Re: [AFMUG] I might be under attack by a competitor
We are with AC2. Unfortunately I’m on vacation so I’m briefly checking on it. I changed everything to 10MHz until I can deal with it this weekend. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds Sent: Tuesday, March 08, 2016 12:54 PM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor Are you graphing the stations / APs in AirControl2 or similar? This can help diagnose the problem. On Tue, Mar 8, 2016 at 1:50 PM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue. I’ve seen Mikrotik do serious damage to Ubiquiti. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Josh Reynolds Sent: Tuesday, March 08, 2016 12:10 PM To: af@afmug.com<mailto:af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor Yes, substantial interference will cause this, even on 5GHz. It could be noise at the AP, but only if all stations having high CCQs. If not, the CPEs are seeing another signal that either has very high signal or is on a near or overlapping frequency. On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com<mailto:geo...@cbcast.com>> wrote: Rory, I think you're seeing somewhat normal operation from the UBNT radios. The AP heard nothing from that CPE in a while so it tore down the session. CPE still thinks it's registered. AP says nope. Could be interference. We saw this all the time in the 2.4 band w/ UBNT radios. On 3/8/2016 9:03 AM, Rory Conaway wrote: I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com<mailto:af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions<http://www.ics-il.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL> Midwest Internet Exchange<http://www.midwest-ix.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix> The Brothers WISP<http://www.thebrotherswisp.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png] <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> From: "timothy steele" <timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>> To: af@afmug.com<mailto:af@afmug.com> Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com<mailto:af@afmug.com>> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:
Re: [AFMUG] I might be under attack by a competitor
Are you graphing the stations / APs in AirControl2 or similar? This can help diagnose the problem. On Tue, Mar 8, 2016 at 1:50 PM, Rory Conaway <r...@triadwireless.net> wrote: > CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue. > I’ve seen Mikrotik do serious damage to Ubiquiti. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Josh Reynolds > *Sent:* Tuesday, March 08, 2016 12:10 PM > *To:* af@afmug.com > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > Yes, substantial interference will cause this, even on 5GHz. It could be > noise at the AP, but only if all stations having high CCQs. If not, the > CPEs are seeing another signal that either has very high signal or is on a > near or overlapping frequency. > > > > On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com> wrote: > > Rory, I think you're seeing somewhat normal operation from the UBNT > radios. The AP heard nothing from that CPE in a while so it tore down the > session. CPE still thinks it's registered. AP says nope. Could be > interference. We saw this all the time in the 2.4 band w/ UBNT radios. > > > > On 3/8/2016 9:03 AM, Rory Conaway wrote: > > I haven’t seen one on a Ubiquiti AP which is why I asked but when I get > back in town next week, I’m going to set it up so I can see how it works. > Our Xirrus radios have that feature. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On > Behalf Of *Mike Hammett > *Sent:* Tuesday, March 08, 2016 6:02 AM > *To:* af@afmug.com > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > When a deauth is happening, the laptop doing the deauth impersonates the > AP, telling the client to disconnect. What I see below doesn't look like a > deauth attack. > > > > - > Mike Hammett > Intelligent Computing Solutions <http://www.ics-il.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/ICSIL>[image: > http://www.ics-il.com/images/googleicon.png] > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/intelligent-computing-solutions>[image: > http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL> > Midwest Internet Exchange <http://www.midwest-ix.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/mdwestix>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/midwest-internet-exchange>[image: > http://www.ics-il.com/images/twittericon.png] > <https://twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/thebrotherswisp>[image: > http://www.ics-il.com/images/youtubeicon.png] > > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > -- > > *From: *"timothy steele" <timothy.pct...@gmail.com> > *To: *af@afmug.com > *Sent: *Tuesday, March 8, 2016 6:28:42 AM > *Subject: *Re: [AFMUG] I might be under attack by a competitor > > 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client > list you should see it pop up now and then maybe pop up a fake ap with same > said with passphrase ubnt should connect then you can get into the network > of who ever is doing it > > > > On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: > > are you running 802.11n or airmax? > > > > On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> > wrote: > > I’m almost done doing that. This should be interesting. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza > *Sent:* Monday, March 07, 2016 9:55 PM > *To:* Animal Farm <af@afmug.com> > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > Change your ssid and hide it... > > On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: > > Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because > sending STA is leaving (or has left) BSS (8). > > Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 > rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 > > Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 > > Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11
