[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?

Xabier Oneca -- xOneca xoneca at gmail.com
Sun Feb 15 23:36:08 UTC 2015

2015-02-15 23:57 GMT+01:00 Ben West <ben at gowasabi.net>:
> Thank you, Xavier, for the tip about possible API calls from a wayward
> Android client.  I also couldn't Google anything meaningful about the
> filenames"apkupdate.php," etc and assumed the client was malicious.

Misbehaved App/user? It seems so. Malicious? Probably not. But if you
are not running PHP on that AP, I would not worry.

> Are there options for dealing with chilli clients who open many many many
> simultaneous connections, for whatever reason?  For example use iptables
> connlimit module to limit the number of new connections per unit time on
> unauthenticated clients?
> https://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable

Only on unauthenticated clients? Authenticated clients can also be
rogue. I would simply set the limit so high that normal clients will
never reach it. You should probably do a load test to see where's the
limit of the Nanostation. I am not sure those requests brought down
your AP, unless they were in the order of tens/hundreds per second.

> I'd hate to apply filters that could potentially impede portal
> authentication for all clients, but having a small handful of misbehaving
> clients (whether intentional or not) crash the AP is also problematic.
> P.S. Thank you also for your answer to my question about chilli_query in the
> previous thread!

You are welcome!


Xabier Oneca_,,_

P.S.: Are you using public IP addresses for your clients? (Client
MAC=8C-84-01-XX-XX-XX assigned IP **)

More information about the Chilli mailing list