Endless auth/deauth from alien source…
-
My system logs are full of the following junk:
Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:04:40 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:04:37 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:04:34 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:04:31 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:03:56 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:03:53 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:03:50 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:03:50 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:03:47 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associated
Feb 13 22:03:12 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deassociated
Feb 13 22:03:12 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: deauthenticated due to local deauth request
Feb 13 22:03:09 hostapd: ath0: STA 97:af:6c:89:56:df IEEE 802.11: associatedWireless performance is not nearly as good as we'd like, and although I don't know whether this is the cause, it sure can't help.
97:af:6c does not correspond to any known manufacturer, and Wireshark reports that this MAC has been set by the user. I can't tell whether this is an intentional attack, or just some malfunctioning but innocent device somewhere… I can use NetStumbler to track down rogue APs, does anyone know of a good tool to track down rogue clients? Anyway, my real question is: can I tell pfSense to ignore this MAC? I believe I've read that WPA and MAC filtering can't coexist (at least not with the current state of ath and hostapd), but is there anything I can do?
Version 1.2-RC4
built on Tue Jan 15 23:13:25 EST 2008
Platform pfSense
CPU Type Intel(R) Pentium(R) 4 CPU 2.66GHzifconfig -v ath0
ath0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>mtu 1500
inet6 fe80::214:6cff:fe89:56df%ath0 prefixlen 64 scopeid 0x2
ether 00:14:6c:89:56:df
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: associated
ssid collective channel 1 (2412) bssid 00:14:6c:89:56:df
authmode WPA privacy MIXED deftxkey 3
TKIP 2:128-bit
TKIP 3:128-bit powersavemode OFF powersavesleep 100 txpowmax 37
txpower 63 rtsthreshold 2346 mcastrate 1 fragthreshold 2346 bmiss 7
pureg protmode CTS -wme -burst ssid SHOW -apbridge dtimperiod 1
bintval 100 -countermeasuresathstats
543934 tx management frames
34279 tx frames discarded prior to association
1478 tx discarded empty frame
7447 tx failed 'cuz FIFO underrun
65058 tx failed 'cuz bogus xmit rate
119530 tx frames with rts enabled
451913 tx frames with an alternate rate
5134 tx frames with 11g protection
382850 rx failed 'cuz of FIFO overrun
4 rx failed 'cuz MIC failure
44 rx failed 'cuz frame too short
395827 rx management frames
10 rx failed 'cuz of PHY err
5490981 transmit underrun
2161030 OFDM illegal parity
1 (unknown phy error code 24)
3329906 CCK header crc
760374 beacon setup failed 'cuz no mbuf
1822437940 beacons transmitted
2618 periodic calibration failures
1 tx used alternate antenna
Antenna profile:
[2] tx 570351 rx 802471
[3] tx 1 rx 0If any further info is needed, let me know.</hostap></up,broadcast,running,promisc,simplex,multicast>
-
7447 tx failed 'cuz FIFO underrun
I found when this happens, my wireless connection drops and reconnects kinda transparently. The result was that traffic goes very high, then dips very very lo and high again. Many spikes while using high bandwidth applications like newsgroups and torrents.
Is this what you ar experiencing?