Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Rory Conaway 
We are with AC2.  Unfortunately I’m on vacation so I’m briefly checking on it.  
I changed everything to 10MHz until I can deal with it this weekend.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds
Sent: Tuesday, March 08, 2016 12:54 PM
To: af@afmug.com
Subject: Re: [AFMUG] I might be under attack by a competitor

Are you graphing the stations / APs in AirControl2 or similar? This can help 
diagnose the problem.

On Tue, Mar 8, 2016 at 1:50 PM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue.  I’ve 
seen Mikrotik do serious damage to Ubiquiti.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Josh Reynolds
Sent: Tuesday, March 08, 2016 12:10 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

Yes, substantial interference will cause this, even on 5GHz. It could be noise 
at the AP, but only if all stations having high CCQs. If not, the CPEs are 
seeing another signal that either has very high signal or is on a near or 
overlapping frequency.

On Tue, Mar 8, 2016 at 12:53 PM, George Skorup 
<geo...@cbcast.com<mailto:geo...@cbcast.com>> wrote:
Rory, I think you're seeing somewhat normal operation from the UBNT radios. The 
AP heard nothing from that CPE in a while so it tore down the session. CPE 
still thinks it's registered. AP says nope. Could be interference. We saw this 
all the time in the 2.4 band w/ UBNT radios.

On 3/8/2016 9:03 AM, Rory Conaway wrote:
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works.  Our Xirrus 
radios have that feature.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
Sent: Tuesday, March 08, 2016 6:02 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "timothy steele" 
<timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 6:28:42 AM
Subject: Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini 
<ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote:
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Josh Reynolds 
Are you graphing the stations / APs in AirControl2 or similar? This can
help diagnose the problem.

On Tue, Mar 8, 2016 at 1:50 PM, Rory Conaway <r...@triadwireless.net> wrote:

> CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue.
> I’ve seen Mikrotik do serious damage to Ubiquiti.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Josh Reynolds
> *Sent:* Tuesday, March 08, 2016 12:10 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> Yes, substantial interference will cause this, even on 5GHz. It could be
> noise at the AP, but only if all stations having high CCQs. If not, the
> CPEs are seeing another signal that either has very high signal or is on a
> near or overlapping frequency.
>
>
>
> On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com> wrote:
>
> Rory, I think you're seeing somewhat normal operation from the UBNT
> radios. The AP heard nothing from that CPE in a while so it tore down the
> session. CPE still thinks it's registered. AP says nope. Could be
> interference. We saw this all the time in the 2.4 band w/ UBNT radios.
>
>
>
> On 3/8/2016 9:03 AM, Rory Conaway wrote:
>
> I haven’t seen one on a Ubiquiti AP which is why I asked but when I get
> back in town next week, I’m going to set it up so I can see how it works.
> Our Xirrus radios have that feature.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Mike Hammett
> *Sent:* Tuesday, March 08, 2016 6:02 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> When a deauth is happening, the laptop doing the deauth impersonates the
> AP, telling the client to disconnect. What I see below doesn't look like a
> deauth attack.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/ICSIL>[image:
> http://www.ics-il.com/images/googleicon.png]
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/intelligent-computing-solutions>[image:
> http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/mdwestix>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/midwest-internet-exchange>[image:
> http://www.ics-il.com/images/twittericon.png]
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/thebrotherswisp>[image:
> http://www.ics-il.com/images/youtubeicon.png]
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
>
> *From: *"timothy steele" <timothy.pct...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Tuesday, March 8, 2016 6:28:42 AM
> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>
> 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client
> list you should see it pop up now and then maybe pop up a fake ap with same
> said with passphrase ubnt should connect then you can get into the network
> of who ever is doing it
>
>
>
> On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote:
>
> are you running 802.11n or airmax?
>
>
>
> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net>
> wrote:
>
> I’m almost done doing that.  This should be interesting.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza
> *Sent:* Monday, March 07, 2016 9:55 PM
> *To:* Animal Farm <af@afmug.com>
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> Change your ssid and hide it...
>
> On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote:
>
> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
> sending STA is leaving (or has left) BSS (8).
>
> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15
> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
>
> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
>
> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Rory Conaway 
CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue.  I’ve 
seen Mikrotik do serious damage to Ubiquiti.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds
Sent: Tuesday, March 08, 2016 12:10 PM
To: af@afmug.com
Subject: Re: [AFMUG] I might be under attack by a competitor

