Guard your Wi-Fi for your own sake
I used to run my Wi-Fi Access Points in open mode. No more. It's not safe. Here's why.
Recently I ran into the Internet connection problem from hell. My 6Mbps down/512Kbps AT&T DSL connection started running at speeds I hadn't seen since my dial-up modem days. When you do what I do for a living, trying to work with an Internet connection as slow as that is like trying to run a marathon while having an asthma attack.
It turns out I'd run into a perfect storm of multiple problems, but one of those problems surprised me. My network was enduring a SYN attack... from a neighbor's malware-infected Windows PC. I was getting hit because they were, sometimes, using my open Wi-Fi AP (Access Point) to connect to the Internet.
A SYN attack takes advantage of the TCP/IP protocol handshake between two Internet applications. The handshake works by starting an application session with a TCP SYN (synchronization) packet sent from one program to another. That application then replies with a TCP SYN-ACK acknowledgment packet, and the first program responds with an ACK (acknowledgment). Once the applications have completed their handshake, they're ready to work with each other.
These attacks ruin network connections by flooding them with TCP SYN packets. Each SYN packet forces the targeted server to produce a SYN-ACK response and then hold a half-open connection while it waits for the appropriate ACK. You can see where this is going. Outstanding SYN-ACKs start piling up behind each other in a backlog queue, and when that queue is full, the clogged system stops acknowledging incoming SYN requests.
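To make the backlog behaviour concrete, here is an added example (my code, not the post's) that models the server side of the handshake just described and then runs the check a defender would apply to a connection log: which source sends many SYNs but completes almost none of them. The packet trace, the IP addresses (from the RFC 5737 documentation range) and the backlog size of 8 are all constructed for the demo; real kernels use far larger backlogs and SYN cookies.

```python
from collections import defaultdict

# Constructed packet trace for the demo: (src_ip, src_port, tcp_flag).
# 192.0.2.x is the RFC 5737 documentation range, so nothing here is a
# real host. The "infected neighbour" never answers the SYN-ACK; the
# legitimate client completes one handshake before the flood and has
# a second SYN dropped once the backlog is full.
FLOODER = "192.0.2.66"
CLIENT = "192.0.2.10"

TRACE = (
    [(CLIENT, 49999, "SYN"), (CLIENT, 49999, "ACK")]   # healthy handshake
    + [(FLOODER, 40000 + i, "SYN") for i in range(10)]  # flood, never ACKed
    + [(CLIENT, 50000, "SYN")]                          # refused: queue full
)


def simulate_backlog(trace, backlog_size):
    """Model the server's SYN backlog as described in the post.

    Each accepted SYN occupies a slot (the server has sent SYN-ACK and is
    waiting for the ACK). The slot is freed only when the matching ACK
    arrives. Once the backlog is full, further SYNs are dropped, which is
    the point where legitimate clients start failing to connect.
    """
    half_open = set()   # (src_ip, src_port) pairs awaiting their ACK
    established = 0
    refused = 0
    for src_ip, src_port, flag in trace:
        key = (src_ip, src_port)
        if flag == "SYN":
            if len(half_open) >= backlog_size:
                refused += 1          # queue full: SYN silently dropped
            else:
                half_open.add(key)    # SYN-ACK sent, waiting for ACK
        elif flag == "ACK" and key in half_open:
            half_open.remove(key)     # handshake completed, slot freed
            established += 1
    return {"established": established, "refused": refused,
            "half_open": len(half_open)}


def find_syn_flooders(trace, min_syns=5, max_completion=0.2):
    """Per source IP, compare SYNs sent with handshakes completed.

    A host that sends many SYNs and completes almost none of them shows
    the behaviour the post describes, whether it is a deliberate flood or
    an infected machine spraying connection attempts. The min_syns floor
    keeps a single client whose SYN was dropped from being flagged.
    Returns a sorted list of (ip, syn_count, completion_ratio).
    """
    syns = defaultdict(int)
    completed = defaultdict(int)
    pending = set()
    for src_ip, src_port, flag in trace:
        key = (src_ip, src_port)
        if flag == "SYN":
            syns[src_ip] += 1
            pending.add(key)
        elif flag == "ACK" and key in pending:
            pending.remove(key)
            completed[src_ip] += 1
    offenders = []
    for ip, n in syns.items():
        ratio = completed[ip] / n
        if n >= min_syns and ratio <= max_completion:
            offenders.append((ip, n, round(ratio, 2)))
    return sorted(offenders)


if __name__ == "__main__":
    print("server view:", simulate_backlog(TRACE, backlog_size=8))
    print("suspected flooders:", find_syn_flooders(TRACE))
```

With the constructed trace the server completes one handshake, then fills its eight slots with the flooder's SYNs, drops the flooder's last two and the client's second attempt, and is left holding eight half-open connections; the per-source check names only the flooder, because the client's single dropped SYN stays under the count threshold.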
Usually SYN attacks are used in DDoS (Distributed Denial of Service) attacks to shut down Web sites such as the ones that targeted Google and Twitter. I just happened to be a drive-by victim of a Windows malware infection.
I helped them fix their problem (their network was a mess as well), but it also made me realize that I can't just run my Wi-Fi APs without any security anymore. I have no problem sharing my bandwidth, but I do object to sharing my neighbor's problems.
I'm not the only one. As Wi-Fi has become commonplace, many of us have run into performance problems with too many Wi-Fi APs competing for too few channels. You see, while 2.4GHz 802.11g and 802.11n have up to 14 channels, in practice you can only use three of them in any given area (typically 1, 6, and 11) before running into interference that slows down everyone's performance. The only way to fix this is to set your APs so they won't conflict with each other.
But this, this was different. For the first time, I found my computers and network being knocked around by a neighbor's security mistake. I can't afford this. So it is that I'm now using a version of WPA (Wi-Fi Protected Access) to make sure that any problems on my network are coming from my network.
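The "three usable channels" point above follows from the channel spacing, and an added example (mine, not the author's) shows the arithmetic: 2.4 GHz channels 1 to 13 have centre frequencies 5 MHz apart starting at 2412 MHz, channel 14 sits at 2484 MHz, and a 22 MHz wide 802.11b/g signal overlaps any channel whose centre is closer than that. The code also checks a set of neighbouring APs for conflicting channels; the AP names and channel numbers in it are constructed.

```python
from itertools import combinations


def channel_centre_mhz(ch):
    """Centre frequency of a 2.4 GHz Wi-Fi channel in MHz."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch      # 2412, 2417, ... 2472
    if ch == 14:
        return 2484               # Japan only, 802.11b
    raise ValueError(f"not a 2.4 GHz channel: {ch}")


def channels_overlap(a, b, width_mhz=22):
    """Two channels interfere when their centres are closer than one
    channel width (22 MHz for the classic 802.11b/g signal mask)."""
    return abs(channel_centre_mhz(a) - channel_centre_mhz(b)) < width_mhz


def non_overlapping_set(available, width_mhz=22):
    """Greedily pick channels from the lowest upward, keeping each one
    only if it clears every channel already chosen. Returns the
    lowest-numbered maximal set of mutually non-overlapping channels."""
    chosen = []
    for ch in sorted(available):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicting_pairs(aps, width_mhz=22):
    """Given {ap_name: channel} for the APs you can hear, return the
    pairs whose channels overlap and so will slow each other down."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(aps), 2)
        if channels_overlap(aps[a], aps[b], width_mhz)
    )


if __name__ == "__main__":
    print("US channels 1-11:", non_overlapping_set(range(1, 12)))
    print("all 14 channels: ", non_overlapping_set(range(1, 15)))
    # Constructed neighbourhood: my AP on 6, one neighbour on 1, one on 8.
    nearby = {"mine": 6, "neighbour_a": 1, "neighbour_b": 8}
    print("conflicts:", conflicting_pairs(nearby))
```

Running it over the eleven US channels yields exactly 1, 6 and 11; adding channel 14 yields a fourth non-overlapping slot, and the constructed neighbourhood shows an AP on channel 8 colliding with one on channel 6 even though the channel numbers differ.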
For more on how to guard your own Wi-Fi connection, tune in for my next Sure it's Secure blog. Having fixed that problem, you'll excuse me if I move on to tracking down what appears to be some bad cabling running off my Gigabit Ethernet switch.
Hope this is enough
I hope my configuration is safe enough (and it works with Linux): WPA2 Personal with AES+TKIP encryption. Of course I can't use WPA2 Enterprise.
"You see while 2.4Ghz
"You see while 2.4Ghz 802.11g and 802.11n have up to 14-channels, in practice you can only use three of them in any given area-typically 1, 6, and 11-before running into interference that slows down everyone's performance." Actually 802.11n has something like 24 discrete channels; it's 802.11b and g that have the limited number of channels.
Of course it's not safe!
Of course it's not safe! You've missed the biggest point. Not only can anyone with a computer within range of your ap bring your network to its knees but they can poison your traffic and grab passwords -- even ssl encrypted if you're not paying attention and you're obviously not. That's your bank account, email, itworld information... probably most of your life and livelihood. I too provide open access on my network, but it's on a screened subnet, that subnet is monitored with snort, capped at about 20% of my bandwidth, and all traffic to the Internet is piped through Tor (The Onion Router). This configuration protects my internal networks from the wireless, helps to keep me notified of what's happening on that network and also shields me from liability if a neighbour happens to be a paedophile.
If you've got the time look into reconfiguring your network a little. You can have the best of both worlds (sorta)