Ask Slashdot: Dealing With an Advanced Wi-Fi Leech? 884
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
Figure out where he is located (Score:5, Funny)
And punch him in the nose.
Re:Figure out where he is located (Score:5, Insightful)
In places like Florida, Stand Your Ground lets them legally shoot you dead for that.
Re:Figure out where he is located (Score:4, Funny)
In places like Florida, Stand Your Ground lets them legally shoot you dead for that.
Shoot them for leeching your WiFi? I prefer the punching bit.
Re:Figure out where he is located (Score:5, Informative)
This should be modded Funny, not Insightful.
Re-read the law. Stand Your Ground "lets you shoot" only if fearing for your life or at risk of being badly wounded. Not if you're afraid of being punched.
Re:"Unauthorized Access" is a Felony. (Score:5, Insightful)
Leaving aside the fact questionable legality of your little nerd-vigilante justice fantasies and granting for a moment that the fact that what the guy is doing is technically a felony...
Ignoring the possibility that the poor sap that opens the door might have nothing to do with the attempt - could be his 15 year old kid... worse yet, it could be a zombie machine trying to connect...
Leaving all that aside and assuming that everything is as it appears on it's face. You go over and knock, assault the guy and get the right person...
This all falls under a category I like to call "things I don't want to have to explain to a judge".
TL;DR: You're being criminally stupid.
Re:"Unauthorized Access" is a Felony. (Score:4, Interesting)
Under State law, I am required to stop the progress of a Felony by law, or be an accessory.
Cite? I'm quite familiar with this area of the law in several states, and I'm skeptical that Florida requires you to intervene.
Re:Figure out where he is located (Score:5, Informative)
This is news for nerds, jock solutions like that aren't welcome here!
Correct solution:
Pinpoint the attacker using a highly directional 2.4 GHz waveguide antenna. Once you're sure only the attacker is visible, attach a microwave magnetron to the antenna and watch him burn.
Re:Figure out where he is located (Score:4, Interesting)
Microwaves are particularly troublesome for WiFi [wikipedia.org]
So, you could effectively jam the leech with a Microwave transmitter.
Re:Figure out where he is located (Score:5, Interesting)
Yes, the nerdy solution is to pull the cavity magnetron out of your microwave oven, add a highly directional antenna to the waveguide output, fire that baby up, and blow out the RF stage of his router. Extra nerdy points for plating/honing the cavities to re-tune the cavity magnetron tube to the correct wi-fi frequency (the diameter of the cavity is determined by c=f/lambda where c is the speed of light, f is the wi-fi center frequency, and lambda is the wavelength. Remember, electrons circulate (because of spin=1/2) around the hot cathode, and the basic operation is like that of a whistle or pop bottle (small amount of air moving across opening resonates according to the size of the bottle / small amount of electrons moving across the opening resonate according to the size of the cavity, remember that air is a pressure wave and travels slow, electrons and em radiation travel at the speed of light). Its been too long since I studied radar/electronics engineering.
Change your WPA keys (Score:5, Informative)
Re:Change your WPA keys (Score:5, Informative)
Make that WPA2 and use a random-key. AFAIK WPA2 is still unbroken.
Re:Change your WPA keys (Score:5, Informative)
There are two operating modes for WPA2, PSK and enterprise. The vast majority of wifi networks run in PSK mode.
In PSK mode all nodes (both end user and access point) use a shared secret key. Anyone with thatkey can decrypt any packet, spoof any user etc. So you had better make sure only truested devices have the key.
In enterprise mode each end user has their own login and the system is supposed to protect the users from each other as well as from outsiders. The article you linked was about a flaw in enterprise mode that effectively degraded security to equivilent to PSK mode. It's a fairly serious issue for large enterprise deployments but not something that should be a concern for end users.
Re:Change your WPA keys (Score:5, Insightful)
simple (Score:5, Funny)
UTP
Re:simple (Score:4, Informative)
Won't work if the hackers are on the same transformer leg as you. In an apartment building, that is almost guaranteed to be the case.
Use squid (Score:5, Funny)
Setup squid and redirect all web traffic through it. Replace all images on machines that are not yours with goatse.