Yes, substantial interference will cause this, even on 5GHz. It could be noise 
at the AP, but only if all stations having high CCQs. If not, the CPEs are 
seeing another signal that either has very high signal or is on a near or 
overlapping frequency.

On Tue, Mar 8, 2016 at 12:53 PM, George Skorup 
<geo...@cbcast.com<mailto:geo...@cbcast.com>> wrote:
Rory, I think you're seeing somewhat normal operation from the UBNT radios. The 
AP heard nothing from that CPE in a while so it tore down the session. CPE 
still thinks it's registered. AP says nope. Could be interference. We saw this 
all the time in the 2.4 band w/ UBNT radios.

On 3/8/2016 9:03 AM, Rory Conaway wrote:
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works.  Our Xirrus 
radios have that feature.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
Sent: Tuesday, March 08, 2016 6:02 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "timothy steele" 
<timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 6:28:42 AM
Subject: Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini 
<ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote:
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and seve

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Josh Reynolds 
Yes, substantial interference will cause this, even on 5GHz. It could be
noise at the AP, but only if all stations having high CCQs. If not, the
CPEs are seeing another signal that either has very high signal or is on a
near or overlapping frequency.

On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com> wrote:

> Rory, I think you're seeing somewhat normal operation from the UBNT
> radios. The AP heard nothing from that CPE in a while so it tore down the
> session. CPE still thinks it's registered. AP says nope. Could be
> interference. We saw this all the time in the 2.4 band w/ UBNT radios.
>
>
> On 3/8/2016 9:03 AM, Rory Conaway wrote:
>
> I haven’t seen one on a Ubiquiti AP which is why I asked but when I get
> back in town next week, I’m going to set it up so I can see how it works.
> Our Xirrus radios have that feature.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Mike Hammett
> *Sent:* Tuesday, March 08, 2016 6:02 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> When a deauth is happening, the laptop doing the deauth impersonates the
> AP, telling the client to disconnect. What I see below doesn't look like a
> deauth attack.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/ICSIL>[image:
> http://www.ics-il.com/images/googleicon.png]
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/intelligent-computing-solutions>[image:
> http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/mdwestix>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/midwest-internet-exchange>[image:
> http://www.ics-il.com/images/twittericon.png]
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/thebrotherswisp>[image:
> http://www.ics-il.com/images/youtubeicon.png]
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
>
> *From: *"timothy steele" <timothy.pct...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Tuesday, March 8, 2016 6:28:42 AM
> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>
> 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client
> list you should see it pop up now and then maybe pop up a fake ap with same
> said with passphrase ubnt should connect then you can get into the network
> of who ever is doing it
>
>
>
> On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < <ginovi...@gmail.com>
> ginovi...@gmail.com> wrote:
>
> are you running 802.11n or airmax?
>
>
>
> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < <r...@triadwireless.net>
> r...@triadwireless.net> wrote:
>
> I’m almost done doing that.  This should be interesting.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto: <af-boun...@afmug.com>af-boun...@afmug.com] *On
> Behalf Of *Jaime Solorza
> *Sent:* Monday, March 07, 2016 9:55 PM
> *To:* Animal Farm < <af@afmug.com>af@afmug.com>
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> Change your ssid and hide it...
>
> On Mar 7, 2016 9:05 PM, "Rory Conaway" < <r...@triadwireless.net>
> r...@triadwireless.net> wrote:
>
> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
> sending STA is leaving (or has left) BSS (8).
>
> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15
> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
>
> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
>
> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11:
> disassociated
>
> Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15.
> Reason: Class 2 frame received from nonauthenticated STA (
>
>
>
> *From:* Af [mailto: <af-boun...@afmug.com>af-boun...@afmug.com] *On
> Behalf Of *Rory Conaway
> *Sent:* Monday, March 07, 2016 9:03 PM
> *To:* <af@afmug.com>af@afmug.com
> *Subject:* [AFMUG] I might be under attack by a competitor
>
>
>
> I have a couple of customers off the same Ubiquiti Rocket 5 AP that have
> been having an issue the last couple days with going offline for a short
> time and then reconnecting and coming back online.  I pull the logs on the
> AP and see a bunch of handshaking and several of these.  I’m pretty sure
> this is what happens when an enterprise radio does Rogue Access Point
> Suppression.  Am I reading this right or is there something I’m not aware
> of like a bad CPE that can cause this?
>
>
>
> Rory
>
>
>
>
>
>
>
>
>
>
>