Re: [AFMUG] I might be under attack by a competitor
CCQ% is 95-98%.But it doesn’t mean it’s not an interference issue. I’ve seen Mikrotik do serious damage to Ubiquiti. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds Sent: Tuesday, March 08, 2016 12:10 PM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor Yes, substantial interference will cause this, even on 5GHz. It could be noise at the AP, but only if all stations having high CCQs. If not, the CPEs are seeing another signal that either has very high signal or is on a near or overlapping frequency. On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com<mailto:geo...@cbcast.com>> wrote: Rory, I think you're seeing somewhat normal operation from the UBNT radios. The AP heard nothing from that CPE in a while so it tore down the session. CPE still thinks it's registered. AP says nope. Could be interference. We saw this all the time in the 2.4 band w/ UBNT radios. On 3/8/2016 9:03 AM, Rory Conaway wrote: I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com<mailto:af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions<http://www.ics-il.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL> Midwest Internet Exchange<http://www.midwest-ix.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix> The Brothers WISP<http://www.thebrotherswisp.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png] <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> From: "timothy steele" <timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>> To: af@afmug.com<mailto:af@afmug.com> Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com<mailto:af@afmug.com>> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com<mailto:af@afmug.com> Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and seve
Re: [AFMUG] I might be under attack by a competitor
Yes, substantial interference will cause this, even on 5GHz. It could be noise at the AP, but only if all stations having high CCQs. If not, the CPEs are seeing another signal that either has very high signal or is on a near or overlapping frequency. On Tue, Mar 8, 2016 at 12:53 PM, George Skorup <geo...@cbcast.com> wrote: > Rory, I think you're seeing somewhat normal operation from the UBNT > radios. The AP heard nothing from that CPE in a while so it tore down the > session. CPE still thinks it's registered. AP says nope. Could be > interference. We saw this all the time in the 2.4 band w/ UBNT radios. > > > On 3/8/2016 9:03 AM, Rory Conaway wrote: > > I haven’t seen one on a Ubiquiti AP which is why I asked but when I get > back in town next week, I’m going to set it up so I can see how it works. > Our Xirrus radios have that feature. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On > Behalf Of *Mike Hammett > *Sent:* Tuesday, March 08, 2016 6:02 AM > *To:* af@afmug.com > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > When a deauth is happening, the laptop doing the deauth impersonates the > AP, telling the client to disconnect. What I see below doesn't look like a > deauth attack. > > > > - > Mike Hammett > Intelligent Computing Solutions <http://www.ics-il.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/ICSIL>[image: > http://www.ics-il.com/images/googleicon.png] > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/intelligent-computing-solutions>[image: > http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL> > Midwest Internet Exchange <http://www.midwest-ix.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/mdwestix>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/midwest-internet-exchange>[image: > http://www.ics-il.com/images/twittericon.png] > <https://twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/thebrotherswisp>[image: > http://www.ics-il.com/images/youtubeicon.png] > > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > -- > > *From: *"timothy steele" <timothy.pct...@gmail.com> > *To: *af@afmug.com > *Sent: *Tuesday, March 8, 2016 6:28:42 AM > *Subject: *Re: [AFMUG] I might be under attack by a competitor > > 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client > list you should see it pop up now and then maybe pop up a fake ap with same > said with passphrase ubnt should connect then you can get into the network > of who ever is doing it > > > > On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < <ginovi...@gmail.com> > ginovi...@gmail.com> wrote: > > are you running 802.11n or airmax? > > > > On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < <r...