Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks
Thanks Jason! That is very interesting and affirms the same we are seeing with consumer devices (netgear) originating containments.

---
Eric Kenny
Network Architect
Harvard University IT
---

> On Apr 10, 2018, at 3:46 PM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:
>
> We have detected 78 signatures of Deauth and Disassoc broadcast attacks on our network in the past 24 hours (as reported by our Aruba Mobility Master).
>
> I pulled the MAC addresses of the systems and performed a MAC-Vendor lookup to see if there were any patterns. Here is what I found:
>
> Perhaps the most surprising is the relatively high occurrence of Nintendo.
>
> I'll continue pulling data in the future to see if these trends continue.
>
> --
> Jason Trinklein
> Wireless Engineering Manager
> College of Charleston
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
> trinkle...@cofc.edu | (843) 300-8009
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Samuel Clements <scleme...@gmail.com>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, April 3, 2018 at 6:23 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks
>
> I have filed a complaint with the FCC in the past and it was surprisingly successful. I would suggest you start with this link:
> https://www.fcc.gov/document/warning-wi-fi-blocking-prohibited
>
> Which includes the following tidbit:
> What Should You Do if You Suspect Wi-Fi Blocking? If you have reason to believe your personal Wi-Fi hot spot has been blocked, you can file a complaint with the FCC. To do so, you can visit www.fcc.gov/complaints or call 1-888-CALL-FCC. If you contact the FCC, you are encouraged to provide as much detail as possible regarding the potential Wi-Fi blocking, including the date, time, location, and possible source.
>
> Ideally you would be able to provide a packet capture in tandem with your complaint. In my particular situation, I received a formal letter after my case was reviewed and found to be a non-issue (mine was an illegal jammer). After calling to re-open the case, the FCC field team was dispatched and 'mitigated' the issue with much precision. Be forewarned that you're likely to feel like you're being ignored and given the run around - in my case there was no followup, just an FCC field van show up and then a clean spectrum shortly thereafter. If you provide the above link in your complaint and inform them that you believe you're impacted by the clarification provided, that should shore up your story some.
> Good luck, and happy hunting!
> -Sam
>
> On Tue, Apr 3, 2018 at 9:42 AM, Kenny, Eric <eric_ke...@harvard.edu> wrote:
> While investigating some "wifi is slow" and "wifi is dropping" complaints, we noticed deauth/disassociation flooding attacks reported by our wireless IDS. So far I've been able to identify a small percentage of these as local businesses and other local (non-university affiliated) organizations. What strikes me as odd is that a lot of the MAC OUIs from offending devices appear to be consumer grade wireless devices (Belkin, Netgear, eero, etc.). I'd love to get a hold of one of these devices and look at its settings to see how it's configured. I'm not a lawyer, but I think this falls under regulation 47 U.S. Code § 333.
>
> Besides filing a complaint with the FCC, I'm wondering if any of you have experienced this on your campuses, and if so, how you've gone about dealing with it. I'm afraid asking the business nicely would just result in a blank stare, as they would not likely understand the nature of the complaint, or what their wireless is actually doing.
>
> §333. Willful or malicious interference
> No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 28, 1990, 104 Stat. 850.)
>
> Thanks,
> ---
> Eric Kenny
> Network Architect
> Harvard University IT
> ---
>
> **
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/dis
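The MAC-vendor tally and flood triage that Jason's quoted post describes, as an added Python example that is not code from any poster in this thread; the alert lines, their field layout, the OUI prefixes and vendor labels are all constructed for the example, and the 100-frame threshold is an assumed cut-off.

```python
import re
from collections import Counter, defaultdict

# Constructed WIDS alert lines (not real Aruba output); the field layout is an
# assumption made for this example.
ALERTS = """\
2018-04-10T14:01:03 deauth-broadcast src=02:1a:2b:10:00:01 count=240
2018-04-10T14:01:09 disassoc-broadcast src=02:1a:2b:10:00:01 count=180
2018-04-10T14:02:44 deauth-broadcast src=06:5c:9d:20:00:07 count=12
2018-04-10T14:05:10 deauth-broadcast src=0a:77:88:30:00:02 count=95
2018-04-10T14:06:51 deauth-broadcast src=0a:77:88:31:00:09 count=130
2018-04-10T14:07:30 deauth-broadcast src=0e:00:00:40:00:04 count=3
"""

# Constructed OUI table (first three octets -> vendor label). The prefixes are
# locally-administered, so they cannot collide with a real IEEE assignment.
OUI_TABLE = {
    "02:1a:2b": "VendorA (consumer router)",
    "06:5c:9d": "VendorB (game console)",
    "0a:77:88": "VendorC (mesh system)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>deauth|disassoc)-broadcast\s+"
    r"src=(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+count=(?P<count>\d+)$",
    re.IGNORECASE,
)

def oui_vendor(mac):
    """Vendor label for a MAC's OUI prefix; unknown prefixes stay visible."""
    return OUI_TABLE.get(mac.lower()[:8], "Unknown")

def parse_alerts(text):
    """(timestamp, kind, source MAC, frame count) per alert; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["kind"].lower(), m["src"].lower(), int(m["count"])))
    return events

def vendor_tally(events):
    """Distinct offending sources per vendor: the pattern check Jason describes."""
    seen = defaultdict(set)
    for _, _, src, _ in events:
        seen[oui_vendor(src)].add(src)
    return {vendor: len(macs) for vendor, macs in seen.items()}

def flood_sources(events, threshold=100):
    """Sources whose deauth+disassoc frames reach the threshold: a few is noise, hundreds is a flood."""
    totals = Counter()
    for _, _, src, count in events:
        totals[src] += count
    return sorted(src for src, total in totals.items() if total >= threshold)
```

Swapping OUI_TABLE for the IEEE registry and ALERTS for an export from the WIDS gives the per-vendor breakdown Jason posted, with the flood list narrowing it to the sources worth a packet capture.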
RE: [WIRELESS-LAN] Rogue Containment (Was Re: Handling Wifi Deauth Attacks)
Perhaps we are near the point that registering SSIDs similar to a call sign is required, which then warrants the use of security options. If you have a SSID named HARVARD and someone is using that same SSID within your 'territory' then it is obviously them being malicious. How that could be against regulation is beyond me. Likely, if you have policies in place that prohibit non-administered WLANs on your wired network then you should be able to use security measures to stop them as well. Both of these scenarios increase security risks for users and protecting them should be paramount in my opinion. They are also much different than the Marriott situation.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Healy
Sent: Tuesday, April 10, 2018 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rogue Containment (Was Re: Handling Wifi Deauth Attacks)

On Apr 3, 2018, at 10:42 AM, Kenny, Eric <eric_ke...@harvard.edu> wrote:
>
> §333. Willful or malicious interference
> No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 28, 1990, 104 Stat. 850.)

This quote reminded me of an issue we've discussed on this list previously: containing or deauthenticating rogue devices. I've changed the thread subject because this is a case where the WLAN operator is "interfering with" others (rather than being the victim).

I've spoken informally with several people about this, and most feel that deauth for security reasons is OK. However, the letter of the law does not appear to have any sort of exemption. With the FCC consent decree against Marriott, I'm uncertain when (or if) it is OK to fight back against security threats.

I reached out to the FCC to ask if they could clarify their stance and let me know if there were any circumstances where deauths were appropriate and not illegal. The FCC's response (and my initial questions) are below. Unfortunately, they had no firm guidance on this issue and suggested I contact other groups. Before I do that, does anyone on this list have any more conclusive guidance that they've already found?

Thanks,

Jason

=== FCC Response ===

Hi Jason,

The majority of FCC decisions concerning "jamming" involve signal jammers that emit random RF noise, rather than Wi-Fi equipment that transmits deauthentication frames, so jammerinfo may not be the best source. The only official FCC guidance comes in the form of rules, orders, or other Commission pronouncements, and I'm not aware of any that speak directly to your questions.

Unlike signal jammers, which never receive an FCC equipment authorization, Wi-Fi equipment is designed to enable, not interfere with, communications. The deauthentication feature is inherent to Wi-Fi operation and does not prevent FCC certification. However, even an authorized device, whether transmitting on licensed or unlicensed spectrum, can be operated in a manner that violates FCC rules. Thus, some enterprise equipment manufacturers have warned network administrators that improper use of deauthentication could land them in hot water.

One takeaway from the Marriott case was that a business may not block hotspots indiscriminately or for commercial gain. Unfortunately, that case does not speak to whether private schools may do so under the circumstances you've presented below.

With respect to security matters, shortly after Marriott was fined, the American Hotel & Lodging Assoc. filed an FCC petition asking for clarification on the network management measures that a hotel network administrator may lawfully take to secure the network from spoofers, honeypot attacks, etc. Though some parties assert that the group sought a rule that would allow extensive blocking, the petitioners asserted that it would be unreasonable to block hotspots that were not posing a security threat. (The petition and comments from interested parties in proceeding RM-11737 can be accessed on the Commission's website, https://www.fcc.gov/ecfs/.) Under that interpretation, blocking all hotspots would only be permitted if each hotspot was individually deemed to pose a threat to network security. In any event, this petition was later withdrawn, so no declaratory ruling was issued and no limits were set in that proceeding.

With respect to adjacent or cochannel interfere
Rogue Containment (Was Re: Handling Wifi Deauth Attacks)
On Apr 3, 2018, at 10:42 AM, Kenny, Eric wrote:
>
> §333. Willful or malicious interference
> No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 28, 1990, 104 Stat. 850.)

This quote reminded me of an issue we've discussed on this list previously: containing or deauthenticating rogue devices. I've changed the thread subject because this is a case where the WLAN operator is "interfering with" others (rather than being the victim).

I've spoken informally with several people about this, and most feel that deauth for security reasons is OK. However, the letter of the law does not appear to have any sort of exemption. With the FCC consent decree against Marriott, I'm uncertain when (or if) it is OK to fight back against security threats.

I reached out to the FCC to ask if they could clarify their stance and let me know if there were any circumstances where deauths were appropriate and not illegal. The FCC's response (and my initial questions) are below. Unfortunately, they had no firm guidance on this issue and suggested I contact other groups. Before I do that, does anyone on this list have any more conclusive guidance that they've already found?

Thanks,

Jason

=== FCC Response ===

Hi Jason,

The majority of FCC decisions concerning "jamming" involve signal jammers that emit random RF noise, rather than Wi-Fi equipment that transmits deauthentication frames, so jammerinfo may not be the best source. The only official FCC guidance comes in the form of rules, orders, or other Commission pronouncements, and I'm not aware of any that speak directly to your questions.

Unlike signal jammers, which never receive an FCC equipment authorization, Wi-Fi equipment is designed to enable, not interfere with, communications. The deauthentication feature is inherent to Wi-Fi operation and does not prevent FCC certification. However, even an authorized device, whether transmitting on licensed or unlicensed spectrum, can be operated in a manner that violates FCC rules. Thus, some enterprise equipment manufacturers have warned network administrators that improper use of deauthentication could land them in hot water.

One takeaway from the Marriott case was that a business may not block hotspots indiscriminately or for commercial gain. Unfortunately, that case does not speak to whether private schools may do so under the circumstances you've presented below.

With respect to security matters, shortly after Marriott was fined, the American Hotel & Lodging Assoc. filed an FCC petition asking for clarification on the network management measures that a hotel network administrator may lawfully take to secure the network from spoofers, honeypot attacks, etc. Though some parties assert that the group sought a rule that would allow extensive blocking, the petitioners asserted that it would be unreasonable to block hotspots that were not posing a security threat. (The petition and comments from interested parties in proceeding RM-11737 can be accessed on the Commission's website, https://www.fcc.gov/ecfs/.) Under that interpretation, blocking all hotspots would only be permitted if each hotspot was individually deemed to pose a threat to network security. In any event, this petition was later withdrawn, so no declaratory ruling was issued and no limits were set in that proceeding.

With respect to adjacent or cochannel interference, Wi-Fi operates on shared unlicensed frequencies, with no user having a greater right to use those frequencies. Section 15.5(b) of the rules (47 CFR § 15.5(b), https://www.gpo.gov/fdsys/pkg/CFR-2010-title47-vol1/xml/CFR-2010-title47-vol1-sec15-5.xml) essentially provides that authorized equipment operating in unlicensed bands must accept interference from other authorized equipment. This rule appears to presume that normal co-channel interference is to be expected and accepted from nearby Wi-Fi networks.

I would suggest contacting our substantive policy-making offices, such as the Wireless Telecommunications Bureau; they may be able to point you toward any specific guidance. And since this is an issue that school administrators across the nation must be tackling, I would also suggest contacting the relevant education policy groups. They may have already developed some suggested best practices that are tailored to the needs and objectives of the education community.

Regards,
Kevin

Kevin M. Pittman
Spectrum Enforcement Division
Enforcement Bureau
Federal Communications Commission

=== Original Request ===

Hello,

I am responsible for the operation of a Wi-Fi network at a private high school.
Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks
Eric,

I've never heard of a consumer device deauthing STAs that aren't associated to themselves. If you happen to get a packet capture I know some people that would be interested in looking at it. The only case of malicious deauths I've seen was from an enterprise vendor IPS.

GT

On 4/3/18, 9:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Kenny, Eric" wrote:

>While investigating some "wifi is slow" and "wifi is dropping" complaints, we noticed deauth/disassociation flooding attacks reported by our wireless IDS. So far I've been able to identify a small percentage of these as local businesses and other local (non-university affiliated) organizations. What strikes me as odd is that a lot of the MAC OUIs from offending devices appear to be consumer grade wireless devices (Belkin, Netgear, eero, etc.). I'd love to get a hold of one of these devices and look at its settings to see how it's configured. I'm not a lawyer, but I think this falls under regulation 47 U.S. Code § 333.
>
>Besides filing a complaint with the FCC, I'm wondering if any of you have experienced this on your campuses, and if so, how you've gone about dealing with it. I'm afraid asking the business nicely would just result in a blank stare, as they would not likely understand the nature of the complaint, or what their wireless is actually doing.
>
>§333. Willful or malicious interference
>No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
>(June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 28, 1990, 104 Stat. 850.)
>
>Thanks,
>---
>Eric Kenny
>Network Architect
>Harvard University IT
>---
Handling Wifi Deauth Attacks
While investigating some "wifi is slow" and "wifi is dropping" complaints, we noticed deauth/disassociation flooding attacks reported by our wireless IDS. So far I've been able to identify a small percentage of these as local businesses and other local (non-university affiliated) organizations. What strikes me as odd is that a lot of the MAC OUIs from offending devices appear to be consumer grade wireless devices (Belkin, Netgear, eero, etc.). I'd love to get a hold of one of these devices and look at its settings to see how it's configured. I'm not a lawyer, but I think this falls under regulation 47 U.S. Code § 333.

Besides filing a complaint with the FCC, I'm wondering if any of you have experienced this on your campuses, and if so, how you've gone about dealing with it. I'm afraid asking the business nicely would just result in a blank stare, as they would not likely understand the nature of the complaint, or what their wireless is actually doing.

§333. Willful or malicious interference
No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
(June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 28, 1990, 104 Stat. 850.)

Thanks,
---
Eric Kenny
Network Architect
Harvard University IT
---