Has My Network Been Attacked?

[NegativeSpace]

This week there are several hundred thousand people potentially in range of my WiFi, with a greater portion of them likely looking for some free internet, as probably 85% or 90% are camping. Last night, all of the clients using my wifi (all belong to me) lost their connections simulatneously. I plugged into the AP with a laptop and cable, and didn't find anything unusual. The GUI didn't show any connected clients, but that is hardly conclusive that there were none, in my opinion. The AP is a netgear WNDR3400 with a 31 random upper and lower letter, number, and special character WPA2 AES PSK. I am not 100% sure if WPS is disabled because the GUI control for that is unclear. There is only an option to 'disable WPA pin for this router' or something like that. My first thought was that I might have been under a dos attack, but as I understand, dos attacks cut internet service, which didn't happen. If it was a dos attack, wouldn't someone had to have got an IP address on my netowrk from my AP?

In the end I had to reset the router to factory and change the encryption key to get my wifi clients connected again, but I don't honestly know why that worked. I did some googling and learned that other people have had the same problem with the WNDR3400 dropping its clients after owning it for 3-6 months which is about the time I've had mine. That fact suggested the possibility of hardware failure, but then the router started working normally again after I changed it's software, so that theory is sort of contrary to logic.

The questions are, is there a way to find any evidence of an attack (of any sort) by looking through a log file or some other record? Can I use the multiple radios on the router to create a honeypot that will redirect any attackers to a server that will record their MAC and other details, maybe take a picture with their webcam, or tell me about the hardware configuration so that I have a chance at finding the attackers machine among a small crowd of people?

These are the things that are so interesting and exciting to me when it comes to networking, but I have had such a late start in life at learing networking that I need help with this sort of learning experience.

Edited March 17, 2012 by NegativeSpace

[Sparda]

Probably too much interference from all the people trying to use wireless causing your network to stop working.

[Infiltrator]

I agree with Sparda, furthermore I would suggest making sure the channels on your router are not overlapping with one another. Channel overlapping can contribute to interference, especially when you have too many wireless clients communicating on the same air space. In addition, the 2.4ghz is a very congested band and I would recommend switching to 5ghz if your router supports it or switch to a different channel, as discussed in the article below.

When switching over to the 5ghz band, the client's wireless adapter will also need to support it.

Read this article to understand more about channel overlapping.

http://technet.microsoft.com/en-us/library/cc783011(v=ws.10).aspx

[digip]

Thw WPS attack has been known to DoS routers, and knock everyone off, but it could also have been someone trying to deauth machines to capture the WPA handshake, which if your password is as you say, they would need some major GPU power to brute, or massive premade tables to check against.

Things you can do, read the documentation, see if you can disable WPS(not all routers give you the option to disable it). See if there is updated firmware, might then give you the option to disable it. Limit your total IP pool with DHCP reservations(if it has them) and use a smaller subnet mask, the shrinks the available IP space as small as possible. Someone sniffing could always clone your known MAC addresses, but it still doesn't hurt to turn on MAC address filtering and even disable DHCP itself, and only Whitelist devices you want on the wireless side. Won't prevent cloning, but will keep out %90 of the average users.

Say you only have 5 machines on your home network. Using static IP addresses, with DHCP turned off can also help if you use a non standard IP range for your local lan with static IP's on each workstation, such as 66.66.66.120 and a mask of 255.255.255.248 for only 6 usable addresses (66.66.66.121-66.66.66.126 with .120 being the Network ID and .127 being the Router Broadcast, so only usable addresses are 121-126 leaving 5 IP's for workstations and 66.66.66.121 for the gateway). This would be fine, since you are behind NAT, you can pretty much use ANY IP range you want and the average user wouldn't know what to do if they did figure out the WPA password, they would have to guess your IP range and the correct subnet mask in order to get on the network. Won't protect against WPS attack though.

Nothing is full proof.

