04-20-2012 08:52 AM
So i see a couple new IDS events, labeled "Omerta Attack"....and the mac listed for the attacker is my access point....
The target is a mobile client.
Is this a bug or is my access point attacking me?
04-23-2012 08:03 AM - edited 04-23-2012 08:05 AM
It is actually neither. The Omerta attack involves an attacker injecting disassociation frames to the network. When it does it spoofs the source MAC address to match the AP of association for that client. So if a client with MAC address 00 associates to an AP with MAC address AA the victim will be 00 and the attacker will be AA.
The naming is a litlte odd. In this case the attacker is spoofing a valid AP so we don't know the true MAC address of the attacker, just the spoofed one that matches the AP of association. Displaying this info as the attacker has some benefits. It allows you to see if the attacks are localized to a certain area or AP which can be difficult to coorelate if you only have the victim MAC address.