Best of the ISP-Lists

Fixed Wireless Technology

The Art of War Driving

Members of the ISP-Wireless list share wit, wisdom, and stories about fighting the latest iteration of bandwidth thief. No hacker tool is as terrifyingly powerful as Windows XP.

[December 18, 2001]

On the ISP-Wireless list in November, JD inquired,

"I've got three CPRs up in AP mode right now, and all of them have now seen hackers connect to them. Is this just random associations, or competitors, or what?"

A number of respondents shared some possible explanations:

[KM warned] "These guys are probably your competition, trying to check out what equipment you are using, and seeing if they can find a weakness."

[MB admitted] "Being a student, war driving is something we do when we're not partying; we used to drive around and download all night long in our van."

Others noted that Windows XP can sometimes do this without even trying:

[EG observed] "Windows XP will automatically scan for you and jump on the best network it can find. It's the best hacker tool there is right now, because with XP, a novice can become a hacker without even knowing about it!"

[JN agreed] "While using my Windows XP laptop this afternoon to align an antenna at a client site, I stumbled across two other networks without even trying: one competitor, and one 802.11b corporate LAN."

ML offered a tutorial in the fine art of war driving:

"Here is what I have done to educate myself on the strengths and weaknesses of the wireless systems in my area, learn my customers' traffic patterns, and deal with the war drivers who want a free ride on our system.

"First, learn your surroundings by becoming a war driver yourself. I use NetStumbler to determine other DS access points in my area. A quick drive around one of my service areas with an omni sticking out of the sunroof produced 26 DS access points, including five of my own. Using GPS, NetStumbler can give good approximations of AP locations as well. This told us how many channels were in use and by whom, what kind of equipment was being used, approximate antenna locations, and signal strengths. Asking around in your area, and keeping an eye out for 2.4 GHz antennas, will also serve as excellent sources of clues as to what the competition is doing.

"Second, determine your customers' traffic patterns, and detect war drivers. What you need is some kind of network sniffer that can collect packet data and provide a useful format for reading that data, as well as some kind of graphing program to monitor historical trends. We have used MRTG for some time to monitor the traffic on our routers. By having SNMP-capable switches at each AP location, we can monitor the bandwidth on the port that serves the AP gateways. Ntop, a network protocol analyzer for Linux, will provide all the information you need about the traffic on the network segment it's monitoring. Ntop makes it easy to spot hackers: it provides the MAC address, manufacturer, IP addresses used, when they appeared, and where they went while they were on the network. The first time we turned Ntop on, an ex-employee was sitting right there on our network just like any other paying customer, except he was no longer paying for it.

"Third, you need some kind of bandwidth management. Fortunately, CBQ capability is in the stock RedHat 6.2 kernel; all that's needed is a way to specify the bandwidth rules with a set of commands. A script called CBQ-Init works like a champ. All open IP addresses that are not in use are set to zero Kb up and zero Kb down: everything looks normal, but no traffic passes. Presto, no more unauthorized users on the network.

"This system seems to be working very well for us. We still get the occasional nibble from a war driver, but are comfortable that they're not going to be able to do anything with the network."

—End

Related articles:
	[Dec. 11, 2001]	Wi-Fi News Briefs
	[Dec. 11, 2001]	Surround Your Wi-Fi Gear With An AirFortress
	[Nov. 26, 2001]	Improving WLAN Security