Re:Use squid (Score:5, Funny)
Set SSID to UnauthorizedTrafficRoutedThroughPolice (Score:4, Funny)
Set your SSID to "UnauthorizedTrafficRoutedThroughPolice"
and/or
Set up a server between your ISP and wireless access point with a VPN. If you get caught by his evil twin access point, you will know because your VPN connection will fail. Even if it doesn't fail at least your traffic should be secure.
or
Set your SSID to "ConnectingHereConstitutesConsentToEnterAndSearchYourHouse" Maybe the opportunity for an easy search would get the cops interested.
You should probably file a complaint with the police in case his illegal activity comes back to your IP address.
You may want to find out what kind of person you are dealing with before getting the police involved. Your strategy should probably be different if you are dealing with a local gang leader or homicide parollee rather than a high school nerd.
If the offender happens to be on probation it could give you extra leverage.
Keep in mind that if he lives next door he can listen in on your conversations with a sensitive directional microphone. He could also probably easily tap your phone, especially if it is cordless or cellular. So be carefull about speaking your passwords or other sensitive information out loud. Mail theft, burglary, vandalism, and other nasty attacks could become an issue.
Re:Use squid (Score:5, Insightful)
If you're going to go so far as to let them on to your network, instead of pranking them you could passively watch who they log into websites as in order to determine their identity, gather evidence, and file charges. Of course, disconnect your other systems - since if he's hacking your wifi he'll probably also try to probe your other devices.
Of course, IANAL, and perhaps monitoring such things is illegal even though it's going over your private network.
Local police won't be much help (Score:4, Funny)
You can give them satellite images of the house of the person that stole your identity, and they won't drive over for that.
So for something involving log files and such? Not a chance.
You should redirect all network traffic to goatse for a week, and just use a 3G hotspot while your normal one kills the thief's eyes.
Re:Local police won't be much help (Score:4, Insightful)
That is very, very far from being "of course." Police wants convictions, and there is nothing else to convict than an asocial nerd in a basement, with a stash of CP in his browser's cache. Those files do not carry an indication through which router they were obtained, since the browser keeps no logs. If you have them, you have them.
The nerd, naturally, may confess to a lighter crime - such as stealing your keys and connecting to your router. You should be ready for a raid yourself, and better you keep your own nose clean - the pr0n that most people collect rarely comes with notarially certified age of all participants. This is a good example of "sow the wind, reap the whirlwind."
Framing the thief for CP would be a massive overreaction. But the thief can compromise your own IP address by *really* downloading politically incorrect materials. So I wouldn't accept any honeypot scheme where the thief is actually allowed to go outside of your LAN. Doing a good job on a honeypot for just one guy is too expensive. In essence, if you cannot guarantee that your Wi-Fi is secure then what are you doing with it? Just hoping that no hacker shows up? Either make sure it is secure, or turn it off. There is no middle ground because it can lead to trouble.
If he joins your network... (Score:5, Funny)
...I think that means he's consenting to letting you administrate his system. I suggest you do so.
Re:If he joins your network... (Score:5, Insightful)
Not necessarily effective if his intention isn't web browsing. Internet is cheap. It sounds like an elaborate attempt to conceal illicit activity to me.
Re:If he joins your network... (Score:4, Insightful)
alternately, leave the old one turned on but not physically connected to anything... waste more time!
You could troll them in return. (Score:5, Funny)
Re: (Score:3)
The Evil Twin network likely doesn't have Internet access. Even if it does, it is probably using one of the other nearby wifi networks for connectivity.
Comment removed (Score:4, Funny)
Re:You could troll them in return. (Score:5, Interesting)
If it has internet access and you don't feel like waiting for the MPAA to be their usual selves, sign up for a new gmail account and send a threat letter to a high ranking government official. You'll get a far faster and more dramatic response. You can be pretty much guaranteed that the issue will be investigated.
Some quick basics (Score:4, Insightful)
Tinfoil hat cure (Score:5, Interesting)
Make a little shield with a bit of foil and a coathanger. While tracking the incoming attempts, shield your WAP from various directions until it stops. Gives you a direction, and you can bend the coathanger into a little stand to hold the shield in place next to your WAP. It's likely to be in the direction of a near wall, isn't it?
