After some research and field testing, it's become pretty obvious that WPS is the most dangerous threat to Wi-Fi security, for APs with WPS enabled.

The most obvious solution is to simply disable WPS. But some routers, most notably Linksys models, don't allow someone to fully disable it.

Another obvious solution is for vendors to lock down WPS in the firmware. For example, locking WPS for 30 minutes after 10 incorrect PIN attempts, then 60 minutes after another 10, then locking it permanently after another 10. Even just locking WPS for 30-minute intervals after 10 attempts would render most brute-forces impractical. The Netgear WNDR3800 I just pentested does lock WPS ... for five minutes, after about 25 incorrect attempts. With tweaked Reaver settings, I cracked it in under 24 hours at about 16 seconds per PIN.

I just read that Kismet can now detect a flood of WPS traffic, indicating a WPS attack. That's great! But what can someone do once they've detected an attack? Other than heatmapping the signal from the offending MAC address and attempting to locate the device, is there anything anyone can do to stop an attack in progress, other than take the vulnerable AP offline?

Any other thoughts on defending against this? Cheers!

-ternarybit
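The two defensive ideas raised in the post, an escalating firmware lockout and Kismet-style flood detection, as an added worked example (not code from the original post, from Kismet, or from any vendor firmware). The numbers it uses come from the post: one PIN every 16 seconds, the proposed 10-attempt / 30-minute / 60-minute / permanent schedule, and the observed five-minute lock after about 25 attempts. The frame-log format, the MAC addresses and the detection threshold are constructed for the example.

```python
"""Defender-side WPS PIN brute-force hardening, two pieces:

1. WpsPinGuard implements an escalating lockout schedule and is simulated
   against an attacker submitting one PIN every 16 seconds, so the two
   policies from the post can be compared by how many guesses each allows.
2. detect_wps_flood() is a sliding-window counter over constructed
   frame-log lines that flags a station MAC exceeding a PIN-attempt rate,
   the kind of signal a monitor such as Kismet would raise.

Assumptions (constructed, not from the post): the log line format
"<seconds> <station MAC> <frame>", the MAC addresses, and the threshold.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class LockoutPolicy:
    """Lock WPS after every `attempts_per_stage` failed PINs. The n-th lock
    lasts `stage_durations[n]` seconds (None = permanent); the last entry
    repeats once the list is exhausted."""
    attempts_per_stage: int
    stage_durations: List[Optional[float]]


PROPOSED = LockoutPolicy(10, [30 * 60, 60 * 60, None])  # the post's suggestion
OBSERVED = LockoutPolicy(25, [5 * 60])                   # WNDR3800 behaviour from the post


class WpsPinGuard:
    """State machine an AP would keep for its WPS external-registrar PIN."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures = 0                          # failures since the last lockout
        self.stage = 0                             # how many lockouts have fired
        self.locked_until: Optional[float] = None  # None = open; inf = permanent

    def attempt(self, now: float, pin_correct: bool) -> str:
        """Return 'locked', 'rejected' or 'accepted' for a PIN attempt at `now`."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"       # dropped without evaluating the PIN
            self.locked_until = None  # lock expired, resume evaluating
        if pin_correct:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.policy.attempts_per_stage:
            self.failures = 0
            idx = min(self.stage, len(self.policy.stage_durations) - 1)
            duration = self.policy.stage_durations[idx]
            self.stage += 1
            self.locked_until = float("inf") if duration is None else now + duration
        return "rejected"


def guesses_allowed(policy: LockoutPolicy, horizon_s: float, per_attempt_s: float = 16.0) -> int:
    """Count PINs that actually get evaluated (rejected) within `horizon_s` for an
    attacker trying one PIN every `per_attempt_s` seconds and never guessing right."""
    guard = WpsPinGuard(policy)
    return sum(
        guard.attempt(i * per_attempt_s, False) == "rejected"
        for i in range(int(horizon_s // per_attempt_s))
    )


# Constructed frame log: one legitimate enrollee completing M1/M2, then a
# station sending a fresh EAP-WSC M1 (a new PIN attempt) every 16 seconds.
SAMPLE_LOG: List[str] = [
    "5.0 aa:bb:cc:dd:ee:01 EAP-WSC-M1",
    "6.0 aa:bb:cc:dd:ee:01 EAP-WSC-M2",
] + [f"{100 + 16 * i:.1f} 02:11:22:33:44:55 EAP-WSC-M1" for i in range(8)]


def detect_wps_flood(lines: Iterable[str], window_s: float = 120.0, threshold: int = 5) -> Set[str]:
    """Return station MACs that sent more than `threshold` M1 frames inside
    any `window_s` sliding window. Lines are expected in time order."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Set[str] = set()
    for line in lines:
        ts, mac, frame = line.split()
        if frame != "EAP-WSC-M1":      # only M1 starts a new PIN exchange
            continue
        now = float(ts)
        window = recent[mac]
        window.append(now)
        while window and now - window[0] > window_s:
            window.popleft()           # drop attempts older than the window
        if len(window) > threshold:
            flagged.add(mac)
    return flagged


if __name__ == "__main__":
    for name, policy in (("observed", OBSERVED), ("proposed", PROPOSED)):
        print(f"{name}: {guesses_allowed(policy, 3600)} guesses/hour, "
              f"{guesses_allowed(policy, 86400)} guesses/day")
    print("flooding stations:", detect_wps_flood(SAMPLE_LOG))
```

Running it shows why the schedule matters: with the observed five-minute lock the guard still evaluates 135 PINs in the first hour, whereas the proposed schedule evaluates 20 in the first hour and 30 in total before locking permanently. The detector flags only the constructed 02:11:22:33:44:55 station; the single legitimate M1 never crosses the threshold.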