IPhones Flooding Wireless LAN At Duke 441
coondoggie sends us to a Network World story, as is his wont, about network problems at Duke University in Durham, N.C. that seem to be related to the iPhone. "The Wi-Fi connection on Apple's recently released iPhone seems to be the source of a big headache for network administrators at Duke. The built-in 802.11b/g adapters on several iPhones periodically flood sections of the school's wireless LAN with MAC address requests, temporarily knocking out anywhere from a dozen to 30 wireless access points at a time. Campus network staff are talking with Cisco, the main WLAN provider, and have opened a help-desk ticket with Apple. But so far, the precise cause of the problem remains unknown. 'Because of the time of year for us, it's not a severe problem,' says Kevin Miller, assistant director, communications infrastructure, with Duke's Office of Information Technology. 'But from late August through May, our wireless net is critical. My concern is how many students will be coming back in August with iPhones? It's a pretty big annoyance, right now, with 20-30 access points signaling they're down, and then coming back up a few minutes later. But in late August, this would be devastating.'" So far, the communication with Apple has been "one-way."
Re:Interesting problem (Score:3, Informative)
Re:Interesting problem (Score:5, Informative)
Lets focus on the real problem (Score:5, Informative)
This doesn't mean that apple released a product without a defect. But if your network crashes because of a defective device, then you should fix your network first.
Not apple's fault (Score:1, Informative)
Re:Cisco (Score:4, Informative)
I've done consulting in the wireless market for a while now. One of my key markets is the healthcare market, and I make sure I tell any hospital using wireless that there is absolutely, positively, unequivocally no way they can stop a determined DoS WLAN attack. Set up a noise source at 2.4GHz (or 5.8GHz for 802.11a), crank up the wattage well above the FCC limit for the ISM bands, and aim the antenna at the building. It *will* shut down *any* WLAN you've got unless the building is built like a Faraday cage.
There is nothing you can do about it short of rooting out the source of the noise and shutting it down. Granted, such an attack is highly illegal (violates FCC radiated power limits, which might be a felony, I'm not sure), but I doubt that's on the mind of the prankster (or terrorist) who's shutting you down.
Apple DHCP client (Score:5, Informative)
MAC filtering is not a solution (Score:2, Informative)
This is an effective solution. Can you imagine if Duke locked down APs with MAC filtering? You'd have 10,000 "authorize my MAC" requests between August 15 and 30 each year on an already-overwhelmed IT staff, and you can spoof MACs anyways. How many people actually know what a MAC is and how to find it? Sure, they could provide a tool that automatically detects your MAC, but how are you going to download it if you can't get on in th first place?
Also, please don't suggest WEP/WPA, because distributing a password/passkey amoung that number of users is as good as not having one at all. And a more complex solution, like PKI or smartcards, is going to create more headaches than it's worth when deployed to this number of users.
Re:MAC address REQUEST? (Score:1, Informative)
"The requests are for what is, at least for Duke's network, an invalid router address. Devices use the Address Resolution Protocol (ARP) to request the MAC address of the destination node, for which it already has the IP address. When it doesn't get an answer, the iPhone just keeps asking."
Most likely a Cisco bug - firmware upgrade needed. (Score:1, Informative)
Anyhow, the ARP standard is unclear enough that it's undefined what the response should be for an ARP request to an unknown destination should be (http://www.faqs.org/rfcs/std/std37.html). Theoretically, every packet that you send needs an ARP entry, which means that every packet sent to something that isn't in your machine's ARP table would generate an ARP request. In reality, it seems that your router tends to substitute its own MAC address for non-local ARP entries (since all non-local packets go through the router, you really don't have to know what the real MAC address is)
It sounds like the Duke Cisco routers are misconfigured somehow, and are generating an ARP storm. Some Cisco routers has a bug where a packet sent to an IP address for which the router doesn't have an ARP entry causes the router to broadcast all subsequent packets across all of the router's ports. It happens in the cable industry when someone swaps out a GigE card and forgets to update the ARP tables on the Ciscos. Solution: use dynamic ARP tables, which can be a security hole.
FWIW.
Re:Interesting problem (Score:5, Informative)
My guess is that either there is no DHCP and the iPhones just try like crazy, or some other misconfiguration of the network is causing these. Couple this with potential interference from all the other iPhone devices in the area, which could (and probably does) cause dropped packets, and one has a veritable storm of ARP requests which could easily take out subnets. 8 wireless cards is enough to DoS a high end wireless access point (Yellow Laptop anyone) so it doesn't stretch the imagination to think that some iPhone's could do it.
