UPDATED: DoS on hostap

M. Grabert xam
Fri Apr 2 21:18:49 PST 2004 

On Fri, 2 Apr 2004 mike-hostap at tiedyenetworks.com wrote:

> Ok I've been looking at this and I think there's something really screwey
> here. The message "AP: drop packet to non-associated STA
> xx:xx:xx:xx:xx:xx" will all of a sudden begin to be emitted from my AP for
> no discernable reason, flooding the log server and the local network with
> these messages. What I've figured out is that the AP is complaining about
> a frame to a destination mac address of a machine on the lan behind it -
> specfically, a pppoe server. I have been unable to capture any frames
> exchanged between the pppoe server and the access point that would appear
> to cause the problem - it's as if, all of a sudden, something in the ap
> remembers this box and just begins shitting messages like nobody's
> business. I've spent a lot of time with tcpdump trying to capture anything
> suspecious between these two (or any others for that matter), and came up
> empty.

Same for me (albeit on a rather 'obscure' platform: Linux/PA-RISC).

The entries I see in my kernel logs (of the server) are actually in the form

   "Could not find STA '00:01:XX:XX:XX:XX' for this TX error (@yyyyyyyy)"

whereas the four 'XX' bytes are the first four bytes of the *servers* wlan
MAC address (ie. as in XX:XX:XX:XX:xx:xx).

Also interesting is that the value for 'yyyyyy' of subsequent log entries
is always increased by 12490-12510.


> My ap basiclly bridges three interfaces - eth0, wlan0, and wlan1.

I'm only bridging eth1 (normal tulip 10/100 MBit card) and wlan0.


> I have spanning three turned ON, and wlan0/wlan1 are NOT bridging frames

Spanning tree is off here, but this doesn't matter anyway I suppose ...


> nor are they talking to themselves. The software rev is 0.1.3 and both
> wlan cards are running 1.1.0/1.8.0 firmwares. But as I said the AP

My hostap is CVS from about 20 days ago. Firmware is also 1.1.0/1.8.0
on both server (Netgear MA311) and clients (Dlink DWL-650).

[...]


> There is NO WAY that the 'drop packet to
> non-associated STA' message could be referencing any packet received on
> the wireless side, this AP is not in use yet and has nothing around it I
> can hear.

I'm only getting the messages on the server, not the clients.
Obviously the problem is not related to hostap(d) running in AP mode,
but either when using ethernet bridging or using the 1.1.0/1.8.0 firmware
(but I'm pretty sure I've seen the same error messages with 1.7.4 aswell).


BTW, I'm using kernel version 2.4.25 (but seen this error with earlier
versions aswell). Apart from the kernel messages (which appear every 2
minutes and 5 seconds), the wireless network is working fine.

Another important note: the messages start to appear once a client
connects to the server. From then on it never stops (if I disconnect/power off
the client, the kernel log messages still continue to appear every 2:05 mins).


Sorry that I can't help you, but maybe my comments help some hostap
developers to isolate the problem?


Greetings,
  Max

More information about the Hostap mailing list