Rory, I think you're seeing somewhat normal operation from the UBNT radios. The AP heard nothing from that CPE in a while so it tore down the session. CPE still thinks it's registered. AP says nope. Could be interference. We saw this all the time in the 2.4 band w/ UBNT radios.

On 3/8/2016 9:03 AM, Rory Conaway wrote:

I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in town next week, I’m going to set it up so I can see how it works. Our Xirrus radios have that feature.

Rory

*From:*Af [mailto:[email protected]] *On Behalf Of *Mike Hammett
*Sent:* Tuesday, March 08, 2016 6:02 AM
*To:* [email protected]
*Subject:* Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, telling the client to disconnect. What I see below doesn't look like a deauth attack.



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>

------------------------------------------------------------------------

*From: *"timothy steele" <[email protected] <mailto:[email protected]>>
*To: *[email protected] <mailto:[email protected]>
*Sent: *Tuesday, March 8, 2016 6:28:42 AM
*Subject: *Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 is a UBNT MAC. Sure you don't own that MAC? In the client list you should see it pop up now and then. Maybe pop up a fake AP with the same SSID with passphrase ubnt; it should connect, then you can get into the network of whoever is doing it.

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini <[email protected] <mailto:[email protected]>> wrote:

    are you running 802.11n or airmax?

    On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway
    <[email protected] <mailto:[email protected]>> wrote:

        I’m almost done doing that.  This should be interesting.

        Rory

        *From:*Af [mailto:[email protected]
        <mailto:[email protected]>] *On Behalf Of *Jaime Solorza
        *Sent:* Monday, March 07, 2016 9:55 PM
        *To:* Animal Farm <[email protected] <mailto:[email protected]>>
        *Subject:* Re: [AFMUG] I might be under attack by a competitor

        Change your ssid and hide it...

        On Mar 7, 2016 9:05 PM, "Rory Conaway" <[email protected]
        <mailto:[email protected]>> wrote:

            Received disassoc from 04:18:d6:e4:c0:15. Reason:
            Disassociated because sending STA is leaving (or has left)
            BSS (8).

            Feb 13 07:17:43 wireless: ath0 STA-TRAFFIC-STAT
            mac=04:18:d6:e4:c0:15 rx_packets=633675 rx_bytes=116857546
            tx_packets=2225222 tx_bytes=3041234063

            Feb 13 07:17:43 wireless: ath0 Expired node:04:18:D6:E4:C0:15

            Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE
            802.11: disassociated

            Feb 13 07:17:43 wireless: ath0 Sending deauth to
            04:18:d6:e4:c0:15. Reason: Class 2 frame received from
            nonauthenticated STA (

            *From:*Af [mailto:[email protected]
            <mailto:[email protected]>] *On Behalf Of *Rory Conaway
            *Sent:* Monday, March 07, 2016 9:03 PM
            *To:* [email protected] <mailto:[email protected]>
            *Subject:* [AFMUG] I might be under attack by a competitor

            I have a couple of customers off the same Ubiquiti Rocket
            5 AP that have been having an issue the last couple days
            with going offline for a short time and then reconnecting
            and coming back online.  I pull the logs on the AP and see
            a bunch of handshaking and several of these.  I’m pretty
            sure this is what happens when an enterprise radio does
            Rogue Access Point Suppression.  Am I reading this right
            or is there something I’m not aware of like a bad CPE that
            can cause this?

            Rory
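
An added example, not part of the thread: a small Python parser for AP syslog lines in the format quoted above. It groups teardown events per station and labels the sequence the first reply describes (the AP expires the node, then deauths it for still sending). The sample lines and MAC addresses are constructed, the label names are hypothetical, and the `wireless: ath0` prefix on the disassoc line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample (not real logs) in the syslog format quoted in the thread.
# The "wireless: ath0" prefix on the disassoc line is an assumption.
SAMPLE_LOG = """\
Feb 13 07:17:43 wireless: ath0 Expired node:02:00:00:AA:BB:01
Feb 13 07:17:43 hostapd: ath0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0 Sending deauth to 02:00:00:aa:bb:01. Reason: Class 2 frame received from nonauthenticated STA (6).
Feb 13 07:19:02 wireless: ath0 Received disassoc from 02:00:00:aa:bb:02. Reason: Disassociated because sending STA is leaving (or has left) BSS (8).
"""

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
PATTERNS = [
    ("expired", re.compile(r"Expired node:\s*" + MAC)),
    ("disassoc_rx", re.compile(r"Received disassoc from " + MAC)),
    ("deauth_tx", re.compile(r"Sending deauth to " + MAC)),
]

def parse(log):
    """Return {mac: [(event, reason_text), ...]} in log order, MACs lowercased."""
    events = defaultdict(list)
    for line in log.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                reason = line.partition("Reason: ")[2].strip()
                events[m.group(1).lower()].append((name, reason))
                break
    return dict(events)

def classify(events):
    """Label each station by the teardown pattern its AP-side events show."""
    labels = {}
    for mac, seq in events.items():
        found, expired = set(), False
        for name, reason in seq:
            if name == "expired":
                expired = True
            elif name == "deauth_tx" and expired and "Class 2 frame" in reason:
                found.add("ap_expired_then_station_still_sending")
            elif name == "disassoc_rx":
                found.add("disassoc_frame_received")
        labels[mac] = sorted(found) or ["unclassified"]
    return labels

if __name__ == "__main__":
    for mac, tags in classify(parse(SAMPLE_LOG)).items():
        print(mac, ", ".join(tags))
```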

