[unisog] Taking down a university network with your phone!
trevoro at byu.edu
Thu Jul 19 22:10:13 GMT 2007
This almost looks like what we see when a student hooks up their Linksys
(or other standard home router) backwards. We start seeing 192.168.x.x
traffic and other students start getting invalid DHCP replies. The
iPhone being involved could just be amplifying the effect by issuing
repetitive connection requests. Knowing as little as I do about the
specifics, I just thought I'd throw this into the mix.
We see this a lot on our student residential network. A student runs
out and buys a new router, comes home to connect it, and invariably
connects the wall jack to the LAN switch instead of the WAN port on the
router. The router now becomes a DHCP server for all the students on
the same segment and all of the ARP traffic can be seen running around
the campus network on that segment. We usually start getting help
center calls about 5 minutes after one of these routers get hooked up.
Typically, the whole segment looses Internet access completely. Maybe a
student (or students) bought himself a new iPhone, wanted to have
internet access in his apartment for his new toy, so he went out and
bought a new router. He comes home, hooks up the router incorrectly,
and VOILA we have iPhone ARP traffic flooding the campus network. Just
Trevor O'Donnal CISSP, CCFE
Network Security Analyst
Brigham Young University
trevoro at byu.edu
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Kaegler
Sent: Thursday, July 19, 2007 12:39 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Taking down a university network with your phone!
At 10:26 AM -0600 7/19/07, Stephen John Smoogen wrote:
>Well from the way the article is hyped.. I figured the subject should
>equivalent. Do people have an idea of what the issue is exactly, and
> what the 'security' implications might be
The educause wireless list has had some discussion since before the
story broke on Monday. Duke admin Kevin Miller is involved in the
He describes the traffic as follows (educause guidelines don't have a
problem with forwarding this information):
At 6:52 AM -0400 7/17/07, Kevin Miller wrote:
>[MAC Address of iPhone] > [MAC Address B] ARP who-has [IP A] tell [IP
>Where MAC Address B "looks" like the MAC address of a home router of
>some sort (OUI is assigned to such a manufacturer).
>IP A looks like a home router gateway IP (192.168.1.1, 10.0.1.1,
>IP B looks like an IP that might be assigned on a home router
The ARPs come in at almost 11,500 per second, which is enough to
knock out their APs (I run the same Cisco autonomous APs, I haven't
seen this happen). The exact source of the issue seems buried in the
iphone somewhere (and arguably, in the APs, as external forces
shouldn't be able to make an AP unavailable).
There's been speculation that its a side effect of iphone "special
sauce" roaming code, but no real evidence of that. The Yahoo article
quotes Ashok Agrawala from UoM; it appears he was just asked about
"wireless problems" and had no other information to work with.
The security implications? I don't see many that one doesn't already
have in other mobile 802.11 clients. The one difference I see here is
that new code releases for the iphone could be deployed to tens of
thousands of your customers at once. It dosn't take a heck of a lot
of enterprise networking experience to see the risk there (although
arguably a similar threat is posed by windows update).
Michael "Porkchop" Kaegler, Sr. Network Analyst
(845) 575-3061 Marist College, Poughkeepsie, NY
unisog mailing list
unisog at lists.dshield.org
More information about the unisog