Deauth in Logs / 4-way-handshake log entries

Hi,

I have a new Flint 2 running OpenWrt 21.02-SNAPSHOT r15812+1075-46b6ee7ffc, with Windows 10 as my OS. I'm wondering if my router is getting attacked, because it keeps getting a DEAUTH in the log every few minutes, for days. Is that an attack, done again and again to keep the clients constantly trying to reconnect? Here is part of the log info. ty

Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.579937] 7986@C08L3,ap_cmm_peer_assoc_req_action() 2241: ASSOC Send ASSOC response (Status=0)...
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.589014] 7986@C01L3,wifi_sys_conn_act() 1115: wdev idx = 1
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.595011] 7986@C08L3,hw_ctrl_flow_v2_connt_act() 215: wdev_idx=1
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.722417] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.729041] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:18 2024 kern.notice kernel: [22106.734442] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:18 2024 kern.notice kernel: [22106.741063] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:19 2024 kern.notice kernel: [22107.758459] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:19 2024 kern.notice kernel: [22107.765090] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:21 2024 kern.err kernel: [22108.781955] 7986@C15L1,WpaEAPOLRetryAction() 7790: 4Way-MSG1 timeout with MACADD
Wed Oct 30 12:49:21 2024 kern.notice kernel: [22108.790326] 7986@C15L3,MlmeDeAuthAction() 1404: Send DEAUTH frame with ReasonCode(2) to MACADD
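The kind of check a router owner could run over these entries, as an added example that is not from the thread: a small POSIX shell script for OpenWrt's `logread` output that counts stalled 4-way handshakes and the DEAUTH frames the AP itself sent afterwards, groups the AP's DEAUTH frames by 802.11 reason code and by minute, and flags minutes over a threshold. The sample input embeds the lines above plus a few constructed lines in the same format (not a real capture); `MACADD` is the thread's own placeholder, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise 4-way-handshake failures and
# AP-sent DEAUTH frames in an OpenWrt / GL.iNet MediaTek-driver kernel log.
# On the router: logread | kicks_after_timeout ; logread | deauth_minutes 3

# Constructed sample input: the lines from the post above, plus extra lines in
# the same format at 12:53 (constructed, not a real capture) to show a burst.
sample_log() {
cat <<'EOF'
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.722417] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:17 2024 kern.notice kernel: [22105.729041] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:18 2024 kern.notice kernel: [22106.734442] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:18 2024 kern.notice kernel: [22106.741063] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:19 2024 kern.notice kernel: [22107.758459] 7986@C15L3,WPABuildPairMsg1() 5310: <=== send Msg1 of 4-way
Wed Oct 30 12:49:19 2024 kern.notice kernel: [22107.765090] 7986@C15L3,PeerPairMsg2Action() 6303: ===>Receive msg 2
Wed Oct 30 12:49:21 2024 kern.err kernel: [22108.781955] 7986@C15L1,WpaEAPOLRetryAction() 7790: 4Way-MSG1 timeout with MACADD
Wed Oct 30 12:49:21 2024 kern.notice kernel: [22108.790326] 7986@C15L3,MlmeDeAuthAction() 1404: Send DEAUTH frame with ReasonCode(2) to MACADD
Wed Oct 30 12:53:02 2024 kern.err kernel: [22329.100000] 7986@C15L1,WpaEAPOLRetryAction() 7790: 4Way-MSG1 timeout with MACADD
Wed Oct 30 12:53:02 2024 kern.notice kernel: [22329.110000] 7986@C15L3,MlmeDeAuthAction() 1404: Send DEAUTH frame with ReasonCode(2) to MACADD
Wed Oct 30 12:53:40 2024 kern.err kernel: [22367.100000] 7986@C15L1,WpaEAPOLRetryAction() 7790: 4Way-MSG1 timeout with MACADD
Wed Oct 30 12:53:40 2024 kern.notice kernel: [22367.110000] 7986@C15L3,MlmeDeAuthAction() 1404: Send DEAUTH frame with ReasonCode(2) to MACADD
EOF
}

# Number of "4Way-MSG1 timeout" lines: handshakes that never completed.
handshake_timeouts() {
    awk '/4Way-MSG1 timeout/ { n++ } END { print n + 0 }'
}

# DEAUTH frames the AP sent right after one of its own MSG1 timeouts (the AP
# kicking a client whose handshake stalled) versus DEAUTHs with no such cause.
kicks_after_timeout() {
    awk '/4Way-MSG1 timeout/ { pending = 1; next }
         /Send DEAUTH frame/ { if (pending) k++; else other++; pending = 0 }
         END { printf "after_timeout=%d other=%d\n", k, other }'
}

# Histogram of AP-sent DEAUTH frames by 802.11 reason code: "<code> <count>".
deauth_reasons() {
    awk '/Send DEAUTH frame with ReasonCode\(/ {
             match($0, /ReasonCode\([0-9]+\)/)
             code = substr($0, RSTART + 11, RLENGTH - 12)   # digits between ( and )
             n[code]++
         }
         END { for (c in n) print c, n[c] }' | sort -n
}

# Minutes in which the AP sent at least THRESHOLD (default 3) DEAUTH frames,
# printed as "HH:MM <count>". Field 4 of a logread line is the HH:MM:SS time.
deauth_minutes() {
    awk -v thr="${1:-3}" '/Send DEAUTH frame/ { m[substr($4, 1, 5)]++ }
         END { for (k in m) if (m[k] >= thr) print k, m[k] }' | sort
}

# Demo on the constructed sample.
sample_log | kicks_after_timeout
sample_log | deauth_reasons
sample_log | deauth_minutes 2
```

Note what this log can and cannot show: the `Send DEAUTH frame` entries are frames this AP transmitted after its own handshake timer expired, so they record the AP kicking a client whose handshake stalled. A forged deauth frame sent to your clients in the AP's name is addressed to the clients, not to the AP, so it does not appear in the AP's own log at all; that is why the replies further down suggest sniffing the air rather than relying on `logread`.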

Could be. Reason 2 is "Previous authentication is no longer valid" (See)

Switching to WPA3 would solve this issue since WPA3 enforces PMF.

Or you can set PMF manually, if your devices support it:

I am using WPA3, and WPA2 on 2.4 guest.

Since the frequency does not get logged here, you might just try things out. Disable guest access and check if the log entries still appear.

OK will do. ty

Does that DEAUTH mean an attack is happening to deauth my clients and look at the reauth? Because my neighbor is known to be a bad actor.

It could be used for trying to break the encryption to "hack" into the Wi-Fi. Or the neighbor could just run DEAUTH attacks the whole day to drive you crazy. We won't know, unfortunately.

We don't know either if it's a real attack or maybe just some device which flaps around.

mmmmm ok, will keep an eye on it. ty

Is this client connected on the WPA2 network?

It looks to me like two possible things:

The client might not work very well with the KRACK vulnerability protection, which indeed concerns the EAPOL frames, because it sends them at a much lower rate. Though I never saw such a case, you might consider resetting the Wi-Fi on the client (not the router) to ensure it's not hanging on something which no longer exists.

It can also be a deauth because there was low acknowledgement (not sure what deauth code 2 means on the MTK SDK, but that would tell the kick reason).

this is weird?

Wed Oct 30 13:22:31 2024 kern.err kernel: [24098.865879] WiFi@C15L1,RTMPDeletePMKIDCache() 1311: IF(3), del PMKID CacheIdx=2
Wed Oct 30 13:23:27 2024 kern.err kernel: [24155.033493] WiFi@C15L1,RTMPDeletePMKIDCache() 1311: IF(2), del PMKID CacheIdx=3


Not so weird, I would say. GL firmware logs plenty of noise into the logs.

I know I'm just a paranoid weirdo. Lol. Ty

Maybe. I use Flipper Zero with ESP32 dev board to perform penetration testing and deauth attacks and it works on almost all the routers I have encountered, unless you use WPA3 or explicitly set PMF to ENABLED.


yeah I read about that PMF, that is widening the channel?

The Flipper got banned in Canada, bit pricey no?

If you just want to try out deauthentication attacks, then buy a cheapo ESP8266 board and install:

Everything for under $5.


No, PMF stands for Protected Management Frames, and this is an option the vendor can use to protect the beacons sent between the client and the access point. As per the design of the beacon, the access point can simply send a deauth packet to disconnect the client. This is not encrypted and without PMF you can sniff and see the beacon in clear text mode, hence an attacker can masquerade himself and send beacons to deauth the client that looks as if they were coming from the legitimate AP.

By enabling PMF you are encrypting this part of the beacon and the client will learn not to accept unencrypted deauth commands, hence it won't disconnect. I would sniff the traffic in your case to see if and where the deauth beacons are coming from.
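A way to check which of your own networks actually have PMF on, as an added example that is not from the thread or from GL.iNet: a POSIX shell script that reads `uci show wireless` output and reports, per `wifi-iface` section, whether 802.11w is required, optional or disabled, then prints the `uci` commands that would make it required. It assumes the stock OpenWrt/hostapd UCI schema, where `option ieee80211w` is 0 (disabled), 1 (optional) or 2 (required) and, when unset, OpenWrt's `hostapd.sh` defaults it to 2 for `encryption 'sae'` (WPA3) and 1 for `'sae-mixed'`; whether GL.iNet's MediaTek-driver firmware exposes the same option name is an assumption to verify on the device. The sample config, section names and SSIDs are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit Protected Management Frames
# (802.11w) per wifi-iface in an OpenWrt 'wireless' config.
# Assumed schema (stock OpenWrt hostapd.sh): ieee80211w 0=disabled, 1=optional,
# 2=required; unset defaults to 2 for encryption 'sae', 1 for 'sae-mixed', else 0.
# On the router: uci show wireless | pmf_audit

# Constructed sample of 'uci show wireless' output (not from a real router).
sample_uci() {
cat <<'EOF'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.band='5g'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.ssid='Home5G'
wireless.default_radio0.encryption='sae'
wireless.default_radio0.key='REPLACE_ME_PLACEHOLDER'
wireless.radio1=wifi-device
wireless.radio1.band='2g'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.ssid='Home2G'
wireless.default_radio1.encryption='psk2'
wireless.default_radio1.ieee80211w='2'
wireless.guest2g=wifi-iface
wireless.guest2g.device='radio1'
wireless.guest2g.ssid='Guest2G'
wireless.guest2g.encryption='psk2'
wireless.guest2g.ieee80211w='0'
EOF
}

# One line per wifi-iface: "<section> ssid=<ssid> encryption=<enc> pmf=<status>".
pmf_audit() {
    awk -v q="'" '
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                       # strip the single quotes uci prints
        n = split(key, k, ".")
        if (n == 2 && val == "wifi-iface") order[++cnt] = k[2]
        if (n == 3) opt[k[2] "." k[3]] = val   # section.option -> value
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s   = order[i]
            enc = opt[s ".encryption"]
            w   = opt[s ".ieee80211w"]
            # unset: apply the assumed hostapd.sh defaults
            if (w == "") w = (enc == "sae") ? 2 : (enc == "sae-mixed") ? 1 : 0
            st = (w + 0 == 2) ? "required" : (w + 0 == 1) ? "optional" : "DISABLED"
            printf "%s ssid=%s encryption=%s pmf=%s\n", s, opt[s ".ssid"], enc, st
        }
    }'
}

# Names of the sections whose PMF is disabled.
pmf_disabled() {
    pmf_audit | awk '$NF == "pmf=DISABLED" { print $1 }'
}

# The uci commands that would make PMF required on a section (printed for
# review rather than executed).
pmf_require_cmds() {
    printf "uci set wireless.%s.ieee80211w='2'\nuci commit wireless\nwifi\n" "$1"
}

# Demo on the constructed sample.
sample_uci | pmf_audit
for s in $(sample_uci | pmf_disabled); do pmf_require_cmds "$s"; done
```

Setting `ieee80211w` to 2 means clients that do not implement 802.11w can no longer associate to that SSID, which is the "if your devices support it" caveat given earlier in the thread; 1 (optional) keeps such clients working but does not stop forged deauths against them.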

Flipper isn't that costly, and there are tons of ways you can get it anywhere even if banned.


I would love one, not so much for the WiFi but the other "stuff"
Little pricey for me also though.
$169.00 from here https://shop.flipperzero.one/

Wi-Fi isn't even possible without the Wi-Fi breakout board.


Exactly, you have to add the dev board, which you might find at around 30 USD

Total crap. Toy for script kiddy.

If you REALLY need to sniff traffic, use an Alfa adapter. Or maybe HackRF can help, but I'm not sure.

If you need to protect against deauth, switch to WPA3; it's simple.

Also you can try to change the SSID, BSSID and password, and hide the network. This will confuse the person who attacks you (if anyone does) if he isn't a real pro.

Generally you can leave the password, but I would recommend changing it if a bad actor has already intercepted the handshake.

As for a hidden network, it will prevent you from being asked for Wi-Fi or being a target of "experiments". Generally, just print the QR code (it can be found in the GL admin panel if you put your mouse pointer on 2.4 or 5 GHz) to connect to your network, and use a random 25+ character password. It will make brute force nearly impossible.