[Battlemesh] Extremely odd wireless network in the air causing problems

Musti musti at wlan-si.net
Wed Nov 27 20:11:37 CET 2013


Hi,

thanks for the reply. Meanwhile I have figured this may be a non-targeted deauthentication jamming. http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/

However what I am seeing now with tcpdump analysis is that these deauth packets from a single source have an incremental destination address in a rather peculiar form. First two sections remain constant, the others start incrementing from left to right, rolling over back to 49:00:00…. in a period of hours. Now that attack does not make sense, because it is not targeting any specific manufacturer of type of the network, performing pretty much just an RF jam and succeeding in it.

1029548	2450.247257000	28:00:de:6c:11:9e	49:00:1f:86:b5:6f	802.11	102	Deauthentication, SN=2145, FN=1, Flags=........C[Malformed Packet]	-89 dBm	6.0
1029549	2450.252103000	28:00:de:6c:11:9e	49:00:2c:86:b5:6f	802.11	102	Deauthentication, SN=2145, FN=1, Flags=........C[Malformed Packet]	-90 dBm	6.0
1029550	2450.260856000	28:00:de:6c:11:9e	49:00:43:86:b5:6f	802.11	102	Deauthentication, SN=2145, FN=1, Flags=........C[Malformed Packet]	-89 dBm	6.0

Ideas welcome.

Regards,
Musti



On 27 Nov 2013, at 18:37, Ben West <ben at gowasabi.net> wrote:

> If there is any remote chance the party operating these radios is using atheros chipsets with the ath9k_htc driver, then it may be possible to spoof them into revealing their actual MAC addresses.
> 
> http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html
> 
> 
> On Wed, Nov 27, 2013 at 3:19 AM, Musti <musti at wlan-si.net> wrote:
> Hi folks,
> 
> I am writing to you all with a description of a problem I am facing at the moment here in Slovenia, where a very odd wireless network is causing problems in existing networks. Any thoughts and ideas would be welcome.
> 
> Location: Maribor, Slovenia
> 
> A few days ago a network appeared in the air, that uses 802.11 but is not a conventional AP or mesh, transmitting at a rather high power in several directions, possibly omni at 5680MHz (ch 136). Triangulation of the signal thus-far has been a failure, not being able to find any consistent direction of the origin and perform triangulation. But looking at the traffic generated by this “thing” is where it gets weird.
> 
> All the packets transmitted have a common BSSID: DE:6C:11:9E:DE:6C and originate from the following devices:
> 
> 10:0E:DE:6C:11:9E
> E8:00:DE:6C:11:9E
> 28:00:DE:6C:11:9E
> 3E:00:DE:6C:11:9E
> 64:00:DE:6C:11:9E
> 30:00:DE:6C:11:9E
> 
> As well as
> 10:0E:00:00:00:00
> E8:00:00:00:00:00
> 28:00:00:00:00:00
> 3E:00:00:00:00:00
> 64:00:00:00:00:00
> 30:00:00:00:00:00
> 
> The MAC addresses do not appear to be from a valid vendor, first to sections changing make no sense really.
> 
> Now things get even more strange, the traffic is of 6M bitrate, consisting only of DeAutehntication packets, utilising the maximum throughput of the channel, mostly originating from 28:00:DE:6C:11:9E. Example from tcpdump verbose output:
> 
> 01:54:32.120993 30290112us tsft 6.0 Mb/s 5680 MHz 11a -87dB signal antenna 1 DeAuthentication (28:00:de:6c:11:9e (oui Unknown)): Reserved
> 
> Some other packets of type ACK and RTS have been seen, but absolutely no data of any form.
> 
> The measurements and observations were made using Ubiquiti Nanostation Loco M5, Nanobridge M5 25dB running openwrt AA, using Horst and tcpdump. Btw, on these devices the only way how to make horst listen on a specific channel appears to be by creating an ap on that channel and then adding a mon0 interface. Any ideas how to use it more conveniently or use automatic channel hopping. Manual setting of the channel allows only the first two digits to be entered.
> 
> 
> Any ideas on what other experiments to do and how to go about finding the source of this “noise” would be appreciated.
> 
> Kind regards,
> Musti
> wlan slovenija
> 
> 
> 
> _______________________________________________
> Battlemesh mailing list
> Battlemesh at ml.ninux.org
> http://ml.ninux.org/mailman/listinfo/battlemesh
> 
> 
> 
> -- 
> Ben West
> http://gowasabi.net
> ben at gowasabi.net
> 314-246-9434
> _______________________________________________
> Battlemesh mailing list
> Battlemesh at ml.ninux.org
> http://ml.ninux.org/mailman/listinfo/battlemesh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://ml.ninux.org/pipermail/battlemesh/attachments/20131127/75789e94/attachment-0001.html>


More information about the Battlemesh mailing list