04-11-2007, 07:59 PM
aljuhani
Re: MAC address and Wifi DDoS

Jeff Liebermann wrote:
>
> 00:16:6f:3c:9e:cf is an Intel client device. Does your wireless
> desktop or laptop use an Intel wireless chipset? Do you own any other
> wireless device that uses an Intel chipset? Any game machines with
> Wi-Fi?


No, not anything I own.

> >Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8)
> >00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON

>
> My guess(tm) is that someone has their wireless client set to connect
> to your access point by default. Note that "connect" here means the
> initial wireless "association", before any negotiated encryption key,
> authentication, or login. Without finishing the actual connection
> ordeal and getting past your Access Control List, I can't tell whether
> this is an attacker, misconfigured wireless device, or overly
> aggressive wireless client. It doesn't look like Kismet or
> NetStumbler probes (but I'm not sure).
>
> It would be really tempting to allow them to connect and then sniff
> the traffic to see what they try to do. If it's a computer with open
> shares, snooping around their computer is usually sufficient to
> identify them.
>
> You can also determine if they're using 802.11b or 802.11g to help
> identify the culprit. Just set your SRX200 to "802.11b only" or
> "802.11g only" to see which one works. That might help identify the
> culprit.
>
> If you just want them to go away, you might try changing the SSID on
> the SRX200. (Changing the channel will do nothing). If they are set
> to connect to your specific SSID, they won't follow the change.
> However, if they have their wireless client set to "connect to any
> available network", they will follow the change. If it's an attacker,
> it may not initially follow the change in SSID, but might follow when
> they realize what happened.


Well, I have actually changed the SSID, and the logs provided are from after
the change, so it appears to be deliberate attempts and is continuing
up to now.

Will give him access as you have suggested, to be able to at least
identify him, or if I am lucky enough he will check a POP3 email
account and give me the pleasure of disclosing his data.

Thanks for the input Jeff.

Rgds.
-aljuhani


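Added example, not part of the original post or of either poster's own tooling: a small Python triage script for the access point log format quoted above. It groups "MAC-ACL lookup failed" records by station and notes whether a station was seen against more than one SSID, which is the "did it follow the SSID change" question raised in the thread. Assumptions: the record layout matches the single quoted log line, SSIDs contain no spaces, and the sample data is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the post. Only the 18:48:16 record
# (MAC 00:16:6f:3c:9e:cf, SSID HOTWANCON) comes from the thread; the second MAC,
# the earlier SSID name and the other timestamps are made up for illustration.
SAMPLE_LOG = """\
Wed, 2007-04-11 18:40:02 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId OLDSSID-EXAMPLE
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:48:47 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:05 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:11:22:33:44:55, MAC-ACL lookup failed, ssId OLDSSID-EXAMPLE
"""

# \s+ between fields lets the pattern match records that a mail or news client
# wrapped onto two lines, as happened to the line quoted in the post.
RECORD_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+\s+"
    r"Station \(\d+, \d+\)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+"
    r"MAC-ACL lookup failed,\s+ssId (?P<ssid>\S+)",
    re.I)

def summarize(log_text):
    """Group MAC-ACL rejections by station MAC address."""
    stations = defaultdict(lambda: {"count": 0, "ssids": [], "first": None, "last": None})
    for m in RECORD_RE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = stations[m["mac"].lower()]
        s["count"] += 1
        if m["ssid"] not in s["ssids"]:
            s["ssids"].append(m["ssid"])  # keep the order SSIDs were tried in
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in stations.values():
        # Rejected against more than one SSID: the station followed the rename.
        s["followed_ssid_change"] = len(s["ssids"]) > 1
    return dict(stations)

if __name__ == "__main__":
    for mac, s in summarize(SAMPLE_LOG).items():
        print(mac, s["count"], s["ssids"], s["last"] - s["first"], s["followed_ssid_change"])
```

A station that keeps being rejected only under the old SSID is consistent with a client pinned to that name; one that reappears under the new SSID needs a closer look.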