My $0.02 AU
Re:Critical? (Score:2, Informative)
Re:Interesting problem (Score:1, Informative)
The requests are for what is, at least for Duke's network, an invalid router address. Devices use the Address Resolution Protocol (ARP) to request the MAC address of the destination node, for which it already has the IP address. When it doesn't get an answer, the iPhone just keeps asking.
Re:Interesting problem (Score:1, Informative)
This is just a guess but it is probably looking to connect to the previous router or some router it knew about at one time in the recent past. The only thing a device needs the MAC for is its router and other devices in its subnet. I've seen Windows laptops do this on occasion when they switch to a different access point in a mesh that has a different gateway. Example, you are attached to AP1 with a 192.168.0/24 network and a gateway of
Should a Cisco AP crash because of this? No, you never trust the client for security or for stability. Put some adjustable rate limiting per client setting in there. Should the iPhone be flooding ARP requests? No as well.
What makes this even more interesting is Cisco and Apple are generally slow to publicly acknowledge "issues" with in their hardware and software.
Re:Apple DHCP client (Score:5, Informative)
Re:Interesting problem (Score:3, Informative)
I suspect what the GP meant is that it's part of the Rendezvous/zeroconf dynamic IP process, which is often built into dhcpcd/pump/dhclient or equivalent. The very first thing most modern computers do when they see a network is to pick a random address and ARP for it, then assign themselves that IP if it isn't used.
Also, it is part of the DHCP process, I think. The last step in the process is to ARP for your assigned IP to make sure it hasn't been doubly assigned. I'm not sure if that's actually part of the spec or not, but every OS I've ever studied under tcpdump did it, so I would assume that it is.
Re:Economic class and higher education (Score:5, Informative)
He mentioned scholarships, though it was in an offhand way. You're certainly free to disagree with what he's saying, but insulting him twice in six sentences while "refuting" him with a point he already made is absolutely wrong on any level.
Besides which, your own point is really no gem either. Your advice to get a scholarship is to be smart and hard working? It's half true, sure. Colleges do give scholarships to people with good grades--though often you also need extra-curricular activities to put you ahead even though that really has nothing to do with intelligence or hard work, merely interest in organized activities--but those are limited. If every student in the nation suddenly became smart and hard working, it would still help only an exceptionally small percentage of them receive a scholarship. In fact, since Duke is a good school you can be relatively sure that the vast majority of students who are accepted there are already smart and hard working, so even in your limited example
I happen to think the way the OP handled himself was flamebait, but the question he raised about free education is a debate worth having. Preferably without insults.
Congratulations to your daughter for getting in, getting money and getting through--but just because she did doesn't mean everybody else can, even those equally smart and hard working.
Re:Cisco (Score:5, Informative)
Not to seem unkind, but it sounds like you need to finish your classes before weighing in on this subject. You do not seem to understand the nature of a DoS attack enough to comment properly on it.
To clarify, it has nothing to do with altering the source address. While some hardwired DoS attacks involve the spoofing of source addresses, it is not required. Any kind of action that prevents the target from functioning as designed constitutes a DoS attack, and flooding an AP with spurious MAC requests fits that description. Since the iPhone is doing this as part of its (probably flawed) design, no hacking of the iPhone is required.
The Cisco AP's and WLAN controller have little choice but to listen to whatever traffic the iPhone spews out. Sure, they can discard or ignore the traffic, but it doesn't change the fact that a rampant iPhone "attack" will consume shared air time even if such action is taken. With enough iPhones, any single AP can be completely overwhelmed even if it's ignoring everything the iPhone is throwing at it.
As I said before, you can't switch, route, or firewall air. You're always at the mercy of the person transmitting with the least control or scruples.
Re:Interesting problem (Score:5, Informative)
DHCP is not implicit in any network topology. It may be modern and 'expected,' but, jesus christ, every time there's a network discussion on this site, DHCP is strewn all over it like shit on a truck stop toilet. Just because you were born in 1995 and have an "ADSL" connection that uses DHCP (well, it probably uses PPPoE now) doesn't mean you're qualified to say anything, and it certainly doesn't mean there aren't real networks that have never even heard of the silly little protocol.
That said, the initial DHCP request does go to a broadcast address, but it certainly has nothing to do with ARP. It goes to the global broadcast address (MAC: FF:FF:FF:FF:FF:FF). There's no such thing as an ARP address. ARP is a network layer protocol lying atop Ethernet (primarily; it isn't limited to Ethernet, of course). It is a MAC address you are thinking of.
Your use of commas is worse than your knowledge of low-level network protocols, really. I don't even know why I bother. Whoever mods this shit up, go fuck yourself. And whoever's out there that actually does know what they're talking about (surely there's someone else out of two million users), like I do, fuck you for not replying and setting these morons straight. It's a ridiculous place to read for technological discussion, anymore.