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread George Skorup 
Rory, I think you're seeing somewhat normal operation from the UBNT 
radios. The AP heard nothing from that CPE in a while so it tore down 
the session. CPE still thinks it's registered. AP says nope. Could be 
interference. We saw this all the time in the 2.4 band w/ UBNT radios.


On 3/8/2016 9:03 AM, Rory Conaway wrote:


I haven’t seen one on a Ubiquiti AP which is why I asked but when I 
get back in town next week, I’m going to set it up so I can see how it 
works.  Our Xirrus radios have that feature.


Rory

*From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
*Sent:* Tuesday, March 08, 2016 6:02 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates 
the AP, telling the client to disconnect. What I see below doesn't 
look like a deauth attack.




-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
http://www.ics-il.com/images/fbicon.png 
<https://www.facebook.com/ICSIL>http://www.ics-il.com/images/googleicon.png 
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>http://www.ics-il.com/images/linkedinicon.png 
<https://www.linkedin.com/company/intelligent-computing-solutions>http://www.ics-il.com/images/twittericon.png 
<https://twitter.com/ICSIL>

Midwest Internet Exchange <http://www.midwest-ix.com/>
http://www.ics-il.com/images/fbicon.png 
<https://www.facebook.com/mdwestix>http://www.ics-il.com/images/linkedinicon.png 
<https://www.linkedin.com/company/midwest-internet-exchange>http://www.ics-il.com/images/twittericon.png 
<https://twitter.com/mdwestix>

The Brothers WISP <http://www.thebrotherswisp.com/>
http://www.ics-il.com/images/fbicon.png 
<https://www.facebook.com/thebrotherswisp>http://www.ics-il.com/images/youtubeicon.png



<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>



*From: *"timothy steele" <timothy.pct...@gmail.com 
<mailto:timothy.pct...@gmail.com>>

*To: *af@afmug.com <mailto:af@afmug.com>
*Sent: *Tuesday, March 8, 2016 6:28:42 AM
*Subject: *Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the 
client list you should see it pop up now and then maybe pop up a fake 
ap with same said with passphrase ubnt should connect then you can get 
into the network of who ever is doing it


On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com 
<mailto:ginovi...@gmail.com>> wrote:


are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway
<r...@triadwireless.net <mailto:r...@triadwireless.net>> wrote:

I’m almost done doing that.  This should be interesting.

Rory

*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Jaime Solorza
    *Sent:* Monday, March 07, 2016 9:55 PM
    *To:* Animal Farm <af@afmug.com <mailto:af@afmug.com>>
*Subject:* Re: [AFMUG] I might be under attack by a competitor

Change your ssid and hide it...

On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net
<mailto:r...@triadwireless.net>> wrote:

Received disassoc from 04:18:d6:e4:c0:15. Reason:
Disassociated because sending STA is leaving (or has left)
BSS (8).

Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT
mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546
tx_packets=2225222 tx_bytes=3041234063

Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15

Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE
802.11: disassociated

Feb 13 07:17:43 wireless: ath0 Sending deauth to
04:18:d6:e4:c0:15. Reason: Class 2 frame received from
nonauthenticated STA (

*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Rory Conaway
*Sent:* Monday, March 07, 2016 9:03 PM
*To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket
5 AP that have been having an issue the last couple days
with going offline for a short time and then reconnecting
and coming back online.  I pull the logs on the AP and see
a bunch of handshaking and several of these.  I’m pretty
sure this is what happens when an enterprise radio does
Rogue Access Point Suppression.  Am I reading this right
or is there something I’m not aware of like a bad CPE that
can cause this?

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Chris Wright 
You truly are… that one guy.

Chris Wright
Network Administrator
Velociter Wireless
209-838-1221 x115

From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Tuesday, March 08, 2016 7:19 AM
To: af@afmug.com
Subject: Re: [AFMUG] I might be under attack by a competitor

If it were verifiable that a competitor were the cause of this, whether 
maliciously or as a bybroduct of a security mechanism, is there legal recourse 
for something like this?

I used to have rogue AP detection and mitigation turned on at my house on a 
router connected to an external omni on my roof.. dick move. I would add APs to 
the mitigation list and eventually I would see the sam or similar ESSID pop up 
on a different MAC indicating they got a new router. In retrospect, it really 
wasnt funny.

On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett 
<af...@ics-il.net<mailto:af...@ics-il.net>> wrote:
Anyone with a laptop and a Linux live disc also has that feature.  :-)


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 9:03:20 AM

Subject: Re: [AFMUG] I might be under attack by a competitor
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works.  Our Xirrus 
radios have that feature.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Mike Hammett
Sent: Tuesday, March 08, 2016 6:02 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
____________
From: "timothy steele" 
<timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 6:28:42 AM
Subject: Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini 
<ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote:
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Se

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Ken Hohhof 
Rory, is this a hotspot where customers connect their own devices?  Or is it a 
conventional fixed wireless scenario where you supply the CPE which is always 
connected?

The reason I ask is that I see a lot of strange stuff in the wireless 
registration logs on managed WiFi routers for customer battery devices that go 
into a sleep mode to save battery life.  Even some non battery operated devices 
seem to have a low power mode where they go to sleep, authorization times out, 
then they wake up and there’s a log entry for an unauthorized device but a 
second later they authenticate and register normally.  I assume it also has 
something to do with whether the AP has WMM sleep mode enabled.


From: That One Guy /sarcasm 
Sent: Tuesday, March 08, 2016 9:19 AM
To: af@afmug.com 
Subject: Re: [AFMUG] I might be under attack by a competitor

If it were verifiable that a competitor were the cause of this, whether 
maliciously or as a bybroduct of a security mechanism, is there legal recourse 
for something like this?  

I used to have rogue AP detection and mitigation turned on at my house on a 
router connected to an external omni on my roof.. dick move. I would add APs to 
the mitigation list and eventually I would see the sam or similar ESSID pop up 
on a different MAC indicating they got a new router. In retrospect, it really 
wasnt funny.

On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote:

  Anyone with a laptop and a Linux live disc also has that feature.  :-)




  -
  Mike Hammett
  Intelligent Computing Solutions

  Midwest Internet Exchange

  The Brothers WISP






--

  From: "Rory Conaway" <r...@triadwireless.net>
  To: af@afmug.com
  Sent: Tuesday, March 8, 2016 9:03:20 AM 

  Subject: Re: [AFMUG] I might be under attack by a competitor


  I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back 
in town next week, I’m going to set it up so I can see how it works.  Our 
Xirrus radios have that feature.



  Rory



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
  Sent: Tuesday, March 08, 2016 6:02 AM
  To: af@afmug.com
  Subject: Re: [AFMUG] I might be under attack by a competitor



  When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.



