[Case Study] How to judge whether an AP is under countering?

Post time 2018-4-9 11:49:47
Users in Building 12 on the old campus cannot associate with the China UNICOM-WLAN SSID. Users who do associate with this SSID are often disconnected and cannot access the Internet.

Onsite Problem Locating:
In the dormitory with poor user experience, we found that after a computer connects to the China UNICOM-WLAN SSID, the SSID signal often disappears, the ping packet loss rate is high, and the computer is often disconnected from the Internet.

Author | Post time 2018-4-9 11:50:35
We used a professional tool (OmniPeek) to capture packets in the corridor on the second floor. A great number of deauthentication (Deauth) packets were found, as shown in Figure 1.

Figure 1: Too many Deauth packets

We located the AP (MAC address: 9614 4B1B 34FA) that broadcast the Deauth packets and found that it is an AP of China Unicom. After searching on the AC, we found that the AP was deployed here, covering the surrounding six rooms. But the log shows that the AP does not send any Deauth packets. It was therefore confirmed that it is not this AP that sends the invalid Deauth packets.

After analysis, we suspected that there was a rogue AP. The rogue AP sent Deauth packets to the associated users in the name of China UNICOM AP, as shown in Figure 2.

Figure 2: The rogue AP broadcasting Deauth packets in the name of the China UNICOM MAC

According to the signal strength comparison, the signal strength of normal packets was about 26%, while that of the Deauth packets sent by the rogue AP was 100%, as shown in Figure 3.

Figure 3: Signal strength of normal packets lower than that of Deauth packets

Therefore, we confirmed the existence of the rogue AP and knew that the rogue AP was close to the test place, resulting in frequent disconnection from the WLAN of users within the coverage of this rogue AP.

4. Locating the Rogue AP

During the onsite survey, we found an AP of another carrier near the test place, and the data light of this AP flashed very fast, indicating transmission of a great amount of data. This AP was suspected to be the rogue AP.

To confirm this, we powered off this AP and captured packets at the air interface on site. The result showed that the percentage of deauth packets decreased immediately from 0.239% to 0.031%, as shown in Figure 4.

Figure 4: Decrease in deauth packets after the rogue AP is powered off

Then the users could associate with the AP and access the WLAN, with no ping packets lost.

After the carrier's AP is restored, the problem occurs again. Therefore, it can be confirmed that the carrier's AP is a rogue AP and that its AP countering function is enabled.

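The two indicators the case study relies on (the share of deauth frames in a capture, and deauth frames that carry the legitimate AP's MAC but arrive at a very different signal strength than that AP's own beacons and data) can be checked automatically over a capture. The following is an added example, not from the post or from any vendor tool; it uses a constructed in-memory frame list with the MAC address from the post and illustrative RSSI values, and a hypothetical 30-point RSSI threshold.

```python
from collections import defaultdict
from statistics import median

# Constructed sample capture, one tuple per 802.11 frame: (frame_type, source_mac, rssi_percent).
# The MAC is the one named in the post; RSSI values are illustrative, modelled on the
# 26% (normal) vs 100% (forged deauth) figures reported there.
LEGIT_AP = "96:14:4b:1b:34:fa"
CAPTURE = [
    ("beacon", LEGIT_AP, 26), ("data", LEGIT_AP, 24), ("data", LEGIT_AP, 28),
    ("beacon", LEGIT_AP, 25), ("data", LEGIT_AP, 27),
    ("deauth", LEGIT_AP, 100), ("deauth", LEGIT_AP, 98), ("deauth", LEGIT_AP, 100),
    ("data", "aa:bb:cc:00:00:01", 40),   # unrelated neighbouring AP
]


def deauth_ratio(frames):
    """Fraction of captured frames that are deauthentication frames (the post's 0.239% -> 0.031% metric)."""
    if not frames:
        return 0.0
    return sum(1 for ftype, _, _ in frames if ftype == "deauth") / len(frames)


def baseline_rssi(frames):
    """Median RSSI of each source MAC's non-deauth frames: the level that radio is normally heard at."""
    by_src = defaultdict(list)
    for ftype, src, rssi in frames:
        if ftype != "deauth":
            by_src[src].append(rssi)
    return {src: median(values) for src, values in by_src.items()}


def suspicious_deauths(frames, delta=30):
    """Return (src, rssi, baseline) for deauth frames whose RSSI is more than `delta` points
    away from the sender's baseline. A deauth that claims a known AP's MAC but is heard far
    stronger (or weaker) than that AP's own beacons and data is most likely sent by a
    different radio, which is exactly the Figure 3 comparison made in the post."""
    base = baseline_rssi(frames)
    flagged = []
    for ftype, src, rssi in frames:
        if ftype == "deauth" and src in base and abs(rssi - base[src]) > delta:
            flagged.append((src, rssi, base[src]))
    return flagged


if __name__ == "__main__":
    print(f"deauth share: {deauth_ratio(CAPTURE):.3%}")
    for src, rssi, base in suspicious_deauths(CAPTURE):
        print(f"spoofed deauth? src={src} rssi={rssi}% baseline={base}%")
```

Running the same functions over captures taken with the suspect AP on and off reproduces the before/after ratio comparison from Figure 4.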