wifi for 600, alex

• Previous message (by thread): wifi for 600, alex
• Next message (by thread): Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> An observation I would make is that the number of mac addresses per
> person at the tech heavy meeting has climbed substantially over 1 (not
> to 2 yet) so it's not so much that everyone brings a laptop... it's that
> everyone brings a laptop, a pda and a phone, or two laptops. In a year
> or two we'll be engineering around 2 radio's per person in five years
> who knows.

We did the wireless network at LCA '06.  Due to abuse at LCA '05 we 
required everyone to register their mac address to their registration 
code before we let them onto the network.  This means we have a nice 
database of MAC's <-> people.

We saw:
199 people with 1 MAC address registered
102 people with 2 MAC addresses registered
9   people with 3 MAC addresses registered
5   people with 4 MAC addresses registered

1   person with 6 mac addresses registered

We did have a lot of problems with devices that didn't have a web 
browser (so had to ask us to add their macs manually, there were 11 
people who had this that aren't accounted above).  Mostly voip phones, 
but it's amazing how many people have random bits of hardware that will 
do wifi!

This is perhaps biased as there was also wired ethernet available to 
some people in their rooms (about 50 rooms IIRC), so some of those 102 
people would have a MAC for their wireless and a seperate MAC for their 
wired access.

We also ran soft AP's on soekris boxes running Linux, so we could hook 
into the AP at a fairly low level.  We firewalled all DHCP replies 
inside the AP so it wouldn't forward any DHCP replies received from the 
wireless to another client on the AP or onto the physical L2[1]

As an experiment we firewalled *all* arp inside the AP's so ARP spoofing 
was impossible.  ARP queries were snooped and an omapi query was sent to 
the DHCP server asking who owned the lease, and an ARP reply was unicast 
back to the original requester[2].  This reduced the amount of 
multicast/broadcast (which wireless sends at basic rate) on the network, 
as well as preventing people from stealing IPs and ARP spoofing.

To stop people from spoofing someone elses MAC, we also had lists of 
which AP a MAC was associated with, if a MAC was associated with more 
than one AP we could easily blacklist it and visit people in the area 
with a baseball bat.

We didn't see much abuse, (and didn't have people complain about abuse 
so I guess it's not just that they hid it from us), I think mostly 
because people knew that we had IP<->MAC<->name mappings, and abusers 
knew they could easily be tracked down.

One of the more interesting things was that during the daytime we were a 
net importer of traffic as people did their usual web surfing, but at 
about 10pm at night we suddenly became a net exporter as people started 
uploading all their photos to flikr.

----
[1]: All client to client traffic in managed mode is relayed via the AP.

[2]: Amusing story, one of the developers had written a patch to detect 
if someone else was using the same IP on the same L2 and produce a 
warning.  He tried it on our network and found that it didn't work. 
After much head scratching he discovered what we were doing :)

• Previous message (by thread): wifi for 600, alex
• Next message (by thread): Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]