[unisog] Taking down a university network with your phone!

Trevor Odonnal trevoro at byu.edu
Thu Jul 19 22:10:13 GMT 2007


This almost looks like what we see when a student hooks up their Linksys
(or other standard home router) backwards.  We start seeing 192.168.x.x
traffic and other students start getting invalid DHCP replies.  The
iPhone being involved could just be amplifying the effect by issuing
repetitive connection requests.  Knowing as little as I do about the
specifics, I just thought I'd throw this into the mix.

We see this a lot on our student residential network.  A student runs
out and buys a new router, comes home to connect it, and invariably
connects the wall jack to the LAN switch instead of the WAN port on the
router.  The router now becomes a DHCP server for all the students on
the same segment and all of the ARP traffic can be seen running around
the campus network on that segment.  We usually start getting help
center calls about 5 minutes after one of these routers get hooked up.
Typically, the whole segment looses Internet access completely.  Maybe a
student (or students) bought himself a new iPhone, wanted to have
internet access in his apartment for his new toy, so he went out and
bought a new router.  He comes home, hooks up the router incorrectly,
and VOILA we have iPhone ARP traffic flooding the campus network.  Just
a thought.

Trevor O'Donnal CISSP, CCFE
Network Security Analyst
Brigham Young University
(801) 422-1477
trevoro at byu.edu

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Kaegler
Sent: Thursday, July 19, 2007 12:39 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Taking down a university network with your phone!

At 10:26 AM -0600 7/19/07, Stephen John Smoogen wrote:
>Well from the way the article is hyped.. I figured the subject should
be
>equivalent. Do people have an idea of what the issue is exactly, and
>  what the 'security' implications might be

The educause wireless list has had some discussion since before the 
story broke on Monday. Duke admin Kevin Miller is involved in the 
thread.

He describes the traffic as follows (educause guidelines don't have a 
problem with forwarding this information):
At 6:52 AM -0400 7/17/07, Kevin Miller wrote:
>[MAC Address of iPhone] > [MAC Address B] ARP who-has [IP A] tell [IP
B]
>Where MAC Address B "looks" like the MAC address of a home router of
>some sort (OUI is assigned to such a manufacturer).
>IP A looks like a home router gateway IP (192.168.1.1, 10.0.1.1,
>192.168.2.1, etc)
>IP B looks like an IP that might be assigned on a home router
>(192.168.1.5, etc)
--http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0707&L=wireless-lan&
T=0&F=&S=&P=2592

The ARPs come in at almost 11,500 per second, which is enough to 
knock out their APs (I run the same Cisco autonomous APs, I haven't 
seen this happen). The exact source of the issue seems buried in the 
iphone somewhere (and arguably, in the APs, as external forces 
shouldn't be able to make an AP unavailable).

There's been speculation that its a side effect of iphone "special 
sauce" roaming code, but no real evidence of that. The Yahoo article 
quotes Ashok Agrawala from UoM; it appears he was just asked about 
"wireless problems" and had no other information to work with.

The security implications? I don't see many that one doesn't already 
have in other mobile 802.11 clients. The one difference I see here is 
that new code releases for the iphone could be deployed to tens of 
thousands of your customers at once. It dosn't take a heck of a lot 
of enterprise networking experience to see the risk there (although 
arguably a similar threat is posed by windows update).
-porkchop


-- 
Michael "Porkchop" Kaegler, Sr. Network Analyst
(845) 575-3061 Marist College, Poughkeepsie, NY
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog



More information about the unisog mailing list