K Application Chapter? 1. Protect against WiFi Kill attacks? Flight Tower (fortinet) firewall OS 5.2.8

Source: Internet
Author: User

  WiFi Kill case

A school of nearly 20,000 students, using the flight Tower Firewall and FORTIAP to form a campus wireless network, students through the campus wireless network access to the Internet.

Many students recently reflected that campus network wireless WiFi can be connected, but not on the network, after verification, the original is a lot of students using a "WiFi killer" mobile phone software.

 WiFi Kill Introduction

WiFi Kill (WiFi killer) is an evil software that can kick off other devices on the same WiFi network, and even the user who is being kicked will not feel it!

WiFi Kill is designed to retaliate against users who trespass on bandwidth. Its developer Bponury at the XDA Developer Forum: If someone abuses their computer resources to download video clips like Justin Bieber, you can cut off their network traffic and enjoy them alone.

The program used to run only on rooted Android phones and now has an iphone version, which can spoof ARP replies to trick other devices on the same WiFi network, make them think your phone is a router, and then WiFi kill loses their network packets. For the victim, the network connection appears to be normal, but the Internet is virtually inaccessible.

 WiFi Kill Demo

Now let's take a look at how WiFi kill operates.

① first installs the WiFi killer on the phone, the Android phone needs root, now has the Chinese version.

  ② Click the Start button, if the phone does not have root, will appear prompt and abort operation;

③wifi kill collects all devices that access this SSID, including mobile phones and laptops, and here we choose 192.168.88.103 to operate (and, of course, all IPs at once);

④ When we click "Crawl", you can see this IP access to the site;


⑤ When we click "Cut off", this IP device will not be able to access the Internet.

  WiFi Kill principle

We know that WiFi kill is achieved by ARP spoofing, so let me know what ARP spoofing is.

  The Address Resolution Protocol , known as ARPResolution Protocol, is a TCP/IP protocol that gets the physical address of the root IP address. When the host sends the message, the ARP request containing the destination IP address is broadcast to all hosts on the network, and the return message is received to determine the physical address of the target, the IP address and physical address are stored in the native ARP cache after the return message is received, and a time is reserved for the next request, and the ARP cache is queried to conserve resources.

The Address Resolution Protocol is based on the trust of each host in the network, the host on the network can send the ARP reply message autonomously, and the other host will not detect the authenticity of the message when it receives the reply packet, which will be credited to the native ARP cache, thus the attacker can send a pseudo-ARP reply message to a host. Causing the information to be sent cannot reach the intended host or reach the wrong host, which constitutes an ARP spoofing .

Let's see how WiFi Kill works by monitoring FORTIAP's ARP changes.


① first understand that the gateway with the Fortiap interface named Lw-fortiap-1,wifi is 192.168.88.1.


② can be monitored by the client to see how many devices are connected to the FORTIAP, as well as the IP address and MAC address of each device;

③ in the command mode of the firewall, by grasping the package command diagnose sniffer packet lw-fortiap-1 ARP 4 to view the update of the Fortiap ARP, You can see that all devices on the Internet send gateways are 192.168.88.1, each IP and MAC address is also one to.

④ start WiFi kill on the phone with IP address 192.168.88.100 and scan;


The gateways that ⑤ all IP addresses point to the phone that is running WiFi kill. The original WiFi kill principle is to modify the ARP, deceive other IP to the WiFi kill host as a gateway, and then discard the information sent. This way the other IP may appear to be connected properly, but the gateway is not up to the network because it is incorrect.

 WiFi Kill Guard

Knowing the attack principle of WiFi kill, we can find a solution.


① on the Firewall menu select "WiFi and Switch Controller"-"Wireless Network"-"SSID", select Lw-fortiap-1, click Edit;


② find the "block SSID internal traffic" option to tick, click "Confirm";


③ again turn on WiFi kill for scanning, but can no longer see other devices, of course, can not "kick people." The original shielding SSID internal traffic function is to let the equipment in the SSID can not exchange visits, of course, the largest number of connections WiFi is for the internet, or access to the server, WiFi equipment visits between the operation is very small, shielding SSID internal traffic is not much impact.



Finish


K Application Chapter? 1. Protect against WiFi Kill attacks? Flight Tower (fortinet) firewall OS 5.2.8

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.