@triadwireless.net> > r...@triadwireless.net> wrote: > > I’m almost done doing that. This should be interesting. > > > > Rory > > > > *From:* Af [mailto: <af-boun...@afmug.com>af-boun...@afmug.com] *On > Behalf Of *Jaime Solorza > *Sent:* Monday, March 07, 2016 9:55 PM > *To:* Animal Farm < <af@afmug.com>af@afmug.com> > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > Change your ssid and hide it... > > On Mar 7, 2016 9:05 PM, "Rory Conaway" < <r...@triadwireless.net> > r...@triadwireless.net> wrote: > > Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because > sending STA is leaving (or has left) BSS (8). > > Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 > rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 > > Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 > > Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: > disassociated > > Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. > Reason: Class 2 frame received from nonauthenticated STA ( > > > > *From:* Af [mailto: <af-boun...@afmug.com>af-boun...@afmug.com] *On > Behalf Of *Rory Conaway > *Sent:* Monday, March 07, 2016 9:03 PM > *To:* <af@afmug.com>af@afmug.com > *Subject:* [AFMUG] I might be under attack by a competitor > > > > I have a couple of customers off the same Ubiquiti Rocket 5 AP that have > been having an issue the last couple days with going offline for a short > time and then reconnecting and coming back online. I pull the logs on the > AP and see a bunch of handshaking and several of these. I’m pretty sure > this is what happens when an enterprise radio does Rogue Access Point > Suppression. Am I reading this right or is there something I’m not aware > of like a bad CPE that can cause this? > > > > Rory > > > > > > > > > > >
Re: [AFMUG] I might be under attack by a competitor
Rory, I think you're seeing somewhat normal operation from the UBNT radios. The AP heard nothing from that CPE in a while so it tore down the session. CPE still thinks it's registered. AP says nope. Could be interference. We saw this all the time in the 2.4 band w/ UBNT radios. On 3/8/2016 9:03 AM, Rory Conaway wrote: I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory *From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett *Sent:* Tuesday, March 08, 2016 6:02 AM *To:* af@afmug.com *Subject:* Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions <http://www.ics-il.com/> http://www.ics-il.com/images/fbicon.png <https://www.facebook.com/ICSIL>http://www.ics-il.com/images/googleicon.png <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>http://www.ics-il.com/images/linkedinicon.png <https://www.linkedin.com/company/intelligent-computing-solutions>http://www.ics-il.com/images/twittericon.png <https://twitter.com/ICSIL> Midwest Internet Exchange <http://www.midwest-ix.com/> http://www.ics-il.com/images/fbicon.png <https://www.facebook.com/mdwestix>http://www.ics-il.com/images/linkedinicon.png <https://www.linkedin.com/company/midwest-internet-exchange>http://www.ics-il.com/images/twittericon.png <https://twitter.com/mdwestix> The Brothers WISP <http://www.thebrotherswisp.com/> http://www.ics-il.com/images/fbicon.png <https://www.facebook.com/thebrotherswisp>http://www.ics-il.com/images/youtubeicon.png <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> *From: *"timothy steele" <timothy.pct...@gmail.com <mailto:timothy.pct...@gmail.com>> *To: *af@afmug.com <mailto:af@afmug.com> *Sent: *Tuesday, March 8, 2016 6:28:42 AM *Subject: *Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com <mailto:ginovi...@gmail.com>> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net <mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory *From:*Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] *On Behalf Of *Jaime Solorza *Sent:* Monday, March 07, 2016 9:55 PM *To:* Animal Farm <af@afmug.com <mailto:af@afmug.com>> *Subject:* Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net <mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( *From:*Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] *On Behalf Of *Rory Conaway *Sent:* Monday, March 07, 2016 9:03 PM *To:* af@afmug.com <mailto:af@afmug.com> *Subject:* [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
You truly are… that one guy. Chris Wright Network Administrator Velociter Wireless 209-838-1221 x115 From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm Sent: Tuesday, March 08, 2016 7:19 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor If it were verifiable that a competitor were the cause of this, whether maliciously or as a bybroduct of a security mechanism, is there legal recourse for something like this? I used to have rogue AP detection and mitigation turned on at my house on a router connected to an external omni on my roof.. dick move. I would add APs to the mitigation list and eventually I would see the sam or similar ESSID pop up on a different MAC indicating they got a new router. In retrospect, it really wasnt funny. On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net<mailto:af...@ics-il.net>> wrote: Anyone with a laptop and a Linux live disc also has that feature. :-) - Mike Hammett Intelligent Computing Solutions<http://www.ics-il.