[prev in list] [next in list] [prev in thread] [next in thread] 

List:       security-basics
Subject:    Re: DOS Attack Follow Up
From:       "Times Enemy" <times () krr ! org>
Date:       2004-11-29 22:11:24
Message-ID: 2777.66.193.202.212.1101766284.squirrel () 66 ! 193 ! 202 ! 212
[Download RAW message or body]

Greetings.

Others may have mentioned, but you may want to change any WEP/WPA keys,
assuming this is not automagically/already done.

Wireless encryption may be cracked if enough packets are captured and
analyzed.  RST packets may drop a connection.  If the target drops, it may
then automatically attempt to reconnect, generating more packets.  For the
attacker, this is a nice utilization of, what is hopefully, a single RST
packet.  Flooding RST's is rather obtuse, and/or obvious, but capable.  On
a highly populated AP, large AP node, RST's are more effective.

As a "preventative" measure, i suggest physically locating the source of
the broadcast(s) ....  ;)

ciao
.times enemy


> Hi List. Thank you all for you insightful replies. I am posting this as a
> follow up to some comments and questions.
>
> I am caputing the traffic by SPANing a port on my switch to a port where I
> have a box running ethereal. I don't think the internal network is being
> spoofed because during the outage all traffic is coming from the 'outside'
> to the 'inside'. The traffic is unicast not broadcast. During the attack
> there are RST packets only, no data. Does any know how to prevent this
> type
> of RST attack? Thanks.
>
> shawn

[prev in list] [next in list] [prev in thread] [next in thread]