  -
  Mike Hammett
  Intelligent Computing Solutions

  Midwest Internet Exchange

  The Brothers WISP






--

  From: "timothy steele" <timothy.pct...@gmail.com>
  To: af@afmug.com
  Sent: Tuesday, March 8, 2016 6:28:42 AM
  Subject: Re: [AFMUG] I might be under attack by a competitor

  04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client 
list you should see it pop up now and then maybe pop up a fake ap with same 
said with passphrase ubnt should connect then you can get into the network of 
who ever is doing it



  On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote:

are you running 802.11n or airmax?



On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> wrote:

  I’m almost done doing that.  This should be interesting.



  Rory



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
  Sent: Monday, March 07, 2016 9:55 PM
      To: Animal Farm <af@afmug.com>
  Subject: Re: [AFMUG] I might be under attack by a competitor



  Change your ssid and hide it...

  On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote:

Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because 
sending STA is leaving (or has left) BSS (8).

Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT 
mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 
tx_bytes=3041234063

Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15

Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: 
disassociated

Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. 
Reason: Class 2 frame received from nonauthenticated STA (



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com
Subject: [AFMUG] I might be under attack by a competitor



I have a couple of customers off the same Ubiquiti Rocket 5 AP that 
have been having an issue the last couple days with going offline for a short 
time and then reconnecting and coming back online.  I pull the logs on the AP 
and see a bunch of handshaking and several of these.  I’m pretty sure this is 
what happens when an enterprise radio does Rogue Access Point Suppression.  Am 
I reading this rig

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Ty Featherling 
Dick-move, Steve. ;)

-Ty



-Ty

On Tue, Mar 8, 2016 at 9:19 AM, That One Guy /sarcasm <
thatoneguyst...@gmail.com> wrote:

> If it were verifiable that a competitor were the cause of this, whether
> maliciously or as a bybroduct of a security mechanism, is there legal
> recourse for something like this?
>
> I used to have rogue AP detection and mitigation turned on at my house on
> a router connected to an external omni on my roof.. dick move. I would add
> APs to the mitigation list and eventually I would see the sam or similar
> ESSID pop up on a different MAC indicating they got a new router. In
> retrospect, it really wasnt funny.
>
> On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Anyone with a laptop and a Linux live disc also has that feature.  :-)
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>>
>>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> --
>> *From: *"Rory Conaway" <r...@triadwireless.net>
>> *To: *af@afmug.com
>> *Sent: *Tuesday, March 8, 2016 9:03:20 AM
>>
>> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>>
>> I haven’t seen one on a Ubiquiti AP which is why I asked but when I get
>> back in town next week, I’m going to set it up so I can see how it works.
>> Our Xirrus radios have that feature.
>>
>>
>>
>> Rory
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
>> *Sent:* Tuesday, March 08, 2016 6:02 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>>
>>
>>
>> When a deauth is happening, the laptop doing the deauth impersonates the
>> AP, telling the client to disconnect. What I see below doesn't look like a
>> deauth attack.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> [image: http://www.ics-il.com/images/fbicon.png]
>> <https://www.facebook.com/ICSIL>[image:
>> http://www.ics-il.com/images/googleicon.png]
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image:
>> http://www.ics-il.com/images/linkedinicon.png]
>> <https://www.linkedin.com/company/intelligent-computing-solutions>[image:
>> http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> [image: http://www.ics-il.com/images/fbicon.png]
>> <https://www.facebook.com/mdwestix>[image:
>> http://www.ics-il.com/images/linkedinicon.png]
>> <https://www.linkedin.com/company/midwest-internet-exchange>[image:
>> http://www.ics-il.com/images/twittericon.png]
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> [image: http://www.ics-il.com/images/fbicon.png]
>> <https://www.facebook.com/thebrotherswisp>[image:
>> http://www.ics-il.com/images/youtubeicon.png]
>>
>>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> --
>>
>> *From: *"timothy steele" <timothy.pct...@gmail.com>
>> *To: *af@afmug.com
>> *Sent: *Tuesday, March 8, 2016 6:28:42 AM
>> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>>
>> 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the
>> client list you should see it pop up now and then maybe pop up a fake ap
>> with same said with passphrase ubnt should connect then you can get into
>> the network of who ever is doing it
>>
>>
>>
>> On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote:
>>
>> are you running 802.11n or airmax?
>>
>>
>>
>> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net>
>> wrote:
>>
>> I’m almost done doing tha

