
JDErickson

join:2008-01-26
West Jordan, UT
·Comcast

Is this an attack

Hello all,
I have a D-Link DIR-655 with WPA2, DHCP off, MAC address filtering and SSID off.

Today I see this in my log:

Sat Jan 26 14:45:44 2008 Access denied to LAN system with MAC address 000D3AE88806
[INFO] Sat Jan 26 14:45:40 2008 Above message repeated 23 times
[INFO] Sat Jan 26 14:45:40 2008 Access denied to LAN system with MAC address 000D3AE88803
[INFO] Sat Jan 26 14:45:40 2008 Access denied to LAN system with MAC address 000D3AE88801
[INFO] Sat Jan 26 14:45:40 2008 Above message repeated 2 times
[INFO] Sat Jan 26 14:45:40 2008 Access denied to LAN system with MAC address 000D3AE88800
[INFO] Sat Jan 26 14:45:03 2008 Access denied to LAN system with MAC address 000D3AE88706
[INFO] Sat Jan 26 14:45:00 2008 Above message repeated 23 times
[INFO] Sat Jan 26 14:45:00 2008 Access denied to LAN system with MAC address 000D3AE88703
[INFO] Sat Jan 26 14:45:00 2008 Access denied to LAN system with MAC address 000D3AE88701
[INFO] Sat Jan 26 14:45:00 2008 Above message repeated 2 times
[INFO] Sat Jan 26 14:45:00 2008 Access denied to LAN system with MAC address 000D3AE88700
[INFO] Sat Jan 26 14:44:15 2008 Access denied to LAN system with MAC address 000D3AE88606
[INFO] Sat Jan 26 14:44:14 2008 Above message repeated 5 times
[INFO] Sat Jan 26 14:44:14 2008 Access denied to LAN system with MAC address 000D3AE88603
[INFO] Sat Jan 26 14:44:14 2008 Access denied to LAN system with MAC address 000D3AE88601
[INFO] Sat Jan 26 14:44:14 2008 Above message repeated 2 times
[INFO] Sat Jan 26 14:44:14 2008 Access denied to LAN system with MAC address 000D3AE88600

None of these MACs are mine.
Is this an attack? If so can I do anything?


nwrickert
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

You are using WPA2. So nothing to worry about, unless you are using a weak key.

It could be an attack. Or it could be a neighbor mistakenly connecting to the wrong network.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.10

JDErickson

join:2008-01-26
West Jordan, UT
·Comcast

said by nwrickert:

> You are using WPA2. So nothing to worry about, unless you are using a weak key.
>
> It could be an attack. Or it could be a neighbor mistakenly connecting to the wrong network.

What concerned me was I have SSID off and the sequence of the MAC addresses.


nwrickert
Premium,MVM
join:2004-09-04
Geneva, IL
It might well have been an attack. But still no reason for concern, as long as you have a strong WPA2 key.

darthboy

join:2007-12-31
Canada
reply to JDErickson
are you running VMware/VPC or any virtualization software?


WLiley
Woodman
Premium
join:2000-12-01
Grand Blanc, MI
reply to JDErickson
as has been said, with WPA2 you are ok.
the MAC filtering & disabled SSID broadcast does little/nothing (as you may have discovered).

seeing things hit your log is not cause for alarm.
as long as you see "access denied" like you have.

you should see the hits my router takes!
(WallWatcher & NetWatchman used here)
--


"The Edge... there is no honest way to explain it because the only people who really know where it is are the ones who have gone over." HST

darthboy

join:2007-12-31
Canada

reply to darthboy
»standards.ieee.org/cgi-bin/ouise···00-0D-3A

I did a search for that MAC address. The MAC address is registered to Microsoft. You sure you're not running Virtual PC/Server?

JDErickson

join:2008-01-26
West Jordan, UT
·Comcast

said by darthboy:

> »standards.ieee.org/cgi-bin/ouise···00-0D-3A
>
> I did a search for that MAC address. The MAC address is registered to Microsoft. You sure you're not running Virtual PC/Server?

No.

I checked my Logs today and nothing out of the ordinary.

JDErickson

join:2008-01-26
West Jordan, UT
·Comcast

reply to WLiley
said by WLiley:

> as has been said, with WPA2 you are ok.
> the MAC filtering & disabled SSID broadcast does little/nothing (as you may have discovered).
>
> seeing things hit your log is not cause for alarm.
> as long as you see "access denied" like you have.
>
> you should see the hits my router takes!
> (WallWatcher & NetWatchman used here)

Do these "attacks" slow down your router while it handles them?


nwrickert
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

> Do these "attacks" slow down your router while it handles them?

Not significantly. They are only a tiny fraction of the traffic, so you would not notice the effect.

Additionally, since they are local, they don't impact your bandwidth to your ISP and to the internet.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.10

gregandrene

join:2005-01-23
Marion, VA

reply to darthboy
said by darthboy:

> »standards.ieee.org/cgi-bin/ouise···00-0D-3A
>
> I did a search for that MAC address. The MAC address is registered to Microsoft. You sure you're not running Virtual PC/Server?

N00b question: how do you register MAC addresses? Aren't they hardwired in the NIC?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS


edit:
February 20th, @10:38AM

No good reason to turn ESSID off and it may cause you reconnecting issues. Best to leave it off. MAC filtering has no possible negative effects, thus can be left in place although security-wise it's not very effective. (Curious, if you remove MAC filtering, what happens ref the logging.)


circle
Premium
join:2005-08-01
Appleton, WI

reply to JDErickson
What you are seeing is most likely normal behavior from a neighbor or other nearby user.

One of my systems is near a road that is traveled by service vehicles that use Wi-Fi. Their systems attempt to associate with mine as they go by. They can’t due to encryption so the logs show denied.
--
There's no place like 127.0.0.1


Thane_Bitter

join:2005-01-20
London, ON

reply to gregandrene
said by gregandrene:

> N00b question: how do you register MAC addresses? Aren't they hardwired in the NIC?

The IEEE assigns MAC addresses to hardware makers (actually large blocks of addresses); you can use a tool on their site to see who made the device.

»standards.ieee.org/regauth/oui/index.shtml
Use the "Search the public OUI listing" box and enter the first 6 hex digits of the MAC address.
--
...A bitter ray of sunshine
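
Added example, not part of any post in this thread: Python code that applies the OUI lookup described above to the router log from the first post, grouping denied MACs by their first 6 hex digits and listing the final-byte values seen under each 5-byte prefix. It assumes the log is listed newest first, so an "Above message repeated" line is counted toward the entry printed just below it; the function names and the one-entry vendor table are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the log in the first post (the router lists newest first).
SAMPLE_LOG = """\
[INFO] Sat Jan 26 14:45:40 2008 Access denied to LAN system with MAC address 000D3AE88801
[INFO] Sat Jan 26 14:45:40 2008 Above message repeated 2 times
[INFO] Sat Jan 26 14:45:40 2008 Access denied to LAN system with MAC address 000D3AE88800
[INFO] Sat Jan 26 14:45:03 2008 Access denied to LAN system with MAC address 000D3AE88706
[INFO] Sat Jan 26 14:45:00 2008 Above message repeated 23 times
[INFO] Sat Jan 26 14:45:00 2008 Access denied to LAN system with MAC address 000D3AE88703
"""

KNOWN_OUI = {"000D3A": "Microsoft"}  # vendor as reported in the thread's OUI lookup
DENIED = re.compile(r"Access denied to LAN system with MAC address ([0-9A-Fa-f]{12})")
REPEAT = re.compile(r"Above message repeated (\d+) times")

def summarize(log_text):
    """Group denied MACs by OUI (first 6 hex digits) and total the denials."""
    by_oui = defaultdict(lambda: {"macs": set(), "denials": 0})
    pending = 0  # ASSUMPTION: newest-first log, a repeat line refers to the entry below it
    for line in log_text.splitlines():
        rep, hit = REPEAT.search(line), DENIED.search(line)
        if rep:
            pending += int(rep.group(1))
        elif hit:
            mac = hit.group(1).upper()
            by_oui[mac[:6]]["macs"].add(mac)
            by_oui[mac[:6]]["denials"] += 1 + pending
            pending = 0
    return by_oui

def last_byte_runs(macs):
    """Map each 5-byte prefix to the sorted final-byte values seen under it."""
    runs = defaultdict(list)
    for mac in sorted(macs):
        runs[mac[:10]].append(int(mac[10:], 16))
    return dict(runs)

def report(log_text):
    lines = []
    for oui, info in sorted(summarize(log_text).items()):
        vendor = KNOWN_OUI.get(oui, "unknown vendor")
        lines.append(f"OUI {oui} ({vendor}): {len(info['macs'])} MACs, {info['denials']} denials")
        for prefix, tail in last_byte_runs(info["macs"]).items():
            lines.append(f"  {prefix}xx -> last byte {tail}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
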

Da_Penguin

join:2008-04-20

It's also quite trivial to spoof a MAC (Windows will actually check the registry for a MAC address of the network card before using the card's built-in one, so it's just a registry key change).

But as has been said earlier in this thread, since it is only denies showing, I wouldn't be concerned.