
I would like to find a root of the WiFi issue we've got in our working environment.

A few words about the WiFi infrastructure

We are now using an Apple solution: three brand-new access points from Apple connected into one roaming wireless network with one common ESSID. Two access points are within the range of the main access point, and there are around 30+ users. The reason for using three access points is low signal strength in different corners of our big office.

Issue

A few times per day we get an issue. The issue is:

  1. Loss of internet and connection to internal servers
  2. Huge round-trip time for ping and losses
  3. Perfect WiFi strength and no losses of WiFi connectivity

Findings

During the issue I tried to log the WiFi traffic using airodump-ng. Now I have some data to draw conclusions from; unfortunately I do not have a lot of experience drawing such conclusions, so I would like to ask for some help.

During the period of 25 minutes we got:

  1. 264 deauthentications
  2. A lot of retransmissions (125) out of 264 deauthentications (in total 257 000 frames were captured, of which 18 000 are retransmissions)
  3. Usually the deauthentication happens with the reason "Reason code: Class 3 frame received from nonassociated STA (0x0007)"
  4. The reason code looks strange because I see in the log that the user was communicating with the STA and had no problems; the deauthentication frame appears right after, spontaneously. Then it gets retransmitted up to 25 times
  5. Approx. frame rate is 167 fps
  6. During normal activity, even when people still have internet, I see lots of retransmissions

P.S.

Maybe it is necessary to do something else? Is it enough to say that it is a deauthentication attack? Would it make sense to switch to a managed Cisco WiFi network with WPA2-Enterprise (now WPA2-PSK)? Can 802.11n help?

Additional Info

  1. The infrastructure: two AirPort Expresses 2013 and one Airport Extreme 2013 in between as main roaming AP
  2. DHCP is from the Windows Server, no NAT and DHCP on the AirPorts (simple Bridge mode)
Dexterite
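As an added example (not the poster's code or capture), here is a small Python triage helper for the kind of airodump-ng data described above: it parses raw 802.11 frames, keeps only deauthentication frames, and reports totals, the reason-code mix, the deauth rate per minute, and any single frame retried past a threshold (the poster saw up to 25 retries of one frame). The sample frames are constructed inline; on a real capture you would feed it the raw frame bytes from a pcap reader.

```python
import struct
from collections import Counter

DEAUTH_FC0 = 0xC0   # Frame Control byte 0: version 0, type 0 (mgmt), subtype 12 (deauth)
RETRY_BIT = 0x08    # Frame Control flags byte: Retry bit, set on retransmissions

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(raw):
    """Return the fields of a deauth frame, or None for any other frame.
    Layout: FC(2) Dur(2) Addr1=dst(6) Addr2=src(6) Addr3=BSSID(6) SeqCtl(2) Reason(2)."""
    if len(raw) < 26 or raw[0] != DEAUTH_FC0:
        return None
    seq = struct.unpack_from("<H", raw, 22)[0] >> 4      # 12-bit sequence number
    reason = struct.unpack_from("<H", raw, 24)[0]        # e.g. 0x0007 = class 3 frame from nonassociated STA
    return {"dst": mac(raw[4:10]), "src": mac(raw[10:16]), "bssid": mac(raw[16:22]),
            "seq": seq, "retry": bool(raw[1] & RETRY_BIT), "reason": reason}

def summarize(frames, capture_seconds, retry_alert=10):
    """Aggregate deauth activity: totals, reason mix, rate, and heavily retried frames."""
    deauths = retries = 0
    reasons, retries_per_frame = Counter(), Counter()
    for raw in frames:
        f = parse_deauth(raw)
        if f is None:
            continue
        deauths += 1
        reasons[f["reason"]] += 1
        if f["retry"]:           # same (src, dst, seq) seen again with the Retry bit set
            retries += 1
            retries_per_frame[(f["src"], f["dst"], f["seq"])] += 1
    flagged = sorted(k for k, n in retries_per_frame.items() if n >= retry_alert)
    return {"deauths": deauths, "retries": retries, "reasons": dict(reasons),
            "per_minute": round(deauths * 60 / capture_seconds, 1), "flagged": flagged}

def build_deauth(src, dst, bssid, reason, seq, retry=False):
    """Builds a constructed test frame with the layout parse_deauth expects."""
    flags = RETRY_BIT if retry else 0
    return (struct.pack("<BBH", DEAUTH_FC0, flags, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))

# Constructed sample (hypothetical MACs): one AP-originated deauth with reason 7 retried 12 times,
# one client-originated deauth with reason 3, and one data frame the parser must skip.
AP, C1, C2 = bytes.fromhex("aabbccddee01"), bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
SAMPLE = ([build_deauth(AP, C1, AP, 0x0007, seq=100)]
          + [build_deauth(AP, C1, AP, 0x0007, seq=100, retry=True) for _ in range(12)]
          + [build_deauth(C2, AP, AP, 0x0003, seq=7), bytes([0x08, 0x00]) + bytes(22)])
```

Run `summarize(SAMPLE, capture_seconds=60)` to get the per-minute rate and the flagged (src, dst, seq) triples; comparing who sends the deauths (AP address versus unknown source) and with which reason is the first step before calling it an attack.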
    Pretty well exposed problem :). Too soon to diagnose an attack. – dan Jul 23 '14 at 10:18
  • Have you looked into 802.11w? It should help if this is a management frame spoofing issue. http://en.wikipedia.org/wiki/IEEE_802.11w-2009 – JZeolla Jul 23 '14 at 10:48
  • Yes, I did. Unfortunately, as I've understood it, it is not implemented on Windows 7 (only starting from Windows 8), and I am also not sure if it is implemented on Apple devices (we have 50/50). – Dexterite Jul 24 '14 at 06:49
  • Within your OQ, could you include: - which model are your 3 AP? - how DHCP is configured? – dan Jul 24 '14 at 09:15
  • @danielAzuelos, two AirPort Expresses 2013 and one Airport Extreme 2013 in between as main roaming AP. DHCP is from the Windows Server. – Dexterite Jul 24 '14 at 10:51
  • → Dexterite: key information → OQ, not in comments, please. "DHCP is from the Windows Server": does this mean you turned off "DHCP server" within the 3 Apple AP? – dan Jul 24 '14 at 11:43
  • @danielAzuelos, would that work? Not sure how I can properly format updates in the question. – Dexterite Jul 24 '14 at 12:00

1 Answer

I'd suggest you investigate your wireless misbehaviour at 2 levels:

1. Access points

Activate the syslog function on all your APs toward a dedicated syslog server within your network. Beware, access to this function was suppressed with version 6 of AirPort Utility: AirPort Utility 6.0 missing a number of features

2. Environment

Install iStumbler or any equivalent-level tool on a portable and secured Mac to make a serious environment survey at 2 levels.

  • A first one when you don't see any misbehaviour, which you'll keep as a reference of your basic environment. This survey will have to cover all your office and most notably all your wireless coverage. Keep in mind that this wireless coverage is a huge 3-dimensional potato. Don't hesitate to investigate the border where interferences may be a nightmare and not detected from the central point of view of the AP.
  • A second one when you encounter a misbehaviour of your network.

Once you are equipped with these 2 tools, familiarize yourself with them.

Within a few hours you will be able to unravel radio interference problems, 802.11n misbehaviour, AP misbehaviour, DHCP problems, ARP problems, IP problems, 802.11n attacks, ARP attacks, IP attacks…

dan
  • Wow, awesome! Do you know if `syslog` can be activated on `AirPort Extreme` and how? – Dexterite Jul 23 '14 at 09:45
  • Yes, I used this logging function on a small set of APs (~ 20). But apparently access to this function was suppressed from the GUI. Please check if this function is still accessible through your official support or good documentation. I'd appreciate your feedback about this function to improve my answer. – dan Jul 23 '14 at 10:16
  • Only one thing I have observed with iStumbler: the AP power graph looks like a saw. Nothing special in the log of iStumbler. Unfortunately, with all the guidelines for installing the AirPort Utility from Lion, I have not succeeded, mainly because of the lack of time. – Dexterite Jul 24 '14 at 06:45
  • Which AP presents this saw-like graph? How many wireless networks are received at the point where you experience regular loss of network? – dan Jul 25 '14 at 18:19
  • The number of wireless networks around is about 30. I see the "saw" on all three APs. – Dexterite Jul 28 '14 at 06:34
  • I need to say thank you. Fortunately, we've switched to a professional WLC solution from Cisco, which holds everything perfectly. I would love to continue, since now it is easier to do the research (syslog, online statistics and many more debugging tools are available), but everything has changed. I am still a bit afraid that something similar will occur again. Would you suggest I continue? (FYI the number of rogue networks in range is 99) – Dexterite Jul 28 '14 at 06:42
  • → Dexterite: 99 rogue networks looks to me like too fast a diagnosis. I think you might have 99 neighbouring wireless networks (but this should be confirmed with iStumbler, which is a really professional tool). If you have a lot of Windows in your neighbourhood, you might have one or 2 real **rogue** networks. But this remains to be analysed. – dan Jul 28 '14 at 08:26
  • You are right, this is just info I've got from the new WLC. In fact, yes, there are much fewer networks (these are found within the power of -120 dBm), plus most of the networks are duplicates on different freq-s. Can I say that a network is rogue to my network when its RSSI is less than 80 dBm? – Dexterite Jul 28 '14 at 09:40
  • → Dexterite: I'd advise you to read: http://en.wikipedia.org/wiki/Rogue_access_point and after some more reading, post here a new question if you have a real problem with a **rogue** AP. – dan Jul 28 '14 at 10:26