Re: [AFMUG] vehicle tracking systems and open WiFi hotspot

[George Skorup]

I've seen those MACs all over the place for years trying to connect to 
open systems. Maybe it's an Illinois thing, we have a lot of BNSF lines 
around here.

On 6/16/2015 3:48 PM, Ken Hohhof wrote:
Nope.
MAC address always starts with 00:16:A4
DHCP hostname always starts with UA followed by a long number
This forum post leads me to believe it is vehicle or RR car tracking:
http://forum.mikrotik.com/viewtopic.php?t=76847
*From:* Josh Luthman <mailto:j...@imaginenetworksllc.com>
*Sent:* Tuesday, June 16, 2015 3:37 PM
*To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] vehicle tracking systems and open WiFi hotspot
Do the DHCP lease names say Truck-PC?  I saw millions of those a while 
back.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Tue, Jun 16, 2015 at 4:32 PM, Jaime Solorza 
<losguyswirel...@gmail.com <mailto:losguyswirel...@gmail.com>> wrote:

    What did the mac search reveal?  Our tracking systems use GPS and
    GSM but not WiFi

    Jaime Solorza

    On Jun 16, 2015 2:27 PM, "Ken Hohhof" <af...@kwisp.com
    <mailto:af...@kwisp.com>> wrote:

        Fast food franchise at tollway oasis had us set up an open
        guest hotspot as a Virtual AP on their Mikrotik, and we see
        random WiFi connections and DHCP leases for MAC addresses
        starting with 00:16:A4 and hostnames starting with UA followed
        by a bunch of numbers.  The WiFi signal is always low, around -90.

        Doing some research on the web, I think this may be due to
        vehicle tracking systems,  I'm not sure if these are vehicles
        in the parking lot or whizzing by on the tollroad.  Also not
        sure if they are from the vehicle or the intermodal container
        it is carrying.

        I'm not sure it is a big problem, we have the DHCP lease time
        set to 30 minutes.

        Has anyone else run into this, and if so, did you take any
        action?  I guess we could block connections from those MAC
        addresses, or maybe set a higher signal threshold to connect. 
        Or maybe we should just let them check their location or call
        the mothership or whatever they do.

        BTW, don't say this is a DOS attack trying to exhaust the DHCP
        leases, they dribble in 1 or at most 2 at a time.  If we had
        the DHCP leases set to 30 days, it could be a problem unless
        we expanded the pool.