Hello,
I have very strange logs recently, please explain to me what it means, and is somebody trying to break into my router or what?
I had a few thousand of these logs..., happening every few seconds.
Thanks a lot for the help
If this keeps happening the most likely cause is that your AP can hear the station, but the station can't hear your AP, so it never gets the deauthentication frame.
<DEV>: data from unknown device <MAC>, sent deauth [(XXX events suppressed, YYY deauths suppressed)]
Data frame from unknown device (read - not registered to this AP) with mac address <MAC> received, AP sent deauthentication frame to it (as per 802.11). XXX is number of events that are not logged so that the log does not become too large (logs are limited to 1 entry per 5s after first 5 entries), YYY is the number of deauthentication frames that should have been sent, but were not sent, so that resources are not wasted sending too many deauthentication frames (only 10 deauth frames per second are allowed).
The likely cause of such a message is that the Station previously connected to the AP, which does not yet know it has been dropped from AP registration table, sending data to AP. Deauthentication message tells the Station that it is no longer connected.
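The following Python script is an added example, not part of the thread or the MikroTik wiki. It parses the message format quoted above and totals the events per MAC address, which shows whether the entries come from one address or many. The timestamp/topic prefix, the sample lines and the attribution of suppressed counts to the MAC on the same line are assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted from the wiki text above; the bracketed suffix is optional.
LINE_RE = re.compile(
    r"(?P<dev>\S+): data from unknown device "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), sent deauth"
    r"(?: \((?P<ev>\d+) events suppressed, (?P<de>\d+) deauths suppressed\))?"
)

# Constructed sample lines (not taken from the thread's screenshot).
SAMPLE_LOG = """\
12:00:01 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:01, sent deauth
12:00:06 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:01, sent deauth (40 events suppressed, 5 deauths suppressed)
12:00:11 wireless,info wlan1: data from unknown device 02:00:00:AA:BB:01, sent deauth (55 events suppressed, 12 deauths suppressed)
12:00:12 wireless,info wlan1: data from unknown device 02:00:00:CC:DD:02, sent deauth
12:00:13 wireless,info wlan1: connected 02:00:00:EE:FF:03
"""


def summarize(log_text):
    """Return {mac: {"lines", "events", "deauths_suppressed"}} for matching entries."""
    stats = defaultdict(lambda: {"lines": 0, "events": 0, "deauths_suppressed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log entry
        s = stats[m["mac"].upper()]
        s["lines"] += 1
        # Assumption: a logged entry stands for itself plus the suppressed events.
        s["events"] += 1 + int(m["ev"] or 0)
        s["deauths_suppressed"] += int(m["de"] or 0)
    return dict(stats)


def top_talkers(stats):
    """MAC addresses ordered by total events, highest first."""
    return sorted(stats, key=lambda mac: stats[mac]["events"], reverse=True)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for mac in top_talkers(result):
        print(mac, result[mac])
```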
how can we drop only on that particular MAC address?
http://wiki.mikrotik.com/wiki/Manual:Wi ... gs#AP_MODE
Wouldn't a deauth attack have the deauth frame being sent from the attacker to the victim? In the screenshot the AP itself is sending deauth frames.
Judging by the rate I would say that is a deauth attack aimed at bringing down your AP. I would start using the "management frame" in security profiles before the attacker gets hold of the broadcast address and uses it to disassociate each and every client to your AP.