Frank -

I've used our Aruba infrastructure to confirm and capture the disconnects. Remote wireless packet capture is a WAY COOL tool. Unfortunately, I don't have dedicated monitors in the locations in question to capture the data leading up to the disconnect, so I've been unable to conclusively determine why the client is sending the disassociation or if it is being spoofed from a third party.

The next steps are either placing some monitors in the areas of interest or heading out there with AiroPeek when we get another report of a problem. If it's a hacker, it's going to be painful to track down as the attack is surgical - a packet every couple of minutes - hard to triangulate and locate...

>>-> Stan Brooks - CWNA/CWSP
     Emory University
     Network Communications Division
     404.727.0226
     [EMAIL PROTECTED]
AIM: WLANstan  Yahoo!: WLANstan  MSN: [EMAIL PROTECTED]


-------- Original Message --------
From: Frank Bulk
Date: 9/11/2006 11:08 PM

Does the WIDPS functionality of your WLAN infrastructure system catch this?

Frank
-----Original Message-----
From: Stan Brooks [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 11, 2006 6:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Disconnects - Possible Hacker?

We are getting and have confirmed some reports of some wireless clients getting dropped repeatedly. Upon further investigation, it looks like the client/STA (or someone impersonating them) is sending a disassociate frame to our AP. This problem looks like it is localized on a couple of dorms and on specific floors. It also seems to affect most (all?) clients in the area. It also seems time sensitive - no problems for hours, then disassocs every 3-5 minutes. I've yet to capture a packet trace of the problem as it stops before we get on site with a wireless protocol analyzer.

In light of the symptoms, I think we are experiencing a series of DOS or MitM attacks, probably hacker initiated. The usual AirJack-based attacks I've seen use deauths, not disassocs.

Has anyone experienced similar symptoms or problems lately? Perhaps a new attack script?

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
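
One way to triage a capture for the pattern described in this thread, as an added example that is not part of the original messages: it parses raw 802.11 headers, separates disassociation (subtype 10) from deauthentication (subtype 12), and groups client-to-AP disassociations per BSSID with the gaps between them. It assumes frames with the radiotap header and FCS already stripped; the MAC addresses, timestamps and the three-client threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

SUBTYPES = {10: "disassoc", 12: "deauth"}  # 802.11 management subtypes
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed BSSIDs

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Parse a raw 802.11 frame; return None unless it is a disassoc/deauth."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc, _dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    return {"kind": SUBTYPES[subtype], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]),
            "seq": seq_ctrl >> 4, "reason": reason}

def summarize(capture, min_clients=3):
    """capture: (epoch_seconds, raw_frame) pairs. min_clients is an assumed threshold."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        ev = parse_mgmt(raw)
        # keep only station -> AP disassociations (addr1 equals the BSSID)
        if ev and ev["kind"] == "disassoc" and ev["dst"] == ev["bssid"]:
            per_bssid[ev["bssid"]].append((ts, ev["src"]))
    out = {}
    for bssid, evs in per_bssid.items():
        evs.sort()
        clients = {src for _, src in evs}
        out[bssid] = {"events": len(evs), "clients": len(clients),
                      "gaps": [b[0] - a[0] for a, b in zip(evs, evs[1:])],
                      "flag": len(clients) >= min_clients}
    return out

def build(subtype, src, bssid, seq, reason):
    """Construct a sample station -> AP management frame for the demo."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<HH", subtype << 4, 0) + to_b(bssid) + to_b(src)
            + to_b(bssid) + struct.pack("<HH", seq << 4, reason))

SAMPLE = [  # constructed capture: three clients drop from AP1 minutes apart
    (0, build(10, "02:00:00:00:01:0a", AP1, 100, 8)),
    (200, build(10, "02:00:00:00:01:0b", AP1, 2301, 8)),
    (440, build(10, "02:00:00:00:01:0c", AP1, 57, 8)),
    (450, build(12, "02:00:00:00:01:0d", AP1, 9, 3)),   # deauth, not counted
    (500, build(10, "02:00:00:00:01:0e", AP2, 77, 8)),
]
```

Calling `summarize(SAMPLE)` returns one entry per BSSID; a flagged entry only says that several distinct stations disassociated from the same AP, so the frames leading up to each event are still needed to tell a genuine client from a spoofed source address.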
