I have a Linksys WAG54GX2 SRX200 and lately decided, in addition to
WPA encryption, to apply MAC address filtering, which would allow only
my 1 x wireless desktop and 1 x laptop.
But now, looking at my /var/log/messages, I see the following MAC
address trying to gain access, which is normal when someone is trying
to connect to my wifi.
Due to the number of consecutive error messages below and the time frame
between them, I thought maybe the attacker is applying some sort of
denial of service attack that would maybe disable such filtering. I
do not know, but I just thought to ask the experts here.
On 11 Apr 2007 09:53:33 -0700, "aljuhani" <private.mailbox@gmail.com>
wrote in <1176310413.169362.63560@n59g2000hsh.googlegroups.com>:
>I have a Linksys WAG54GX2 SRX200 and lately decided, in addition to
>WPA encryption, to apply MAC address filtering, which would allow only
>my 1 x wireless desktop and 1 x laptop.
MAC addresses are too easily spoofed for MAC address filtering to be of
any real value; i.e., it's not worth the trouble. WPA with a strong
passphrase is all you really need.
>But now, looking at my /var/log/messages, I see the following MAC
>address trying to gain access, which is normal when someone is trying
>to connect to my wifi.
>
>Due to the number of consecutive error messages below and the time frame
>between them, I thought maybe the attacker is applying some sort of
>denial of service attack that would maybe disable such filtering. I
>do not know, but I just thought to ask the experts here.
Probably not a DoS attack. Might even be a device of your own. Anyone
worth worrying about will be spoofing in any event.
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
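To make the "too easily spoofed" point concrete, here is an added example (mine, not code from anyone in this thread). On Linux with iproute2 the station address the router's MAC ACL keys on is just an interface setting, so anyone who has sniffed an allowed address can present it with three commands. The interface name wlan0 is an assumption, the target address is the one quoted in the thread, and by default the script only prints what it would run; applying the change for real needs root.

```python
"""Spoofing a station MAC on Linux (added example, not from the thread).

A MAC ACL compares the source address of the association request with a
list.  That address is whatever the client interface is told to send, so
the ACL only stops clients that do not bother to change it.
"""
import re
import subprocess

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def is_valid_mac(mac):
    """Six colon-separated hex octets."""
    return bool(MAC_RE.match(mac))


def reject_reason(mac):
    """None if `mac` can be used as a station address, else why not."""
    if not is_valid_mac(mac):
        return "malformed"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        # I/G bit set: group (multicast/broadcast) address, never a station.
        return "multicast"
    return None


def spoof_commands(iface, mac):
    """argv lists that make `iface` present `mac` to the access point.

    The interface has to be down while the address is changed, hence the
    down/address/up sequence.  Assumes iproute2 (`ip link`).
    """
    reason = reject_reason(mac)
    if reason is not None:
        raise ValueError(f"cannot use {mac!r}: {reason}")
    mac = mac.lower()
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def apply_commands(cmds, dry_run=True):
    """Print (dry run) or execute the commands; returns how many were handled."""
    for argv in cmds:
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)  # needs root
    return len(cmds)


if __name__ == "__main__":
    # Assumed interface name; the address is the one logged in the thread.
    apply_commands(spoof_commands("wlan0", "00:16:6f:3c:9e:cf"))
```

The defender-side consequence is the one Navas states: an allowed address is visible in cleartext in every frame that client sends, so the ACL adds nothing against anyone who is actually targeting the network; WPA with a strong passphrase is what keeps them out.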
>I have a Linksys WAG54GX2 SRX200 and lately decided, in addition to
>WPA encryption, to apply MAC address filtering, which would allow only
>my 1 x wireless desktop and 1 x laptop.
>
>But now, looking at my /var/log/messages, I see the following MAC
>address trying to gain access, which is normal when someone is trying
>to connect to my wifi.
00:16:6f:3c:9e:cf is an Intel client device. Does your wireless
desktop or laptop use an Intel wireless chipset? Do you own any other
wireless device that uses an Intel chipset? Any game machines with
Wi-Fi?
>Due to the number of consecutive error messages below and the time frame
>between them, I thought maybe the attacker is applying some sort of
>denial of service attack that would maybe disable such filtering. I
>do not know, but I just thought to ask the experts here.
My guess(tm) is that someone has their wireless client set to connect
to your access point by default. Note that "connect" here means the
initial wireless "association", before any negotiated encryption key,
authentication, or login. Without finishing the actual connection
ordeal and getting past your Access Control List, I can't tell whether
this is an attacker, misconfigured wireless device, or overly
aggressive wireless client. It doesn't look like Kismet or
NetStumbler probes (but I'm not sure).
It would be really tempting to allow them to connect and then sniff
the traffic to see what they try to do. If it's a computer with open
shares, snooping around their computer is usually sufficient to
identify them.
You can also determine if they're using 802.11b or 802.11g to help
identify the culprit. Just set your SRX200 to "802.11b only" or
"802.11g only" to see which one works. That might help identify the
culprit.
If you just want them to go away, you might try changing the SSID on
the SRX200. (Changing the channel will do nothing). If they are set
to connect to your specific SSID, they won't follow the change.
However, if they have their wireless client set to "connect to any
available network", they will follow the change. If it's an attacker,
it may not initially follow the change in SSID, but might follow when
they realize what happened.
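The questions this post raises (who does the OUI belong to, and is the pattern a flood or a client on a retry timer) can be answered from the router log itself. Below is an added example, my code rather than anything posted in the thread, that parses the "MAC-ACL lookup failed" format quoted later in the thread, groups rejections per station and classifies the timing. The sample log lines are constructed (only the first one is the real one from the thread), the OUI table is a one-entry stand-in for the IEEE registry, and the thresholds are my own assumptions.

```python
"""Triage of 'MAC-ACL lookup failed' entries from the SRX200 log.

Added example, not from the thread.  Log format taken from the single line
quoted in the thread; all other sample lines are constructed.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"\S+:\d+ Station \(\d+, \d+\) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"MAC-ACL lookup failed, ssId (?P<ssid>\S+)$",
    re.IGNORECASE,
)

# Constructed one-entry table; use the IEEE OUI registry for real lookups.
OUI_VENDOR = {"00:16:6f": "Intel Corporate"}

# Constructed sample: one station retrying every 60 s, another hammering
# several times per second.  First line is the one quoted in the thread.
SAMPLE_LOG = """\
Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:49:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:50:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8) 00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:17 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:17 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:17 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:18 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:18 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
Wed, 2007-04-11 18:51:18 - aniWsmLimRecvMsgs.c:1115 Station (0, 9) 00:1a:2b:3c:4d:5e, MAC-ACL lookup failed, ssId HOTWANCON
this line is noise and must be skipped by the parser
"""


def parse(log_text):
    """Return (timestamp, mac, ssid) tuples for every ACL rejection line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["mac"].lower(), m["ssid"]))
    return events


def vendor(mac):
    return OUI_VENDOR.get(mac[:8].lower(), "unknown OUI")


def locally_administered(mac):
    """U/L bit of the first octet: set on addresses a user picked, not a vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def triage(events, burst_min=5, burst_gap=5.0, periodic_jitter=2.0):
    """Per-MAC summary with a coarse timing pattern.

    burst:    at least `burst_min` rejections with a mean gap under
              `burst_gap` seconds; no ordinary client reconnects that fast.
    periodic: near-constant gap of 10 s or more, what a client on a
              fixed auto-connect retry timer produces.
    sporadic: anything else.
    """
    per_mac = {}
    for ts, mac, _ssid in events:
        per_mac.setdefault(mac, []).append(ts)
    report = {}
    for mac, times in per_mac.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        if len(times) >= burst_min and mean_gap < burst_gap:
            pattern = "burst"
        elif len(gaps) >= 2 and min(gaps) >= 10 and max(gaps) - min(gaps) <= periodic_jitter:
            pattern = "periodic"
        else:
            pattern = "sporadic"
        report[mac] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "mean_gap_s": mean_gap,
            "pattern": pattern,
            "vendor": vendor(mac),
            "locally_administered": locally_administered(mac),
        }
    return report


if __name__ == "__main__":
    for mac, info in triage(parse(SAMPLE_LOG)).items():
        print(mac, info["vendor"], info["count"], info["pattern"])
```

Note what the log does and does not tell you: a rejection is logged before any WPA handshake, so a "periodic" station is consistent with the auto-connect client the post describes, and even a "burst" only shows that association requests are arriving quickly, not that the ACL has been bypassed. A locally administered address (U/L bit set) is a hint that someone chose the address by hand, but a spoofer who copied a real vendor address will not trip it.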
Jeff Liebermann wrote:
>
> 00:16:6f:3c:9e:cf is an Intel client device. Does your wireless
> desktop or laptop use an Intel wireless chipset? Do you own any other
> wireless device that uses an Intel chipset? Any game machines with
> Wi-Fi?
no not anything I own.
> >Wed, 2007-04-11 18:48:16 - aniWsmLimRecvMsgs.c:1115 Station (0, 8)
> >00:16:6f:3c:9e:cf, MAC-ACL lookup failed, ssId HOTWANCON
>
> My guess(tm) is that someone has their wireless client set to connect
> to your access point by default. Note that "connect" here means the
> initial wireless "association", before any negotiated encryption key,
> authentication, or login. Without finishing the actual connection
> ordeal and getting past your Access Control List, I can't tell whether
> this is an attacker, misconfigured wireless device, or overly
> aggressive wireless client. It doesn't look like Kismet or
> NetStumbler probes (but I'm not sure).
>
> It would be really tempting to allow them to connect and then sniff
> the traffic to see what they try to do. If it's a computer with open
> shares, snooping around their computer is usually sufficient to
> identify them.
>
> You can also determine if they're using 802.11b or 802.11g to help
> identify the culprit. Just set your SRX200 to "802.11b only" or
> "802.11g only" to see which one works. That might help identify the
> culprit.
>
> If you just want them to go away, you might try changing the SSID on
> the SRX200. (Changing the channel will do nothing). If they are set
> to connect to your specific SSID, they won't follow the change.
> However, if they have their wireless client set to "connect to any
> available network", they will follow the change. If it's an attacker,
> it may not initially follow the change in SSID, but might follow when
> they realize what happened.
Well, I have actually changed the SSID, and the logs provided are from
after the change, so it appears to be deliberate attempts, and it is
continuing up to now.
I will give him access, as you suggested, to be able at least to
identify him, or, if I am lucky enough, he will check a POP3 email
account and give me the pleasure of disclosing his data.
On 11 Apr 2007 11:59:21 -0700, "aljuhani" <private.mailbox@gmail.com>
wrote in <1176317961.149446.276570@b75g2000hsg.googlegroups.com>:
>Jeff Liebermann wrote:
>> If you just want them to go away, you might try changing the SSID on
>> the SRX200. (Changing the channel will do nothing). If they are set
>> to connect to your specific SSID, they won't follow the change.
>> However, if they have their wireless client set to "connect to any
>> available network", they will follow the change. If it's an attacker,
>> it may not initially follow the change in SSID, but might follow when
>> they realize what happened.
>
>Well, I have actually changed the SSID, and the logs provided are from
>after the change, so it appears to be deliberate attempts, and it is
>continuing up to now.
Not necessarily -- many wireless clients are configured to try to
connect to any available access point, often by accident.
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>