imaljko4
Member Candidate
Topic Author
Posts: 250
Joined: Fri Apr 25, 2008 6:52 pm

Somebody hacking into my router? Please help

Sun Aug 07, 2011 8:11 pm

Hello,

I have had very strange logs recently. Please explain to me what they mean: is somebody trying to break into my router or what?
I had a few thousand of these logs, happening every few seconds.


Thanks a lot for help
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Mon Aug 08, 2011 2:08 am

http://wiki.mikrotik.com/wiki/Manual:Wi ... gs#AP_MODE
<DEV>: data from unknown device <MAC>, sent deauth [(XXX events suppressed, YYY deauths suppressed)]

Data frame from unknown device (read - not registered to this AP) with mac address <MAC> received, AP sent deauthentication frame to it (as per 802.11). XXX is number of events that are not logged so that the log does not become too large (logs are limited to 1 entry per 5s after first 5 entries), YYY is the number of deauthentication frames that should have been sent, but were not sent, so that resources are not wasted sending too many deauthentication frames (only 10 deauth frames per second are allowed).

The likely cause of such a message is that the Station previously connected to the AP, which does not yet know it has been dropped from AP registration table, sending data to AP. Deauthentication message tells the Station that it is no longer connected.
If this keeps happening the most likely cause is that your AP can hear the station, but the station can't hear your AP, so it never gets the deauthentication frame.
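
Added example (not part of the post above and not MikroTik code): a Python parser for the message format quoted above that totals logged plus suppressed events per MAC and marks MACs that are known stations. The log prefix, the sample lines and the `known_clients` list are constructed assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted from the MikroTik wiki above; the bracketed
# counters are optional and only appear once rate limiting kicks in.
LINE_RE = re.compile(
    r"(?P<dev>\S+): data from unknown device "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), sent deauth"
    r"(?: \((?P<ev>\d+) events suppressed, (?P<de>\d+) deauths suppressed\))?"
)

def summarize(lines):
    """Aggregate per-MAC totals from 'data from unknown device' log lines."""
    stats = defaultdict(lambda: {"events": 0, "deauths_suppressed": 0, "devs": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # unrelated log entry
        s = stats[m["mac"].upper()]
        # Assumption: each logged entry is one event, plus the events the
        # router counted but did not log since the previous entry.
        s["events"] += 1 + int(m["ev"] or 0)
        s["deauths_suppressed"] += int(m["de"] or 0)
        s["devs"].add(m["dev"])
    return dict(stats)

def triage(stats, known_clients):
    """Sort MACs by event count and mark the ones that are known stations."""
    known = {mac.upper() for mac in known_clients}
    rows = [(mac, s["events"], s["deauths_suppressed"], mac in known)
            for mac, s in stats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample lines (not taken from the poster's screenshot).
SAMPLE_LOG = [
    "20:11:01 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:01, sent deauth",
    "20:11:06 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:01, sent deauth (41 events suppressed, 12 deauths suppressed)",
    "20:11:11 wireless,info wlan1: data from unknown device 02:00:00:aa:bb:01, sent deauth (38 events suppressed, 9 deauths suppressed)",
    "20:11:12 wireless,info 02:00:00:AA:BB:07@wlan1: connected",
    "20:11:16 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:02, sent deauth",
]

if __name__ == "__main__":
    # known_clients is a hypothetical inventory of stations that normally register.
    for mac, events, suppressed, is_known in triage(summarize(SAMPLE_LOG), ["02:00:00:aa:bb:01"]):
        print(f"{mac}  events={events}  deauths_suppressed={suppressed}  known_client={is_known}")
```

A MAC that is a known station and dominates the totals fits the explanation above of a client that was dropped from the registration table and keeps sending data.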
 
angboontiong
Forum Guru
Posts: 1136
Joined: Fri Jan 16, 2009 9:59 am

Mon Aug 08, 2011 11:51 am

http://wiki.mikrotik.com/wiki/Manual:Wi ... gs#AP_MODE
<DEV>: data from unknown device <MAC>, sent deauth [(XXX events suppressed, YYY deauths suppressed)]

Data frame from unknown device (read - not registered to this AP) with mac address <MAC> received, AP sent deauthentication frame to it (as per 802.11). XXX is number of events that are not logged so that the log does not become too large (logs are limited to 1 entry per 5s after first 5 entries), YYY is the number of deauthentication frames that should have been sent, but were not sent, so that resources are not wasted sending too many deauthentication frames (only 10 deauth frames per second are allowed).

The likely cause of such a message is that the Station previously connected to the AP, which does not yet know it has been dropped from AP registration table, sending data to AP. Deauthentication message tells the Station that it is no longer connected.
If this keeps happening the most likely cause is that your AP can hear the station, but the station can't hear your AP, so it never gets the deauthentication frame.
How can we drop only that particular MAC address?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Mon Aug 08, 2011 5:00 pm

I'm not sure what you're asking. Are you asking about connect lists? Firewall filters?
 
wirelesswaves
Member
Posts: 311
Joined: Thu May 31, 2007 12:38 am

Mon Aug 08, 2011 10:51 pm

Judging by the rate, I would say that is a deauth attack aimed at bringing down your AP. I would start using the "management frame" in security profiles before the attacker gets hold of the broadcast address and uses it to disassociate each and every client from your AP.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Mon Aug 08, 2011 11:15 pm

Judging by the rate, I would say that is a deauth attack aimed at bringing down your AP. I would start using the "management frame" in security profiles before the attacker gets hold of the broadcast address and uses it to disassociate each and every client from your AP.
Wouldn't a deauth attack have the deauth frame being sent from the attacker to the victim? In the screenshot the AP itself is sending deauth frames.
 
wirelesswaves
Member
Posts: 311
Joined: Thu May 31, 2007 12:38 am

Tue Aug 09, 2011 12:46 pm

Well, it seems correct as I see it. The AP is sending a deauthentication frame to the CPE that is trying to log in.

What is not clear is the reason. More info would be available with the wireless debug!

I was attacked a few years back by a competitor who had got together with a fellow countryman to bring down my AP and sabotage my network.

This was at the time of the introduction of the "management frame". Sadly though, at that time my network was a mix of suppliers...

The attacker was causing my MT AP to send a deauthentication frame to each and every CPE, causing them ALL to disconnect... This was being repeated every second or so.

I trawled the darker depths of the internet in search of the method that the saboteur was using, and did eventually come across it... I remember that it had something to do with "knowing the broadcast address" and at least 1 MAC address of a CPE. And that was all that was needed to destroy everything.

The ONLY cure was to use the management frame, which I implemented immediately, then I spent the next few days systematically swapping all client CPEs that were not MT for MT units!

6000 euros later and the network was secure... FYI, 1 night I did turn off the management frame after midnight, and was surprised to see that the attacker was still sending these broadcast disconnect frames several days later.
 
mramos
Member Candidate
Posts: 231
Joined: Sun Nov 23, 2008 1:05 am
Location: S. B do Campo - SP - Brazil

Tue Aug 09, 2011 1:43 pm

Hi ...

"A8:6A:6F:XX:XX:XX" returned RIM as manufacturer, a Canadian company that claims "Research In Motion (RIM), a global leader in wireless innovation, revolutionized the mobile industry with the introduction of the BlackBerry® solution in 1999 ..." (www.rim.com)

Of course anyone can clone MAC addresses ...

Is your AP on 2.4 or 5.8?

BTW, I once had a Bullet2 in bridge mode and it "leaked" some MAC addresses from behind it, making one of my APs fill the log with these messages as if it was a wireless device trying to connect, but in fact it was an ETH MAC from a laptop that ran a Dude server.

Regards;
 
sudiptakp
Frequent Visitor
Posts: 77
Joined: Thu Jan 29, 2009 2:43 pm

Mon Jul 23, 2012 8:35 am

Very strange fact. I keep on getting the same deauth message on my home AP which is an MT.

It shows deauth message against the registration of my Blackberry smartphone. These are manufactured by RIM.

Any clue??
 
h3ml0ck
just joined
Posts: 3
Joined: Sat Apr 28, 2012 10:25 pm

Sun Jan 12, 2014 11:28 pm

Hi,
I want to log the MAC of anybody that pings me,
but the logging only shows the previous router's MAC, not the remote device's MAC.
How do I get the MAC right?
 
plisken
Forum Guru
Posts: 2509
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Mon Jan 13, 2014 11:25 pm

This is because the client cannot properly communicate with the access point.
Nothing to worry about.
The client is too far to be able to connect to the access point
