Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks

2018-04-11 Thread Kenny, Eric
Thanks Jason!  That is very interesting and affirms the same we are seeing with 
consumer devices (netgear) originating containments.  
--- 
Eric Kenny
Network Architect
Harvard University IT
---

> On Apr 10, 2018, at 3:46 PM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:
> 
> We have detected 78 signatures of Deauth and Disassoc broadcast attacks on 
> our network in the past 24 hours (as reported by our Aruba Mobility Master).
>  
> I pulled the MAC addresses of the systems and performed a MAC-Vendor lookup 
> to see if there were any patterns. Here is what I found:
> 
>  
> Perhaps the most surprising is the relatively high occurrence of Nintendo.
>  
> I’ll continue pulling data in the future to see if these trends continue.
>  
> -- 
> Jason Trinklein
> Wireless Engineering Manager
> College of Charleston
> 81 St. Philip Street | Office 311D | Charleston, SC 29403
> trinkle...@cofc.edu | (843) 300–8009
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Samuel Clements 
> <scleme...@gmail.com>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Tuesday, April 3, 2018 at 6:23 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks
>  
> I have filed a complaint with the FCC in the past and it was surprisingly 
> successful. I would suggest you start with this link:
> https://www.fcc.gov/document/warning-wi-fi-blocking-prohibited
>  
> Which includes the following tidbit:
> What Should You Do if You Suspect Wi-Fi Blocking? If you have reason to 
> believe your personal Wi-Fi hot spot has been blocked, you can file a 
> complaint with the FCC. To do so, you can visit www.fcc.gov/complaints or 
> call 1-888-CALL-FCC. If you contact the FCC, you are encouraged to provide as 
> much detail as possible regarding the potential Wi-Fi blocking, including the 
> date, time, location, and possible source.
>  
> Ideally you would be able to provide a packet capture in tandem with your 
> complaint. In my particular situation, I received a formal letter after my 
> case was reviewed and found to be a non-issue (mine was an illegal jammer). 
> After calling to re-open the case, the FCC field team was dispatched and 
> 'mitigated' the issue with much precision. Be forewarned that you're likely 
> to feel like you're being ignored and given the run around - in my case there 
> was no followup, just an FCC field van showed up and then a clean spectrum 
> shortly thereafter. If you provide the above link in your complaint and 
> inform them that you believe you're impacted by the clarification provided, 
> that should shore up your story some.
> Good luck, and happy hunting!
>   -Sam
>  
> On Tue, Apr 3, 2018 at 9:42 AM, Kenny, Eric <eric_ke...@harvard.edu> wrote:
> While investigating some “wifi is slow” and “wifi is dropping” complaints, we 
> noticed deauth/disassociation flooding attacks reported by our wireless IDS.  
> So far I’ve been able to identify a small percentage of these as local 
> businesses and other local (non-university affiliated) organizations.  What 
> strikes me as odd is that a lot of the MAC OUIs from offending devices appear 
> to be consumer grade wireless devices (Belkin, Netgear, eero, etc.).  I’d 
> love to get a hold of one of these devices and look at its settings to see 
> how it’s configured.  I’m not a lawyer, but I think this falls under 
> regulation 47 U.S. Code § 333.
> 
> Besides filing a complaint with the FCC, I’m wondering if any of you have 
> experienced this on your campuses, and if so, how you’ve gone about dealing 
> with it.  I’m afraid asking the business nicely would just result in a blank 
> stare, as they would not likely understand the nature of the complaint, or 
> what their wireless is actually doing.
> 
> §333. Willful or malicious interference
> No person shall willfully or maliciously interfere with or cause interference 
> to any radio communications of any station licensed or authorized by or under 
> this chapter or operated by the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 
> 28, 1990, 104 Stat. 850.)
> 
> Thanks,
> ---
> Eric Kenny
> Network Architect
> Harvard University IT
> ---
> 
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/dis
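The MAC-vendor lookup Jason describes above, as an added example that is not from the original thread: it parses constructed WIDS alert lines (a generic syslog-like shape, not real Aruba Mobility Master output), maps each reported attacker MAC to a vendor through a small constructed OUI table, and tallies the result. The locally-administered bit check is there because such addresses carry no vendor OUI, and since the transmitter address of a deauth frame is chosen by whoever sends it, the tally is a triage hint rather than attribution.

```python
import re
from collections import Counter

# Constructed WIDS alert lines (generic syslog-like shape, not real vendor
# output); the MAC addresses and timestamps are sample values.
SAMPLE_ALERTS = """\
Apr 10 14:02:11 wids: deauth-broadcast attacker=00:1B:2F:10:20:30 bssid=00:1B:2F:10:20:30 chan=6
Apr 10 14:05:43 wids: disassoc-broadcast attacker=00:09:BF:AA:BB:CC bssid=00:09:BF:AA:BB:CC chan=11
Apr 10 14:07:02 wids: deauth-broadcast attacker=00:09:bf:aa:bb:cd bssid=00:09:bf:aa:bb:cd chan=1
Apr 10 14:09:15 wids: deauth-broadcast attacker=02:AB:CD:EF:00:01 bssid=02:AB:CD:EF:00:01 chan=6
Apr 10 14:12:58 wids: rogue-ap-detected bssid=00:1B:2F:10:20:31 chan=6
"""

# Constructed OUI table; verify prefixes against the IEEE MA-L registry before
# relying on them for anything beyond a first look.
OUI_VENDORS = {
    "00:1B:2F": "Netgear",
    "00:09:BF": "Nintendo",
}

ALERT_RE = re.compile(
    r"wids: (?P<kind>deauth-broadcast|disassoc-broadcast) attacker=(?P<mac>[0-9A-Fa-f:]{17})"
)

def normalize_mac(mac):
    return mac.upper()

def oui(mac):
    """First three octets, upper-cased, in the same form as the table keys."""
    return normalize_mac(mac)[:8]

def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: the address was not assigned
    from a vendor OUI, so a vendor lookup on it is meaningless."""
    return int(mac[:2], 16) & 0x02 != 0

def parse_alerts(text):
    """Return (kind, mac) for each deauth/disassoc alert; other alert kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((m.group("kind"), normalize_mac(m.group("mac"))))
    return events

def tally_by_vendor(events, table=OUI_VENDORS):
    """Count alerts per vendor; unknown OUIs keep their prefix so they can be looked up later."""
    counts = Counter()
    for _kind, mac in events:
        if is_locally_administered(mac):
            counts["(locally administered / no vendor OUI)"] += 1
        else:
            counts[table.get(oui(mac), "unknown " + oui(mac))] += 1
    return counts

if __name__ == "__main__":
    for vendor, n in tally_by_vendor(parse_alerts(SAMPLE_ALERTS)).most_common():
        print(f"{n:3d}  {vendor}")
```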

RE: [WIRELESS-LAN] Rogue Containment (Was Re: Handling Wifi Deauth Attacks)

2018-04-11 Thread McClintic, Thomas
Perhaps we are near the point that registering SSIDs similar to a call sign is 
required, which then warrants the use of security options. If you have a SSID 
named HARVARD and someone is using that same SSID within your 'territory' then 
it is obviously them being malicious. How that could be against regulation is 
beyond me. Likely, if you have policies in place that prohibit non-administered 
WLANs on your wired network then you should be able to use security measures to 
stop them as well. 

Both of these scenarios increase security risks for users and protecting them 
should be paramount in my opinion. They are also much different than the 
Marriott situation. 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Healy
Sent: Tuesday, April 10, 2018 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rogue Containment (Was Re: Handling Wifi Deauth Attacks)

On Apr 3, 2018, at 10:42 AM, Kenny, Eric <eric_ke...@harvard.edu> wrote:
> 
> §333. Willful or malicious interference No person shall willfully or 
> maliciously interfere with or cause interference to any radio communications 
> of any station licensed or authorized by or under this chapter or operated by 
> the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, 
> §9, Sept. 28, 1990, 104 Stat. 850.)

This quote reminded me of an issue we've discussed on this list previously: 
containing or deauthenticating rogue devices.  I've changed the thread subject 
because this is a case where the WLAN operator is "interfering with" others 
(rather than being the victim).

I've spoken informally with several people about this, and most feel that 
deauth for security reasons is OK.  However, the letter of the law does not 
appear to have any sort of exemption.  With the FCC consent decree against 
Marriott, I'm uncertain when (or if) it is OK to fight back against security 
threats.

I reached out to the FCC to ask if they could clarify their stance and let me 
know if there were any circumstances where deauths were appropriate and not 
illegal.  The FCC's response (and my initial questions) are below.  
Unfortunately, they had no firm guidance on this issue and suggested I contact 
other groups.

Before I do that, does anyone on this list have any more conclusive guidance 
that they've already found?

Thanks,

Jason


=== FCC Response ===

Hi Jason,

The majority of FCC decisions concerning “jamming” involve signal jammers that 
emit random RF noise, rather than Wi-Fi equipment that transmits 
deauthentication frames, so jammerinfo may not be the best source.  The only 
official FCC guidance comes in the form of rules, orders, or other Commission 
pronouncements, and I’m not aware of any that speak directly to your questions. 
 

Unlike signal jammers, which never receive an FCC equipment authorization, 
Wi-Fi equipment is designed to enable, not interfere with, communications.  The 
deauthentication feature is inherent to Wi-Fi operation and does not prevent 
FCC certification.  However, even an authorized device, whether transmitting on 
licensed or unlicensed spectrum, can be operated in a manner that violates FCC 
rules.  Thus, some enterprise equipment manufacturers have warned network 
administrators that improper use of deauthentication could land them in hot 
water.

One takeaway from the Marriott case was that a business may not block hotspots 
indiscriminately or for commercial gain.  Unfortunately, that case does not 
speak to whether private schools may do so under the circumstances you’ve 
presented below.  With respect to security matters, shortly after Marriott was 
fined, the American Hotel & Lodging Assoc. filed an FCC petition asking for 
clarification on the network management measures that a hotel network 
administrator may lawfully take to secure the network from spoofers, honeypot 
attacks, etc.  Though some parties assert that the group sought a rule that 
would allow extensive blocking, the petitioners asserted that it would be 
unreasonable to block hotspots that were not posing a security threat.  (The 
petition and comments from interested parties in proceeding RM-11737 can be 
accessed on the Commission’s website, https://www.fcc.gov/ecfs/.)  Under that 
interpretation, blocking all hotspots would only be permitted 
if each hotspot was individually deemed to pose a threat to network security.  
In any event, this petition was later withdrawn, so no declaratory ruling was 
issued and no limits were set in that proceeding.

With respect to adjacent or cochannel interfere

Rogue Containment (Was Re: Handling Wifi Deauth Attacks)

2018-04-10 Thread Jason Healy
On Apr 3, 2018, at 10:42 AM, Kenny, Eric  wrote:
> 
> §333. Willful or malicious interference
> No person shall willfully or maliciously interfere with or cause interference 
> to any radio communications of any station licensed or authorized by or under 
> this chapter or operated by the United States Government.
> (June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 
> 28, 1990, 104 Stat. 850.)

This quote reminded me of an issue we've discussed on this list previously: 
containing or deauthenticating rogue devices.  I've changed the thread subject 
because this is a case where the WLAN operator is "interfering with" others 
(rather than being the victim).

I've spoken informally with several people about this, and most feel that 
deauth for security reasons is OK.  However, the letter of the law does not 
appear to have any sort of exemption.  With the FCC consent decree against 
Marriott, I'm uncertain when (or if) it is OK to fight back against security 
threats.

I reached out to the FCC to ask if they could clarify their stance and let me 
know if there were any circumstances where deauths were appropriate and not 
illegal.  The FCC's response (and my initial questions) are below.  
Unfortunately, they had no firm guidance on this issue and suggested I contact 
other groups.

Before I do that, does anyone on this list have any more conclusive guidance 
that they've already found?

Thanks,

Jason


=== FCC Response ===

Hi Jason,

The majority of FCC decisions concerning “jamming” involve signal jammers that 
emit random RF noise, rather than Wi-Fi equipment that transmits 
deauthentication frames, so jammerinfo may not be the best source.  The only 
official FCC guidance comes in the form of rules, orders, or other Commission 
pronouncements, and I’m not aware of any that speak directly to your questions. 
 

Unlike signal jammers, which never receive an FCC equipment authorization, 
Wi-Fi equipment is designed to enable, not interfere with, communications.  The 
deauthentication feature is inherent to Wi-Fi operation and does not prevent 
FCC certification.  However, even an authorized device, whether transmitting on 
licensed or unlicensed spectrum, can be operated in a manner that violates FCC 
rules.  Thus, some enterprise equipment manufacturers have warned network 
administrators that improper use of deauthentication could land them in hot 
water.

One takeaway from the Marriott case was that a business may not block hotspots 
indiscriminately or for commercial gain.  Unfortunately, that case does not 
speak to whether private schools may do so under the circumstances you’ve 
presented below.  With respect to security matters, shortly after Marriott was 
fined, the American Hotel & Lodging Assoc. filed an FCC petition asking for 
clarification on the network management measures that a hotel network 
administrator may lawfully take to secure the network from spoofers, honeypot 
attacks, etc.  Though some parties assert that the group sought a rule that 
would allow extensive blocking, the petitioners asserted that it would be 
unreasonable to block hotspots that were not posing a security threat.  (The 
petition and comments from interested parties in proceeding RM-11737 can be 
accessed on the Commission’s website, https://www.fcc.gov/ecfs/.)  Under that 
interpretation, blocking all hotspots would only be permitted if each hotspot 
was individually deemed to pose a threat to network security.  In any event, 
this petition was later withdrawn, so no declaratory ruling was issued and no 
limits were set in that proceeding.

With respect to adjacent or cochannel interference, Wi-Fi operates on shared 
unlicensed frequencies, with no user having a greater right to use those 
frequencies.  Section 15.5(b) of the rules (47 CFR § 15.5(b), 
https://www.gpo.gov/fdsys/pkg/CFR-2010-title47-vol1/xml/CFR-2010-title47-vol1-sec15-5.xml) 
essentially provides that authorized equipment operating in 
unlicensed bands must accept interference from other authorized equipment.  
This rule appears to presume that normal co-channel interference is to be 
expected and accepted from nearby Wi-Fi networks.  

I would suggest contacting our substantive policy-making offices, such as the 
Wireless Telecommunications Bureau; they may be able to point you toward any 
specific guidance.  And since this is an issue that school administrators 
across the nation must be tackling, I would also suggest contacting the 
relevant education policy groups.  They may have already developed some 
suggested best practices that are tailored to the needs and objectives of the 
education community.

 

Regards,

Kevin

Kevin M. Pittman
Spectrum Enforcement Division
Enforcement Bureau
Federal Communications Commission
 

 
=== Original Request ===

Hello,
 
I am responsible for the operation of a Wi-Fi network at a private high school. 
 

Re: [WIRELESS-LAN] Handling Wifi Deauth Attacks

2018-04-03 Thread GT Hill
Eric,

I’ve never heard of a consumer device deauthing STAs that aren’t associated to 
themselves. If you happen to get a packet capture I know some people that would 
be interested in looking at it. 

The only case of malicious deauths I’ve seen was from an enterprise vendor IPS. 

GT 



On 4/3/18, 9:42 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Kenny, Eric"  wrote:

>While investigating some “wifi is slow” and “wifi is dropping” complaints, we 
>noticed deauth/disassociation flooding attacks reported by our wireless IDS.  
>So far I’ve been able to identify a small percentage of these as local 
>businesses and other local (non-university affiliated) organizations.  What 
>strikes me as odd is that a lot of the MAC OUIs from offending devices appear 
>to be consumer grade wireless devices (Belkin, Netgear, eero, etc.).  I’d love 
>to get a hold of one of these devices and look at its settings to see how it’s 
>configured.  I’m not a lawyer, but I think this falls under regulation 47 U.S. 
>Code § 333.  
>
>Besides filing a complaint with the FCC, I’m wondering if any of you have 
>experienced this on your campuses, and if so, how you’ve gone about dealing 
>with it.  I’m afraid asking the business nicely would just result in a blank 
>stare, as they would not likely understand the nature of the complaint, or 
>what their wireless is actually doing.
>
>§333. Willful or malicious interference
>No person shall willfully or maliciously interfere with or cause interference 
>to any radio communications of any station licensed or authorized by or under 
>this chapter or operated by the United States Government.
>(June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 
>28, 1990, 104 Stat. 850.)
>
>Thanks,
>--- 
>Eric Kenny
>Network Architect
>Harvard University IT
>---
>
>



Handling Wifi Deauth Attacks

2018-04-03 Thread Kenny, Eric
While investigating some “wifi is slow” and “wifi is dropping” complaints, we 
noticed deauth/disassociation flooding attacks reported by our wireless IDS.  
So far I’ve been able to identify a small percentage of these as local 
businesses and other local (non-university affiliated) organizations.  What 
strikes me as odd is that a lot of the MAC OUIs from offending devices appear 
to be consumer grade wireless devices (Belkin, Netgear, eero, etc.).  I’d love 
to get a hold of one of these devices and look at its settings to see how it’s 
configured.  I’m not a lawyer, but I think this falls under regulation 47 U.S. 
Code § 333.  

Besides filing a complaint with the FCC, I’m wondering if any of you have 
experienced this on your campuses, and if so, how you’ve gone about dealing 
with it.  I’m afraid asking the business nicely would just result in a blank 
stare, as they would not likely understand the nature of the complaint, or what 
their wireless is actually doing.

§333. Willful or malicious interference
No person shall willfully or maliciously interfere with or cause interference 
to any radio communications of any station licensed or authorized by or under 
this chapter or operated by the United States Government.
(June 19, 1934, ch. 652, title III, §333, as added Pub. L. 101–396, §9, Sept. 
28, 1990, 104 Stat. 850.)

Thanks,
--- 
Eric Kenny
Network Architect
Harvard University IT
---