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread That One Guy /sarcasm 
If it were verifiable that a competitor were the cause of this, whether
maliciously or as a bybroduct of a security mechanism, is there legal
recourse for something like this?

I used to have rogue AP detection and mitigation turned on at my house on a
router connected to an external omni on my roof.. dick move. I would add
APs to the mitigation list and eventually I would see the sam or similar
ESSID pop up on a different MAC indicating they got a new router. In
retrospect, it really wasnt funny.

On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote:

> Anyone with a laptop and a Linux live disc also has that feature.  :-)
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------
> *From: *"Rory Conaway" <r...@triadwireless.net>
> *To: *af@afmug.com
> *Sent: *Tuesday, March 8, 2016 9:03:20 AM
>
> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>
> I haven’t seen one on a Ubiquiti AP which is why I asked but when I get
> back in town next week, I’m going to set it up so I can see how it works.
> Our Xirrus radios have that feature.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
> *Sent:* Tuesday, March 08, 2016 6:02 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> When a deauth is happening, the laptop doing the deauth impersonates the
> AP, telling the client to disconnect. What I see below doesn't look like a
> deauth attack.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/ICSIL>[image:
> http://www.ics-il.com/images/googleicon.png]
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/intelligent-computing-solutions>[image:
> http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/mdwestix>[image:
> http://www.ics-il.com/images/linkedinicon.png]
> <https://www.linkedin.com/company/midwest-internet-exchange>[image:
> http://www.ics-il.com/images/twittericon.png]
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> [image: http://www.ics-il.com/images/fbicon.png]
> <https://www.facebook.com/thebrotherswisp>[image:
> http://www.ics-il.com/images/youtubeicon.png]
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
>
> *From: *"timothy steele" <timothy.pct...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Tuesday, March 8, 2016 6:28:42 AM
> *Subject: *Re: [AFMUG] I might be under attack by a competitor
>
> 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client
> list you should see it pop up now and then maybe pop up a fake ap with same
> said with passphrase ubnt should connect then you can get into the network
> of who ever is doing it
>
>
>
> On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote:
>
> are you running 802.11n or airmax?
>
>
>
> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net>
> wrote:
>
> I’m almost done doing that.  This should be interesting.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza
> *Sent:* Monday, March 07, 2016 9:55 PM
> *To:* Animal Farm <af@afmug.com>
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> Change your ssid and hide it...
>
> On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote:
>
> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
> sending STA is leaving (or has left) BSS (

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Mike Hammett 
Anyone with a laptop and a Linux live disc also has that feature. :-) 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Rory Conaway" <r...@triadwireless.net> 
To: af@afmug.com 
Sent: Tuesday, March 8, 2016 9:03:20 AM 
Subject: Re: [AFMUG] I might be under attack by a competitor 



I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works. Our Xirrus 
radios have that feature. 

Rory 



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett 
Sent: Tuesday, March 08, 2016 6:02 AM 
To: af@afmug.com 
Subject: Re: [AFMUG] I might be under attack by a competitor 


When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack. 



- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/googleicon.pnghttp://www.ics-il.com/images/linkedinicon.pnghttp://www.ics-il.com/images/twittericon.png
Midwest Internet Exchange 
http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/linkedinicon.pnghttp://www.ics-il.com/images/twittericon.png
The Brothers WISP 
http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/youtubeicon.png






From: "timothy steele" < timothy.pct...@gmail.com > 
To: af@afmug.com 
Sent: Tuesday, March 8, 2016 6:28:42 AM 
Subject: Re: [AFMUG] I might be under attack by a competitor 
04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it 



On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < ginovi...@gmail.com > wrote: 



are you running 802.11n or airmax? 



