[Battlemesh] Extremely odd wireless network in the air causing problems

Michel de Geofroy micheldegeofroy at gmail.com
Wed Nov 27 23:00:58 CET 2013 

Maybe this is exactly what it is ... RF jamming ... I know of a ibiza WISP
that jammed the competition to prepare his entry in the market.



Michel


Proudly Accepting Bitcoins 178QhTbSins1EnBqyL62k2uUrigh1Xc56Z you too start
exchanging in bitcoins and join the revolution :)

If you want to donate money or more to a good cause check out
http://www.amigosolidarios.com/es/que_hacer.asp

+34 606 88 22 79
Skype micheldegeofroy


On Wed, Nov 27, 2013 at 8:11 PM, Musti <musti at wlan-si.net> wrote:

> Hi,
>
> thanks for the reply. Meanwhile I have figured this may be a non-targeted
> deauthentication jamming.
> http://hackaday.com/2011/10/04/wifi-jamming-via-deauthentication-packets/
>
> However what I am seeing now with tcpdump analysis is that these deauth
> packets from a single source have an incremental destination address in a
> rather peculiar form. First two sections remain constant, the others start
> incrementing from left to right, rolling over back to 49:00:00…. in a
> period of hours. Now that attack does not make sense, because it is not
> targeting any specific manufacturer of type of the network, performing
> pretty much just an RF jam and succeeding in it.
>
> 1029548 2450.247257000 28:00:de:6c:11:9e 49:00:1f:86:b5:6f 802.11 102 Deauthentication,
> SN=2145, FN=1, Flags=........C[Malformed Packet] -89 dBm 6.0
> 1029549 2450.252103000 28:00:de:6c:11:9e 49:00:2c:86:b5:6f 802.11 102 Deauthentication,
> SN=2145, FN=1, Flags=........C[Malformed Packet] -90 dBm 6.0
> 1029550 2450.260856000 28:00:de:6c:11:9e 49:00:43:86:b5:6f 802.11 102 Deauthentication,
> SN=2145, FN=1, Flags=........C[Malformed Packet] -89 dBm 6.0
>
> Ideas welcome.
>
> Regards,
> Musti
>
>
>
> On 27 Nov 2013, at 18:37, Ben West <ben at gowasabi.net> wrote:
>
> If there is any remote chance the party operating these radios is using
> atheros chipsets with the ath9k_htc driver, then it may be possible to
> spoof them into revealing their actual MAC addresses.
>
> http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html
>
>
> On Wed, Nov 27, 2013 at 3:19 AM, Musti <musti at wlan-si.net> wrote:
>
>> Hi folks,
>>
>> I am writing to you all with a description of a problem I am facing at
>> the moment here in Slovenia, where a very odd wireless network is causing
>> problems in existing networks. Any thoughts and ideas would be welcome.
>>
>> Location: Maribor, Slovenia
>>
>> A few days ago a network appeared in the air, that uses 802.11 but is not
>> a conventional AP or mesh, transmitting at a rather high power in several
>> directions, possibly omni at 5680MHz (ch 136). Triangulation of the signal
>> thus-far has been a failure, not being able to find any consistent
>> direction of the origin and perform triangulation. But looking at the
>> traffic generated by this “thing” is where it gets weird.
>>
>> All the packets transmitted have a common BSSID: DE:6C:11:9E:DE:6C and
>> originate from the following devices:
>>
>> 10:0E:DE:6C:11:9E
>> E8:00:DE:6C:11:9E
>> 28:00:DE:6C:11:9E
>> 3E:00:DE:6C:11:9E
>> 64:00:DE:6C:11:9E
>> 30:00:DE:6C:11:9E
>>
>> As well as
>> 10:0E:00:00:00:00
>> E8:00:00:00:00:00
>> 28:00:00:00:00:00
>> 3E:00:00:00:00:00
>> 64:00:00:00:00:00
>> 30:00:00:00:00:00
>>
>> The MAC addresses do not appear to be from a valid vendor, first to
>> sections changing make no sense really.
>>
>> Now things get even more strange, the traffic is of 6M bitrate,
>> consisting only of DeAutehntication packets, utilising the maximum
>> throughput of the channel, mostly originating from 28:00:DE:6C:11:9E.
>> Example from tcpdump verbose output:
>>
>> 01:54:32.120993 30290112us tsft 6.0 Mb/s 5680 MHz 11a -87dB signal
>> antenna 1 DeAuthentication (28:00:de:6c:11:9e (oui Unknown)): Reserved
>>
>> Some other packets of type ACK and RTS have been seen, but absolutely no
>> data of any form.
>>
>> The measurements and observations were made using Ubiquiti Nanostation
>> Loco M5, Nanobridge M5 25dB running openwrt AA, using Horst and tcpdump.
>> Btw, on these devices the only way how to make horst listen on a specific
>> channel appears to be by creating an ap on that channel and then adding a
>> mon0 interface. Any ideas how to use it more conveniently or use automatic
>> channel hopping. Manual setting of the channel allows only the first two
>> digits to be entered.
>>
>>
>> Any ideas on what other experiments to do and how to go about finding the
>> source of this “noise” would be appreciated.
>>
>> Kind regards,
>> Musti
>> wlan slovenija
>>
>>
>>
>> _______________________________________________
>> Battlemesh mailing list
>> Battlemesh at ml.ninux.org
>> http://ml.ninux.org/mailman/listinfo/battlemesh
>>
>
>
>
> --
> Ben West
> http://gowasabi.net
> ben at gowasabi.net
> 314-246-9434
>  _______________________________________________
> Battlemesh mailing list
> Battlemesh at ml.ninux.org
> http://ml.ninux.org/mailman/listinfo/battlemesh
>
>
>
> _______________________________________________
> Battlemesh mailing list
> Battlemesh at ml.ninux.org
> http://ml.ninux.org/mailman/listinfo/battlemesh
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://ml.ninux.org/pipermail/battlemesh/attachments/20131127/172c66fc/attachment-0001.html>

More information about the Battlemesh mailing list