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL> Midwest Internet Exchange<http://www.midwest-ix.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix> The Brothers WISP<http://www.thebrotherswisp.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png] <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> From: "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> To: af@afmug.com<mailto:af@afmug.com> Sent: Tuesday, March 8, 2016 9:03:20 AM Subject: Re: [AFMUG] I might be under attack by a competitor I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com<mailto:af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions<http://www.ics-il.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL> Midwest Internet Exchange<http://www.midwest-ix.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix> The Brothers WISP<http://www.thebrotherswisp.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png] <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> ____________ From: "timothy steele" <timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>> To: af@afmug.com<mailto:af@afmug.com> Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Jaime Solorza Se
Re: [AFMUG] I might be under attack by a competitor
Rory, is this a hotspot where customers connect their own devices? Or is it a conventional fixed wireless scenario where you supply the CPE which is always connected? The reason I ask is that I see a lot of strange stuff in the wireless registration logs on managed WiFi routers for customer battery devices that go into a sleep mode to save battery life. Even some non battery operated devices seem to have a low power mode where they go to sleep, authorization times out, then they wake up and there’s a log entry for an unauthorized device but a second later they authenticate and register normally. I assume it also has something to do with whether the AP has WMM sleep mode enabled. From: That One Guy /sarcasm Sent: Tuesday, March 08, 2016 9:19 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor If it were verifiable that a competitor were the cause of this, whether maliciously or as a bybroduct of a security mechanism, is there legal recourse for something like this? I used to have rogue AP detection and mitigation turned on at my house on a router connected to an external omni on my roof.. dick move. I would add APs to the mitigation list and eventually I would see the sam or similar ESSID pop up on a different MAC indicating they got a new router. In retrospect, it really wasnt funny. On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote: Anyone with a laptop and a Linux live disc also has that feature. :-) - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP -- From: "Rory Conaway" <r...@triadwireless.net> To: af@afmug.com Sent: Tuesday, March 8, 2016 9:03:20 AM Subject: Re: [AFMUG] I might be under attack by a competitor I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP -- From: "timothy steele" <timothy.pct...@gmail.com> To: af@afmug.com Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this rig
Re: [AFMUG] I might be under attack by a competitor
Dick-move, Steve. ;) -Ty -Ty On Tue, Mar 8, 2016 at 9:19 AM, That One Guy /sarcasm < thatoneguyst...@gmail.com> wrote: > If it were verifiable that a competitor were the cause of this, whether > maliciously or as a bybroduct of a security mechanism, is there legal > recourse for something like this? > > I used to have rogue AP detection and mitigation turned on at my house on > a router connected to an external omni on my roof.. dick move. I would add > APs to the mitigation list and eventually I would see the sam or similar > ESSID pop up on a different MAC indicating they got a new router. In > retrospect, it really wasnt funny. > > On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote: > >> Anyone with a laptop and a Linux live disc also has that feature. :-) >> >> >> >> - >> Mike Hammett >> Intelligent Computing Solutions <http://www.ics-il.com/> >> <https://www.facebook.com/ICSIL> >> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> >> <https://www.linkedin.com/company/intelligent-computing-solutions> >> <https://twitter.com/ICSIL> >> Midwest Internet Exchange <http://www.midwest-ix.com/> >> <https://www.facebook.com/mdwestix> >> <https://www.linkedin.com/company/midwest-internet-exchange> >> <https://twitter.com/mdwestix> >> The Brothers WISP <http://www.thebrotherswisp.com/> >> <https://www.facebook.com/thebrotherswisp> >> >> >> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> >> -- >> *From: *"Rory Conaway" <r...