On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < r...@triadwireless.net > wrote: 




I’m almost done doing that. This should be interesting. 

Rory 

From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Jaime Solorza 
Sent: Monday, March 07, 2016 9:55 PM 
To: Animal Farm < af@afmug.com > 
Subject: Re: [AFMUG] I might be under attack by a competitor 



Change your ssid and hide it... 

On Mar 7, 2016 9:05 PM, "Rory Conaway" < r...@triadwireless.net > wrote: 




Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8). 
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated 
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA ( 



From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Rory Conaway 
Sent: Monday, March 07, 2016 9:03 PM 
To: af@afmug.com 
Subject: [AFMUG] I might be under attack by a competitor 

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online. I pull the logs on the AP and see a 
bunch of handshaking and several of these. I’m pretty sure this is what happens 
when an enterprise radio does Rogue Access Point Suppression. Am I reading this 
right or is there something I’m not aware of like a bad CPE that can cause 
this? 

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Rory Conaway 
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works.  Our Xirrus 
radios have that feature.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
Sent: Tuesday, March 08, 2016 6:02 AM
To: af@afmug.com
Subject: Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "timothy steele" 
<timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 6:28:42 AM
Subject: Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini 
<ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote:
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and several of these.  I’m pretty sure this is what 
happens when an enterprise radio does Rogue Access Point Suppression.  Am I 
reading this right or is there something I’m not aware of like a bad CPE that 
can cause this?

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Rory Conaway 
Airmax

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Gino Villarini
Sent: Tuesday, March 08, 2016 5:14 AM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and several of these.  I’m pretty sure this is what 
happens when an enterprise radio does Rogue Access Point Suppression.  Am I 
reading this right or is there something I’m not aware of like a bad CPE that 
can cause this?

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Mike Hammett 
When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "timothy steele" <timothy.pct...@gmail.com> 
To: af@afmug.com 
Sent: Tuesday, March 8, 2016 6:28:42 AM 
Subject: Re: [AFMUG] I might be under attack by a competitor 


04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it 


On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < ginovi...@gmail.com > wrote: 



are you running 802.11n or airmax? 


On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < r...@triadwireless.net > wrote: 





I’m almost done doing that. This should be interesting. 

Rory 

From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Jaime Solorza 
Sent: Monday, March 07, 2016 9:55 PM 
To: Animal Farm < af@afmug.com > 
Subject: Re: [AFMUG] I might be under attack by a competitor 



Change your ssid and hide it... 

On Mar 7, 2016 9:05 PM, "Rory Conaway" < r...@triadwireless.net > wrote: 




Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8). 
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated 
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA ( 



From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Rory Conaway 
Sent: Monday, March 07, 2016 9:03 PM 
To: af@afmug.com 
Subject: [AFMUG] I might be under attack by a competitor 

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online. I pull the logs on the AP and see a 
bunch of handshaking and several of these. I’m pretty sure this is what happens 
when an enterprise radio does Rogue Access Point Suppression. Am I reading this 
right or is there something I’m not aware of like a bad CPE that can cause 
this? 

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread timothy steele 
04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client
list you should see it pop up now and then maybe pop up a fake ap with same
said with passphrase ubnt should connect then you can get into the network
of who ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote:

