
[Open-Source] WiFi-SpiderWeb: Turn any OpenWrt Router into an Active Cyber Defense & Honeypot System via USB 🕷️🔥

Medium
Published: Thu May 28 2026 (05/28/2026, 18:42:25 UTC)
Source: Reddit Cybersecurity

Description

WiFi-SpiderWeb is an open-source active cyber defense and honeypot system designed for OpenWrt routers. It detects Wi-Fi deauthentication and disassociation attacks by monitoring wireless traffic and triggers active countermeasures when an attack threshold is met. The system deploys virtual honeypots with fake SSIDs, blocks attacker MAC addresses at the kernel level, and floods attackers with junk packets to stall their scanning tools. It is intended for use on low-resource OpenWrt routers with USB storage and supports multiple wireless chipsets. The tool is designed for defensive security and requires explicit authorization for use. No known exploits in the wild or vendor patches are applicable as this is a defensive tool rather than a vulnerability.

Reddit Discussion

r/cybersecurity·posted by u/Badriix

[Technical Breakdown] Building an Active Cyber Defense & Honeypot Daemon for OpenWrt via USB

Hey everyone,

I've been working on a lightweight technical concept to handle Wi-Fi Deauthentication attacks on low-resource hardware (specifically OpenWrt routers running on embedded architectures like MIPS/ARM).

I wanted to shift the defense from passive logging to active countermeasures, so I designed a dual-engine workflow:

  1. Handling Low Resources: Using Python with Scapy, but setting store=False and utilizing kernel-side BPF filters so packet capturing doesn't overflow the router's limited RAM.
  2. The Defense Loop: When a burst threshold is met, the system dynamically communicates via a thread-safe IPC UNIX socket (/tmp/spider_ipc.sock) to spin up dynamic virtual honeypots via native UCI commands, while simultaneously dropping the source at the ebtables/iptables level.
  3. Anti-Scanner Measures: Implemented a raw socket loop to flood the attacker with junk packets designed to specifically stall the stream-state dissecting mechanism of Wireshark/Nmap.

I'm looking for peer feedback on the architectural approach, especially regarding handling CPU spikes on older ath9k chipsets during hostapd reloads.

The full production-ready implementation, including the POSIX deployment scripts, is completely open-source for auditing and testing here: https://github.com/badrrx/WiFi-SpiderWeb

Would love to hear your thoughts on optimization or potential legal/technical oversights in this implementation!


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/28/2026, 18:48:33 UTC

Technical Analysis

WiFi-SpiderWeb is a Python-based active defense and honeypot framework for OpenWrt routers that detects Wi-Fi deauthentication and disassociation attacks using a sliding-window burst counter. Upon detection, it dynamically creates up to 10 virtual access points with randomized SSIDs and MAC addresses to trap attackers. It also implements kernel-level MAC address blocking and a tarpit engine that floods attackers with junk packets to disrupt their scanning tools. The system is designed to run on low-resource hardware, using BPF filters and zero packet buffering to minimize resource usage. It is deployed via USB ExtRoot and supports ath9k, ath10k, and other chipsets. The project is open-source and intended for authorized defensive use only.
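The sliding-window burst counter described above, as an added example that is not code from the WiFi-SpiderWeb project. The class and function names, the threshold and window values, the source cap and the MAC addresses are assumptions constructed for illustration.

```python
from collections import OrderedDict, deque

class DeauthBurstDetector:
    """Per-source sliding-window counter for deauth/disassoc frames (hypothetical names)."""
    def __init__(self, threshold=10, window=5.0, max_sources=256, own_bssids=()):
        self.threshold = threshold        # frames inside the window that count as a burst (assumed)
        self.window = window              # window length in seconds (assumed)
        self.max_sources = max_sources    # cap on tracked MACs so router RAM stays bounded
        self.own_bssids = {m.lower() for m in own_bssids}
        self.seen = OrderedDict()         # MAC -> deque of timestamps, least recent first

    def observe(self, ts, src_mac):
        """Record one frame; return None, "block" or "alert-only"."""
        mac = src_mac.lower()
        times = self.seen.pop(mac, None)
        if times is None:
            times = deque()
            if len(self.seen) >= self.max_sources:
                self.seen.popitem(last=False)   # evict the least recently seen source
        self.seen[mac] = times                  # re-insert as most recently seen
        times.append(ts)
        while ts - times[0] > self.window:      # drop timestamps that left the window
            times.popleft()
        if len(times) < self.threshold:
            return None
        times.clear()                           # re-arm: one burst gives one decision
        # Without 802.11w the source address of a deauth frame is unauthenticated,
        # so a burst "from" our own BSSID is forged: raise an alert, never block it.
        return "alert-only" if mac in self.own_bssids else "block"

def run(events, **kwargs):
    """Feed (timestamp, source MAC) pairs in time order; return the decisions made."""
    det = DeauthBurstDetector(**kwargs)
    decisions = []
    for ts, mac in events:
        verdict = det.observe(ts, mac)
        if verdict:
            decisions.append((ts, mac, verdict))
    return decisions

# Constructed sample: a client seen every 2 s, a 10-frame burst, a burst forging our BSSID.
OWN_BSSID = "02:00:00:00:00:01"
SAMPLE = ([(2.0 * i, "02:00:00:00:00:aa") for i in range(12)]
          + [(30 + i / 10, "02:00:00:00:00:bb") for i in range(10)]
          + [(40 + i / 10, OWN_BSSID) for i in range(10)])

if __name__ == "__main__":
    for ts, mac, verdict in run(SAMPLE, own_bssids=[OWN_BSSID]):
        print(f"{ts:6.1f}s {mac} -> {verdict}")
```

In a deployment like the one the post describes, `observe` would be called from the capture callback with each frame's timestamp and source address.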

Potential Impact

This tool enhances network defense by actively detecting and mitigating Wi-Fi deauthentication attacks through honeypots and network-level blocking. It does not represent a vulnerability or threat itself but rather a security enhancement. There are no reported exploits against this tool, and it does not introduce known security risks when used as intended. Misuse without authorization could have legal implications.

Mitigation Recommendations

No patch or remediation is applicable since this is a defensive open-source tool rather than a vulnerability. Users should ensure they have explicit authorization before deploying WiFi-SpiderWeb to avoid legal issues. Proper configuration and tuning of detection thresholds are recommended to minimize false positives and resource impact on routers. Review and audit the open-source code before deployment to ensure it meets security and operational requirements.


Technical Details

Source Type: reddit
Subreddit: cybersecurity
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:rce","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a188df9e29bf47b501d650b

Added to database: 5/28/2026, 6:48:25 PM

Last enriched: 5/28/2026, 6:48:33 PM

Last updated: 5/29/2026, 5:30:05 PM

Views: 14
