A few years back, I had the luxury of working with a Cisco partner. In our office we had a simple array of Cisco APs hanging from our ceiling. This partner was a big, well-known Cisco channel partner that handled numerous clients, with services for the southeastern sector of the USA. Wireless was one of the biggest services that they offered.
On this particular day, I was using the Voippong tool to play back some VoIP pcaps that I was evaluating. Voippong can run passively or play back pcap files from an earlier recording. I was doing the latter, using the eth0 NIC in my Linux virtual machine. This NIC was bridged to my Windows XP wireless adapter via VMware Workstation.
Tcpreplay: this utility allows looping the file and setting the speed when playing back pcaps.
tcpreplay -i eth0 -l 2 -v myvoipcapture.pcap
In this regular pcap, STP BPDU packets were included in the playback. These BPDUs were sent up to our APs via my 802.11x interface, and of course the APs forwarded them to the 100 Mb PoE Ethernet switchports that connected the wireless APs.
Since these switches had the BPDU guard feature enabled, these ports went into a shutdown error state upon receipt of the BPDUs.
With the port shut down, the AP would lose power, and the port could only be recovered by an admin re-enabling it. This created a simple means to DoS a wireless overlay, by just walking the floor and playing back my pcap.
What made this attack so bad was the fact that we had a guest SSID and an authentication landing page. So an outsider could easily bring our internal wireless network down for both open and secure SSIDs.
Not good, and it can expose you to a simple DoS of your wireless overlay.
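A pre-flight check for the situation above, as an added example that is not part of the original post: it scans a capture for spanning-tree frames and writes a copy without them, so a pcap can be vetted before it is replayed onto a bridged interface. It assumes a classic (non-pcapng) Ethernet capture; the function names are hypothetical and the sample capture is constructed.

```python
import struct

# Destination MACs that carry spanning-tree BPDUs. Matching on the destination
# alone is deliberately conservative: anything sent to these groups is dropped.
STP_DSTS = {
    bytes.fromhex("0180c2000000"),  # IEEE 802.1D bridge group address
    bytes.fromhex("01000ccccccd"),  # Cisco PVST+ / Rapid-PVST+
}

def records(pcap):
    """Yield (index, whole_record, frame) for each packet in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off, idx = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        rec_end = off + 16 + incl_len
        if rec_end > len(pcap):
            break  # truncated final record: stop instead of guessing
        yield idx, pcap[off:rec_end], pcap[off + 16:rec_end]
        off, idx = rec_end, idx + 1

def is_bpdu(frame):
    return len(frame) >= 14 and frame[:6] in STP_DSTS

def find_bpdus(pcap):
    """Return the packet indexes that would trip BPDU guard if replayed."""
    return [i for i, _, frame in records(pcap) if is_bpdu(frame)]

def strip_bpdus(pcap):
    """Return the capture with every spanning-tree frame removed."""
    kept = [rec for _, rec, frame in records(pcap) if not is_bpdu(frame)]
    return pcap[:24] + b"".join(kept)

def make_record(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: two ordinary IPv4 frames with one 802.1D config BPDU between.
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
BPDU = bytes.fromhex("0180c2000000" "001122334455" "0026" "424203") + bytes(35)
DATA = bytes.fromhex("00aabbccddee" "001122334455" "0800") + bytes(46)
SAMPLE = HEADER + make_record(DATA) + make_record(BPDU) + make_record(DATA)

if __name__ == "__main__":
    print("BPDU frames at packet indexes:", find_bpdus(SAMPLE))
```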
This blog is from Ken Felix
Security and Network Engineer
kfelix a-t hyperfeed.com