Rory, is this a hotspot where customers connect their own devices? Or is it a conventional fixed wireless scenario where you supply the CPE which is always connected?
The reason I ask is that I see a lot of strange stuff in the wireless registration logs on managed WiFi routers for customer battery devices that go into a sleep mode to save battery life. Even some non battery operated devices seem to have a low power mode where they go to sleep, authorization times out, then they wake up and there’s a log entry for an unauthorized device but a second later they authenticate and register normally. I assume it also has something to do with whether the AP has WMM sleep mode enabled. From: That One Guy /sarcasm Sent: Tuesday, March 08, 2016 9:19 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor If it were verifiable that a competitor were the cause of this, whether maliciously or as a bybroduct of a security mechanism, is there legal recourse for something like this? I used to have rogue AP detection and mitigation turned on at my house on a router connected to an external omni on my roof.. dick move. I would add APs to the mitigation list and eventually I would see the sam or similar ESSID pop up on a different MAC indicating they got a new router. In retrospect, it really wasnt funny. On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote: Anyone with a laptop and a Linux live disc also has that feature. :-) ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ------------------------------------------------------------------------------ From: "Rory Conaway" <r...@triadwireless.net> To: af@afmug.com Sent: Tuesday, March 8, 2016 9:03:20 AM Subject: Re: [AFMUG] I might be under attack by a competitor I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ------------------------------------------------------------------------------ From: "timothy steele" <timothy.pct...@gmail.com> To: af@afmug.com Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