Amazing stuff, tinfoil.
Re:Tinfoil hat cure (Score:5, Funny)
Amazing stuff, tinfoil.
it makes a great hat
Re:Tinfoil hat cure (Score:4, Funny)
More elegantly, once you've got a location on an external wall that consistently blocks the intruder, mount a decorative mirror. The silvering on the mirror should do the same job as the tinfoil while hiding its purpose behind teh pretty.
(Not many people realise that this is where Feng Shui came from. Back before ancient China lost its knowledge of RF tech.)
Why lose your time? (Score:3, Insightful)
Re:Why lose your time? (Score:5, Insightful)
Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.
Hidden SSID = Bad Juju (Score:5, Informative)
Re:Why lose your time? (Score:5, Insightful)
Anyway, in case it is genuine: Somebody has been freeloading, so what?
Ask yourself, why would someone go to such great lengths to use someone else's bandwidth?
Re:Why lose your time? (Score:4, Interesting)
I run an unsecured WiFi network (no WEP, WPA or WPA2).
On the other hand, the only traffic accepted by my access concentrator is OpenVPN traffic. So yes, anyone can get an IP address from my DHCP server, but they can't do much with it unless they somehow break SSL public-key auth or obtain a copy of my key and certificate.
Power & antenna placement (Score:5, Interesting)
-Move or buy a directional antenna
Have time on your hands?
http://www.ex-parrot.com/~pete/upside-down-ternet.html
Re:Power & antenna placement (Score:5, Interesting)
That link [ex-parrot.com] is exactly what I came to post. It's clearly overkill, but overkill is the perfect tool to show someone that they are hopelessly outclassed and they should seriously reconsider their actions.
Shut off your radio. (Score:5, Insightful)
If they're going to go through the trouble of setting up a honeypot, you might was well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
Re:Shut off your radio. (Score:4, Insightful)
Phones, tablets, etc lack Ethernet ports. It's pretty close to deprecated for consumer electronics and understandably so.
Re:Shut off your radio. (Score:4, Insightful)
They'll just laugh at your little WiFi problem.
You must have exceptionally smart cops where you live if you think they'd understand what OP was talking about. If I called cops with this problem any place I've lived, I suspect I'd be transferred about three times before someone would ask "Son, are you talking about the child porn?" and would just hang up when I said no.
Re:Shut off your radio. (Score:5, Interesting)
If you can find out who's stealing your bandwidth, you don't need the police -- you need a lawyer. In civil matters they are a *lot* more scary.
wired (Score:3)
You could try leaving the access point open and partitioning it with an ipsec segment. Deny any other connection attempts to the interface. Otherwise just hardwire it and be done with it. Wireless will never be secure. You'll just end up fighting a war of attrition, and that 16yo hax0r has much more free time than you do.
fair trade (Score:3, Funny)
You're giving him cancer, he's using some of your wifi. Just segregate your personal network from the wifi network and see if you have QoS options to limit how much you share. Can't we all just get along? ;)
I've used Wifi Analizer (Score:4, Insightful)
On my Android phone, it will detect the closest Wifi signals and you may be able to pinpoint where exactly this evil twin is. A directional antenna may help, but without knowing exactly where to direct it to, you may be aiding the leech. You can try disabling SSID broadcast and reducing transmit power.
No one will trouble themselves this much just to avoid paying a monthly fee and just by the fact they're knowledgable in these means they've spent a lot of time online already. My guess is that this individual is conducting illegal activities through yours and your neighbor's connections, so you or your neighbors may get a visit from law enforcement pretty soon.
Re:I've used Wifi Analizer (Score:5, Informative)
This is highly likely. The guy has invested much time and effort in this so they clearly have motives other than saving a few bucks. OP should make attempts to locate this guy and to shut him down. Use laptops or cell phones with wireless monitoring applications to locate the guy's AP. Nothing too fancy, just do a bit of sneaker-netting while watching the signal strength. You don't need to triangulate the location to within a foot, you just need to get a general idea of where this thing is. Once you get close you should be able to tell which building/car it is in. If this yields inconclusive results then contact the local HAM club. They may be able to assist you in locating a rogue AP or wifi leech in exchange for beer and pizza.
