Mac Address for Device Causing DeAuth Flood?

HappyChap
Hi all, hope you are having a good Christmas.

My fingbox has been detecting Wifi attacks for the last hour or so. According to the alert, it’s detecting a deauthentication flood DoS attack. I live in a very rural area, so my assumption is it’s unlikely to be a malicious attack, particularly because its start coincided with a power outage in the area and my hunch is something legitimately on my network is playing up since power was restored.

I have a couple of questions:

- I have multiple APs, but the alert is for the main router (which also serves as one of the APs). Is the fingbox accurately identifying the flood is hitting that router AP specifically or is it just reporting it against the router AP as the “main” device on the network? (Knowing this could help me “geographically” narrow down the problem device.)
- Secondly, is there anything the fingbox can tell me about the device that is issuing the deauth packets (MAC address, etc.) to help me pin-point what device might have gone rogue?

Any other advice to help me track down the miscreant?

Thanks.

Comments

  • Robin_from_Fing
    Hi @HappyChap

    Depending on your notification configuration, Fingbox will either send you a push notification and/or an email when an attack is detected.

    This alert will tell you what the problem is and then you can either contact ISP or check ways to deal with it.

    For the first 24 hours after the attack is first detected you will also find an alert under the Notifications tab on the Fingbox dashboard.

    After 24 hours if they are not detected again they will be automatically dismissed.

    Ensure that all access points are added to your Fingbox network.
    For de-auth attacks, they are identified when it tries to pass the minimum threshold and if it is on for at least 5 minutes.
    Our Engineers have tested with aircrack several times and the attack was detected and was reported within 5 minutes with an e-mail alert and an ‘event’ in the Fingbox log.
    In order to avoid false alarms, there are minimum thresholds to raise an alarm:
    • minimum duration of attack: 10 seconds
    • minimum deauth packets per second: 30/sec
    Robin (Admin at Fing)
  • HappyChap
    Thanks for your reply @Robin.

    When I look in Wi-Fi Intrusion Protection to verify if all APs are added to the Fingbox network (as you asked), it reports it's protecting 5 APs but doesn't list any details about them (and no option for more information on the 5 it thinks it's protecting, see below screen shot).



    The reason I want to know details on what Fingbox thinks it's protecting is because I only have 4 APs in the network, so it would be helpful to see which APs it thinks it's protecting to identify the rogue. Is there any way to get this information out of Fingbox?

    Secondly, just looping back to my original question, since Fingbox has detected this Wi-Fi Deauth Flood, is there any way for Fingbox to tell me what MAC address is sending out the Deauth packets, so I can identify if it's a known piece of equipment on my network?

    Thanks, David.

  • Robin_from_Fing
    Hi @HappyChap
    Unfortunately, de-auth attacks are done by assuming the MAC address or access point of the device so fingbox doesn't tell you from where the deauth attacks are coming.

    To check the APs, you can open Fingbox network and go to network tab and scroll down to Access points section and see all BSSID which are being protected. I hope it helps.
    Robin (Admin at Fing)
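
The two thresholds quoted in the thread (at least 30 deauth frames per second, for at least 10 seconds) can be applied per BSSID to deauthentication frames captured on a monitor-mode interface, which shows which AP a flood is aimed at. This is an added example, not part of the thread and not Fing's code; the per-second bucketing, the function names and the MAC addresses are assumptions, and the frames are constructed.

```python
from collections import Counter, defaultdict

MIN_RATE = 30      # deauth frames per second, threshold quoted in the thread
MIN_DURATION = 10  # seconds the rate must hold, threshold quoted in the thread

def detect_deauth_floods(frames, min_rate=MIN_RATE, min_duration=MIN_DURATION):
    """frames: (timestamp_s, bssid, transmitter_mac) per captured deauth frame."""
    # bssid -> whole second -> transmitter address -> frame count
    buckets = defaultdict(lambda: defaultdict(Counter))
    for ts, bssid, transmitter in frames:
        buckets[bssid.lower()][int(ts)][transmitter.lower()] += 1
    alerts = []
    for bssid, seconds in buckets.items():
        hot = sorted(s for s, c in seconds.items() if sum(c.values()) >= min_rate)
        start = prev = None
        for sec in hot + [None]:              # None closes the final run
            if prev is not None and sec == prev + 1:
                prev = sec                    # run of consecutive hot seconds continues
                continue
            if start is not None and prev - start + 1 >= min_duration:
                seen = Counter()
                for s in range(start, prev + 1):
                    seen.update(seconds[s])
                alerts.append({
                    "bssid": bssid, "start": start, "duration": prev - start + 1,
                    "frames": sum(seen.values()), "transmitters": sorted(seen),
                    # The transmitter address in a deauth frame can be forged, so
                    # a match with the BSSID does not locate the real sender.
                    "claims_to_be_ap": bssid in seen,
                })
            start = prev = sec
    return alerts

# Constructed sample data (not from a real capture); all MACs are made up.
AP_MAIN, AP_GARAGE, AP_ATTIC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
CLIENT = "aa:bb:cc:00:00:99"

def constructed_capture():
    frames = []
    for sec in range(100, 112):   # 12 s at 40 frames/s: over both thresholds
        frames += [(sec + i / 40, AP_MAIN, AP_MAIN) for i in range(40)]
    for sec in range(100, 105):   # 5 s at 50 frames/s: fast but too short
        frames += [(sec + i / 50, AP_GARAGE, CLIENT) for i in range(50)]
    for sec in range(100, 120):   # 20 s at 3 frames/s: ordinary disconnects
        frames += [(sec + i / 3, AP_ATTIC, CLIENT) for i in range(3)]
    return frames

if __name__ == "__main__":
    for alert in detect_deauth_floods(constructed_capture()):
        print(alert)
```

Only the first constructed AP raises an alert; the short burst and the low-rate disconnects stay below the thresholds.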