[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?
Xabier Oneca -- xOneca
xoneca at gmail.com
Sun Feb 15 23:36:08 UTC 2015
2015-02-15 23:57 GMT+01:00 Ben West <ben at gowasabi.net>:
> Thank you, Xavier, for the tip about possible API calls from a wayward
> Android client. I also couldn't Google anything meaningful about the
> filenames "apkupdate.php," etc. and assumed the client was malicious.
Misbehaved App/user? It seems so. Malicious? Probably not. But if you
are not running PHP on that AP, I would not worry.
> Are there options for dealing with chilli clients who open many many many
> simultaneous connections, for whatever reason? For example use iptables
> connlimit module to limit the number of new connections per unit time on
> unauthenticated clients?
> https://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
Only on unauthenticated clients? Authenticated clients can also be
rogue. I would simply set the limit so high that normal clients will
never reach it. You should probably do a load test to see where's the
limit of the Nanostation. I am not sure those requests brought down
your AP, unless they were in the order of tens/hundreds per second.
> I'd hate to apply filters that could potentially impede portal
> authentication for all clients, but having a small handful of misbehaving
> clients (whether intentional or not) crash the AP is also problematic.
>
> P.S. Thank you also for your answer to my question about chilli_query in the
> previous thread!
You are welcome!
Cheers,
Xabier Oneca_,,_
P.S.: Are you using public IP addresses for your clients? (Client
MAC=8C-84-01-XX-XX-XX assigned IP *101.209.43.124*)
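
The per-client limits discussed in this message, sketched as an added example that is not part of the original thread or of coova-chilli. It only prints the rules so they can be reviewed before being piped to `sh`. The interface `tun0`, the chain name `CHILLI_LIMIT` and the thresholds are assumptions; the thresholds should come from a load test of the AP.

```shell
#!/bin/sh
# Added example: generate iptables rules that cap TCP connections per
# client IP on the chilli tunnel interface. Nothing is applied here.
# Assumed names: tun0, CHILLI_LIMIT; thresholds are placeholders.

chilli_limit_rules() {
    iface=$1; max_conn=$2; new_per_sec=$3
    [ -n "$iface" ] || { echo "interface required" >&2; return 1; }
    # Accept only positive integers for both thresholds.
    for n in "$max_conn" "$new_per_sec"; do
        case $n in
            ''|*[!0-9]*|0)
                echo "thresholds must be positive integers" >&2
                return 1 ;;
        esac
    done
    # Allow short bursts (page loads open several sockets at once).
    burst=$((new_per_sec * 2))
    cat <<EOF
iptables -N CHILLI_LIMIT
iptables -A CHILLI_LIMIT -p tcp --syn -m connlimit --connlimit-above $max_conn --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A CHILLI_LIMIT -p tcp --syn -m hashlimit --hashlimit-name chilli_new --hashlimit-mode srcip --hashlimit-above $new_per_sec/second --hashlimit-burst $burst -j DROP
iptables -I INPUT -i $iface -j CHILLI_LIMIT
iptables -I FORWARD -i $iface -j CHILLI_LIMIT
EOF
}

# Dry run with placeholder thresholds: 200 concurrent connections and
# 50 new connections per second, per client IP.
chilli_limit_rules tun0 200 50
```

The rules match on source IP only, so they apply to authenticated and unauthenticated clients alike. The first rule caps concurrent connections, the second caps the rate of new ones.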