[NegativeSpace]

I agree with Sparda, furthermore I would suggest making sure the channels on your router are not overlapping with one another. Channel overlapping can contribute to interference, especially when you have too many wireless clients communicating on the same air space. In addition, the 2.4ghz is a very congested band and I would recommend switching to 5ghz if your router supports it or switch to a different channel, as discussed in the article below.

When switching over to the 5ghz band, the client's wireless adapter will also need to support it.

Read this article to understand more about channel overlapping.

http://technet.microsoft.com/en-us/library/cc783011(v=ws.10).aspx

There is only one other WiFi AP in range of 3 of my clients some of the time, and the rest of the time there are none in range for any of my clients. I've been using channel 11 for a couple years now. My router supports the 5GHz band but only 2 of my 7 clients support it so I stick with 2.4GHz

[NegativeSpace]

Thw WPS attack has been known to DoS routers, and knock everyone off, but it could also have been someone trying to deauth machines to capture the WPA handshake, which if your password is as you say, they would need some major GPU power to brute, or massive premade tables to check against.

Things you can do, read the documentation, see if you can disable WPS(not all routers give you the option to disable it). See if there is updated firmware, might then give you the option to disable it. Limit your total IP pool with DHCP reservations(if it has them) and use a smaller subnet mask, the shrinks the available IP space as small as possible. Someone sniffing could always clone your known MAC addresses, but it still doesn't hurt to turn on MAC address filtering and even disable DHCP itself, and only Whitelist devices you want on the wireless side. Won't prevent cloning, but will keep out %90 of the average users.

Say you only have 5 machines on your home network. Using static IP addresses, with DHCP turned off can also help if you use a non standard IP range for your local lan with static IP's on each workstation, such as 66.66.66.120 and a mask of 255.255.255.248 for only 6 usable addresses (66.66.66.121-66.66.66.126 with .120 being the Network ID and .127 being the Router Broadcast, so only usable addresses are 121-126 leaving 5 IP's for workstations and 66.66.66.121 for the gateway). This would be fine, since you are behind NAT, you can pretty much use ANY IP range you want and the average user wouldn't know what to do if they did figure out the WPA password, they would have to guess your IP range and the correct subnet mask in order to get on the network. Won't protect against WPS attack though.

Nothing is full proof.

I would love to disable WPS, but the documentation is terrible. See attached picture. Im considering flashing the router with another OS that will give me the option to disable WPS outright, because I don't know what the hell 'disable routers pin' actually means. I checked automatically as well as manually last night for new firmware but none exist. I allow only the maximum number of IP addresses from DHCP that I need at any one time, minus one since it's unlikely that I will have all clients connected at the same time. I did have MAC address filtering set up before I had to reset the router. It takes forever to find and input all those MAC addresses. I'm sure Ill get around to setting it up again in the near future though. Maybe I should write them down this time.

I wasn't aware that the subnet mask indicated an IP range. I have wondered what it does, and probably read about it a couple times but just didn't get it through my head well enough to stick I guess. So by changing the subnet mask from 255.255.255.0 to 255.255.255.(255 minus the number of IP addresses I want the DHCP server to lease), I can limit the number of DHCP leased IP addresses? What is the difference between doing that and just specifying an IP range in the proper 'ip range' field in the routers interface?

I didn't know that the 'Network ID' and 'Router Broadcast' had ip addresses. I guess the IP address for the 'network ID' is the router hardwares IP address that it assigns itself as a network resource like any client has. Is that correct? I have no idea what a 'Router Broadcast' IP address is for. I don't really understand what NAT is or what it does. I read the Wiki entry for NAT but that doesn't explain it to me. I guess that it's a way to hide IP addresses from unauthorized listening, but why would that be necessary with encrypted traffic?

Edited March 18, 2012 by NegativeSpace

[Infiltrator]

WPS is not a very secure encryption scheme and if your router has support for WPA2, I would recommend disabling WPS and using WPA2 instead.

WPS uses a pin code to authenticate wireless users, there are a couple of tools out there designed to brute force WPS. So anyone could be brute forcing your router and causing it to stop responding, thus kicking everyone off their connection.

