OpenBSD Journal

g2k19 Hackathon Report: Stefan Sperling on Access Points and Ghosts

Contributed by Paul 'WEiRD' de Weerd on from the spooky-packets-at-a-distance dept.

Our next hackathon report comes from Stefan Sperling (stsp@):

My goal for g2k19 was to work on Tx aggregation support in the wifi stack. But of course I didn't even get to start working on that before I was back home.

Compared to working from home in comfort, working in a window-less OpenBSD hackroom for a week has the downside of people talking to each other in real-time. Usually such discussion is focused and fueled by coffee. But hackathons attended by Bob tend to be backed by a laugh track interspersed with grunts and complaints mostly directed at OpenSSL which I am free to ignore; Unless Bob has a problem with wifi, in which case the laughter, grunts, and complaints are directed at me.

This of course catches my attention and doesn't allow me to focus on much else than Bob's immediate problems, which on this occasion turned out to be a continuous stream of de-auth frames from our hackroom's access point. Which, in plain English, means that everyone was getting kicked off our "g2k19" wifi network.

We tried and tried with several APs but since the problem kept re-occurring with various types of APs after a couple of minutes, the most likely conclusion was that we were being attacked with spoofed de-auth frames.

Philip Guenther is taller than Bob so Philip got to climb on a table and unplug the University's AP mounted on the ceiling. There was finally peace in wifi land! And Bob was a bit quieter again. For a moment.

This moment was short and after some time the problem came back, so Bob started shouting about wifi instead of OpenSSL again. Todd Mortimer and I observed that, this time, de-auth frames now had a lower received signal strength indicator than other frames sent by our AP. Apparently, APs from neighbouring rooms had decided to enter the battle to avenge our unplugging of their now powerless comrade.

OpenBSD Wifi Ghost

With people trying to get work done in a wasteland connected to the outside world only by Ethernet, and of course the official University wifi network which was located safely behind wifi land's front lines, I set up my laptop to flood-ping itself over the air and took a stroll around campus (this involved a USB athn(4) AP in a USB port and built-in iwm(4) associated to that; making frames actually pass over the air involved routing domains; please don't try this at home). But… I wasn't attacked! So either they didn't take the bait, or my APs signal was took weak. Or perhaps I didn't wait long enough at one place at a time.

Strolling around like someone using their laptop as a smartphone, I ran across Tom Smyth who had checked half of all of Ireland's famous hospitality in his luggage and promptly helped out by providing me with 2 beers and 6 APUs (or was it the other way around? Oh never mind, doesn't matter…)

Coincidentally, Carlos "Santa" Cardenas had kindly given me several minipcie wifi cards and pigtails and antennas just a day earlier; so now I had enough gear to set up an AP running OpenBSD instead of some vendor firmware, guarded by an actual OpenBSD wifi ghost (sorry, I forgot who made this one for me; but thanks again!)

This AP was promptly attacked! But with OpenBSD on both AP and client, I now had a full view of the battle field and made our hackroom's wifi immune to de-auth attacks. I don't have enough brain juice to come up with a good heuristic for this, so users need to manually cast a de-auth attack immunity spell by setting the new 'stayauth' nwflag with ifconfig(8). Note that this flag needs to be set on clients as well as the AP, because a de-auth army will target them separately.

Now there was lasting peace in wifi land. And just enough time left to pack up my gear and move on to the BSDcan conference. I gave a talk about one of my side projects, where I am trying to configure an OpenBSD laptop which a physically and mentally disabled good friend of mine can actually use.

Flances enjoyed my talk so hopefully you will enjoy it, too! BSDCan video recordings are not yet available at the time of writing, but you can already view my slides.

Thank you very much for your report, Stefan, and for the work on WiFi in OpenBSD of course!

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]