Any Idea to stop this kind of scanning or snooping?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Any Idea to stop this kind of scanning or snooping?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Any Idea to stop this kind of scanning or snooping?
Any Idea to stop this kind of scanning or snooping?
2020-03-30 15:51:13
Model: EAP225-Outdoor  
Hardware Version: V1
Firmware Version: 1.7.0 Build 20200113 Rel. 35383

Hi guys,

 

I don't know if this can be fix in EAP or it need to be fix in my router which is ubiquity. As I've been suspicious with some of my clients and leveled up my security in away like using VLAN, I've encounter this problems, a certain client been changing Mac address which I can't ban because he can just change his MAC address. Another client can slip into a scheduled SSIDs while it is RADIO OFF.

 

And as I know that clients which does not authenticate with Voucher portal gets disconnected within a certain amount of time but this client been connected for more than 3 hrs and its from different MAC Address, but only 1 at a time, here is the one currently connected in my WIFI.

 

 

2020-03-30 log with 5hrs 48 mins with only 1.96 M/ 5.07 M and I've checked the past guest authorization and no authorization happening there.

As I've implemented the VLAN with EAP and my edgerouter, I found in the router with its traffic analysis this kind.

 

 

Different IPs connecting? Is it like snooping or scanning for backdoor?

 

Any suggestions or help regarding this intrusion and activities? in the AP or EAP side?

 

Regards and thanks in advance.

  0      
  0      
#1
Options
9 Reply
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-15 01:38:47

 

JessieG wrote

Hi guys,

 

I don't know if this can be fix in EAP or it need to be fix in my router which is ubiquity. As I've been suspicious with some of my clients and leveled up my security in away like using VLAN, I've encounter this problems, a certain client been changing Mac address which I can't ban because he can just change his MAC address. Another client can slip into a scheduled SSIDs while it is RADIO OFF.

 

And as I know that clients which does not authenticate with Voucher portal gets disconnected within a certain amount of time but this client been connected for more than 3 hrs and its from different MAC Address, but only 1 at a time, here is the one currently connected in my WIFI.

 

 

@JessieG

 

What kind of portal function you are using? I think only the clients know the password/code can pass the authentication. For the MAC address trick, I suggest you set a mac filter function in EAP or the router, then only the MAC address you set in advance can access the Internet.

 

  0  
  0  
#2
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-15 02:14:16

@jonas 

 

I'm using voucher type, so the authentication would be none but because of the voucher portal they need to authenticate there. And as I've observer after I've updated my EAPs and OC200, because of that I rarely have this kind of suspicious clients but there is a few clients that is connected to the EAP even without authenticating with the voucher portal.

 

Here are some lates screenshots,

 

As for today I only have 1 authentication with voucher but I have a few client who only used a 13mb/1.5mb maybe because of the curfew so they need to go inside their house and can't get the EAP signal like the 3rd client.

 

 

 

But I got a few clients who always connects to the EAP, maybe because they have set it for auto-connect to known wifi, but if you look at their history they got no authentication with the voucher portal but got connected also 2hrs (thats april 9 and only the 2nd page of the connection history). 

 

I don't if they are scanning or snooping but everytime I saw them in the network, It got my ubnt router flooded with different IPs with traffic analysis.

 

Regarding the MAC filter, as I'm using a voucher type and bulk selling vouchers to re-distributors near my signal, I can't add mac address everytime a new client want to use my services, but Its noted if things get to tough here. I got 2 additional competitors here using vendo machine wifi, so I'm thinking they are trying to make my connection slow or something, I hope not.

 

I'm looking to buy 1 or 3 more 225-outdoor but because of this lockdown, delivery is impossible and that model is already out of stock. 

 

trying to find ways and will eventually try to be a WISP. Starting little by little, so any inputs and help will do.

  0  
  0  
#3
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-15 08:36:29

@JessieG 

 

Do you only have one SSID for the voucher portal authentication? If use the voucher portal, only the wireless clients who have the voucher code can pass the authentication. Maybe you can check if you have set "Free Authentication Policy" for some devices. With the "Free Authentication Policy", clients will access the Internet without the authentication.

 

  0  
  0  
#4
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-15 12:45:08

Hi @jonas 

 

I'm using 3 kinds of portal authentication at the moment and using 5 SSIDs with vlan. I wanted to use the facebook portal but every time a create a facebook portal, all other portal can access facebook even without authentication. the No Authentication SSIDs are offline at the moment because I have a client who can change their Mac address and can use this to exploit this and its has another and I saw a client authenticate with No authenticatioin even after it was scheduled radio ON only so I'm using radio OFF and for indefinitely. Back to the problem.