I have found a proper manual for your router, give it a try and see how you go

ftp://downloads.netgear.com/files/WNDR3400/Documentation/UM/WNDR3400_UM_31AUG2010.pdf

[NegativeSpace]

WPS is not a very secure encryption scheme and if your router has support for WPA2, I would recommend disabling WPS and using WPA2 instead.

WPS uses a pin code to authenticate wireless users, there are a couple of tools out there designed to brute force WPS. So anyone could be brute forcing your router and causing it to stop responding, thus kicking everyone off their connection.

I have found a proper manual for your router, give it a try and see how you go

ftp://downloads.netgear.com/files/WNDR3400/Documentation/UM/WNDR3400_UM_31AUG2010.pdf

I thought that one could use WPA2 encryption, and then push the WPS button in order to broadcast the encryption key(and other router settings) over plain text for a short period of time so that he does not have to manually enter those details into clients? If one or the other has to be used, then I've been completely in the dark for a while now. The manual I've been getting my 'info' from is the same one from your link. It is very comprehensive in explaining the routers features, but unfortunately it's no help with telling me how to completely disable WPS. It has the part about 'click here to disable routers PIN' but I don't understand if tha tmeans it keeps clients from needing to know the PIN before they can connect once the WPS is activated, or if it disables WPS all together.

As of late I am starting to wonder if this router is compatible with a router Linux distro, because I didn't go to all the trouble of going to all the trouble just to have a 4 digit number be the only thing protecting me from a quarter million potential attackers. WPS sucks!

[Infiltrator]

If you disable the pin, you will need to configure a WPA pass-phrase manually and then use that pass-phrase to authenticate the wireless clients.

[digip]

NAT is Network Address Translation. Its kind of like a wall, where on one side, is your public IP address the world can see, and on the other side, the local LAN IP address range only you can see.

http://en.wikipedia.org/wiki/Network_address_translation

As for subnetting, its a bit more complicated than just counting the number of addresses you want and then subtracting that form the last octet of bits. It requires knowing more about the bits in relationship to the segment of the network, and you can take one IP range and break it down, into multiple networks based on the subnet mask, where you can have a range of 6 addresses, divided into 255, where every 8 bits starts a new network range. Read up on subnetting, its difficult to grasp at first, but will make a lot of sense once you understand it, and also help you with networking in general. Especially if you ever plan to take a CISCO class or get a job doing network administration, with routers, switches, bridges, etc.

In the meantime, you can use http://www.subnet-calculator.com/ to calculate your IP range and subnet, and the starting and ending range(network ID and Broadcast).

http://en.wikipedia.org/wiki/Subnetwork

Basics:

Edited March 18, 2012 by digip

[NegativeSpace]

If you disable the pin, you will need to configure a WPA pass-phrase manually and then use that pass-phrase to authenticate the wireless clients.

I'm already using WPA2, so I guess WPS is already disabled? So it couldnt have been a WPS attack that disconnected all of my clients. Hopefully by the next time all the people show up, I'll have the skills to draw the same person back into a honeypot, snapshot their hardware configuration, redirect them to the upsidedownternet, then walk the neighborhood with a netbook for some fun times!

[NegativeSpace]

NAT is Network Address Translation. Its kind of like a wall, where on one side, is your public IP address the world can see, and on the other side, the local LAN IP address range only you can see.

http://en.wikipedia.org/wiki/Network_address_translation

As for subnetting, its a bit more complicated than just counting the number of addresses you want and then subtracting that form the last octet of bits. It requires knowing more about the bits in relationship to the segment of the network, and you can take one IP range and break it down, into multiple networks based on the subnet mask, where you can have a range of 6 addresses, divided into 255, where every 8 bits starts a new network range. Read up on subnetting, its difficult to grasp at first, but will make a lot of sense once you understand it, and also help you with networking in general. Especially if you ever plan to take a CISCO class or get a job doing network administration, with routers, switches, bridges, etc.

In the meantime, you can use http://www.subnet-calculator.com/ to calculate your IP range and subnet, and the starting and ending range(network ID and Broadcast).

http://en.wikipedia.org/wiki/Subnetwork

Spectacular information!

