malicious rogue vs. rogue?

  • 1
  • Question
  • Updated 4 months ago
Been googling a bit, but I'm not finding what the difference is between a "rogue AP" (I get that) and a "malicious rogue AP".  Also the logging is odd - I get log events of the rogue AP going away, but no mention of it appearing.  Log example:

2017/03/09  14:15:09 | High | A Malicious Rogue[40:5d:82:12:5d:93] detection by AP[1c:b9:c4:35:eb:e0] goes away
That MAC belongs to a Netgear device, so I'm assuming it's some consumer router.  It would be helpful if an SSID was logged as well...
Photo of sporkman

sporkman

  • 12 Posts
  • 1 Reply Like

Posted 5 months ago

  • 1
Photo of Mike Kuly

Mike Kuly

  • 1 Post
  • 0 Reply Likes
A rogue AP is any AP that your AP can hear the beacons from that is not part of your wifi network. Another vendors AP in the next office will show up as a rogue. Not usually a problem unless they are blasting your office too. Malicious AP is an AP that your AP can hear and its either transmitting your SSID (man in the middle attack) usually with an open SSID which clients may prefer and will connect to it instead of your AP. Or another scenario is when an AP that is not part of your wifi system and it is on your network. There are a couple of other types of malicious APs but they dont happen very often.

Hope this helps
Photo of sporkman

sporkman

  • 12 Posts
  • 1 Reply Like
Is there any way to coax more logging out of the Ruckus?  I'd like to know if the malicious rogue AP is using the same SSID or not (as that would certainly explain a lot of problems).  Also, any idea on why only the "goes away" state is logged?
Photo of Michael Brado

Michael Brado, Official Rep

  • 1968 Posts
  • 275 Reply Likes
Yes, if you collect a wireless trace from an AP.  A "rogue" is defined as any device not managed by your controller.
Malicious is if they are advertising our SSID, or DHCP.
Photo of sporkman

sporkman

  • 12 Posts
  • 1 Reply Like
Can you clarify a bit more?  I get "advertising our SSID" I think - another AP in range with the same SSID.  Clearly bad.  I don't get the "or DHCP" part.  What does that mean?  How can my AP detect anything having to do with DHCP on an AP that's not on my network?

Also in this message:

A new Same-Network Rogue[f0:b0:52:37:cf:fc] with SSID[CableWiFi] is first detected by AP[RuckusAP [email protected]:b9:c4:35:eb:e0]

What does "Network" refer to in the context of "same network"?  I assume not the same SSID, as the SSID is logged as the ubiquitous "CableWiFi".  Does network mean "channel" in this context?