
Single device packet flood


23 replies to this topic

#1 Darktune

Darktune

    Very Purple


  • Members
  • 1,139 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wales
  • Local time:07:09 AM

Posted 07 November 2013 - 11:36 AM

Hey everyone,

 

We have a Meraki MR12 AP in our public space and we can see that in the event log it states "Single device packet flood Dos count:100".

 

Now on the Meraki website it says this..

 

 

 

  • Single or multiple device packet flood - denotes that an AP has detected that single or multiple client(s) have attempted to flood the wireless environment with a type of packet. These messages can indicate a malicious attack or temporary, client-based misbehavior.

 

Is this always malicious or could there be another reason this happens?

 

Any advice would be great!

Thanks,

 

Darktune


It's very hard to imagine all the crazy things that things really are like. 

Electrons act like waves.. no they don't exactly, they act like particles.. no they don't exactly.

Words and ideas can change the world.



 


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:04:09 PM

Posted 07 November 2013 - 06:21 PM

It can just be a device error, it's not that unusual.... If you see this just once it is likely that's what it is.



#3 Darktune

  • Topic Starter

Posted 07 November 2013 - 06:39 PM

Well today it happened four times within the space of 6 minutes. All of them 100 Dos.




#4 TsVk!


Posted 07 November 2013 - 06:52 PM

You can be pretty sure that's malicious... Here's a list of stuff they could be trying, and some other stuff too.

 

https://community.ja.net/system/files/222/known-wireless-attacks.pdf



#5 TsVk!


Posted 07 November 2013 - 06:53 PM

Probably trying to pwn your password and router.



#6 Darktune


Posted 07 November 2013 - 07:05 PM

Them doing that is a dead end for them and is stupid for a few reasons.

 

1. The free public WiFi is in no way connected to the Private network with all our data stored.

2. Every time they packet flood, our AP automatically blocks their MAC address.

3. They're not achieving anything




#7 TsVk!


Posted 07 November 2013 - 07:22 PM

The MAC address can be spoofed and changed every flood; they want control of the router not to get your information but to hack everyone else on the network (i.e. the public).



#8 Darktune


Posted 07 November 2013 - 07:59 PM

This is true; however, the Meraki has measures in place to protect against this.




#9 TsVk!


Posted 07 November 2013 - 08:04 PM

Good job. Nice that you are keeping world+dog safe from the cyber-bad guys in your local area :thumbsup2:



#10 Darktune


Posted 07 November 2013 - 08:07 PM

Lol, although I am aware that they'd get in if they wanted to. But there's hardly anything worth hacking into as most of our users do social networking.. haha




#11 TsVk!


Posted 07 November 2013 - 08:19 PM

They will RAT them if they can get in...

 

There are many, many ways to monetize from these exploits. It's really very interesting stuff to learn about. I spent a long while studying this subject, just so I can protect my company's network better.

 

Even hacked FB accounts are worth serious money if exploited correctly...



#12 Darktune


Posted 14 November 2013 - 10:22 AM

Hey,

I have somewhat of an extension on my post..

 

It seems that we are having this type of flood every day now, or near enough. Let me show you what I mean..

 

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 14 14:15 - Nov 14 14:15 - Probe request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 13 16:47 - Nov 13 16:48  - Authentication  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 12 20:13 - Nov 12 21:22 - Probe request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 10 15:12 - Nov 10 15:12 - Association request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 9 21:56 - Nov 9 23:24 - Probe request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 9 09:10 - Nov 9 09:10 - Probe request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 18:41 - Nov 8 19:59 - Authentication, Association request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 09:30 - Nov 8 09:31 - Probe request  

Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 09:30 - Nov 8 09:31 - Authentication, Re-association request

 

I have removed the MAC addresses for safety; however, they are ALL different MAC addresses.

 

Any ideas?

 

Thanks,

 

Darktune


Edited by Darktune, 14 November 2013 - 10:25 AM.



#13 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:04:09 PM

Posted 14 November 2013 - 08:00 PM

It is at certain times of the day; it's almost like someone is bringing a device into the WiFi reach point and might have a trojan trying to do man-in-the-middle attacks on any AP it finds.

I would be checking the times and comparing them.

It doesn't look like a flood either. Single source packet flood is just a standard word used when a device tries to access any given AP and fails (like the Computer Browser service to keep track of machine names on a Windows network). It's like a broadcast: it floods, but do we call a broadcast a flood packet? Technically it is, but it's also used as a networking topology mechanism.



#14 TsVk!


Posted 14 November 2013 - 09:18 PM

Hmmm, just looking at the times it appears that it is a deliberate attack, judging by the fact that the probe attempts generally only occur in the same 12 hour period...

 

Could be gathering data or information. Some of these things take a few attempts to get right... search hacking wireless with Backtrack, would get this sort of response with this sort of technique. (which will fail miserably against your router)

 

Glad it's not me.
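
An added example, not part of any post in this thread: one way to do the time comparison suggested in posts #13 and #14, parsing the event lines from post #12 and grouping them by duration, start hour and frame type. The year (taken from the post date) and the 5-minute cut-off between a burst and a sustained event are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Event lines copied from post #12; the MAC addresses were redacted there.
EVENTS = """\
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 14 14:15 - Nov 14 14:15 - Probe request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 13 16:47 - Nov 13 16:48  - Authentication
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 12 20:13 - Nov 12 21:22 - Probe request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 10 15:12 - Nov 10 15:12 - Association request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 9 21:56 - Nov 9 23:24 - Probe request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 9 09:10 - Nov 9 09:10 - Probe request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 18:41 - Nov 8 19:59 - Authentication, Association request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 09:30 - Nov 8 09:31 - Probe request
Single-source packet flood - MAC ADDRESS(REMOVED) - Nov 8 09:30 - Nov 8 09:31 - Authentication, Re-association request
"""

YEAR = 2013          # assumption: the lines carry no year; taken from the post date
SUSTAINED_MIN = 5    # assumption: hypothetical cut-off between a burst and a sustained event


def parse_event(line):
    """Return (start, end, frame_types) for one event line in the format above."""
    fields = re.split(r"\s+-\s+", line.strip())
    if len(fields) != 5:
        raise ValueError(f"unexpected event format: {line!r}")
    start, end = (datetime.strptime(f"{YEAR} {f}", "%Y %b %d %H:%M") for f in fields[2:4])
    return start, end, [t.strip() for t in fields[4].split(",")]


def summarise(text):
    """Group events by duration, start hour and 802.11 management frame type."""
    rows = [parse_event(l) for l in text.splitlines() if l.strip()]
    sustained = [(s, e) for s, e, _ in rows if (e - s).total_seconds() >= SUSTAINED_MIN * 60]
    return {
        "events": len(rows),
        "days_seen": len({s.date() for s, _, _ in rows}),
        "bursts": len(rows) - len(sustained),
        "sustained_start_hours": sorted(s.hour for s, _ in sustained),
        "longest_minutes": max(int((e - s).total_seconds() // 60) for s, e, _ in rows),
        "frame_types": Counter(t for _, _, types in rows for t in types),
    }


if __name__ == "__main__":
    for key, value in summarise(EVENTS).items():
        print(f"{key}: {value}")
```

On these nine lines, the three events lasting more than an hour all start between 18:00 and 22:00, while the six lasting a minute or less are spread across the day. Because the MAC addresses are redacted and can change between events, the grouping works on time and frame type only.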



#15 Felipe2237

Felipe2237

  • Members
  • 353 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California,USA
  • Local time:11:09 PM

Posted 16 November 2013 - 09:45 PM

they will RAT them if they can get in....

 

Couple questions!

 

How will they transfer the RAT into the target?

Aren't RATs easily detectable by AV?

How do they detect the other users?

 

 

I'm genuinely interested, not questioning you.


Unofficial iOS Genius




