10-times "deauth" in one sec

Kilma · October 5, 2011, 3:12pm

Hello there,
I work for the local internet provider that got about 1500 active costumers.
Last week we found log in one of our many mikrotiks that repeatly tells us that some unknown mac adress is deauthenticated about 10times in one sec.You can make me really happy, if you can solve our problem, cause this “deauth message” is realy annoying

Thx a lot

PS. sorry for my english…it´s just a secondary lang.
Výstřižek.PNG

mgutz2 · October 5, 2011, 5:58pm

I have the same problem, but I found that mac adresss from a customer router that connects to my wireless card, I have not yet determined which protocol is the cause of this message, I hope to share ideas.
Greetings from Nicaragua.

WirelessRudy · October 5, 2011, 10:45pm

Your signal strength range in the access list is set to “0”. Set it like the rest, default.

WirelessRudy · October 5, 2011, 10:47pm

You have the same problem? But the rest of your post doesn’t make a lot of sense.
Explain better what is happening and show us also prints of the log, register and access-list and all other wireless related info.

mgutz2 · October 6, 2011, 12:40am

los mensajes son los mismos, una de las direcciones macadress proviene de un cliente conectado a mi wireless, pero no corresponde al radio que se conecta, me parece que viene de un router que el cliente tiene en su red.

messages are the same, one of the addresses from a mac address connected to my wireless client, but not for the radio to connect, I think that comes from a router that the client has in its network.

Kilma · October 6, 2011, 5:06am

[/quote]Your signal strength range in the access list is set to “0”. Set it like the rest, default.[/quote]

We don´t wanna accept this MAC adress…it´s unknown for us so we would like to permanently ban it

janisk · October 6, 2011, 7:26am

check this option:
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection

Kilma · October 6, 2011, 7:44am

Thx everybody, we´ll try to figure this out or just ignore those logs…

nest · October 6, 2011, 8:33pm

Looks like a classic deauth attack. Might be someone trying to hack? Or perform a Denial Of Service.

Janisk’s solution is the best answer to this problem.

mramos · October 7, 2011, 3:31am

Hi …

00:19:56 & 00:1A:6D belongs to Cisco Systems …

If the CPEs are UBNTs (mainly Bullets, Nano2/5, Nano 2/5 Loco) configured as bridge you can expect some mac “leaks” from customer LAN. May be other CPEs manufacturers have the same “hole” when configured as bridges.

Regards;