Also, OP needs to file a police report. Will the police do anything? No, of course not. However, it will help to shield OP from liability when the FBI comes knocking in regard to whatever illegal activities are being conducted through his internet connection. He'll be able to point to the police reports as evidence that someone else was on the network long before the authorities showed up.
Walk to the farmers' market! (Score:4, Insightful)
.
Bonus for you is that you got three hours of aerobic cardiovascular workout time! You'll be healthier, and (two or so dollars) wealthier, and wise! The strange this is that there are people who actually pay other people and companies money for the opportunity to exercise on a treadmill or a stationary bike. These people tend to gas up their SUV and drive the two miles over to their "gym" to do pretend walking and pay for that privilege. You, sir or madam, on the other hand have gamed the system and not fallen for the idiocracy. You get the benefits without the costs.
Also, you're not a leech, so you're also a good person. Plus you also eat vegetables: double-plus good person! (My mom has me convinced that stealing the carrot sticks from the fridge is bad, so I'm tempted more and do it more! It was just a year ago that I figured out that carrots were healthy! I've been conned into liking veggies!)
;>)
Bonus point of spelling pickiness: your response was to Re:I've used Wifi Analizer . Surely, the GP poster meant "Analyzer", unless the word "analizer" tells us more about the GP and his probings by alien species than we wanted to know....
Buy a directional antenna (Score:3)
...but only if it comes with a cool pings-like-the-motion-detectors-in-Aliens handset, as where's the fun in not having that?
Oh come on... (Score:5, Insightful)
Re:brute force 63 characters? (Score:4, Informative)
Sounds worse than a leech (Score:4, Insightful)
Wouldn't a leech just look for an open access point? One with a fast connection would be a bonus.
Your interloper would seem to be doing something more nefarious. Why does a simple leech need an evil twin?
Is your local constabulary at all competent in this sort of matters, or are they the kind that go around wardriving for open access points? Because it's gonna suck to try to explain the problem if they don't have a clue, but something's up, and to me it sounds like something leaning toward the criminal.
I think I'd get the directional antenna. Maybe you're dealing with the neighbor's 12 year old, so just alerting the parents could do the trick. If it's your local psycho, that's another story.
Re:Sounds worse than a leech (Score:4, Insightful)
Do you seriously need to ask this?
Have you seen any evidence anywhere that the local police are knowledgeable or interested in such things? If so, where?
Change the SSID (Score:4, Funny)
To FBI surveillance van.
If you find him... (Score:5, Insightful)
If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.
Re:If you find him... (Score:5, Funny)
And THEN break his legs.
Right?
start knocking on doors (Score:5, Funny)
start knocking on doors and asking your neighbors if they would mind terribly if you spoke with their 15 year old son for a few minutes, because you've determined he's been hacking your wifi. Eventually, you'll hit the right house. For the wrong houses, act confused and say you must have miscalculated by a house or two, and that you're sorry. Bring cookies to show you're not an ass, though.
Re:start knocking on doors (Score:5, Funny)
Ah yeah ... bring cookies to the neighbours and ask if they've got a 15-year old.
Well, that solves the problem of getting the cops interested.
Comment removed (Score:4, Funny)
Some ideas (Score:4, Informative)
Lock incoming connections down by MAC address and disable your SSID. This will probably make them go away. Also, run WPA2+AES and pick a longish WIFI key.
If you have an ASUS Dark Knight router you can setup multiple SSIDs (guest networks) that disconnect every 60 seconds and name them "StopStealingMyWifi". This way you real SSID is hidden and your multiple guest networks are visible, but are unusable. You can also set hours of operations for your radios on the ASUS and turn off your radios at night and when you are not home. Lastly, if you are running dual band, turn off the 2.4 Ghz and run on the 5Ghz band. The 5Ghz signal travels poorly outside your home. WIFI is tough to secure with all of the WIFI hacking tools, but get a good router and rotate shield frequencies and should go away.