@triadwireless.net> >> *To: *af@afmug.com >> *Sent: *Tuesday, March 8, 2016 9:03:20 AM >> >> *Subject: *Re: [AFMUG] I might be under attack by a competitor >> >> I haven’t seen one on a Ubiquiti AP which is why I asked but when I get >> back in town next week, I’m going to set it up so I can see how it works. >> Our Xirrus radios have that feature. >> >> >> >> Rory >> >> >> >> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett >> *Sent:* Tuesday, March 08, 2016 6:02 AM >> *To:* af@afmug.com >> *Subject:* Re: [AFMUG] I might be under attack by a competitor >> >> >> >> When a deauth is happening, the laptop doing the deauth impersonates the >> AP, telling the client to disconnect. What I see below doesn't look like a >> deauth attack. >> >> >> >> - >> Mike Hammett >> Intelligent Computing Solutions <http://www.ics-il.com/> >> [image: http://www.ics-il.com/images/fbicon.png] >> <https://www.facebook.com/ICSIL>[image: >> http://www.ics-il.com/images/googleicon.png] >> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image: >> http://www.ics-il.com/images/linkedinicon.png] >> <https://www.linkedin.com/company/intelligent-computing-solutions>[image: >> http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL> >> Midwest Internet Exchange <http://www.midwest-ix.com/> >> [image: http://www.ics-il.com/images/fbicon.png] >> <https://www.facebook.com/mdwestix>[image: >> http://www.ics-il.com/images/linkedinicon.png] >> <https://www.linkedin.com/company/midwest-internet-exchange>[image: >> http://www.ics-il.com/images/twittericon.png] >> <https://twitter.com/mdwestix> >> The Brothers WISP <http://www.thebrotherswisp.com/> >> [image: http://www.ics-il.com/images/fbicon.png] >> <https://www.facebook.com/thebrotherswisp>[image: >> http://www.ics-il.com/images/youtubeicon.png] >> >> >> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> >> -- >> >> *From: *"timothy steele" <timothy.pct...@gmail.com> >> *To: *af@afmug.com >> *Sent: *Tuesday, March 8, 2016 6:28:42 AM >> *Subject: *Re: [AFMUG] I might be under attack by a competitor >> >> 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the >> client list you should see it pop up now and then maybe pop up a fake ap >> with same said with passphrase ubnt should connect then you can get into >> the network of who ever is doing it >> >> >> >> On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: >> >> are you running 802.11n or airmax? >> >> >> >> On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> >> wrote: >> >> I’m almost done doing tha
Re: [AFMUG] I might be under attack by a competitor
If it were verifiable that a competitor were the cause of this, whether maliciously or as a bybroduct of a security mechanism, is there legal recourse for something like this? I used to have rogue AP detection and mitigation turned on at my house on a router connected to an external omni on my roof.. dick move. I would add APs to the mitigation list and eventually I would see the sam or similar ESSID pop up on a different MAC indicating they got a new router. In retrospect, it really wasnt funny. On Tue, Mar 8, 2016 at 9:10 AM, Mike Hammett <af...@ics-il.net> wrote: > Anyone with a laptop and a Linux live disc also has that feature. :-) > > > > - > Mike Hammett > Intelligent Computing Solutions <http://www.ics-il.com/> > <https://www.facebook.com/ICSIL> > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> > <https://www.linkedin.com/company/intelligent-computing-solutions> > <https://twitter.com/ICSIL> > Midwest Internet Exchange <http://www.midwest-ix.com/> > <https://www.facebook.com/mdwestix> > <https://www.linkedin.com/company/midwest-internet-exchange> > <https://twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > <https://www.facebook.com/thebrotherswisp> > > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > ------ > *From: *"Rory Conaway" <r...@triadwireless.net> > *To: *af@afmug.com > *Sent: *Tuesday, March 8, 2016 9:03:20 AM > > *Subject: *Re: [AFMUG] I might be under attack by a competitor > > I haven’t seen one on a Ubiquiti AP which is why I asked but when I get > back in town next week, I’m going to set it up so I can see how it works. > Our Xirrus radios have that feature. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett > *Sent:* Tuesday, March 08, 2016 6:02 AM > *To:* af@afmug.com > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > When a deauth is happening, the laptop doing the deauth impersonates the > AP, telling the client to disconnect. What I see below doesn't look like a > deauth attack. > > > > - > Mike Hammett > Intelligent Computing Solutions <http://www.ics-il.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/ICSIL>[image: > http://www.ics-il.com/images/googleicon.png] > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/intelligent-computing-solutions>[image: > http://www.ics-il.com/images/twittericon.png] <https://twitter.com/ICSIL> > Midwest Internet Exchange <http://www.midwest-ix.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/mdwestix>[image: > http://www.ics-il.com/images/linkedinicon.png] > <https://www.linkedin.com/company/midwest-internet-exchange>[image: > http://www.ics-il.com/images/twittericon.png] > <https://twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > [image: http://www.ics-il.com/images/fbicon.png] > <https://www.facebook.com/thebrotherswisp>[image: > http://www.ics-il.com/images/youtubeicon.png] > > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > -- > > *From: *"timothy steele" <timothy.pct...@gmail.com> > *To: *af@afmug.com > *Sent: *Tuesday, March 8, 2016 6:28:42 AM > *Subject: *Re: [AFMUG] I might be under attack by a competitor > > 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client > list you should see it pop up now and then maybe pop up a fake ap with same > said with passphrase ubnt should connect then you can get into the network > of who ever is doing it > > > > On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: > > are you running 802.11n or airmax? > > > > On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> > wrote: > > I’m almost done doing that. This should be interesting. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza > *Sent:* Monday, March 07, 2016 9:55 PM > *To:* Animal Farm <af@afmug.com> > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > Change your ssid and hide it... > > On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: > > Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because > sending STA is leaving (or has left) BSS (
