A rule for DOS attacks on WPA?

Discussion in 'LnS English Forum' started by dpt.larry, Oct 16, 2007.

Thread Status:
Not open for further replies.
  1. dpt.larry, Registered Member (Joined: Mar 6, 2007; Posts: 14)

    Hi,

    I think I am being DOS attacked, but I'm not too sure about it. Is there a rule in Look'n'Stop that can prevent DOS attacks on WPA (Wi-Fi Protected Access)?

    I have found that WPA is in fact vulnerable to these kinds of attacks. I have researched online trying to find some information to prevent this. Someone suggested that I download and install a program called "Harden-it" which you can find here:

    http://www.sniff-em.com/hardenit.shtml

    It is said that it can protect against these kinds of attacks. I don't think it's bulletproof but it's worth a try. I have read many reviews that it's very good and it can be a nice little backup defense tool next to your firewall. And so I installed it and ran through the wizard and I had everything set up correctly as far as I know, but I still get disconnected from time to time. Let me explain briefly.

    In the past I set up my computers to use a 128-bit WEP key and I didn't have any problems, well maybe a few rare disconnections but I was ok with it. During that time, I called my ISP and I told them about it and they suggested that I check if there was any "DSL Filters" installed in every house phone, and I said yes. They said the reason why those filters need to be installed is because it can really mess up my connection and I said yea they are all installed. My ISP sent a technician to my house to test my phone lines and other power lines to see if they were all ok, and they were. Then they later found out that one of my phone jacks that was connected to my broadband DSL modem was a little damaged and so they charged me 75 bucks to fix it and so I just went with it.

    Since that day and during the following weeks, everything was a little better but again there were a few minor disconnections. It would disconnect twice a week which wasn't so bad, I could live with that. But ever since I started to harden up my wireless security by adding WPA-PSK (pre-shared key) with AES as data encryption and have MAC Filtering enabled, my internet was being a pain in the ass. It started to disconnect me every 10-15 minutes or so throughout the whole day. Sometimes every 5-8 minutes. If I'm lucky I get at least 30 stable minutes. I get disconnected when I'm logged into my email, random website, during game play, during downloads (sometimes), and while surfing the net. In fact, I just got disconnected again while logged into this forum. The bottom line is, it's very annoying with all that disconnection and I want to know if there is a special rule that can be created and added in Look'n'Stop to prevent these attacks?

    Keep in mind that I am not completely sure that I am being DOS attacked. I don't have the tools to diagnose these kinds of problems. But I've been told to use sniffers, but not sure how to use them; I'll have to look more into it. I'm aware that since I am using WPA and not WEP for wireless security, and with all those disconnections, I'm assuming that I am being attacked by someone outside the network. I don't know much about the concept of firewall defenses, but if there is a special rule that can be added or a program that I need, please let me know. Thanks in advance.

    regards,
    larry
     
  2. Frederic, LnS Developer (Joined: Jan 9, 2003; Posts: 4,354; Location: France)

    Hi,

    I don't know this kind of attack, so it is difficult to answer you.

    Do you have any information about the kind of packets that are used, and if there is something special in these packets, so they can be filtered (by editing a raw rule with the plugin)?

    Are you sure it is not simply a configuration or radio issue, between the two pieces of WiFi equipment? This would lead to disconnections too.

    Thanks,

    Frederic
     
  3. Stem, Firewall Expert (Joined: Oct 5, 2005; Posts: 4,948; Location: UK)

    Hello,

    It is possible you are being DOS'ed. But...

    You state that you were advised to run "Harden-it". Yes, this will stop certain DOS attacks against the TCP/IP stack (the internal part of Windows needed for internet connections); this would indicate certain attack types. But you then say the connection problems continue.

    At this moment in time (without further info), I would agree with the possibility of equipment problems.

    Is it possible for you to make a direct cable connection to your router to see if the problem continues? We can then at least rule out some possibilities.
     
  4. dpt.larry, Registered Member (Joined: Mar 6, 2007; Posts: 14)

    Yes sorry I forgot to mention that. In the past my computer was directly connected to my router. During that time I had a few disconnections, but that was at least 2 times a week and I was ok with it. Then I disconnected the cable and started to run wireless, and again same thing happened. It disconnected about twice or once a week.

    The only information is maybe my Look'n'Stop logs. But I had forgotten to record and save them. But I assure you once I get disconnected again, I will save the log files if there are any and I will post them here for you and others to evaluate.

    One of my wireless computers that I mainly use is in my bedroom and the other one that is set up with a Netgear wireless adapter WG111 is in the living room. It's just next door, maybe 10 feet away. There is some electronic equipment lying around like a stereo, TV, cable lines, phones, and they are all hooked up. I have heard that they can cause connections to be disconnected too, but I doubt that it's coming from that because they are far away from each of my computers.

    I have no idea whether it is a WiFi configuration between the multiple computers in my house. Every computer is set up with the same key configurations as far as I know, I have checked many times. All I know is that when I started to use WPA for all computers and with MAC Filtering enabled, I started to get disconnected a whole lot as I described in my previous post. It's been my 3rd day using WPA and I guess my internet doesn't like it; it's being a pain in the ass. I just thought that if there was a special rule of some sort that can be added or tweaked to prevent this, but at the moment I don't have any deep information for you about the packets, so therefore I doubt that you and possibly others could come up with a fix until I post some logs. At this time there are no logs being displayed as I am surfing the net, however packets are being sent and received and my IP Address and my PC name is displayed correctly.

    Until then I will come back with logs if there are any.

    EDIT:
    Ok, I just got disconnected again. And while I'm disconnected I am looking at my logs and they seem to be all the same. They are all rising at the moment. Sorry if the picture is a bit small, but I think you can use Firefox to zoom it in.

    http://img139.imageshack.us/img139/2699/logsoy0.png

    In the "Statistics" under "Welcome" tab, all the numbers are rising. That includes:

    - Filtered packets in uplink - 50 (currently rising)

    - Filtered packets in downlink - 324 (currently rising)

    - Total of sent packets - 2865 (currently rising)

    - Total of received packets - 3091 (currently rising)

    My computer says that I'm connected, but when I open my browser (Firefox) nothing is being displayed. It's just blank white and loading for about almost 3-4 minutes then it just gives me the usual error: "no connection"...
     
    Last edited: Oct 17, 2007
  5. Thomas M, Registered Member (Joined: Jan 12, 2003; Posts: 355)
  6. Frederic, LnS Developer (Joined: Jan 9, 2003; Posts: 4,354; Location: France)

    Yes, it looks like you simply need to add this rule.

    Frederic
     
  7. dpt.larry, Registered Member (Joined: Mar 6, 2007; Posts: 14)

    Hi,

    I'm not sure if I'm placing the rule in the right place. I have imported the rule, applied it, saved it, then I restarted my computer. When I open Look'n'Stop to view "Internet Filtering", I see "WiFi secured connection" listed to be the first on the list. The rule is currently allowed (green, with no red sign). Should the rule be placed there?

    Also, after applying the rule and surfing the net for about almost 30 minutes, I get disconnected again. Here are the logs. Oh yea I forgot to mention that I am using Enhancedruleset.

    http://img85.imageshack.us/img85/5881/logs1yh6.png

    I really appreciate all of your help, but I don't want to go any further than this and cause any trouble and I will stop here as soon as I get a reply about where the "WiFi secured connection" rule should be placed. In the meantime, I will have to talk more about this with my ISP. Thanks in advance.

    regards,
    larry
     
  8. Frederic, LnS Developer (Joined: Jan 9, 2003; Posts: 4,354; Location: France)

    Hi,

    Yes, it is correct to leave the rule in the 1st position.
    This rule is supposed to accept WPA packets (ethernet type 0x888E), so it is strange you still have this kind of packet in your log.
    Did you press the Apply button after importing the rule?

    Probably it is not a DOS attack with WPA packet, but simply your WiFi router trying to renew the authorization, and this is blocked by Look 'n' Stop, and you get disconnected.

    Frederic
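
The situation described in the last post, as an added example that is not part of the original thread and does not use Look'n'Stop's own rule format: a first-match packet filter modelled in Python, showing that frames with EtherType 0x888E (802.1X/EAPOL, which carries the WPA key handshake) are dropped by an IP-only ruleset and pass once an allow rule sits in first position. The frames, MAC addresses and rule tuples are constructed for illustration.

```python
import struct

ETH_EAPOL = 0x888E  # EtherType the thread names for WPA packets (802.1X / EAPOL)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_frame(frame: bytes) -> dict:
    """Return the EtherType and, for 802.1X frames, the EAPOL packet type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    eapol = None
    if ethertype == ETH_EAPOL:
        if len(frame) < 18:
            raise ValueError("truncated EAPOL header")
        _version, ptype, _length = struct.unpack("!BBH", frame[14:18])
        eapol = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    return {"ethertype": ethertype, "eapol": eapol}

def evaluate(rules, frame: bytes) -> str:
    """First matching rule wins; unmatched traffic is blocked (default deny)."""
    ethertype = parse_frame(frame)["ethertype"]
    for _name, match_type, action in rules:
        if match_type == ethertype:
            return action
    return "block"

def blocked_eapol(rules, frames) -> list:
    """EAPOL packet types the ruleset drops: the entries to look for in a log."""
    return [parse_frame(f)["eapol"] for f in frames
            if parse_frame(f)["eapol"] and evaluate(rules, f) == "block"]

# Constructed sample frames (made-up locally administered MACs), AP -> station.
STA, AP = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
EAPOL_KEY = STA + AP + struct.pack("!HBBH", ETH_EAPOL, 2, 3, 95) + bytes(95)
IPV4 = STA + AP + struct.pack("!H", 0x0800) + bytes(20)

# Hypothetical rule tuples (name, EtherType, action); not Look'n'Stop's format.
IP_ONLY = [("ARP", 0x0806, "allow"), ("IPv4", 0x0800, "allow")]
WITH_WPA = [("WiFi secured connection", ETH_EAPOL, "allow")] + IP_ONLY

if __name__ == "__main__":
    for label, rules in (("IP-only", IP_ONLY), ("with WPA rule", WITH_WPA)):
        print(label, "->", blocked_eapol(rules, [IPV4, EAPOL_KEY]) or "no EAPOL blocked")
```

With the IP-only ruleset the EAPOL-Key frame falls through to the default block while ordinary IPv4 traffic still passes, which matches a link that looks connected until the access point next needs to exchange keys.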
     