More DoS information
Jouni Malinen
jkmaline at cc.hut.fi
Sun Apr 4 21:10:22 EDT 2004
On Wed, Mar 31, 2004 at 01:47:30PM -0800, mike-hostap at tiedyenetworks.com wrote:
> We recorded 573 syslog messages _per second_ at one point.
> Presumably this means that the AP is picking up frames at that rate - for
> example:
>
> Mar 31 13:26:01 12.149.131.195 klogd: AP: drop packet to non-associated
> STA 00:60:08:a2:01:a4
Do you recognize that MAC address? It would be useful to know if it one
of the known devices in the wired or wireless networks. That seems to be
3Com device.
This message is printed out when something is trying to send a unicast
frame through the Host AP interface to a destination address that is not
currently associated. This can happen, e.g., when bridge code does not
know the address and is forced to send the packet to all bridge ports.
In this case, the packet would have either be received from another
bridge port (one of the wired interfaces) or locally generated in the
AP.
Since this may be a valid packet, Host AP driver should probably just
drop it silently. I have used that message to debug some error cases,
but maybe it is time to just get rid of it..
> How is crimini's name could we get 573 packets per second???
This is clearly unwanted behavior from the driver, so I changed the
current CVS snapshots to at least limit the rate of those messages.
--
Jouni Malinen PGP id EFC895FA
More information about the HostAP
mailing list