Re: [AFMUG] I might be under attack by a competitor
Anyone with a laptop and a Linux live disc also has that feature. :-) - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Rory Conaway" <r...@triadwireless.net> To: af@afmug.com Sent: Tuesday, March 8, 2016 9:03:20 AM Subject: Re: [AFMUG] I might be under attack by a competitor I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/googleicon.pnghttp://www.ics-il.com/images/linkedinicon.pnghttp://www.ics-il.com/images/twittericon.png Midwest Internet Exchange http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/linkedinicon.pnghttp://www.ics-il.com/images/twittericon.png The Brothers WISP http://www.ics-il.com/images/fbicon.pnghttp://www.ics-il.com/images/youtubeicon.png From: "timothy steele" < timothy.pct...@gmail.com > To: af@afmug.com Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < ginovi...@gmail.com > wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < r...@triadwireless.net > wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm < af@afmug.com > Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" < r...@triadwireless.net > wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett Sent: Tuesday, March 08, 2016 6:02 AM To: af@afmug.com Subject: Re: [AFMUG] I might be under attack by a competitor When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions<http://www.ics-il.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL> Midwest Internet Exchange<http://www.midwest-ix.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix> The Brothers WISP<http://www.thebrotherswisp.com/> [http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png] <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> From: "timothy steele" <timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>> To: af@afmug.com<mailto:af@afmug.com> Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com<mailto:af@afmug.com>> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com<mailto:af@afmug.com> Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
Airmax From: Af [mailto:af-boun...@afmug.com] On Behalf Of Gino Villarini Sent: Tuesday, March 08, 2016 5:14 AM To: Animal Farm <af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com<mailto:af@afmug.com>> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com<mailto:af@afmug.com> Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "timothy steele" <timothy.pct...@gmail.com> To: af@afmug.com Sent: Tuesday, March 8, 2016 6:28:42 AM Subject: Re: [AFMUG] I might be under attack by a competitor 04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini < ginovi...@gmail.com > wrote: are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway < r...@triadwireless.net > wrote: I’m almost done doing that. This should be interesting. Rory From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm < af@afmug.com > Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" < r...@triadwireless.net > wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto: af-boun...@afmug.com ] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list you should see it pop up now and then maybe pop up a fake ap with same said with passphrase ubnt should connect then you can get into the network of who ever is doing it On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <ginovi...@gmail.com> wrote: > are you running 802.11n or airmax? > > On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> > wrote: > >> I’m almost done doing that. This should be interesting. >> >> >> >> Rory >> >> >> >> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza >> *Sent:* Monday, March 07, 2016 9:55 PM >> *To:* Animal Farm <af@afmug.com> >> *Subject:* Re: [AFMUG] I might be under attack by a competitor >> >> >> >> Change your ssid and hide it... >> >> On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: >> >> Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because >> sending STA is leaving (or has left) BSS (8). >> >> Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 >> rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 >> >> Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 >> >> Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: >> disassociated >> >> Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. >> Reason: Class 2 frame received from nonauthenticated STA ( >> >> >> >> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway >> *Sent:* Monday, March 07, 2016 9:03 PM >> *To:* af@afmug.com >> *Subject:* [AFMUG] I might be under attack by a competitor >> >> >> >> I have a couple of customers off the same Ubiquiti Rocket 5 AP that have >> been having an issue the last couple days with going offline for a short >> time and then reconnecting and coming back online. I pull the logs on the >> AP and see a bunch of handshaking and several of these. I’m pretty sure >> this is what happens when an enterprise radio does Rogue Access Point >> Suppression. Am I reading this right or is there something I’m not aware >> of like a bad CPE that can cause this? >> >> >> >> Rory >> >> >> >> >> >> >