> are you running 802.11n or airmax?
>
> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net>
> wrote:
>
>> I’m almost done doing that.  This should be interesting.
>>
>>
>>
>> Rory
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza
>> *Sent:* Monday, March 07, 2016 9:55 PM
>> *To:* Animal Farm <af@afmug.com>
>> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>>
>>
>>
>> Change your ssid and hide it...
>>
>> On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote:
>>
>> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
>> sending STA is leaving (or has left) BSS (8).
>>
>> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15
>> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
>>
>> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
>>
>> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11:
>> disassociated
>>
>> Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15.
>> Reason: Class 2 frame received from nonauthenticated STA (
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway
>> *Sent:* Monday, March 07, 2016 9:03 PM
>> *To:* af@afmug.com
>> *Subject:* [AFMUG] I might be under attack by a competitor
>>
>>
>>
>> I have a couple of customers off the same Ubiquiti Rocket 5 AP that have
>> been having an issue the last couple days with going offline for a short
>> time and then reconnecting and coming back online.  I pull the logs on the
>> AP and see a bunch of handshaking and several of these.  I’m pretty sure
>> this is what happens when an enterprise radio does Rogue Access Point
>> Suppression.  Am I reading this right or is there something I’m not aware
>> of like a bad CPE that can cause this?
>>
>>
>>
>> Rory
>>
>>
>>
>>
>>
>>
>

Re: [AFMUG] I might be under attack by a competitor

2016-03-08 Thread Gino Villarini 
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> wrote:

> I’m almost done doing that.  This should be interesting.
>
>
>
> Rory
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza
> *Sent:* Monday, March 07, 2016 9:55 PM
> *To:* Animal Farm <af@afmug.com>
> *Subject:* Re: [AFMUG] I might be under attack by a competitor
>
>
>
> Change your ssid and hide it...
>
> On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote:
>
> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
> sending STA is leaving (or has left) BSS (8).
>
> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15
> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
>
> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
>
> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11:
> disassociated
>
> Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15.
> Reason: Class 2 frame received from nonauthenticated STA (
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway
> *Sent:* Monday, March 07, 2016 9:03 PM
> *To:* af@afmug.com
> *Subject:* [AFMUG] I might be under attack by a competitor
>
>
>
> I have a couple of customers off the same Ubiquiti Rocket 5 AP that have
> been having an issue the last couple days with going offline for a short
> time and then reconnecting and coming back online.  I pull the logs on the
> AP and see a bunch of handshaking and several of these.  I’m pretty sure
> this is what happens when an enterprise radio does Rogue Access Point
> Suppression.  Am I reading this right or is there something I’m not aware
> of like a bad CPE that can cause this?
>
>
>
> Rory
>
>
>
>
>
>

Re: [AFMUG] I might be under attack by a competitor

2016-03-07 Thread Rory Conaway 
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and several of these.  I’m pretty sure this is what 
happens when an enterprise radio does Rogue Access Point Suppression.  Am I 
reading this right or is there something I’m not aware of like a bad CPE that 
can cause this?

Rory

Re: [AFMUG] I might be under attack by a competitor

2016-03-07 Thread Jaime Solorza 
Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway"  wrote:

> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because
> sending STA is leaving (or has left) BSS (8).
>
> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15
> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
>
> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
>
> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11:
> disassociated
>
> Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15.
> Reason: Class 2 frame received from nonauthenticated STA (
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway
> *Sent:* Monday, March 07, 2016 9:03 PM
> *To:* af@afmug.com
> *Subject:* [AFMUG] I might be under attack by a competitor
>
>
>
> I have a couple of customers off the same Ubiquiti Rocket 5 AP that have
> been having an issue the last couple days with going offline for a short
> time and then reconnecting and coming back online.  I pull the logs on the
> AP and see a bunch of handshaking and several of these.  I’m pretty sure
> this is what happens when an enterprise radio does Rogue Access Point
> Suppression.  Am I reading this right or is there something I’m not aware
> of like a bad CPE that can cause this?
>
>
>
> Rory
>
>
>
>
>

Re: [AFMUG] I might be under attack by a competitor

2016-03-07 Thread Rory Conaway 
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and several of these.  I'm pretty sure this is what 
happens when an enterprise radio does Rogue Access Point Suppression.  Am I 
reading this right or is there something I'm not aware of like a bad CPE that 
can cause this?

Rory