Re: [AFMUG] I might be under attack by a competitor

[Rory Conaway]

We are with AC2.  Unfortunately I’m on vacation so I’m briefly checking on it.  
I changed everything to 10MHz until I can deal with it this weekend.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds
Sent: Tuesday, March 08, 2016 12:54 PM
To: af@afmug.com
Subject: Re: [AFMUG] I might be under attack by a competitor

Are you graphing the stations / APs in AirControl2 or similar? This can help 
diagnose the problem.

On Tue, Mar 8, 2016 at 1:50 PM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
CCQ% is 95-98%.    But it doesn’t mean it’s not an interference issue.  I’ve 
seen Mikrotik do serious damage to Ubiquiti.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Josh Reynolds
Sent: Tuesday, March 08, 2016 12:10 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

Yes, substantial interference will cause this, even on 5GHz. It could be noise 
at the AP, but only if all stations having high CCQs. If not, the CPEs are 
seeing another signal that either has very high signal or is on a near or 
overlapping frequency.

On Tue, Mar 8, 2016 at 12:53 PM, George Skorup 
<geo...@cbcast.com<mailto:geo...@cbcast.com>> wrote:
Rory, I think you're seeing somewhat normal operation from the UBNT radios. The 
AP heard nothing from that CPE in a while so it tore down the session. CPE 
still thinks it's registered. AP says nope. Could be interference. We saw this 
all the time in the 2.4 band w/ UBNT radios.

On 3/8/2016 9:03 AM, Rory Conaway wrote:
I haven’t seen one on a Ubiquiti AP which is why I asked but when I get back in 
town next week, I’m going to set it up so I can see how it works.  Our Xirrus 
radios have that feature.

Rory

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
Sent: Tuesday, March 08, 2016 6:02 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] I might be under attack by a competitor

When a deauth is happening, the laptop doing the deauth impersonates the AP, 
telling the client to disconnect. What I see below doesn't look like a deauth 
attack.


-----
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
________________________________
From: "timothy steele" 
<timothy.pct...@gmail.com<mailto:timothy.pct...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Tuesday, March 8, 2016 6:28:42 AM
Subject: Re: [AFMUG] I might be under attack by a competitor

04:18:d6:e4:c0:15 Is a ubnt Mac sure you don't own that Mac? In the client list 
you should see it pop up now and then maybe pop up a fake ap with same said 
with passphrase ubnt should connect then you can get into the network of who 
ever is doing it

On Tue, Mar 8, 2016, 7:14 AM Gino Villarini 
<ginovi...@gmail.com<mailto:ginovi...@gmail.com>> wrote:
are you running 802.11n or airmax?

On Tue, Mar 8, 2016 at 1:44 AM, Rory Conaway 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
I’m almost done doing that.  This should be interesting.

Rory

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Jaime Solorza
Sent: Monday, March 07, 2016 9:55 PM
To: Animal Farm <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] I might be under attack by a competitor


Change your ssid and hide it...
On Mar 7, 2016 9:05 PM, "Rory Conaway" 
<r...@triadwireless.net<mailto:r...@triadwireless.net>> wrote:
Received disassoc from 04:18:d6:e4:c0:15. Reason: Disassociated because sending 
STA is leaving (or has left) BSS (8).
Feb 13 07:17:43 wireless: ath0     STA-TRAFFIC-STAT mac=04:18:d6:e4:c0:15 
rx_packets=633675 rx_bytes=116857546 tx_packets=2225222 tx_bytes=3041234063
Feb 13 07:17:43 wireless: ath0     Expired node:04:18:D6:E4:C0:15
Feb 13 07:17:43 hostapd: ath0: STA 04:18:d6:e4:c0:15 IEEE 802.11: disassociated
Feb 13 07:17:43 wireless: ath0     Sending deauth to 04:18:d6:e4:c0:15. Reason: 
Class 2 frame received from nonauthenticated STA (

From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf 
Of Rory Conaway
Sent: Monday, March 07, 2016 9:03 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: [AFMUG] I might be under attack by a competitor

I have a couple of customers off the same Ubiquiti Rocket 5 AP that have been 
having an issue the last couple days with going offline for a short time and 
then reconnecting and coming back online.  I pull the logs on the AP and see a 
bunch of handshaking and several of these.  I’m pretty sure this is what 
happens when an enterprise radio does Rogue Access Point Suppression.  Am I 
reading this right or is there something I’m not aware of like a bad CPE that 
can cause this?

Rory