Re: [AFMUG] I might be under attack by a competitor
are you running 802.11n or airmax? On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway <r...@triadwireless.net> wrote: > I’m almost done doing that. This should be interesting. > > > > Rory > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza > *Sent:* Monday, March 07, 2016 9:55 PM > *To:* Animal Farm <af@afmug.com> > *Subject:* Re: [AFMUG] I might be under attack by a competitor > > > > Change your ssid and hide it... > > On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net> wrote: > > Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because > sending STA is leaving (or has left) BSS (8). > > Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 > rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 > > Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 > > Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: > disassociated > > Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. > Reason: Class 2 frame received from nonauthenticated STA ( > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway > *Sent:* Monday, March 07, 2016 9:03 PM > *To:* af@afmug.com > *Subject:* [AFMUG] I might be under attack by a competitor > > > > I have a couple of customers off the same Ubiquiti Rocket 5 AP that have > been having an issue the last couple days with going offline for a short > time and then reconnecting and coming back online. I pull the logs on the > AP and see a bunch of handshaking and several of these. I’m pretty sure > this is what happens when an enterprise radio does Rogue Access Point > Suppression. Am I reading this right or is there something I’m not aware > of like a bad CPE that can cause this? > > > > Rory > > > > > >
Re: [AFMUG] I might be under attack by a competitor
I’m almost done doing that. This should be interesting. Rory From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza Sent: Monday, March 07, 2016 9:55 PM To: Animal Farm <af@afmug.com> Subject: Re: [AFMUG] I might be under attack by a competitor Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway" <r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote: Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com<mailto:af@afmug.com> Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I’m pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I’m not aware of like a bad CPE that can cause this? Rory
Re: [AFMUG] I might be under attack by a competitor
Change your ssid and hide it... On Mar 7, 2016 9:05 PM, "Rory Conaway"wrote: > Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because > sending STA is leaving (or has left) BSS (8). > > Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 > rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 > > Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 > > Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: > disassociated > > Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. > Reason: Class 2 frame received from nonauthenticated STA ( > > > > *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Rory Conaway > *Sent:* Monday, March 07, 2016 9:03 PM > *To:* af@afmug.com > *Subject:* [AFMUG] I might be under attack by a competitor > > > > I have a couple of customers off the same Ubiquiti Rocket 5 AP that have > been having an issue the last couple days with going offline for a short > time and then reconnecting and coming back online. I pull the logs on the > AP and see a bunch of handshaking and several of these. I’m pretty sure > this is what happens when an enterprise radio does Rogue Access Point > Suppression. Am I reading this right or is there something I’m not aware > of like a bad CPE that can cause this? > > > > Rory > > > > >
Re: [AFMUG] I might be under attack by a competitor
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending STA is leaving (or has left) BSS (8). Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063 Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15 Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated Feb 13 07:17:43 wireless: ath0 Sending deauth to 04:18:d6:e4:c0:15. Reason: Class 2 frame received from nonauthenticated STA ( From: Af [mailto:af-boun...@afmug.com] On Behalf Of Rory Conaway Sent: Monday, March 07, 2016 9:03 PM To: af@afmug.com Subject: [AFMUG] I might be under attack by a competitor I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been having an issue the last couple days with going offline for a short time and then reconnecting and coming back online. I pull the logs on the AP and see a bunch of handshaking and several of these. I'm pretty sure this is what happens when an enterprise radio does Rogue Access Point Suppression. Am I reading this right or is there something I'm not aware of like a bad CPE that can cause this? Rory