Is NAT basically a standard that makes it possible to route traffic from outside a private network into the correct singular client on the private network? If I'm thinking of it correctly, NAT is the part of a packet header that is the information that tells the client that 'this packet belongs to you'. Is that right?

Subnetting I haven't even bugun to grasp as of yet. If I get a good understanding of it's conceptual purpose I'll have a good start but it seems pretty complicated! Seems like I should understand all of these numbers based networking standards before I try to learn other stuff so here I go!

Edited March 20, 2012 by NegativeSpace

[digip]

NAT basically handles the wall between the outside internet, and your internal network. When you send a packet, it contains certain fields that tell the receiver, who the sender was. In essence, it keeps your MAC address as the sender, but the router gives it your ISP External IP address before sending it off. When it reaches your recipient, and they reply or send data back, it sends it to your routers external IP, but then for your inner network, it sees your MAC address, which it associates with its tables to lookup your internal IP and send it off to you. This is also a bit more complicated that what I just told you, but look up the OSI model, and some networking books on the subject of TCP/IP and networking in general. Different protocols are handled differently, but at the basics, there is always a MAC address in there somewhere, that determines the sender, and an IP associated with either the sender himself, or his gateway, that would in turn replace the senders internal IP (192.168.x.x, etc) with its external IP, while keeping the MAC in tact on the ethernet frames.

Darren covered some of this in an episode last year, about packets, frames, and the OSI model.

http://en.wikipedia.org/wiki/OSI_model

http://computer.howstuffworks.com/osi.htm

http://www.youtube.com/watch?v=03Q3p3ZT-xI

edit: Wow, I didn't realize it was that long ago - http://hak5.org/episodes/episode-406-packet-sniffing-101-social-media-with-boxee-and-multiple-gordon-freemans-with-synergy

I know there was another episode in there somewhere, that darren used blocks or something to show an exmaple of how packets and frames work, but I can't seem to find it.

Edited March 20, 2012 by digip

[NegativeSpace]

So this is all good stuff but I'm still wondering how to do intrustion detection and the like. I woul dlike to have a hardware makeup snapshot and any other useful information. It seems llike a complcated thing to do, if it's even practically possible. Any ideas?

[digip]

An IDS is something that usually sits between your router and the rest of your lan, or is your internet gateway, and sits before your router or switch. You basically would build a machine that you route all traffic through to the rest of your network, and it would do the IDS stuff. You could also put something like this on one of your workstations, but its more or less only going to monitor that one machines, which realistically, a good firewall should do the trick to keep you safe if configured properly.

Usually, IDS is something you would want on a corporate network or web server, and not so much for home use, but you could have a machine sit between your modem and router and do traffic analysis for you, create reports, pcaps, email alerts, etc, for reviewing potential threats. Only problem then is, to make sure this device itself, since its sitting on the live IP before NAT(unless you make it a NAT device as well) would be open to anyone on the internet wanting to scan it, which is why you should put it behind the router or gateway and between the rest of the network. This requires multiple nics and another router or switch to feed the rest of the lan.

Think of it like a corporate lan. cloud > modem/gateway/router > ids server/firewall > inner switch/router > lan workstations. Lot of overhead for a home network and probably overkill and a pain for port forwarding services.

[Infiltrator]

If you still want to have an IDS in your home network, I would suggest to look into one of these two either Linux Firewall distros (Pfsense or Untangle).

Edited March 24, 2012 by Infiltrator

[NegativeSpace]

If you still want to have an IDS in your home network, I would suggest to look into one of these two either Linux Firewall distros (Pfsense or Untangle).

Sweet. I was wondering if something like that was floating around. I have an old machine that needs to be replaced. I'll probably use it for that purpose.

[Infiltrator]

Sweet. I was wondering if something like that was floating around. I have an old machine that needs to be replaced. I'll probably use it for that purpose.

Just a heads up, Untangle can be quite resource intensive, so for an old machine I am not sure how well it will perform.

However, you should give both a try and find out for yourself, which one suits you best.