Wednesday, 30 January 2013

What is a Duration attack in wireless (WLAN)?

The Duration attack in short:

"The duration value in the WLAN frame indicates the time duration in milliseconds for which the channel is reserved. The Network Allocation Vector (NAV) stores this duration information. The rule is that any node can transmit only if the NAV reaches zero.

Attackers make use of the above vulnerability. They inject packets into the WLAN with huge duration values. This would force the other nodes in the WLAN to keep quiet as they cannot send any packet until this value reaches zero. If the attacker sends such frames continuously it will prevent other nodes in the WLAN from operation for a long time and thereby disrupting the entire wireless service."

Ref :

Omnipeek and some other wireless sniffers can identify this attack, and the offending frames can be seen in their logs. It effectively takes the wireless network down: every station honours the bogus NAV and stays silent, while the attacker has the medium to itself.

Some other examples where this type of behaviour has been identified:

1) Meru Wireless AP

The excerpts below are taken from


"Meru's secret [manipulation of the RF] may leave a bitter aftertaste, especially if a neighboring business is running a Meru system on the same channel as your non-Meru system. Cisco was unambiguous in claiming that Meru is violating 802.11 standards by artificially manipulating the NAV (network allocation vector) value in certain duration fields (see "Duration, Duration, Duration" below). Meru denies these allegations, claiming its products are "100 percent standards-compliant." Based on our understanding of 802.11's virtual carrier sense architecture and the role that duration field values play in managing contention, we find Cisco's charges credible, but we'll reserve final judgment until other industry experts weigh in on this controversial issue."

In other words, by manipulating the carrier sense in an unorthodox manner, the Cisco APs never get a chance to talk on the RF.

For some reason, Cisco products appear to be more susceptible to this Meru-induced issue.

Your Cisco WLC should be able to see the adjacent WiFi devices - if any exist.

Or, if you have a wireless sniffer (AirMagnet, etc.), you might be able to see adjacent "rogue" access points. Even a laptop with WiFi might be able to see a list of foreign SSIDs that are not yours.

If you can get the wireless MAC address of these foreign APs (assuming that they are there), you can look up the OUI (the first three bytes of the MAC address) at the following site to determine the manufacturer of the access point:

If Meru pops up, it might be the source of your problem. If so, you may be able to work around this problem by using a channel other than that of the neighboring Meru WLAN (since Meru uses the *same* channel for *EVERY* access point in its WLAN - yes, bizarre, but true).


2) Apple iPhone


 The finding in question was that the Apple iPhone, iPad, and other mobile devices based on the latest Broadcom chipsets are setting really long Duration values in the range of 10-14ms within Wi-Fi control frames (e.g. RTS/CTS-to-self). This essentially reserves the medium for the device to transmit without a collision. The problem is that this is an excessively long period of time for an 802.11n capable device, and through my packet analysis I have found that no large frame transmission is subsequently occurring. This indicates that a performance problem may exist with the devices, and may be reported as an NAV DoS attack on the network by WIPS systems.


3) Intel client

Intel clients use the technique of sending a long duration (usually 4ms) in an RTS frame, sending their data and then releasing with a CFE frame. They only do this under certain circumstances however. You can see it by associating an 11n Intel client (I used a 6205) to an 11n AP (using the 2.4GHz radio) and then associating a legacy (non-11n) client. From a wired pc, then ping the 11n client. You'll see the RTS frames that the 11n client sends (for wireless protection) have a large duration and after it transmits the ping response, it sends a CFE.

So someone at Intel believes this is a better method of sending data in a crowded environment. They don't do this behavior in 5GHz as far as I've seen. Broadcom may be trying to replicate something like this.


So if you see such frames in your WLAN, identify the transmitting device (client or AP) and check whether it is one of the above. If not, post in the comments.
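The check described above, as an added example that is not part of the original post: parse the 802.11 MAC header of each captured frame, decode the Duration/ID field and attribute every over-long NAV reservation to the MAC that sent it. One correction to the quoted summary: the Duration/ID field is a 16-bit value in microseconds, not milliseconds, so the largest NAV a single frame can set is 32767 us (about 33 ms). The sample frames, the MAC addresses and the 5 ms threshold are constructed for the example, not taken from a capture.

```python
import struct
from collections import defaultdict

# Control-frame subtypes we care about (frame type field == 1).
CONTROL_NAMES = {10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK", 14: "CF-End"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame):
    """Decode Frame Control and Duration/ID and pick the MAC the frame is attributed to."""
    fc, duration = struct.unpack_from("<HH", frame, 0)   # both fields are little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1:
        kind = CONTROL_NAMES.get(subtype, f"control/{subtype}")
    else:
        kind = f"type{ftype}/subtype{subtype}"
    ra = mac(frame[4:10])
    # CTS and ACK carry only a receiver address, so a CTS-to-self names its sender in RA;
    # every other frame carries the transmitter in address 2.
    ta = ra if (ftype == 1 and subtype in (12, 13)) else mac(frame[10:16])
    return {"kind": kind, "duration": duration, "ra": ra, "ta": ta}

def nav_microseconds(duration_field):
    """Bit 15 clear: a NAV reservation in microseconds (0..32767).
    0x8000 is the fixed value used inside a contention-free period and values with
    bits 15 and 14 set carry a PS-Poll association ID; neither one sets the NAV."""
    return duration_field if duration_field & 0x8000 == 0 else None

def find_nav_abuse(frames, threshold_us=5000):
    """Map each transmitter MAC to the (frame kind, NAV) pairs above the threshold.
    5 ms is an assumed cut-off: tune it to the lowest data rate in use, because a
    1500-byte frame sent at 1 Mbps legitimately needs about 12 ms."""
    offenders = defaultdict(list)
    for frame in frames:
        h = parse_header(frame)
        nav = nav_microseconds(h["duration"])
        if nav is not None and nav > threshold_us:
            offenders[h["ta"]].append((h["kind"], nav))
    return dict(offenders)

# Constructed sample frames (FCS omitted). Layout: FC(2) | Duration/ID(2) | addresses...
AP, STATION, ATTACKER = (bytes.fromhex(h) for h in ("aabbccddeeff", "001122334455", "020000000001"))
FRAMES = [
    bytes.fromhex("b400a000") + AP + STATION,                     # RTS, 160 us: normal
    bytes.fromhex("08002c00") + AP + STATION + AP + b"\x00\x00",  # data frame, 44 us
    bytes.fromhex("a40001c0") + AP + STATION,                     # PS-Poll, Duration/ID = AID 1 (0xC001)
    bytes.fromhex("b4001027") + AP + ATTACKER,                    # RTS, 10000 us (0x2710): suspicious
    bytes.fromhex("c400ff7f") + ATTACKER,                         # CTS-to-self, 32767 us: the maximum NAV
]

if __name__ == "__main__":
    for sender, hits in find_nav_abuse(FRAMES).items():
        print(sender, hits)
```

Run against the sample frames it reports only 02:00:00:00:00:01 with one RTS of 10000 us and one CTS of 32767 us; the PS-Poll is ignored even though its raw field value (0xC001) is larger, because that field is an AID, not a NAV. The same attribution rule explains why the Intel and Broadcom behaviour quoted above shows up as a NAV alert in a WIPS: an RTS or CTS-to-self with a multi-millisecond duration looks identical on the air whether the sender is a chipset quirk or an attacker.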

How to take backups of a Linux machine?

I have not tried it yet, but Clonezilla is one free tool that can back up a single PC or back up many PCs simultaneously.

Monday, 28 January 2013

Unicast DHCPREQUEST is not sent by the DHCP client after T1 expires?

Recently I came across an issue in which the DHCP client was not sending a unicast DHCPREQUEST after T1 expired.

I will explain some basics of DHCP before going into the issue.

1) It is specified in RFC 2131.
2) The messages between server and client are DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK.
3) At T1 (50% of the lease time by default) the client sends a unicast DHCPREQUEST to the server that issued the lease. If the server answers, the lease is renewed; if not, the client keeps using the address.
4) If no answer has arrived by T2 (87.5% of the lease time by default) the client sends a broadcast DHCPREQUEST, so that any DHCP server can extend the lease.
5) If there is still no answer when the lease expires, the client must stop using the IP address and start over with a broadcast DHCPDISCOVER.

Now the issue :

We had a server with the lease time set to 15 minutes. The client gets its IP address and the other parameters from the server. T1 is half the lease, 7.5 minutes; after T1 the client should send a unicast DHCPREQUEST, but it sent a broadcast DHCPREQUEST. That looks like a bug, because a client that moves to the RENEWING state should unicast.

As per RFC 2131

   At time T1 the client moves to RENEWING state and sends (via unicast) a DHCPREQUEST message to the server to extend its lease.

Here are some of the observations:

1) Server: Windows 2008 DHCP server (lease time 15 min)

2) Linux PC as client

Setup :

Linux PC --- switch --- Windows DHCP server

Once the client has obtained an IP address, disconnect the server.

Linux then sent the DHCPREQUEST as a broadcast.


In Linux the default ARP (neighbour) timeout is 60 seconds; the parameter is gc_stale_time, described in the ARP timeout post below (/proc/sys/net/ipv4/neigh/<interface>/gc_stale_time).

After the ARP entry for the DHCP server is deleted, the client sends an ARP request for the server's address. If it gets no ARP reply by T1, it sends the DHCPREQUEST as a broadcast.


If the server is always connected, ARP resolves and the client sends a unicast DHCPREQUEST.


So it does not seem to be a bug. If the ARP entry for the server is present, the client sends a unicast DHCPREQUEST; if it expired before T1 and cannot be refreshed, the client sends a broadcast DHCPREQUEST.
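The lease timeline from the list above and the unicast-or-broadcast decision from this analysis, as an added example (not code from the post): a small model of the RFC 2131 client states, including the retransmission rule the post does not mention (after an unanswered DHCPREQUEST the client waits half the remaining time, never less than 60 s, before trying again). The server address 192.0.2.1 is assumed; the ARP-dependent fallback is the post's observation, not RFC text.

```python
from dataclasses import dataclass

BROADCAST = "255.255.255.255"

@dataclass
class Lease:
    server_ip: str      # server identifier from the DHCPACK (option 54); assumed value below
    lease_time: int     # seconds (option 51)
    t1: int = None      # option 58; RFC 2131 default is 0.5 * lease
    t2: int = None      # option 59; RFC 2131 default is 0.875 * lease

    def __post_init__(self):
        if self.t1 is None:
            self.t1 = self.lease_time // 2
        if self.t2 is None:
            self.t2 = int(self.lease_time * 0.875)

def client_action(lease, elapsed, arp_resolves=True):
    """State and message a client should be in `elapsed` seconds after the DHCPACK.
    `arp_resolves` models the observation in the post: the unicast to the server needs
    the server's MAC, and when that cannot be resolved the client falls back to a broadcast."""
    if elapsed < lease.t1:
        return ("BOUND", None, None)
    if elapsed < lease.t2:
        return ("RENEWING", "DHCPREQUEST", lease.server_ip if arp_resolves else BROADCAST)
    if elapsed < lease.lease_time:
        return ("REBINDING", "DHCPREQUEST", BROADCAST)
    return ("INIT", "DHCPDISCOVER", BROADCAST)

def retransmit_schedule(lease):
    """Send times if the server never answers (RFC 2131 section 4.4.5): wait half the time
    left until T2 (RENEWING) or until expiry (REBINDING), never less than 60 s, then resend."""
    events, now = [], lease.t1
    while now < lease.t2:
        events.append((now, "RENEWING", "unicast DHCPREQUEST"))
        now += max(60, (lease.t2 - now) / 2)
    now = lease.t2
    while now < lease.lease_time:
        events.append((now, "REBINDING", "broadcast DHCPREQUEST"))
        now += max(60, (lease.lease_time - now) / 2)
    events.append((lease.lease_time, "INIT", "broadcast DHCPDISCOVER"))
    return events

if __name__ == "__main__":
    lease = Lease("192.0.2.1", 15 * 60)   # the 15-minute lease from the post
    for t, state, msg in retransmit_schedule(lease):
        print(f"t={t:6.1f}s {state:9s} {msg}")
```

For the 15-minute lease this gives T1 = 450 s and T2 = 787 s, four unicast attempts in RENEWING (at 450, 618.5, 702.75 and 762.75 s), two broadcasts in REBINDING and a DHCPDISCOVER at 900 s. When reading a capture, the thing to check is therefore not only whether the first request is unicast but whether the retransmissions keep the same destination; a client that broadcasts from T1 onward while the server is reachable would really be violating the RFC.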


Let me know your comments and observations on this.


Keep learning, Keep sharing !!!

Friday, 25 January 2013

What will happen in this basic networking subnet case?

We have two PCs with a switch in between

PC1 ( netmask ) -------------------- Switch -------------------- PC2 ( netmask )

Will they ping each other?

What am I changing here?

I am changing the subnet mask of one PC, so that at the IP layer they are on different subnets (the switch still puts both in the same layer-2 broadcast domain).

Let me know what you think.

Thursday, 24 January 2013

ARP Timeout Value for Linux, Windows, Cisco 2960 and DELL Switch

ARP timeout

As per RFC 826


"It may be desirable to have table aging and/or timeouts.  The
implementation of these is outside the scope of this protocol."

So ARP timeouts are vendor dependent and can vary drastically from one vendor to another. Here is some information about ARP timeouts.

1) ARP timeout for Cisco 2960 switch

# show interfaces vlan 1
Vlan1 is up, line protocol is down
  Hardware is EtherSVI, address is 5897.1ec9.1040 (bia 5897.1ec9.1040)
  Internet address is
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:10:09, output 00:10:07, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     60274 packets input, 5100402 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     66629 packets output, 52011719 bytes, 0 underruns
     0 output errors, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out

The default ARP timeout on a Cisco switch is 4 hours.

It can be changed with the following commands (the first line is the prompt printed by the configure command):

Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
cisco(config)#interface vlan 1
cisco(config-if)#arp timeout ?
  <0-2147483>  Seconds
cisco(config-if)#arp timeout 600

2) ARP timeout for DLINK switch

The default ARP aging time on the D-Link switch is 20; the unit in this CLI is minutes, so 20 minutes.

# show arpentry
Command: show arpentry

ARP Aging Time : 20

Interface      IP Address       MAC Address        Type
-------------  ---------------  -----------------  ---------------
System      FF-FF-FF-FF-FF-FF  Local/Broadcast
System    00-1B-11-11-BD-41  Local
System    FF-FF-FF-FF-FF-FF  Local/Broadcast

Total Entries  : 3

Command to change the ARP aging time on the D-Link switch (the value is in minutes):

DES-3026:4#config arp_aging
Command: config arp_aging

Next possible completions:

DES-3026:4#config arp_aging time
Command: config arp_aging time

Next possible completions:
        <value 0-65535>

DES-3026:4# config arp_aging time 600

3) Linux Fedora Core 16

The default ARP timeout in Linux is 60 seconds.

It can be changed at /proc/sys/net/ipv4/neigh/eth1/gc_stale_time (one directory per interface, plus "default" for new interfaces). Strictly speaking, gc_stale_time is how long an unused STALE entry is kept before garbage collection; an entry drops from REACHABLE to STALE after base_reachable_time_ms (30 seconds by default, randomised between half and one and a half times that value) and is re-verified the next time it is used.

gc_stale_time (since Linux 2.2)
Determines how often to check for stale neighbor entries. When a neighbor entry is considered stale, it is resolved again before sending data to it. Defaults to 60 seconds.
gc_thresh1 (since Linux 2.2)
The minimum number of entries to keep in the ARP cache. The garbage collector will not run if there are fewer than this number of entries in the cache. Defaults to 128.
gc_thresh2 (since Linux 2.2)
The soft maximum number of entries to keep in the ARP cache. The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed. Defaults to 512.
gc_thresh3 (since Linux 2.2)
The hard maximum number of entries to keep in the ARP cache. The garbage collector will always run if there are more than this number of entries in the cache. Defaults to 1024.

4) Windows

It was difficult to find the value for Windows XP. For Windows 2000 I got the following lines from the link given in the reference.

"Windows 2000 adjusts the size of the ARP cache automatically to meet the needs of the system. If an entry is not used by any outgoing datagram for two minutes, the entry is removed from the ARP cache. Entries that are being referenced are given additional time, in two-minute increments, up to a maximum lifetime of 10 minutes. After 10 minutes, the ARP cache entry is removed and must be rediscovered using an ARP Request frame. To adjust the time an unreferenced entry can remain in the ARP cache, change the value of the ArpCacheLife and ArpCacheMinReferencedLife registry entries."

So the default value appears to be 2 minutes.

5) For Brocade switches the default value is 10 minutes.

Commands to set and reset the aging time:

ip arp-aging-timeout value
no ip arp-aging-timeout

The ARP aging time is different from the MAC address table (bridge learning table) aging time. If the two are mismatched, unicast flooding can result: the switch forgets a quiet host's port while its neighbours still hold the host's ARP entry and keep sending it unicast frames, which the switch must then flood out of every port. So it is normally better to keep the ARP aging time shorter than the bridge learning table time (on Linux the bridge ageing time is 300 seconds, or 5 minutes, and can be seen with brctl).
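An added check for the rule in the previous paragraph (example code, not from the post): on a Linux host that runs a software bridge, read the bridge's MAC ageing time from sysfs and the neighbour timers of the bridge interface from /proc, and flag the case where ARP entries outlive the MAC table. The decision is in a separate function so it can be applied to values collected from a hardware switch as well; the paths are the standard Linux ones, and sysfs stores ageing_time in hundredths of a second (30000 for 300 s).

```python
from pathlib import Path

SYSFS_NET = Path("/sys/class/net")
PROC_NEIGH = Path("/proc/sys/net/ipv4/neigh")

def ageing_ticks_to_seconds(ticks):
    """sysfs exposes the bridge ageing time in USER_HZ ticks (1/100 s): 30000 -> 300 s."""
    return int(ticks) / 100

def bridge_ageing_seconds(bridge, root=SYSFS_NET):
    return ageing_ticks_to_seconds((root / bridge / "bridge" / "ageing_time").read_text())

def neigh_timers(iface, root=PROC_NEIGH):
    """Host-side timers: an entry stays REACHABLE for base_reachable_time_ms (randomised
    between 0.5x and 1.5x) and is re-verified when next used; a STALE entry unused for
    gc_stale_time becomes eligible for removal."""
    d = root / iface
    return {"reachable_s": int((d / "base_reachable_time_ms").read_text()) / 1000,
            "gc_stale_s": int((d / "gc_stale_time").read_text())}

def check_timers(arp_stale_s, bridge_ageing_s):
    """ARP should expire and be refreshed (which also refreshes the switch's MAC table)
    before the bridge forgets the MAC; otherwise frames to a quiet host get flooded."""
    if arp_stale_s < bridge_ageing_s:
        return (True, f"ARP stale {arp_stale_s}s < bridge ageing {bridge_ageing_s}s")
    return (False, f"ARP stale {arp_stale_s}s >= bridge ageing {bridge_ageing_s}s: unicast flooding possible")

def audit(root_sys=SYSFS_NET, root_proc=PROC_NEIGH):
    """For every Linux bridge on this host, compare its MAC ageing with the neighbour
    timers of the bridge interface itself. Returns {} on a host without bridges."""
    results = {}
    devices = sorted(root_sys.iterdir()) if root_sys.is_dir() else []
    for dev in devices:
        if (dev / "bridge").is_dir() and (root_proc / dev.name).is_dir():
            age = bridge_ageing_seconds(dev.name, root_sys)
            timers = neigh_timers(dev.name, root_proc)
            results[dev.name] = {"bridge_ageing_s": age, **timers,
                                 "check": check_timers(timers["gc_stale_s"], age)}
    return results

if __name__ == "__main__":
    for name, report in audit().items():
        print(name, report)
```

With the defaults quoted in this post (gc_stale_time 60 s, bridge ageing 300 s) the check passes; a Cisco VLAN interface left at its 4-hour ARP timeout against a switch MAC table that ages in 5 minutes is exactly the mismatch the paragraph above warns about, which is why the arp timeout command shown earlier is worth setting.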


ARP table and MAC table discussions

Wednesday, 23 January 2013

How to configure LACP in DLINK switches

To configure LACP on D-Link switches, these commands can be used. On the first switch, with LACP in active mode:

config link_aggregation group_id 1 master_port 20 ports 20-21 state enable

config link_aggregation algorithm mac_destination

config lacp_port 20-21 mode active

On the peer switch, the same aggregation group in passive mode (at least one side must be active for the LACP negotiation to start):

config link_aggregation group_id 1 master_port 20 ports 20-21 state enable

config link_aggregation algorithm mac_destination

config lacp_port 20-21 mode passive


How to configure VLAN in DLINK switches

These are the commands to configure VLANs on D-Link switches (remove all ports from the default VLAN first, then add the untagged access ports and tagged trunk ports to each new VLAN):

config vlan default delete 1-26

config vlan default add untagged 1-14



create vlan vlan_100 tag 100

config vlan vlan_100 add untagged 18

config vlan vlan_100 add tagged 19-20


create vlan vlan_200 tag 200

config vlan vlan_200 add untagged 10

config vlan vlan_200 add tagged 11-12

Friday, 18 January 2013

IXIA Chariot version 4.3 console always terminates when the Microsoft Windows remote desktop session is closed or minimized

We use the IXIA Chariot tool for performance tests. It is licensed software from IXIA that supports different types of tests.

For more information you can refer to:

Just to explain how it is used: one machine runs the console and the others act as endpoints; the test traffic runs between the endpoints.

Now the issue (we have IXIA Chariot console version 4.3):

1) Let's say the console is installed on a Windows XP PC and we log in to it remotely using Microsoft's Remote Desktop:

Start -> Run -> mstsc -> a window opens -> give the IP address of the PC to connect to and log in.

2) Now run Chariot remotely -> it runs fine.

3) Minimise the remote window -> open it again -> no trace of the Chariot console (it has been closed :-( )

4) Start the tests again.

5) Terminate the remote session, go to that PC and log in locally to check the results.

6) No results -> the issue: the moment the remote desktop session is closed, the Chariot console stops.


Reason -> unknown.

Is it a bug in Chariot? Well, I am not sure how it behaves in newer versions. If you have one, do some analysis and let me know...

My analysis

I ran Wireshark and did the following tests:

1) On the local PC, ran Chariot and stopped it using the "x" button in the top right corner

2) On the local PC, ran Chariot and killed the chariot.exe process using Task Manager

3) Ran Chariot remotely and closed the remote session

The Wireshark captures for points 2 and 3 are almost the same. This implies that when we close the remote session, the Chariot process is being killed.

What you can do

If you are in the IXIA QA team, raise a bug. If you have Chariot, test the same thing and let me know your observations.

Keep breaking, Keep Learning !!!!

How to create virtual IP interfaces in Linux

We always have this requirement: simulate a large number of clients using a small number of resources (read: PCs or test PCs).

So we use virtual interfaces (IP aliases) on a Linux PC to simulate this.

These are the steps to create the virtual interfaces and assign IP addresses to them (Fedora/RHEL style network-scripts):

1) #cd /etc/sysconfig/network-scripts

2) create a new range file
# vim ifcfg-eth0-range0


3) create another range file with another group of addresses

4) # ifdown eth0

5) # ifup eth0

6) # ifconfig

It should show all the interfaces created, numbered like this:

eth0, eth0:0, eth0:1

To remove all the virtual interfaces, issue the command below:

#ifdown eth0

Internally Linux uses the ifup-aliases script in /etc/sysconfig/network-scripts for creating the aliases.
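An added example (not from the post) that generates the range files for the procedure above and predicts which aliases ifup-aliases will create from them. The keys IPADDR_START, IPADDR_END, CLONENUM_START and NETMASK are the ones ifup-aliases reads from an ifcfg-<device>-range<N> file; the addresses and the two ranges are assumptions. Clone numbers continue from one file to the next so that a second range file does not produce a second eth0:0.

```python
import ipaddress
from pathlib import Path

def range_ok(ipaddr_start, ipaddr_end):
    """ifup-aliases only steps the last octet, so a range must run upward inside one /24."""
    start, end = ipaddress.IPv4Address(ipaddr_start), ipaddress.IPv4Address(ipaddr_end)
    return start.packed[:3] == end.packed[:3] and start <= end

def range_file(ipaddr_start, ipaddr_end, clonenum_start=0, netmask="255.255.255.0"):
    """Contents of an ifcfg-<device>-range<N> file as read by ifup-aliases."""
    return (f"IPADDR_START={ipaddr_start}\n"
            f"IPADDR_END={ipaddr_end}\n"
            f"CLONENUM_START={clonenum_start}\n"
            f"NETMASK={netmask}\n")

def aliases(device, ipaddr_start, ipaddr_end, clonenum_start=0):
    """The alias interfaces ifup-aliases will create: device:<clonenum>, one per address."""
    if not range_ok(ipaddr_start, ipaddr_end):
        raise ValueError("range must run upward inside one /24")
    start, end = ipaddress.IPv4Address(ipaddr_start), ipaddress.IPv4Address(ipaddr_end)
    return [(f"{device}:{clonenum_start + i}", str(start + i))
            for i in range(int(end) - int(start) + 1)]

def plan_ranges(device, ranges, netmask="255.255.255.0"):
    """ranges: list of (ipaddr_start, ipaddr_end). Returns ({file name: text}, alias list)."""
    files, all_aliases, clonenum = {}, [], 0
    for n, (first, last) in enumerate(ranges):
        found = aliases(device, first, last, clonenum)
        files[f"ifcfg-{device}-range{n}"] = range_file(first, last, clonenum, netmask)
        all_aliases.extend(found)
        clonenum += len(found)
    return files, all_aliases

def write_ranges(directory, device, ranges):
    """Write the range files into directory (normally /etc/sysconfig/network-scripts)."""
    files, found = plan_ranges(device, ranges)
    for name, text in files.items():
        Path(directory, name).write_text(text)
    return found

if __name__ == "__main__":
    # Assumed ranges: three addresses in 192.168.10.0/24 and two in 192.168.20.0/24.
    files, found = plan_ranges("eth0", [("192.168.10.100", "192.168.10.102"),
                                        ("192.168.20.10", "192.168.20.11")])
    for name, text in files.items():
        print(name); print(text)
    print(found)
```

After writing the files with write_ranges("/etc/sysconfig/network-scripts", "eth0", ranges) and running ifdown eth0 / ifup eth0, ifconfig should list eth0:0 through eth0:4 with the printed addresses; if an alias is missing, the first thing to check is whether its range crossed a /24 boundary, which range_ok rejects for the same reason ifup-aliases cannot handle it.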

Happy Learning, Happy Working !!!

Thursday, 10 January 2013

How to configure a Cisco switch for RADIUS authentication?

Setup:

Client PC --- [Cisco switch: Port1  Port2  Port3 ...] --- FreeRADIUS server

The client PC is Windows XP.

FreeRADIUS runs on Linux Fedora Core 14.

Console commands to configure 802.1X on a Cisco Catalyst 2950 series switch, grouped in the order they are entered:

configure terminal
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host auth-port 1812 key shared-secret
interface vlan 1
ip address
no shutdown
interface fastethernet0/1
switchport mode access
dot1x port-control auto
end

The radius-server host line needs the RADIUS server's IP address after "host" (it is missing from the page), and "shared-secret" must match the secret configured for this switch in FreeRADIUS; the "ip address" line likewise needs the switch's management address and mask. "dot1x system-auth-control" enables 802.1X globally and is required on IOS releases that have it (12.1(14)EA1 and later); "switchport mode access" is needed because dot1x port-control auto only applies to access ports.

The client should then be authenticated by the FreeRADIUS server, with the user name and password configured in the FreeRADIUS users file and entered on the PC.

Happy New Year 2013!

Happy new year to all ! Hope this year brings more joys and achievements for everyone .

Keep Learning, Keep Sharing and Keep Exploring!!!