WLAN guerilla, various attacks with DoS effect


I am the IT manager in a school where many students use their own portables.
Every so often an alien WLAN service (not our SSID) turns up, with a fake
MAC address. The MAC address changes frequently (from 5 min. down to 10 sec.
intervals). Normally they appear as "peer to peer" but also occasionally as
"infrastructure" (access point).
This has three distinct effects on our network:
- The fake network has a stronger signal than access points, so new clients
will associate to a "no service" network.
- The fake network jams other radio channels, effectively blocking ordinary
traffic for those already associated to an access point.
- For each new MAC address used, one IP address is taken from our DHCP pool.

I have done some searches, and it looks like the tools needed for this
activity can be found on a Linux ("Knoppix") CD named "Net auditor".

The DHCP lease time is reduced to a minimum, to reduce the lasting effect of
DHCP drain (due to policy imposed from school authorities we cannot use NAT,
so using large "private" address ranges is not an option). I use Ethereal
and Netstumbler for data collection and attempting "radio search", but I
have far from sufficient resources to fight the problem from this end. From
reactions to my search activity I have concluded that the culprit is a
student (or group of students), but that's about as far as I get. I have
informed the student body about the gist of my findings, to make use of the
"street justice", as it were...

Any suggestions for tools and alternate approaches? I find NetStumbler is a
fairly useful program, but it has its shortcomings, and so does Ethereal
(no surprise, them being free software apps developed for a slightly different
purpose). All input is welcome.
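
The DHCP drain described in the post above (one lease taken per new MAC address, with the MAC changing every 10 seconds to 5 minutes) shows up in lease logs as a burst of never-before-seen clients. The following is an added example, not part of the original thread: it flags such bursts and counts how many of the MACs have the locally-administered bit set. The log format, sample lines, window and threshold are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lease log (assumed format: ISO time, client MAC, leased IP).
SAMPLE_LOG = """\
2005-03-01T08:00:05 00:0e:35:11:22:33 192.0.2.21
2005-03-01T08:03:40 00:13:ce:44:55:66 192.0.2.22
2005-03-01T08:03:55 00:0e:35:11:22:33 192.0.2.21
2005-03-01T09:15:00 5a:10:9c:01:02:03 192.0.2.23
2005-03-01T09:15:12 c6:77:20:0a:0b:0c 192.0.2.24
2005-03-01T09:15:25 00:de:ad:10:20:30 192.0.2.25
2005-03-01T09:15:37 9e:41:f3:aa:bb:cc 192.0.2.26
2005-03-01T09:15:50 32:05:6d:dd:ee:ff 192.0.2.27
2005-03-01T09:40:00 00:13:ce:77:88:99 192.0.2.28
"""
WINDOW = timedelta(seconds=120)  # assumed tuning value, not from the post
THRESHOLD = 4  # first-seen MACs per window that raise an alert (assumed)

def locally_administered(mac):  # bit 0x02 of the first octet: not a vendor MAC
    return bool(int(mac.split(":")[0], 16) & 0x02)

def find_drain_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of never-before-seen MACs taking leases."""
    seen, recent, alerts, in_burst = set(), deque(), [], False
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, mac = datetime.fromisoformat(parts[0]), parts[1].lower()
        if mac in seen:
            continue  # renewals by already-known clients are normal
        seen.add(mac)
        recent.append((ts, mac))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop first-seen events older than the window
        if len(recent) < threshold:
            in_burst = False
        elif in_burst:  # extend the alert that is already open
            alerts[-1]["end"] = ts
            alerts[-1]["macs"].append(mac)
        else:
            in_burst = True
            alerts.append({"start": recent[0][0], "end": ts,
                           "macs": [m for _, m in recent]})
    for a in alerts:
        a["local_admin"] = sum(locally_administered(m) for m in a["macs"])
    return alerts

if __name__ == "__main__":
    print(find_drain_bursts(SAMPLE_LOG))
```

The alert's start and end times give a window to correlate with wireless captures taken at the same moment.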

Re: WLAN guerilla, various attacks with DoS effect

keme wrote in message ...

The "social engineering" seems to have had an effect (or maybe the culprits
are just bored with this, and planning something else...). The problem is
much smaller than it was, but still occurs sometimes (2-3 times a week, up
to 10 min activity, affecting the network for about 40 minutes).

Any input is still welcome