I'm sorry, but *WHAT*?!?!?! (Score:5, Informative)
How the hell did you get modded informative with that god-awful collection of misunderstandings and poor comprehension of clearly understood concepts?
There's nothing unclear about the standard, except when you apply it incorrectly.
To begin with, there is no such thing as an "unknown destination" - if the address is unknown, how the hell do you send a request for it?!?! (You ever call 411 and say "Hi, I need the phone number for someone, but I don't know who they are, where they live, what they do, or anything about them.")
Now, if you're clumsily trying to say "there's no way to answer: what is the MAC address of an IP address that is unassigned", then that's simple - there is no answer (nobody responds, so therefore there is no answer - which means that the IP address is unassigned.)
However, if you're trying to say "what is the MAC address of an IP address that resides on a different network" then the answer is the same - there (again) will only be a reply if
a machine with that IP address exists on the network. IP networks are virtual - you can have many different IP networks residing on the same wire. If a machine hears an ARP request for an address that is not on it's network, it just doesn't answer (the inherit assumption is that there is another IP network on the same wire, and the request is ignored.)
ARP doesn't know anything about IP network layout - basically, machines just respond if they hear a request for their IP address.
When you want to send to an *IP* address that is not on the local link, you look up the IP address for the router(s) to that network, ARP for it (if you don't already know it's MAC address) and send the packet to it - there is no 'substitution' involved. You never ask for the MAC address of the destination IP address, you ask for the MAC address of your router, then send it the packet for forwarding.
Re:Most likely a Cisco bug - firmware upgrade need (Score:2, Informative)
Re:Not apple's fault (Score:3, Informative)
Re:Interesting problem (Score:3, Informative)
It's probably related to Cisco's built in defense mechanisms. By default if a Cisco AP detects what it thinks is an attack it will go offline for awhile. The problem is that in the real world there are buggy chipsets and drivers that will trigger this so one usually ends up disabling them in self-defense. As a specific example there is an Intel WLAN chipset present in many older laptops that will randomly resend packets. An AP configured with default settings will shut off for exactly 60 seconds after it sees a couple of those as it thinks a replay attack is being used against it.
There are several different attack vectors detected and timers associated. But I would think a university would already know all about this and have them configured correctly but if not then yeah, a couple of rogue devices can bring the whole shootin' match down. (To be fair Cisco isn't the only AP vendor that this can happen to).
Re:Interesting problem (Score:1, Informative)
If that's what the GP meant then that's what they should have said! You're talking about this:
So no, the IP address is not "random" but yes, ARP does get involved - but not specifically as part of DHCP per se.
Technically it is not required, but many clients will double-check just in case (section 2.2, IETF RFC 2131).
Never trust various vendors as your source of how things are "supposed" to work! :-)
Re:MAC address REQUEST? (Score:3, Informative)
Re:Taking out Cisco Router with ARP Floods? (Score:3, Informative)
It's amazing the Apple fanboy-ism around here. I have seen MANY devices have flaws like this in my time. Everyone knew the iPhone, as a first gen product, was going to have it's problems. This is likely one of them.
And no matter what you seem to think you know about WiFi - one device can EASILY flood others off of an AP with a lot of ARP requests, because they will suck up all the available bandwidth for itself. It is a well known fact very easy to DOS a wireless access point in this way. You gotta remember WiFi is a shared medium every client doesn't have dedicated bandwidth by any stretch of the imagination. It is not hard at all to assume that this is a broken WiFi driver in the iPhone.
Re:Interesting problem (Score:2, Informative)
I just love that this post is, as of the moment, modded as Informative.
Re:MAC address REQUEST? (Score:4, Informative)
I would suggest that perhaps you didn't RTFA, but that is a given, since this is Slashdot.
It is, indeed, asking for a MAC address.... it's called ARP [wikipedia.org] and it is how an Ethernet device determines what MAC address to use to reach a destination IP address.
Re:Lets focus on the real problem (Score:1, Informative)
Re:Economic class and higher education (Score:3, Informative)
This fall total tuition and fees for most majors at Iowa State is $3080.66 / semester:
http://www.iastate.edu/~registrar/fees/tuition070
Minnesota: $4705 / semester
http://admissions.tc.umn.edu/costsaid/tuition.htm
Wisconsin: $3365 / semester
http://www.admissions.wisc.edu/costs.php [wisc.edu]
Those figures don't include "Room & Board" because you need "Room & Board" whether you're in school or not, so it's a little silly to pretend that it's a cost related to your education. Even if you include R&B, which is on the order of $6k/year at those schools, you could make that much working a student-wage job for an annual average of 20 hours/week (or 14 hours/week if you work full-time for 12 weeks in the summer).
Re:Not apple's fault (Score:2, Informative)
Re:Not apple's fault (Score:3, Informative)