 

 

 

I don't have any Free Authentication Policy, and haven't used any of it.

 

 

I for got to screenshot the traffic analytic in my router, it has 138 pages of random ip address, but while I'm replying to this I got 64 pages again.

 

 

the 1st page are the ips of those legitimate clients and the rest are like this. Thats why I was asking if this is snooping or something because my DCHP are using 10.x.x.x and 172.x.x.x only and I can see ip adds not within the starting ip, like they manually set it as static IP and connected to the EAP. 

 

I really like your product and here are some glitches I found and if possible any help will do. I'm willing to learn and now I got lots of time because of this pandemic. 

 

Regards,

  0  
  0  
#5
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-16 03:15:26

@JessieG 

 

JessieG wrote

Hi @jonas 

 

I'm using 3 kinds of portal authentication at the moment and using 5 SSIDs with vlan. I wanted to use the facebook portal but every time a create a facebook portal, all other portal can access facebook even without authentication. the No Authentication SSIDs are offline at the moment because I have a client who can change their Mac address and can use this to exploit this and its has another and I saw a client authenticate with No authenticatioin even after it was scheduled radio ON only so I'm using radio OFF and for indefinitely. Back to the problem.

 

 

 

I don't have any Free Authentication Policy, and haven't used any of it.

 

 

I for got to screenshot the traffic analytic in my router, it has 138 pages of random ip address, but while I'm replying to this I got 64 pages again.

 

 

the 1st page are the ips of those legitimate clients and the rest are like this. Thats why I was asking if this is snooping or something because my DCHP are using 10.x.x.x and 172.x.x.x only and I can see ip adds not within the starting ip, like they manually set it as static IP and connected to the EAP. 

 

I really like your product and here are some glitches I found and if possible any help will do. I'm willing to learn and now I got lots of time because of this pandemic. 

 

Regards,

 

I have checked the IP address 103.126.243.13, 13.226.254.123, it is the public IP address, maybe locate in HongKong China and US. I think you can check why it will show the public IP address in the traffic analyzing list in the router, maybe it is the server which clients have accessed?

 

BTY, you can check the historical wireless clients list in the "Insight" list of Omada Controller, check if some wireless clients have these kind of "IP address". And you can SSH in the EAP, use command "cliclientd wltool sta" to list the real-time wireless clients that connect with the EAP, check if there have some " suspicious" clients.

  0  
  0  
#6
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-16 11:25:12 - last edited 2020-04-16 11:53:26

@JessieG, those external IPs occur in EdgeRouter's traffic analysis if WAN connections are initiated from outside as it is the case with torrents, skype, VPNs or funky NAT rules used for port forwarding. See UBNT forums for an in-depth discussion of foreign IPs occuring in traffic statistics.

 

Nothing to worry of. As for WLAN statistics, use Omada controller's Insight and client's Connection History.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  1  
  1  
#7
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-18 03:43:39

@JessieG 

With regards to the MAC Address spoofing; I'm not sure if you're aware of this, most of the newer phones (at least Android/Samsung) has a security feature to randomoze the MAC address of the WiFi everytime it connects to the network. And this feature is turned on by default since android 10.

 

https://source.android.com/devices/tech/connect/wifi-mac-randomization

 

 

  1  
  1  
#8
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-18 10:55:07 - last edited 2020-04-18 11:32:40

@AsankaG, MAC randomization is used when a client scans for WiFi networks. Such a survey isn't recorded in Omada controller. Android 10 and Windows 10 randomize the MAC for connecting to a SSID, but once connected this randomized MAC address needs to be persistent for the particular SSID even over disconnect/reconnect cycles.

 

If it would not be persistent, roaming between APs would disrupt all active services and thus would not work as expected by the user. Usually, this persistance of the MAC address is guaranteed by using the SSID in the formula for creating randomized MACs when connecting. See the note in the »Validation« section of the document you linked to, it states this persistance explicitly.

 

BTW: MAC randomization is fine, but using fingerprints of probe requests and fake advertising hotspots (especially with HS 2.0 protocol / IEEE 802.11u) one can completely defeat MAC address randomization.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  1  
  1  
#9
Options
Re:Any Idea to stop this kind of scanning or snooping?
2020-04-19 14:13:45
Thanks for the insight here. I've had a ton of issues with Captive Portal and WiFi since updating to Android 10. Once I am back at this location, I will give this another go and see if the MAC address changes between connections. Thanks gain for the info :)
  0  
  0  
#10
Options

Information

Helpful: 0

Views: 2405

Replies: 9

Related Articles