.

I am quite a noob myself regarding networking and Wireshark, please help. Thanks.


Comments

An unfiltered capture would be preferred for analyzing these types of issues; there are a lot of deauths but it is over 5 hours and most are retries. Are these real clients? Are there TP-Link APs around? The same sequence number for most of these would seem to be unusual. What do the beacons look like?

More context could be helpful.

Bob Jones ( 2021-03-06 21:48:29 +0000 )

There are no TP-Link APs within my network. In fact, both the source and destination MAC address cannot be found among the devices in my network.

Could this be an attack that just happened to be within range for the network card to detect? Because when I turned on the monitor mode, I was disconnected from my router.

networknoob ( 2021-03-07 00:45:47 +0000 )

WiFi is a shared medium, so you see everything around you. Are these deauth() and disassoc() frames sent to any of your clients or APs? If not, I would guess not much to worry about.

Bob Jones ( 2021-03-07 12:36:25 +0000 )
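
The check suggested in the last comment (are the deauth/disassoc frames addressed to any of your own clients or APs?), written out as an added example that is not part of the original thread. It parses monitor-mode frames (radiotap header followed by the 802.11 header) and splits them by whether any address field names one of your devices; all MAC addresses and sample frames are constructed, and `parse_mgmt`, `triage` and `build` are hypothetical helper names.

```python
import struct

SUBTYPES = {10: "disassoc", 12: "deauth"}   # 802.11 management subtypes of interest
RT = bytes.fromhex("0000080000000000")       # minimal 8-byte radiotap header (constructed)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(pkt):
    """Parse radiotap + 802.11; return a dict for deauth/disassoc frames, else None."""
    if len(pkt) < 4:
        return None
    rt_len = struct.unpack_from("<H", pkt, 2)[0]    # radiotap length, little-endian
    f = pkt[rt_len:]
    if len(f) < 26:                                 # 24-byte MAC header + 2-byte reason
        return None
    ftype, subtype = (f[0] >> 2) & 0x3, f[0] >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    seq_ctrl, reason = struct.unpack_from("<HH", f, 22)
    if f[1] & 0x40:                                 # protected (802.11w): body is encrypted
        reason = None
    return {"kind": SUBTYPES[subtype], "retry": bool(f[1] & 0x08),
            "dst": mac(f[4:10]), "src": mac(f[10:16]), "bssid": mac(f[16:22]),
            "seq": seq_ctrl >> 4, "reason": reason}

def triage(packets, own_macs):
    """Split deauth/disassoc frames into those naming one of our devices and the rest."""
    mine, other = [], []
    for p in packets:
        info = parse_mgmt(p)
        if info:
            hit = {info["dst"], info["src"], info["bssid"]} & own_macs
            (mine if hit else other).append(info)
    return mine, other

def build(fc0, flags, dst, src, bssid, seq, reason):   # constructed sample frames only
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (RT + bytes([fc0, flags]) + b"\x00\x00" + h(dst) + h(src) + h(bssid)
            + struct.pack("<HH", seq << 4, reason))

OWN = {"02:00:00:00:00:01", "02:00:00:00:00:02"}    # constructed: my AP and my client
NEIGH_AP = "02:bb:00:00:00:20"                      # constructed: someone else's AP
SAMPLES = [
    build(0xC0, 0x08, "02:bb:00:00:00:10", NEIGH_AP, NEIGH_AP, 7, 3),   # neighbour deauth, retry
    build(0xC0, 0x00, "02:00:00:00:00:02", "02:00:00:00:00:01", "02:00:00:00:00:01", 100, 7),
    build(0xA0, 0x00, "02:bb:00:00:00:11", NEIGH_AP, NEIGH_AP, 8, 8),   # neighbour disassoc
    build(0x80, 0x00, "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", "02:00:00:00:00:01", 9, 0),  # beacon
]
```

A frame landing in the first list only means it is addressed to or claims to come from one of your devices; without 802.11w these frames are unauthenticated, so the source address alone does not identify the sender.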