DoS cracking quesiton.

Hello all,

My wireless network has recently been DOSed. With police intervention, we
were able to fix the problem but I'm wondering if anyone would be able to
enlighten me with the exact attack we endured:

First it started where no one outside of 2km of certain sectors could get
Internet. We found that the issue was only on verticle polarity so we
switched a great number of people to one of our other towers that happen
to be on horizontal, writing things off as something new deployed on
verticle. Then, on another PoP (the guy set moved his equipment to a new
tower of ours) two of our sectors went down. After much playing around it
just happened by chance we saw a house with a 24dBi antenna pointed at our
tower at only 2km away. Before they "decided" to turn the equipment off,
we made the following discoveries:

-> Netstumber could NOT find the two AP's that this 24dBi dish happened to
be pointed inbetween. Not at 100m away, and definetly not 1km to 10km
away.

-> Kismet could see that it was broadcasting a signal, that it was as
strong as usual. This is interesting, since Kismet is passive, I came to
the conclusion that the AP was NOT receiving any packets but was definetly
sending things out. Kismet reported some traffic (~10 to 20
packets/second). Interestingly, if we turned WEP off, Kismet could see
the ARP packets being broadcasted out. We concluded that the AP could
transmit packets, but there was no room for it the receive them.

-> The associations list on the AP's were empty.

-> Things went back to normal immidiately following the shut down of the
incriminating antenna.

Thanks in advance,
Kevin Brown.
www.wavedirect.net

>just happened by chance we saw a house with a 24dBi antenna pointed at our
>tower at only 2km away.

>the conclusion that the AP was NOT receiving any packets but was definetly
>sending things out.

Could be as simple as just a carrier overloading the receiver on your
APs. Wouldn't take much, and you're lucky he wasn't very subtle (or
very smart). Check your FCC license for your rights in reference to
interference...

Because the Polarization made such a difference, the problem does not seem
to
be a DOS attack.. i.e. "deauth" attack.... but more so just vertical
Polarization interference..
If you are running at 2.4 and you saw a 24dbi dish, it is not necessarily
802.11 that it is x-mitting
with at 2.4 hence you will not detect such stuff on 802.11 tools.. well
maybe you will as
noise (poor SNR etc)... I suggest running a spectrum analyzer and do a
sweep vertical and
horizontal to see if you see any interference... even frequency hop
interference...
Then by aiming a tight beamwidth antenna, locate the source and contact the
people where it
is coming from... Often stuff like this is non-intentional...


"Kevin Brown" <itismekevinb-NOSPAM-@hotmail.com> wrote in message
news(E-Mail Removed)...
> Hello all,
>
> My wireless network has recently been DOSed. With police intervention, we
> were able to fix the problem but I'm wondering if anyone would be able to
> enlighten me with the exact attack we endured:
>
> First it started where no one outside of 2km of certain sectors could get
> Internet. We found that the issue was only on verticle polarity so we
> switched a great number of people to one of our other towers that happen
> to be on horizontal, writing things off as something new deployed on
> verticle. Then, on another PoP (the guy set moved his equipment to a new
> tower of ours) two of our sectors went down. After much playing around it
> just happened by chance we saw a house with a 24dBi antenna pointed at our
> tower at only 2km away. Before they "decided" to turn the equipment off,
> we made the following discoveries:
>
> -> Netstumber could NOT find the two AP's that this 24dBi dish happened to
> be pointed inbetween. Not at 100m away, and definetly not 1km to 10km
> away.
>
> -> Kismet could see that it was broadcasting a signal, that it was as
> strong as usual. This is interesting, since Kismet is passive, I came to
> the conclusion that the AP was NOT receiving any packets but was definetly
> sending things out. Kismet reported some traffic (~10 to 20
> packets/second). Interestingly, if we turned WEP off, Kismet could see
> the ARP packets being broadcasted out. We concluded that the AP could
> transmit packets, but there was no room for it the receive them.
>
> -> The associations list on the AP's were empty.
>
> -> Things went back to normal immidiately following the shut down of the
> incriminating antenna.
>
> Thanks in advance,
> Kevin Brown.
> www.wavedirect.net

Do you know of any software that can use a standard 802.11 card as a
spectrum analyser? After this, we have decided to install a wireless
intrustion detection using a WRAP board, an omni and kismet. From my
understanding, kismet will pick up any 802.11 style attacks (deauth,
AusCERT AA.2004-02, etc.), but is there a way we can pick up interference
of 2.4ghz noise with an 802.11 card?

Thanks in advance,
Kevin Brown.

On Mon, 06 Feb 2006 19:16:36 +0000, Fresnel Fadermargini wrote:

> Because the Polarization made such a difference, the problem does not seem
> to
> be a DOS attack.. i.e. "deauth" attack.... but more so just vertical
> Polarization interference..
> If you are running at 2.4 and you saw a 24dbi dish, it is not necessarily
> 802.11 that it is x-mitting
> with at 2.4 hence you will not detect such stuff on 802.11 tools.. well
> maybe you will as
> noise (poor SNR etc)... I suggest running a spectrum analyzer and do a
> sweep vertical and
> horizontal to see if you see any interference... even frequency hop
> interference...
> Then by aiming a tight beamwidth antenna, locate the source and contact the
> people where it
> is coming from... Often stuff like this is non-intentional...
>
>

Kevin Brown <itismekevinb-NOSPAM-@hotmail.com> hath wroth:

>Do you know of any software that can use a standard 802.11 card as a
>spectrum analyser? After this, we have decided to install a wireless
>intrustion detection using a WRAP board, an omni and kismet. From my
>understanding, kismet will pick up any 802.11 style attacks (deauth,
>AusCERT AA.2004-02, etc.), but is there a way we can pick up interference
>of 2.4ghz noise with an 802.11 card?

http://www.metageek.net $99.
Sees, noise, cordless phones, microwave ovens, etc.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558