Aruba Networks withstands DEFCON 16 and Black Hat conferences
by DougR on Aug.14, 2008, under Aruba Networks, Ethernet, Firewall, Hardware, Wireless
DEFCON 16 and Black Hat are security-centric conferences recently held in Las Vegas, where Aruba Networks provided the wireless infrastructure. The DEFCON FAQ describes the environment to expect (quoting from the FAQ site):
Q: Is there a free network at DEFCON?
A: Yes. It would be fair to describe the network as ‘hostile’. It has been described as ‘the world’s most hostile network’, but such descriptions are just attempts at flattery. It is recommended that if you want to connect to the DEFCON network pretend that you are sharing out your entire hard drive to 5,000 hackers. You may want to bring a ‘clean’ computer that you don’t mind being infected/hacked/etc…
In light of that environment, Aruba reported some statistics:
The Aruba team at the Blackhat event did an outstanding job of delivering secure network access to the event’s attendees. According to Jon Green there were fewer attacks this year, perhaps due to the use of WPA encryption. WPA rendered useless many of the popular Wi-Fi attacks. Key statistics include:
WLAN stats:
- 1140 unique users on the network over the entire week, with 9262 individual logon sessions
- 278 users online at one time (maximum)
- 62% of users were 802.11g, 36% 802.11a, 2% 802.11b. Aruba’s band steering was used to push clients to 802.11a whenever possible
- Total traffic transferred over the WLAN was 238,338 MB
- The average session duration was 41 minutes
Security stats:
- Each day there were between 10-15 rogue APs detected (rogue defined as an AP that was advertising the conference SSID “BlackHat”).
- 49 users attempted to connect to rogue APs and were blocked by RFprotect, which generated 709 shielding actions
- 362 attempts by a wireless user to access the Aruba mobility controller were blocked by the Aruba firewall
- 221 attempts by a wireless user to ARP poison the default gateway were blocked by the Aruba firewall
- 140 port scans (nmap or similar) from wireless users to other wireless users were detected and blocked by the Aruba firewall
- 1 attempt to run AppleTalk on the network was blocked by the Aruba firewall
- 57 non-Blackhat APs were detected
- 287 ad-hoc networks were detected
- 24 denial of service attacks were detected. The average duration of each attack was 24 seconds – more a skirmish than an attack
- 1 user consumed enough bandwidth as to be noticed by hotel IT staff. AirWave VisualRF physically located the user who was requested to cease and desist – the user apologized and went in search of a Cisco network
- 2 users found running Karma or a similar tool for an extended period of time (>1 hour). RFprotect Distributed was used to physically locate the users to a general area, and RFprotect Mobile was used to pinpoint their locations. Both users stopped the tool when requested to do so (one did not appear to understand what the tool did).
- 1 user observed connecting a WireShark sniffer between an Aruba AP and the wired network, and was observed monitoring encrypted traffic. When confronted, user was educated (by Jon) about the value of centralized encryption and why his attack failed. A journalist requested an exclusive on this story!
August 22nd, 2008 on 6:04 pm
where are the DefCon stats then?
Actually, Aruba just provided the wireless at BlackHat. All of the above just applies to BH.
We do use Aruba gear at DefCon, but they were not directly involved.
August 25th, 2008 on 2:38 pm
Good point. Thanks for pointing this out. The stats are just from Black Hat.
Here is an article that talks more about the setup and environment of DefCon: http://lxer.com/module/newswire/view/107146/