Denial of service against hostap
mike-hostap at tiedyenetworks.com
Wed Mar 31 09:36:51 PST 2004
In addition to my other woes, I have a new site coming online and it
looks like someone doesn't want me there. One sector of my AP, hostap
0.1.3, is receiving bunches of frames that all have an incrementing BSSID
.. check this out:
13:11:55.562970 More Data WEP Encrypted 41480us BSSID:00:e4:66:72:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.567083 More Data WEP Encrypted 41480us BSSID:01:84:66:73:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.570037 More Data WEP Encrypted 41480us BSSID:00:e4:66:74:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.573020 More Data WEP Encrypted 41480us BSSID:00:e4:66:75:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.576193 More Data WEP Encrypted 41480us BSSID:00:e4:66:76:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.579020 More Data WEP Encrypted 41480us BSSID:00:e4:66:77:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.582038 More Data WEP Encrypted 41480us BSSID:00:e4:66:78:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.585205 More Data WEP Encrypted 41480us BSSID:00:e4:66:79:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.588238 More Data WEP Encrypted 41480us BSSID:00:e4:66:7a:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.591123 More Data WEP Encrypted 41480us BSSID:00:e4:66:7b:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.594107 More Data WEP Encrypted 41480us BSSID:00:e4:66:7c:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.597239 More Data WEP Encrypted 41480us BSSID:00:e4:66:7d:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.598267 More Data WEP Encrypted 41480us BSSID:00:34:66:7e:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:10 Assoc Request ()
At the same time, hostap squirts out thousands of kernel messages
per minute:
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
AP: drop packet to non-associated STA 00:60:08:a2:01:a4
Not doing any good for performance. Also while sniffing in monitor
mode 2, I get the following occasionally:
13:19:33.774071 More Data WEP Encrypted 41480us BSSID:01:84:9b:bb:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request () [32.0 44.0 32.5
60.5* 37.5 40.5* 49.5* 32.0 30.0* 62.0* 38.5 46.0 2.5* 5.0* 7.0 39.0 33.0
56.5* 49.5 63.5 21.0 63.5 9.5 30.0 13.5* 21.0* 46.0 3.0* 35.0* 6.5* 45.0*
24.0 7.0 12.0* 9.0* 63.0 22.5* 27.5 9.5* 56.0* 41.0 47.0* 25.5* 36.0* 36.5
22.5* 42.5* 29.5 10.5 61.5 0.5* 10.5 34.0* 1.0 58.0 38.0* 31.5 2.0* 61.5
1.0* 51.0* 55.0 6.0* 54.5 33.0 40.0 49.0* 37.0 43.5* 32.5* 22.0* 8.0* 6.5*
31.5 55.5 54.5 52.0* 0.0 20.0 27.5 58.5* 33.0 11.0* 4.0* 51.5* 1.0 58.0*
13.0* 28.0 31.5* 13.5 5.0* 15.5 37.5 17.5 25.0* 17.0 39.0 33.0* 3.5* 19.0
17.0* 34.0* 22.0 59.0* 53.0* 27.0* 21.5* 36.0 9.0 36.0 54.0* 30.5 31.0*
4.5 23.5* 36.0* 4.5* 43.0* 6.5 45.0* 16.0* 37.0 58.5 6.0 58.5 28.0* 47.5
25.0 3.5* 61.5* 47.0* 50.5 50.0 48.5* 39.5 57.5 28.0 2.0* 0.5 6.0 36.0
23.0 63.0 0.5* 22.5* 54.5* 52.0 14.0* 9.0* 59.5 25.0 63.0 61.5 1.5* 28.5*
38.5 Mbit]
And other garbage frames. If I put it into mode 3, then I get
basically every type of frame that tcpdump can throw at me. Here's a
representative selection:
13:20:45.128419 unknown IEEE802.11 frame type (3)More Fragments Pwr Mgmt
Retry 29727us (header) unknown IEEE802.11 frame type (3)unknown 802.11
frame type (3)
13:20:45.131271 More Fragments Retry Strictly Ordered 52568us
BSSID:2f:44:08:d0:c7:03 DA:e5:29:d6:4a:71:22 SA:45:82:a5:0e:65:f0 Probe
Response () CH: 0, PRIVACY
13:20:45.134159 More Data More Fragments Retry Strictly Ordered WEP
Encrypted 60240us CF Poll BSSID:44:27:22:73:8b:45 SA:93:c5:08:de:2d:12
DA:f2:48:f9:84:24:7d Data IV:b86ac9 Pad 2b KeyID 1
13:20:45.137221 Pwr Mgmt 25190us (H) Unknown Ctrl SubtypeUnknown Ctrl
Subtype
13:20:45.139782 More Fragments Pwr Mgmt Strictly Ordered WEP Encrypted
40380us BSSID:f6:e2:5c:0b:2a:54 DA:b0:47:1e:f8:11:11 SA:1e:a4:5a:87:07:74
ATIM
13:20:45.142571 More Fragments Strictly Ordered WEP Encrypted 58341us
BSSID:2b:25:2f:a2:5c:ca SA:5b:aa:76:d6:74:79 DA:b1:ce:de:83:7f:cd Data
IV:880f65 Pad 2f KeyID 3
13:20:45.145516 More Data More Fragments Pwr Mgmt Strictly Ordered WEP
Encrypted BSSID:72:0d:1f:e6:6c:80 TA:ad:98:81:76:a7:90 Power Save-Poll
AID(a943)
13:20:45.148347 unknown IEEE802.11 frame type (3)More Data More Fragments
Pwr Mgmt Strictly Ordered 56090us (header) unknown IEEE802.11 frame type
(3)unknown 802.11 frame type (3)
13:20:45.151055 More Data Retry Strictly Ordered 11515us (H) Unknown Ctrl
SubtypeUnknown Ctrl Subtype
13:20:45.153685 unknown IEEE802.11 frame type (3)Retry WEP Encrypted
47748us (header) unknown IEEE802.11 frame type (3)unknown 802.11 frame
type (3)
13:20:45.156378 unknown IEEE802.11 frame type (3)WEP Encrypted 33424us
(header) unknown IEEE802.11 frame type (3)unknown 802.11 frame type (3)
13:20:45.159097 More Data Pwr Mgmt WEP Encrypted 51516us
RA:85:51:7f:16:8f:67 BSSID:0a:b1:db:bd:b8:d0 CF-End+CF-Ack
13:20:45.161925 More Data Pwr Mgmt Retry Strictly Ordered WEP Encrypted
14921us BSSID:23:8b:4b:b9:77:32 SA:4c:e4:03:cc:da:07 DA:2b:fd:74:c7:13:33
Data IV:fe2d3f Pad 33 KeyID 1
13:20:45.164703 More Data More Fragments Retry Strictly Ordered WEP
Encrypted 48794us RA:d3:60:94:be:69:03 BSSID:aa:76:47:68:e3:7e CF-End
13:20:45.167527 More Data More Fragments Retry 52304us
BSSID:58:ae:dd:7f:66:dd DA:1d:10:62:c3:77:d9 SA:cf:74:a0:f8:2c:91 ReAssoc
Request () AP : 2f:de:fa:14:72:f9
13:20:45.170427 More Data More Fragments Strictly Ordered WEP Encrypted
21691us CF Ack/Poll BSSID:28:79:92:9d:b2:3e SA:0e:94:0a:13:3c:39
DA:8f:07:51:60:19:84 Data IV:29f9d8 Pad 23 KeyID 3
13:20:45.173264 More Fragments Strictly Ordered 55265us
DA:e4:14:a8:02:65:1e BSSID:18:88:78:b0:fa:d3 SA:9d:78:81:a1:ef:08 LLC,
dsap 0x90, ssap 0x1b, cmd 0x74, sap 1a > sap 90 I (s=58,r=55,R) len=102
13:20:45.176294 unknown IEEE802.11 frame type (3)More Fragments Retry WEP
Encrypted 56942us (header) unknown IEEE802.11 frame type (3)unknown 802.11
frame type (3)
13:20:45.179289 Retry 25288us BSSID:b8:e6:97:c2:db:82 DA:2f:88:09:40:85:81
SA:99:c1:cb:da:c3:4b Unhandled Management subtype(e)
13:20:45.182042 Pwr Mgmt Retry WEP Encrypted 3630us RA:93:6f:db:a1:d2:a5
BSSID:b0:51:30:40:c6:01 CF-End+CF-Ack
13:20:45.184756 More Fragments Pwr Mgmt Strictly Ordered WEP Encrypted
21931us CF Ack BSSID:d5:ae:b9:47:ce:e4 SA:df:cd:54:b7:0d:af
DA:04:a2:d3:fd:23:75 Data IV:5e2017 Pad 19 KeyID 2
13:20:45.187532 unknown IEEE802.11 frame type (3)More Data Retry Strictly
Ordered 63704us (header) unknown IEEE802.11 frame type (3)unknown 802.11
frame type (3)
13:20:45.190516 Pwr Mgmt WEP Encrypted 5790us RA:6a:62:ea:61:cb:26
TA:16:af:ce:f2:e1:3c DA:0e:e0:f1:63:cd:fe SA:3c:30:cb:92:67:9a Data
IV:2108d5 Pad 9 KeyID 3
13:20:45.193198 More Data More Fragments Strictly Ordered WEP Encrypted
55352us (H) Unknown Ctrl SubtypeUnknown Ctrl Subtype
13:20:45.195966 unknown IEEE802.11 frame type (3)More Data More Fragments
Retry 14480us (header) unknown IEEE802.11 frame type (3)unknown 802.11
frame type (3)
13:20:45.198576 More Fragments 54720us RA:e6:c9:38:95:8a:7e
TA:73:f8:0c:7c:a7:ac DA:cd:b1:27:f2:55:b2 SA:b6:16:d0:30:3e:5d LLC, dsap
0xca, ssap 0xcd, cmd 0x67, sap cc > sap ca 67/R len=49
13:20:45.201798 More Data Pwr Mgmt Strictly Ordered WEP Encrypted 63838us
(H) Unknown Ctrl SubtypeUnknown Ctrl Subtype
13:20:45.204569 More Data Pwr Mgmt Strictly Ordered WEP Encrypted 13758us
BSSID:57:17:ff:d9:3c:5d DA:c2:e4:5a:ca:71:a5 SA:0e:c8:e6:b8:a0:fe
Unhandled Management subtype(e)
13:20:45.205313 0us BSSID:00:02:6f:08:0e:16 DA:ff:ff:ff:ff:ff:ff
SA:00:02:6f:08:0e:16 Beacon (Punk go away now) [1.0* 2.0* 5.5 11.0 Mbit]
ESS CH: 11, PRIVACY
13:20:45.208537 More Fragments Pwr Mgmt WEP Encrypted 54226us
RA:4f:4c:f2:0e:92:a4 Clear-To-Send
13:20:45.211787 More Data Pwr Mgmt Retry Strictly Ordered 63691us
BSSID:c0:5f:66:54:cf:2b SA:cd:cd:32:19:b8:1e DA:56:fd:23:33:6e:cb LLC,
dsap 0x1a, ssap 0xbc, cmd 0x34, sap bc > sap 1a I (s=26,r=31,P) len=262
13:20:45.214589 More Data More Fragments 38250us (H) Unknown Ctrl
SubtypeUnknown Ctrl Subtype
13:20:45.217481 More Fragments Pwr Mgmt WEP Encrypted 41867us (H) Unknown
Ctrl SubtypeUnknown Ctrl Subtype
13:20:45.219951 More Data Retry Strictly Ordered WEP Encrypted 34268us
BSSID:0f:fb:72:2a:a8:42 DA:c8:99:ab:e9:a3:cb SA:c9:bb:c6:6e:90:9b
Unhandled Management subtype(d)
13:20:45.222796 Pwr Mgmt Strictly Ordered BSSID:86:00:66:bd:e9:1e
TA:14:79:06:49:66:17 Power Save-Poll AID(f78)
13:20:45.225557 More Data More Fragments 7466us BSSID:ee:99:bf:04:ca:82
DA:4e:37:56:0b:78:0c SA:89:6b:4c:88:ea:36 SuccesfulUnhandled Management
subtype(f)
13:20:45.228305 More Data Pwr Mgmt Strictly Ordered 10978us
RA:cf:01:fe:e1:3c:52 Clear-To-Send
13:20:45.231445 Strictly Ordered 14387us BSSID:cb:73:3e:49:cb:ab
DA:95:cb:c9:25:a5:cd SA:57:42:7f:0f:96:52 Probe Response () CH: 0,
PRIVACY
Any ideas?
--
WillitsOnline.Com - Your LOCAL provider of High Speed Internet!
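
The pattern reported above (one SA/DA pair appearing under a BSSID that changes from frame to frame) can be measured from a saved tcpdump text capture. This is an added example, not part of the original post or of hostap; the function names, the one-second window and the threshold of three BSSIDs are assumptions, and the capture is assumed not to cross midnight. It reports the churn only and does not establish whether the cause is hostile traffic or corrupted frames.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAMP = r"\d\d:\d\d:\d\d\.\d{6} "
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FIELD = {k: re.compile(rf"\b{k}:{MAC}") for k in ("BSSID", "SA", "DA")}

# Sample input: frames copied from the capture in the post, still wrapped
# the way the mail client wrapped them, plus the one well-formed beacon.
SAMPLE = """\
13:11:55.562970 More Data WEP Encrypted 41480us BSSID:00:e4:66:72:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.567083 More Data WEP Encrypted 41480us BSSID:01:84:66:73:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:11:55.570037 More Data WEP Encrypted 41480us BSSID:00:e4:66:74:40:00
DA:01:a4:00:00:24:c1 SA:e1:c0:08:00:45:12 Assoc Request ()
13:20:45.205313 0us BSSID:00:02:6f:08:0e:16 DA:ff:ff:ff:ff:ff:ff
SA:00:02:6f:08:0e:16 Beacon (Punk go away now) [1.0* 2.0* 5.5 11.0 Mbit]
ESS CH: 11, PRIVACY
"""

def rejoin(text):
    """Undo mail wrapping: a newline not followed by a timestamp is a wrap."""
    return re.sub(rf"\n(?!{STAMP})", " ", text).strip().splitlines()

def parse(record):
    """Return (time, bssid, sa, da), or None when a field is missing."""
    macs = [rx.search(record) for rx in FIELD.values()]
    if not re.match(STAMP, record) or not all(macs):
        return None
    t = datetime.strptime(record[:15], "%H:%M:%S.%f")
    return (t, *(m.group(1) for m in macs))

def bssid_churn(text, window=timedelta(seconds=1), threshold=3):
    """Map each (SA, DA) pair seen with >= threshold BSSIDs in one window."""
    by_pair = defaultdict(list)
    for t, bssid, sa, da in filter(None, map(parse, rejoin(text))):
        by_pair[(sa, da)].append((t, bssid))
    flagged = {}
    for pair, frames in by_pair.items():
        frames.sort()
        for start, _ in frames:
            seen = {b for t, b in frames if timedelta(0) <= t - start <= window}
            if len(seen) >= threshold:
                flagged[pair] = sorted(seen)
                break
    return flagged
```

Frames without all three address fields (control frames such as Clear-To-Send) are skipped rather than counted.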