Lastly, here is an article on the subject.... this article disagrees with me on disabling your SSID and I am sure others will have an opinion....
http://www.wikihow.com/Secure-Your-Wireless-Home-Network [wikihow.com]
Re:Some ideas (Score:5, Interesting)
Knock up a cron job to change your WPA2 key every 24 hours. Use a QR code generator to print out the code on paper for your new key every morning, so you can just snap it with your phone and you're on. He'll get bored of trying to break something that changes faster than he can break it, and he'll move onto someone else.
Agree also with disabling wireless at the times he uses it, and when you're not, if this is feasible for your lifestyle.
And 5GHz also sounds sensible.
If you do find out who he is, change your SSID to *his* name and address. That should freak him a bit.
Re:Some ideas (Score:4, Interesting)
The techniques you describe will be effective against someone who just wants free Internet access, but if they're attacking for any other reason, it's like going into a bar in the bad part of town and proclaiming how tough you are: it does nothing to improve your safety, but makes you a much more attractive target.
Re:Some ideas (Score:5, Insightful)
No. In this case it is irrelevant. The attacker has already demonstrated relatively sophisticated attacks. We are well past SSID broadcast as being remotely relevant.
He is using tools that will find your network regardless of whether SSID is on or off. There is no point in inconveniencing yourself.
Its the equivalent of trying to hide by putting on dark clothes and a hat when you already know your pursuer is using infrared, passive sonar, and motion sensors to find you.
Stealing Electricity (Score:5, Insightful)
If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
WPA2-Enterprise (Score:4, Informative)
* Use enterprise auth to a RADIUS server with an LDAP backend?
* Lower the transmit power to something that just works within your place?
* Use just A or just B or just N? Maybe they're on older tech?
* Configure your router not to well, route. Use it as just an AP and you have to manually set the IP info on your machines, and the router is not *.*.*.1 on the network.
* Do the above, but use an external VPN for all of your traffic. A static route in the router gets you onto the VPN.
* Change your SSID to something threatening to indicate that you're onto them and that you asked Slashdot how to make them stop?
Be enlightened (Score:4, Insightful)
Change your SSID to "Do_not_steal_my_WiFi". It's the enlightened approach -- the same approach that the "Gun Free Zone" and "Drug Free Zone" people use. Only backward, ignorant people would disagree.
Change Password (Score:5, Interesting)
I don't get it (Score:5, Insightful)
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude man. I think that guy deserves an apology sent from one of his social networks accounts.
a few options, but annoying (Score:5, Informative)
Your options depend on your hardware (Score:4, Informative)
Basically, there's nothing you can do if you keep using WPA.
One option is to lower your wi-fi antenna power to exclude the area where the attacks are coming from. This can be hard to do if you need good coverage for a whole house or some such.
Your best bet would be to use either 802.1x or EAP-PEAP. That's highly dependent on what router you're using, usually only high-end routers support these options, although some home routers certainly do (I remember the good old WAP54G supporting it). If you're going 802.1x, just setup a radius server, configure your devices and you're pretty much set. If you go the PEAP route, you'll need some certificates, and possibly a radius server unless you use client certificates for authentication.
Both options will foil your wannabe hacker. Plus, you'll likely have the only advanced Wi-Fi setup around, gaining you geek creds ;)
Letterbox drop: 'how to secure your wireless' (Score:5, Interesting)
There are two ways of dealing with this: getting this person off [i]your[/i] network, and getting this person off [i]everyone's[/i] network.
Personally, I think if you can get everyone to squeeze him off their networks then that will probably be the nicest kind of vengeance.
Consider writing up a simple letter (starting with: Just a note from a neighbor), detail that someone in the area has been breaking into wireless networks and may be pirating stuff/doing illegal things which could lead to difficulties for the actual owner of the OP. Then, provide a basic summary of what to do to avoid it (e.g. disable WPS, etc etc) and maybe even provide URLs for the major router manufacturers.
With [i]some[/i] luck, [i]some[/i] people will pay attention and lock down their network.
If you know who it is doing it (using handy phone apps to detect signal strength, or a directional antenna) then you could do a 'special' letterbox drop for that one person with a 'how to buy an internet connection'.
