Security Basics mailing list archives

Re: DOS Attack Follow Up


From: "Times Enemy" <times () krr org>
Date: Mon, 29 Nov 2004 15:11:24 -0700 (MST)

Greetings.

Others may have mentioned, but you may want to change any WEP/WPA keys,
assuming this is not automagically/already done.

Wireless encryption may be cracked if enough packets are captured and
analyzed.  RST packets may drop a connection.  If the target drops, it may
then automatically attempt to reconnect, generating more packets.  For the
attacker, this is a nice utilization of, what is hopefully, a single RST
packet.  Flooding RSTs is rather obtuse, and/or obvious, but capable.  On
a highly populated AP, large AP node, RSTs are more effective.

As a "preventative" measure, I suggest physically locating the source of
the broadcast(s) ....  ;)

ciao
.times enemy


Hi List. Thank you all for your insightful replies. I am posting this as a
follow up to some comments and questions.

I am capturing the traffic by SPANing a port on my switch to a port where I
have a box running ethereal. I don't think the internal network is being
spoofed because during the outage all traffic is coming from the 'outside'
to the 'inside'. The traffic is unicast not broadcast. During the attack
there are RST packets only, no data. Does anyone know how to prevent this
type of RST attack? Thanks.

shawn
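
The pattern described in the message above (outside-to-inside unicast traffic consisting only of RST segments with no data) can be flagged from a capture taken on the SPAN port. The following is an added example, not part of the original posts. It assumes the capture is exported as `tcpdump -n -tt` text, that the inside network is 192.168.1.0/24, and that the window and thresholds are illustrative defaults; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# One TCP line of `tcpdump -n -tt` text output (epoch timestamp, numeric addresses).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)

def rst_only_windows(lines, inside_net, window=1.0, min_packets=5, min_ratio=0.9):
    """Return (window_start, bare_rsts, inbound_total) for each time window in
    which outside-to-inside traffic is almost entirely zero-length RST segments."""
    inside = ipaddress.ip_network(inside_net)
    buckets = defaultdict(lambda: [0, 0])  # window index -> [bare RSTs, inbound total]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsed line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in inside or dst not in inside:
            continue  # only count outside -> inside segments
        bucket = buckets[int(float(m["ts"]) // window)]
        bucket[1] += 1
        # "R" covers both [R] and [R.] (RST+ACK); length 0 means no payload.
        if "R" in m["flags"] and m["len"] == "0":
            bucket[0] += 1
    return [
        (idx * window, rst, total)
        for idx, (rst, total) in sorted(buckets.items())
        if total >= min_packets and rst / total >= min_ratio
    ]

# Constructed sample capture: a normal handshake and request, then a burst of bare RSTs.
SAMPLE = [
    "1000.100000 IP 198.51.100.7.51000 > 192.168.1.20.80: Flags [S], seq 1, win 65535, length 0",
    "1000.110000 IP 192.168.1.20.80 > 198.51.100.7.51000: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "1000.120000 IP 198.51.100.7.51000 > 192.168.1.20.80: Flags [.], ack 2, win 65535, length 0",
    "1000.200000 IP 198.51.100.7.51000 > 192.168.1.20.80: Flags [P.], seq 2:302, ack 2, win 65535, length 300",
] + [
    f"1001.{i}00000 IP 203.0.113.9.{4000 + i} > 192.168.1.20.80: Flags [R], seq {i}, win 0, length 0"
    for i in range(1, 7)
]

if __name__ == "__main__":
    for start, rst, total in rst_only_windows(SAMPLE, "192.168.1.0/24"):
        print(f"window {start:.0f}: {rst}/{total} inbound segments are bare RSTs")
```

Source addresses in flagged windows may be forged, so the result identifies when the burst happened and which inside hosts were hit, not who sent it.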

