
WPS connection

Detect simultaneous 5 GHz flooding attack and WPS attack

For context, this is in the aftermath of a successful attack by a neighbour on my WiFi, 4 days back. I then changed the password, and it seems this neighbour was making another attempt to get in.

I noticed when all my 5 GHz devices lost connection at once. Because of the previous hack I had set up Wireshark promiscuous monitoring on a MacBook and was inspecting it when I noticed the WPS light on my router was blinking.

On the Tenda AC10 router, this indicates that WPS negotiation is occurring - even though I had disabled WPS at the time of router install itself!

Regardless, I'm trying to run a display filter in Wireshark to show only WPS packets, as well as one to identify the packets responsible for the floods - I don't know the nature of the flood attack yet. Looking for auth/deauth frames hasn't yielded a high enough number to be convincing. Additionally, despite using the "WPS" tag I didn't see any WPS frames - perhaps I need to use a different tag.

Please inspect the file linked below and let me know if you can spot where and using what filters the flood and WPS attack can be detected. A WPS attack is the ONLY plausible theory, since under no other circumstances (as per the manual) will the WPS light on the Tenda AC10 blink slowly.

https://drive.google.com/file/d/17YpS-gL-JTf1EUuVjSQRb-j3CIQdbfo7/view?usp=drivesdk

The router addresses are:

1. 04:95:E6:6A:2B:95 - 5 GHz interface at router
2. 04:95:E6:6A:2B:91 - 2.4 GHz interface
3. 04:95:E6:6A:2B:90 - Ethernet interface, which often interacts with other devices through the 2.4 GHz and 5 GHz interfaces

There are no "rogue" devices connected to the router yet. I could list the legitimate devices here but that only would make this post even longer.

Are there any patterns in the pcap file that correspond to a WPS attack against the router?

Or some kind of flooding attack against 5 GHz devices? Their MAC addresses are 8C:3B:AD:34:A2:81 and A0:3B:E3:E8:F7:81 respectively.

I'm hopping between Channel 4 and Channel 40 in order to cover both my 2.4 GHz and 5 GHz networks. That might reduce my packet count, but considering the apparent WPS attack went on for a good half hour, and so did the DoS against the 5 GHz devices, there should be enough packets overall to compensate.
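Added example, not part of the original post and not run against the linked capture: a standard-library Python script that does offline what the two display filters the poster is after would do in Wireshark. It counts deauthentication/disassociation frames per transmitter per second (Wireshark: `wlan.fc.type_subtype == 0x0c || wlan.fc.type_subtype == 0x0a`) and decodes the EAP-WSC messages that a WPS registration carries inside EAPOL data frames (Wireshark: `wps`, or `eap.type == 254`; display-filter names are lowercase, so `WPS` matches nothing). The sample capture at the bottom is constructed: it reuses the router's 5 GHz BSSID and one client address from the post, while the rogue station 02:00:00:00:00:01, the timestamps and the frame contents are made up for the demonstration.

```python
"""Scan a monitor-mode pcap for deauth/disassoc floods and EAP-WSC (WPS) exchanges.
Standard library only. The sample capture built by build_sample_pcap() is constructed."""
import struct
import sys
from collections import Counter, defaultdict

LINKTYPE_RADIOTAP = 127                        # link type Wireshark/tcpdump write in monitor mode
MGMT, DATA = 0, 2
DEAUTH, DISASSOC = 12, 10                      # Wireshark: wlan.fc.type_subtype == 0x0c / 0x0a
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")
WFA_VENDOR_ID, WSC_VENDOR_TYPE = 0x00372A, 1   # EAP expanded type 254 + WFA vendor id/type
WSC_OPCODES = {1: "WSC_Start", 2: "WSC_ACK", 3: "WSC_NACK", 4: "WSC_MSG", 5: "WSC_Done", 6: "WSC_FRAG_ACK"}
WSC_MSG_TYPES = {0x04: "M1", 0x05: "M2", 0x06: "M2D", 0x07: "M3", 0x08: "M4", 0x09: "M5",
                 0x0A: "M6", 0x0B: "M7", 0x0C: "M8", 0x0D: "WSC_ACK", 0x0E: "WSC_NACK", 0x0F: "WSC_DONE"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def pcap_records(data):
    """Yield (timestamp, packet bytes) from a classic little-endian pcap with radiotap link type."""
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a classic little-endian pcap (re-save from Wireshark if needed)")
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError(f"linktype {linktype}: management frames only appear in a monitor-mode capture")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def wsc_from_data_frame(frame):
    """Return (opcode, message type) if an 802.11 data frame carries EAP-WSC, else None."""
    fc0, fc1 = frame[0], frame[1]
    hdr = 24 + (2 if fc0 & 0x80 else 0) + (6 if fc1 & 0x03 == 0x03 else 0)  # QoS / 4-address
    body = frame[hdr:]
    if len(body) < 12 or not body.startswith(LLC_SNAP_EAPOL) or body[9] != 0:  # EAPOL type 0 = EAP
        return None
    eap = body[12:]
    if len(eap) < 14 or eap[4] != 254:
        return None
    vendor_id, vendor_type = int.from_bytes(eap[5:8], "big"), int.from_bytes(eap[8:12], "big")
    if (vendor_id, vendor_type) != (WFA_VENDOR_ID, WSC_VENDOR_TYPE):
        return None
    opcode, tlvs, msg_type = eap[12], eap[14:], None
    while len(tlvs) >= 4:                      # WSC attributes are TLVs: id(2) len(2) value
        attr, length = struct.unpack_from(">HH", tlvs, 0)
        if attr == 0x1022 and length == 1:     # Message Type attribute: M1..M8, ACK, NACK, Done
            msg_type = WSC_MSG_TYPES.get(tlvs[4], hex(tlvs[4]))
        tlvs = tlvs[4 + length:]
    return WSC_OPCODES.get(opcode, hex(opcode)), msg_type


def analyse(pcap_bytes, flood_threshold=20):
    """Summarise deauth/disassoc senders (peak frames per second) and WSC message flows.
    A spoofed flood carries the AP's own MAC as transmitter, so the rate is the tell, not the address."""
    per_second, by_src, wsc = Counter(), Counter(), defaultdict(list)
    for ts, pkt in pcap_records(pcap_bytes):
        rt_len = struct.unpack_from("<H", pkt, 2)[0]       # radiotap header length
        f = pkt[rt_len:]
        if len(f) < 24:
            continue
        ftype, subtype = (f[0] >> 2) & 3, f[0] >> 4
        receiver, transmitter = mac(f[4:10]), mac(f[10:16])
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            by_src[transmitter] += 1
            per_second[(int(ts), transmitter)] += 1
        elif ftype == DATA:
            hit = wsc_from_data_frame(f)
            if hit:
                wsc[(transmitter, receiver)].append(hit)
    peak = Counter()
    for (_, src), n in per_second.items():
        peak[src] = max(peak[src], n)
    floods = {src: n for src, n in peak.items() if n >= flood_threshold}
    return {"deauth_by_src": dict(by_src), "flood_sources": floods, "wsc": dict(wsc)}


# ---- constructed sample capture (not the poster's pcap; addresses partly borrowed from the post) ----
def _frame(fc0, fc1, a1, a2, a3, body):
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])            # minimal 8-byte radiotap header
    return radiotap + bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + body


def _eap_wsc(fc1, a1, a2, a3, code, msg_type):
    wsc = bytes([4, 0]) + struct.pack(">HHB", 0x1022, 1, msg_type)   # opcode WSC_MSG + Message Type TLV
    eap = (bytes([code, 1]) + struct.pack(">H", 12 + len(wsc)) + bytes([254])
           + WFA_VENDOR_ID.to_bytes(3, "big") + WSC_VENDOR_TYPE.to_bytes(4, "big") + wsc)
    eapol = bytes([2, 0]) + struct.pack(">H", len(eap)) + eap
    return _frame(0x08, fc1, a1, a2, a3, LLC_SNAP_EAPOL + eapol)


def build_sample_pcap():
    ap, sta, rogue = (bytes.fromhex(h) for h in ("0495e66a2b95", "8c3bad34a281", "020000000001"))
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP))

    def add(ts, frame):
        out.extend(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame)

    for i in range(60):   # 60 deauths to the client within one second, spoofed as sent by the AP
        add(1700000000 + i * 0.01, _frame(DEAUTH << 4, 0, sta, ap, ap, b"\x07\x00"))
    add(1700000002.0, _frame(DEAUTH << 4, 0, ap, sta, ap, b"\x03\x00"))   # one client-initiated deauth
    add(1700000003.0, _eap_wsc(0x01, ap, rogue, ap, 2, 0x04))   # ToDS: rogue -> AP, WSC M1
    add(1700000003.2, _eap_wsc(0x02, rogue, ap, ap, 1, 0x05))   # FromDS: AP -> rogue, WSC M2
    return bytes(out)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in analyse(data).items():
        print(key, value)
```

Run it as `python3 scan.py capture.pcap` (pcapng must be re-saved as pcap first). Two of its checks matter for a capture like the one described in the post: it refuses any file whose link type is not 802.11 plus radiotap, because a promiscuous capture of a Wi-Fi interface that stays in station mode only yields Ethernet-framed data frames and never shows management frames or EAPOL handshakes, so neither a deauth flood nor a WPS registration can be found in it; and it reports the flood by peak rate per transmitter rather than by address alone, since the frames in a spoofed deauth flood name the AP's own BSSID as transmitter.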
