Kismet Wireless

Kismet Forums

 

Posted by: kpbrown
Subject: What attack is this?
Date: 06:12:51 04/02/2006

Hello all,

I am heavily involved in a small (220 customers) rural W-ISP. We have recently come under attack. Although by chance we found the attacker (one of our installers noticed a 24dBi dish pointed at our tower from a house that was not our customer) and with police intervention the problem was solved, I am interested in knowing which attack we sustained. Unfortunately, at the time of testing I only had Kismet-2005-04-R1 on my laptop, but with that here is what we found:

=> First, our APs are Tranzeo TR-4500s. It uses 128-bit WEP with MAC auth control. Without MAC auth enabled we often experience random crashes which require a hard reboot. Interestingly this is only on the PoP that our "big" attack happened.

=> During our "big" attack, two of our sectors were completely down. No customers could connect. The two sectors were in line with our attacker's 24dBi dish.

=> While I used Kismet, another employee used Netstumbler. Our APs did not show up in his list.

=> Kismet showed both of the APs. Their signal strength was normal. There was even reported traffic (about 10 - 20 packets/sec). What was interesting is when we turned WEP off we could see all the ARP broadcasts coming from the two APs under attack. From this we concluded that the AP was able to send data but not receive data. We tried connecting to the APs from 10 meters away, to 10km away but to no avail -- but with Kismet, signal strength seemed normal.

=> During the attacks, the association lists on the APs were empty.

=> Immediately after the attacks stopped, our association lists repopulated and everything resumed.

=> We drove around the attacker's house with our (old) version of Kismet and it did not show any warnings of malicious packets.

So, in conclusion, I am wondering if anyone can identify what sort of attack we endured based on those clues. Also, would an updated version (2005-08-R1) of Kismet have detected the malicious packets?

Thanks in advance,
Kevin Brown.
www.wavedirect.net

