RE: Multiple Connection Attempts to Home Wireless Network



Sometimes these things are even more innocuous than you've theorized too. My
former employer used to get a *large* number of entries in the log regarding
connection attempts and what we eventually boiled it down to was that users
with wireless-enabled PDAs (we were in the financial district of a major
city) were almost always around and a lot of their devices were set up to
make connection attempts to any available wireless, encrypted or otherwise.

Thanks,

Corey Watts-Jones
Systems Support Specialist
BIT Incorporated

-----Original Message-----
From: Guru4u Support [mailto:support@xxxxxxxxxxxx]
Sent: Thursday, January 05, 2006 5:33 PM
To: Joe George
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Multiple Connection Attempts to Home Wireless Network

Thanks for your reply,

The 'attempts' seem to happen during the afternoon more often than not
and now seem to have settled down to occurring around 1.00pm and 5.00pm,
although the odd individual occurrence does appear.

Each time in the logs it shows 5 sets of repeated attempts (repeated
usually 20 times) all around 5 minutes apart as below. I think you're
quite right that if it was a war-driving attempt or an attempt to
piggyback my Internet connection that they would have hit the unsecured
network nearby.

I cannot report this to an ISP as all I have is the MAC address that is
being blocked by my router (D-Link).

I don't think it is malicious but it is nice to hear others' thoughts on
the matter as I haven't seen this behaviour before on my network.

[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC address 000C76C94BC4

Many thanks,

Ed


Joe George wrote:

>If malicious, my best guess is that someone is making some attempts to
>connect while war-driving or a neighbor with the intent of giving you a
>headache. Keep an eye out, but if there were something serious going on,
>I think a hacker would enter through the easiest hole (i.e. your
>neighbor w/ the unsecured network).
>
>If it is anything benign, my best guess is that one of your neighbors'
>wi-fi nodes is trying to make a connection, thinking it's their own only
>to later realize what's going on and ceases. In other words, a user with
>limited understanding of wireless (if the case, most likely the neighbor
>with the unsecured network).
>
>In the logs, do these attacks take place at similar times on the days
>they occur? Do you have anything in the log about the device trying to
>gain access? I couldn't find the manufacturer based on what you
>provided. Port scanning isn't really illegal (at least here in the USA),
>but if consistently happening, from the same IP, I'd report the user for
>abuse with the attached log for proof.
>
>Best,
>
>Joe
>
>-----Original Message-----
>From: Guru4u Support [mailto:support@xxxxxxxxxxxx]
>Sent: Thursday, January 05, 2006 4:19 PM
>To: security-basics@xxxxxxxxxxxxxxxxx
>Subject: Multiple Connection Attempts to Home Wireless Network
>
>
>Hi folks,
>
>I would appreciate some thoughts on this.
>
>I am running a small home network with a D-Link DGL-4300 router. I have
>MAC Address filtering enabled (both for wireless and wired clients) and
>I have two clients that connect wirelessly, one being a PSP and the
>other an XBOX 360. As a side note for more information I have changed
>the SSID name, enabled SPI and use WPA security, the network is also set
>to visible.
>
>My question is this: over the last few days I have noted in my router's
>logs that a wireless client with an unauthorized MAC address is trying
>to connect but being blocked. OK, not so big a deal if it was a one-off or
>maybe occasionally but it is becoming more frequent and over the past
>couple of days it's been happening for the best part of each day and
>stopping in the evening.
>
>example of my log below:
>
>[INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times
>[INFO] Mon Jan 02 15:50:04 2006 Access denied to wireless system with MAC address 000C76C94***
>[INFO] Mon Jan 02 15:50:04 2006 Previous message repeated 20 times
>[INFO] Mon Jan 02 15:46:34 2006 Access denied to wireless system with MAC address 000C76C94***
>[INFO] Mon Jan 02 15:46:34 2006 Previous message repeated 20 times
>[INFO] Mon Jan 02 15:43:02 2006 Access denied to wireless system with MAC address 000C76C94***
>[INFO] Mon Jan 02 15:43:02 2006 Previous message repeated 20 times
>[INFO] Mon Jan 02 15:37:11 2006 Access denied to wireless system with MAC address 000C76C94***
>[INFO] Mon Jan 02 15:37:11 2006 Previous message repeated 20 times
>[INFO] Mon Jan 02 15:32:28 2006 Access denied to wireless system with MAC address 000C76C94***
>
>These attempts seem to come mostly in the afternoon and recently seem to
>hit in 5 minute bursts.
>
>I can only detect two other wireless networks in range. One is
>completely unsecured (I didn't connect but my PSP showed it as having no
>security) now that network has been secured and the other is secured
>with WEP. I have no other wireless kit so it isn't something in my house.
>
>I have also seen a few access denied to my LAN with various IP MAC
>addresses, don't think this is related though.
>
>[INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MAC address EA1C1F677***
>
>Does this sound like a hacking attempt or just another network or
>wireless client been set up incorrectly or left on scanning for available
>connection points? It seems like something scanning for another network
>repeatedly?
>
>Thanks in advance,
>
>Ed
>
>------------------------------------------------------------------------
>---
>EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
>University program offers unparalleled Infosec management education and
>the case study affords you unmatched consulting experience.
>Tailor your education to your own professional goals with degree
>customizations including Emergency Management, Business Continuity
>Planning, Computer Emergency Response Teams, and Digital Investigations.
>
>
>http://www.msia.norwich.edu/secfocus
>------------------------------------------------------------------------
>----
>
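
The router log excerpts quoted in this thread can be tallied mechanically to see how many attempts each MAC made and how the bursts are spaced. The following is an added example, not part of any poster's message: it assumes the router lists the newest entry first and that "Previous message repeated N times" refers to the chronologically preceding denial; `summarize` and `mac_info` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as quoted in the thread (the router lists the newest entry first).
LOG = """\
[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC address 000C76C94BC4
"""

LINE = re.compile(r"\[INFO\] (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (.*)")
DENIED = re.compile(r"Access denied to (\w+) system with MAC address ([0-9A-Fa-f*]{12})")
REPEAT = re.compile(r"Previous message repeated (\d+) times")

def summarize(log_text):
    """Per MAC: total denied attempts, burst times, gaps between bursts (s)."""
    stats = defaultdict(lambda: {"attempts": 0, "bursts": []})
    last_mac = None
    # Assumption: newest-first listing, so reversed() gives chronological order
    # and a "repeated N times" line refers to the denial logged just before it.
    for raw in reversed(log_text.splitlines()):
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        denied, repeat = DENIED.search(m.group(2)), REPEAT.search(m.group(2))
        if denied:
            last_mac = denied.group(2).upper()
            stats[last_mac]["attempts"] += 1
            stats[last_mac]["bursts"].append(when)
        elif repeat and last_mac:
            stats[last_mac]["attempts"] += int(repeat.group(1))
        else:
            last_mac = None  # unrelated entry: a later repeat line is not ours
    for s in stats.values():
        b = s["bursts"]
        s["gaps_s"] = [int((y - x).total_seconds()) for x, y in zip(b, b[1:])]
    return dict(stats)

def mac_info(mac):
    """OUI prefix plus the locally-administered bit (0x02 of the first octet)."""
    first = int(mac[:2], 16)
    return {"oui": mac[:6], "locally_administered": bool(first & 0x02)}
```

The MAC pattern also accepts the `***`-masked form used in the original post. When `locally_administered` is true, the address was assigned in software rather than taken from a vendor's registered block, so an OUI lookup will not identify a manufacturer.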