Mind you, if this person is using an 'evil twin' they may be doing more than just stealing Wifi. If their MAC address is stable (i.e. they are not modifying it) you may want to capture some sample traffic with that included. If things do go awry you can use that to provide evidence it was that person's computer, possibly.
Pwn him with a zero day (Score:4, Interesting)
Insert a Javascript zero day into his HTTP traffic and take care of his computer. He'll never know what took him out.
This is an attack, not a leech (Score:5, Informative)
First of all, just to be clear: this isn't leaching, this is someone doing something nefarious. If they just wanted free bandwidth, they would never set up an evil twin network. Most of the replies on this thread are bad advice assuming it's a leech. The person responsible might be nearby, but probably not; if you track down the computer that's responsible, you're likely to find that its owner doesn't know what's going on and it's been taken over by an anonymous attacker over the Internet. Or you'll find a PwnPlug.
The first thing you need to do is notify the police that you're being targeted by hacking. This is important; if your computer/network is taken over and used for something illegal, which is likely to happen, this will protect you. Second: you need to notify your employer, as well as anyone whose confidential data you're in possession of. And third: you need to harden your computer security, and figure out why you might have been targeted.
Re:i like to limit my DHCP scope (Score:5, Informative)
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
Re:i like to limit my DHCP scope (Score:5, Insightful)
So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.
Re: (Score:3)
At least it slows him down. He has to find and grab an accepted MAC, and you'll know he's trying to connect as soon as you have a collision on the DHCP.
Re: (Score:3, Insightful)
Doubt it would even slow him down. Some of the semi-automated leecher tools do this automatically already.
CO-OP (Score:4, Interesting)
Here's a solution - organize a neighborhood open wireless mesh network co-op.
It would be much more satisfying to make stone soup, than reinforce a stone wall.
Nah, teach the little hacker about malice. (Score:5, Interesting)
Then, setup a transparent linux proxy server that replaces any executable file downloaded with your malware, and put it between your internet connection and an open wireless network.
Let the little turd use your free wifi internet to his heart's content, and wait for him to install the malware when he's trying to install something legitimate. Then, wait for your malware to send you the details of who he is, what his credit card numbers are etc.
Finally, go to the local coffee shop that gives out free wifi with every coffee purchased, and drop all those details you collected on pastebin.
Problem solved.
Re:Nah, teach the little hacker about malice. (Score:5, Insightful)
Re:CO-OP (Score:4, Funny)
Re:i like to limit my DHCP scope (Score:5, Insightful)
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
Re:i like to limit my DHCP scope (Score:5, Informative)
On a modern network, it is.... at least at the consumer level where nobody knows how to configure a subnet manually, but if you're managing any kind of large scale network it becomes very difficult to work with static configurations on every workstation even when you know how.
My point is that it is *incredibly* trivial to connect to a wireless router that has DHCP enabled and just use an IP address of your choosing. It's a perfectly normal thing to do if you want to be able to predictably SSH a machine or something, and even MS Windows has a GUI way of doing it. Somebody who is sniffing network traffic and cracking encryption keys can easily determine which addresses are already in use, and in practice, if you take an address at the high end of the range (e.g. 192.168.1.250), you won't run in to any trouble with other clients.
Re:i like to limit my DHCP scope (Score:5, Informative)
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.
That seems to work for me.
If they crack that, they aren't leeches. They are crooks. Call the FBI.
Re:i like to limit my DHCP scope (Score:5, Funny)
They probably are the FBI...
Re:i like to limit my DHCP scope (Score:5, Insightful)
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
Re:i like to limit my DHCP scope (Score:4, Informative)
This is why I am flabbergasted that with all the problems people have with security with WEP and WPA that it never occurred to anyone to do a DHE key exchange before swapping anything that requires the preshared key and adding an artificial minimum to the time between authentication attempts of any kind, such as 15 seconds. That would instantly fix the current weakness with WPA2 and slow down all unknown attacks in the future.
Re:i like to limit my DHCP scope (Score:4, Informative)
Don't you have to crack the WPA2 before you can find one of the valid mac addresses?
Don't think so.
