Endless auth/deauth from alien source…



  • My system logs are full of the following junk:
    Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
    Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
    Feb 13 22:04:37 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
    Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
    Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
    Feb 13 22:04:31 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
    Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
    Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
    Feb 13 22:03:53 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
    Feb 13 22:03:50 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
    Feb 13 22:03:50 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
    Feb 13 22:03:47 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
    Feb 13 22:03:12 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
    Feb 13 22:03:12 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
    Feb 13 22:03:09 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated

    Wireless performance is not nearly as good as we'd like, and although I don't know whether this is the cause, it sure can't help.

    97:af:6c does not correspond to any known manufacturer, and Wireshark reports that this MAC has been set by the user.  I can't tell whether this is an intentional attack, or just some malfunctioning but innocent device somewhere…  I can use NetStumbler to track down rogue APs, does anyone know of a good tool to track down rogue clients?  Anyway, my real question is: can I tell pfSense to ignore this MAC?  I believe I've read that WPA and MAC filtering can't coexist (at least not with the current state of ath and hostapd), but is there anything I can do?

    Version  1.2-RC4
    built on Tue Jan 15 23:13:25 EST 2008
    Platform pfSense
    CPU Type Intel(R) Pentium(R) 4 CPU 2.66GHz

    ifconfig -v ath0

    ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            inet6 fe80::214:6cff:fe89:56df%ath0 prefixlen 64 scopeid 0x2
            ether 00:14:6c:89:56:df
            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
            status: associated
            ssid collective channel 1 (2412) bssid 00:14:6c:89:56:df
            authmode WPA privacy MIXED deftxkey 3
            TKIP 2:128-bit
            TKIP 3:128-bit powersavemode OFF powersavesleep 100 txpowmax 37
            txpower 63 rtsthreshold 2346 mcastrate 1 fragthreshold 2346 bmiss 7
            pureg protmode CTS -wme -burst ssid SHOW -apbridge dtimperiod 1
            bintval 100 -countermeasures

    athstats

    543934 tx management frames
    34279 tx frames discarded prior to association
    1478 tx discarded empty frame
    7447 tx failed 'cuz FIFO underrun
    65058 tx failed 'cuz bogus xmit rate
    119530 tx frames with rts enabled
    451913 tx frames with an alternate rate
    5134 tx frames with 11g protection
    382850 rx failed 'cuz of FIFO overrun
    4 rx failed 'cuz MIC failure
    44 rx failed 'cuz frame too short
    395827 rx management frames
    10 rx failed 'cuz of PHY err
        5490981 transmit underrun
        2161030 OFDM illegal parity
        1 (unknown phy error code 24)
        3329906 CCK header crc
    760374 beacon setup failed 'cuz no mbuf
    1822437940 beacons transmitted
    2618 periodic calibration failures
    1 tx used alternate antenna
    Antenna profile:
    [2] tx  570351 rx  802471
    [3] tx        1 rx        0

    If any further info is needed, let me know.



  • 7447 tx failed 'cuz FIFO underrun

    I found when this happens, my wireless connection drops and reconnects kinda transparently. The result was that traffic goes very high, then dips very very low and high again. Many spikes while using high bandwidth applications like newsgroups and torrents.

    Is this what you are experiencing?
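
An added example, not part of the original thread: a small triage script for the hostapd lines quoted in the first post. It counts associate/deauthenticate cycles per station, decodes the two flag bits of the station's first octet, and compares the address with the AP's own BSSID from the ifconfig output. The 10-second session limit, the 3-cycle threshold and the year 2008 (syslog lines carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nine of the hostapd lines quoted in the first post (newest first, as posted).
SAMPLE_LOG = """\
Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:04:37 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:04:31 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:03:53 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
"""
BSSID = "00:14:6c:89:56:df"  # the AP's own address, from the ifconfig output

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) hostapd: \S+: STA ([0-9a-f:]{17}) "
                     r"IEEE 802\.11: (associated|deassociated|deauthenticated)", re.I)

def mac_flags(mac):
    """Decode the two low bits of the first octet (U/L and I/G)."""
    first = int(mac.split(":")[0], 16)
    return {"locally_administered": bool(first & 0x02), "group": bool(first & 0x01)}

def shared_suffix_octets(mac, other):
    """Count trailing octets two addresses have in common."""
    a, b = mac.lower().split(":")[::-1], other.lower().split(":")[::-1]
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def flapping_stations(log, max_session=timedelta(seconds=10), min_cycles=3, year=2008):
    """Return {mac: cycles} for stations deauthenticated within max_session of associating."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # syslog omits the year; `year` is an assumed value
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2).lower(), m.group(3).lower()))
    last_assoc, cycles = {}, defaultdict(int)
    for ts, mac, event in sorted(events):  # the post lists newest first
        if event == "associated":
            last_assoc[mac] = ts
        elif event == "deauthenticated" and mac in last_assoc and ts - last_assoc.pop(mac) <= max_session:
            cycles[mac] += 1
    return {mac: n for mac, n in cycles.items() if n >= min_cycles}
```

On the quoted lines this reports three sessions of three seconds each for 97:af:6c:89:56:df. The address has both the locally-administered and the group bit set in its first octet, and its last four octets match the AP's own BSSID.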

