StormWarnings


{{{ QUES: My Gateway has just started to come up with Storm Warning, and then loads of data, all of the time. Anyone know what this is? iwconfig wlan0 sens 1 is part of the answer.

ANSW:

You know the MeshAP may not be protected against worms and stuff. It is an operating system, and it is susceptible to worms and such. I believe there is an organization called CERT. I used them over 10 years ago to update my UNIX kernel. They would send patches and instructions on problems. I also think you should let Jon Anderson take a look into your mesh, as this might be more of a security problem. I'm not the best person in the world to troubleshoot mesh node problems - you know I have similar problems myself. But a quick solution is to replace the Meshnode with another meshnode and bring it back to test it out.

---> Here we start, again from scratch... Last night I visited the problematic apartment whose notebook has been causing Storm Warnings, and when it was shut, there were no more warnings coming through. Confident that the problem was caused by the notebook, I stepped in and opened my notebook to show that there would be no problem. But, aha, my notebook started showing erratic behaviour, too. I am sure I have no virus or spyware (still using old-good PC-cillin 2000; no virus has been able to leak in yet) and it was working perfectly well in my office mesh. The problem is like this: I am associating with the node in question, getting an IP, start pinging the node - perfect, under 10 ms, surfing nicely. Then all of a sudden ping times are getting longer and longer, up to 15000 ms, and I cannot even open a web page. After some time it returns to normal again. I have switched off a suspected wireless phone in the house, but with no effect. There was no microwave running, no DECT phone around. At least no visible one. I ran the suspected notebook again; it showed the very same behaviour as mine. So it is not suspected anymore :) Repeated the test again with yet another notebook, same result. We ran all three notebooks at once; they all showed the same behaviour at the same time.

Good and bad, good and bad. There should be some disturbing RF around, I thought, but nope, NetStumbler did not show anything like a rogue AP or else. Since I do not have a spectrum analyzer with me, I do not know about any other frequency, if one exists. I visited another house nearby, and I could get signals from the node in question again as well as from another one nearby. So if there were a disturbing signal, I would be unable to connect to that node too. But I could connect successfully to the other node and surfed flawlessly. Then I left two reasons open: either there is a disturbing signal inside or very close to that apartment, or my node has some problem. So today I will replace the node to see, since it is easier than finding a spectrum analyzer... I will keep informing the list of results.

---> Don, which worm was it? How can I detect it? We know the flooding machine but could not find any virus by scanning. The problem goes away when we shut it down. It is a Windows 2000 notebook with on-board Intel Pro wireless.

-> What you want to look for is that message repeating every 15 seconds and with a 192.168.x.x address in there. Typically you'd have an unresponsive node, you'd log in to see what was wrong and that message would be pumping out because it's being flooded with ICMP from a remote client. As per the recent worm we've seen. Turn your sensitivity up or down: iwconfig wlan0 sens 1

---> On one of my critical nodes I have started to get Storm Warning messages. This node was a repeater before, but since three days ago it is a gateway connected to a 2 Mbit ADSL. The node is running dev88; clients are W2000 and XP. I have very good SNR with client adapters, ranging between 8 to 15 dB. Client-side utilities show excellent signal and quality. When I ping between clients and node it ranges between 2 ms and 11000 ms. It is clear line of sight. And during these times it kept maintaining good signal and SNR levels. I need to quickly understand the cause and resolve it, since this node is serving very critical customers.

Does anyone know what exactly causes Storm Warnings? Half an hour ago I tested again with two clients and got Storm Warnings on both MAC addresses. There is no interfering signal around, the node has good links with other nodes, so no visible cause for me! Any idea what to check more? Tried rebooting the node; it was normal for just under a minute and then started again.

---> During the tests, I got many Storm Warnings as well as big packet loss, as much as 30%, and long ping times up to 11000 ms. After the guys left the apartment and left one PC open for me to test, the Storm Warnings stopped, packet loss dropped down to 7-8%, avg. ping time is 25-30 ms and max is 500 ms, which all seems normal. So I suspected the guys' local mobile phones (not GSM) might be DECT at 2.4 GHz and am now checking this.

The mobile phone theory seems plausible, if someone's carrying 1900 or 1800 PCS. The tower likely has a directed beam, and when it's looking in the node's direction it could interfere, with its power. This is why I think a bulkhead quarter-wave lightning arrestor tuned to 2.45 GHz is such a good idea. It would instantly shunt to ground any interference like this. They're used all over the place on PCS. But I've been unable to find any in our band for less than $106 (Radiall). The Chinese have GOT to be making these, but I can't find them. ---> }}}
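To turn the hint above ("that message repeating every 15 seconds with a 192.168.x.x address in there") into a repeatable check, here is an added Python example, not from the thread or from MeshAP, that scans a syslog excerpt for Storm Warning lines and flags client addresses whose warnings recur on a steady ~15 s cadence. The log line layout, host name, addresses and MACs are constructed for illustration and are not MeshAP's real message format.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed syslog excerpt. The "Storm Warning" line layout is assumed for
# illustration and is not MeshAP's actual message format.
SAMPLE_LOG = """\
Mar  3 21:14:02 meshgw kernel: Storm Warning: flood from 192.168.1.37 (00:0e:35:aa:bb:cc)
Mar  3 21:14:17 meshgw kernel: Storm Warning: flood from 192.168.1.37 (00:0e:35:aa:bb:cc)
Mar  3 21:14:32 meshgw kernel: Storm Warning: flood from 192.168.1.37 (00:0e:35:aa:bb:cc)
Mar  3 21:14:40 meshgw kernel: Storm Warning: flood from 10.0.0.9 (00:40:96:de:ad:00)
Mar  3 21:14:47 meshgw kernel: Storm Warning: flood from 192.168.1.37 (00:0e:35:aa:bb:cc)
Mar  3 21:15:03 meshgw kernel: Storm Warning: flood from 192.168.1.52 (00:12:f0:11:22:33)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
                     r"Storm Warning:.*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
CLIENT_NET = ip_network("192.168.0.0/16")  # client address range named in the thread


def parse_storm_warnings(text, year=2000):
    """Return (timestamp, source_ip) for each Storm Warning line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def find_periodic_sources(events, period=15, tolerance=2, min_repeats=3):
    """Flag 192.168.x.x sources whose warnings recur about every `period` seconds.
    A lone warning may be a transient; a steady ~15 s cadence from one client is
    the pattern the thread ties to an ICMP flood from that client."""
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        if ip_address(ip) not in CLIENT_NET or len(stamps) < min_repeats:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):  # steady cadence
            flagged[ip] = len(stamps)
    return flagged


if __name__ == "__main__":
    for ip, n in find_periodic_sources(parse_storm_warnings(SAMPLE_LOG)).items():
        print(f"{ip}: {n} Storm Warnings ~15 s apart; check that client for ICMP flooding")
```

Feed it the node's real log (for example the output of `dmesg` or the syslog file) once the regex is adjusted to the actual message text; the 10.0.0.9 and single-shot 192.168.1.52 entries in the sample show what the filter deliberately ignores.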