Stations brodcasts its mac address to the access point in clear text.
http://www.maxi-pedia.com/how+to+break+MAC+filtering [maxi-pedia.com]
The stations may also send beacons, depending on how they are configured.
http://www.wi-fiplanet.com/tutorials/article.php/1492071 [wi-fiplanet.com]
Re:i like to limit my DHCP scope (Score:5, Informative)
Let's see...
As per OP set up MAC address filtering, if this guy is trying to set up evil twins & trying to do handshake captures on your network, MAC addresses are spoofable.
I also like to hide the SSID just to make things harder, but if he's passive listening, that may not help either... though at this point, a hidden SSID with WPA2 encryption does not make for an attractive target, esp. when the MAC needs to be spoofed (I wouldn't know this till i broke through the 1st 2).
However, the single most effective thing you can do is limit your antenna's radius... if your router's stock firmware can't do it, dd-wrt and friends can. Stand outside your house till you can't connect to your wifi at your fence anymore, adjusting the radius in increments.
Last, but not least, go buy a steel fish line and drywall saw at home depot and wire up your house w ethernet ports and disable your wifi. Tough luck on the phones though, unless you can find an adapter for them.
Re:i like to limit my DHCP scope (Score:4, Insightful)
Re:i like to limit my DHCP scope (Score:5, Interesting)
And somebody like me would completely own you for it:
1. I have the technical know how to set my SSID to hidden: red flag #1
2. What else do I have running if my SSID is hidden?
In my case, I log all my traffic, and honestly it might take me a second to notice, all it would take is a few hiccups of my bandwidth for me to take a quick look at the settings and at that point, I'd log your traffic for a while, see what I can gather, and go find a zero-day, break through, escalate privilege, send your pr0n to your mom via the facebook login I logged, and delete your registry before I'm done.
So in short, you never quite know what you're logging into when you go rogue on wifi :)
evil twin (Score:5, Informative)
The evil twin makes finding the culprit a cakewalk. Download inSSIDer and walk around. When the evil twin's signal is strongest, you're outside his door.
Re:i like to limit my DHCP scope (Score:5, Informative)
Re:i like to limit my DHCP scope (Score:4, Interesting)
Lots of problems as others point out.Another solution: QOS. Do MAC filtering. Those in the trusted list get full speed. Those not get a much slower speed. Play with it a bit you want it fast enough that the hacker things they own you and doesn't try to figure out your MAC address but slow enough you don't mind losing that much bandwidth and it is painful to the hacker so they go on to other networks. Say 2Mbps with a 64kbps upload. Fast enough to be reasonable for a bottom tier internet package slow enough that no sane leech would choose you as the preferred target. Then enable logging, reduce signal strength, etc other games.
Re:i like to limit my DHCP scope (Score:5, Informative)
Doubt that would work. The leecher has already demonstrated a knowledge of layer-2 attacks against 802.11, I doubt limiting your DHCP scope is going to stop them. They'll just null handshake one of your devices off the WLAN.
Re:Backtrace him (Score:4, Funny)
NO NO NO
Create a GUI in Visual Basic and track his IP.
Re:Isn't there an OS box that'll solve this? (Score:4, Interesting)
Isn't there FreeBSD or Linux disk image that'll solve this?
<WIFI> <=> [Router] < routes only to > [IP address of solution]
Where the solution does something like the standard coffeeshop login +
* Special account gets unlimited time & bandwidth
* Non-special account needs to sign up every hour & gets diminishing bandwidth (if you want to allow visitors)
Something like http://dev.wifidog.org/ [wifidog.org], but under active development?
This, [myshopify.com] perhaps?
Re:Does your router support captive portal? (Score:5, Interesting)
The most memorable story I've ever heard along those lines was that a couple of hams had access to a fairly large dish antenna and were setting up some sort of satellite communications (for work, not play). A guy nearby was running a horribly unshielded CB amplifier that was crapping all over their signal. They told him to knock it off. He refused. They pointed out that he was blowing way past FCC limits on transmission power. He ignored them. They pointed the dish straight at his shack and transmitted maximum power at it. Within a few minutes smoke was pouring out of it... bet you could fry a router pretty easily.
Re:Does your router support captive portal? (Score:5, Informative)
Re:Whitelist!? (Score:4, Insightful)