Hello. I have two Ruckus R320 APs running 22.214.171.124.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.
I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.
This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?
Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?
Solved! Go to Solution.
I see. I'm pretty sure that I did do a factory reset on both, since I was installing new firmware on both devices, I remember getting the initial setup flow and everything.
So there's no way that the AP had configuration pushed to it? This MSM would have had to be configured the whole time?
For the NTP, both the URL are actually same resolving to same IP address 126.96.36.199.
For the captive.apple.com, The URL captive.apple.com <https://captive.apple.com/> is apple CNA (Captive Network Assistance) URL. It is different for Android and windows client devices.
When apple device connect to any captive portal enabled SSID, it auto pop-up the browser and try to access captive.apple.com <https://captive.apple.com/> to redirect to the portal's splash page. After successful authentication the client will be redirected to redirect captive.apple.com <https://captive.apple.com/> as the default start page configuration is "URL that the user intends to visit".
If you need to understand where is the actual request is coming from, then you can take the packet from the AP.
1. Go to Admin & Services > Administration > Diagnostics > Packet Capture.
2. For Radio, select 2.4 GHz or 5 GHz.
3. Under Currently Managed APs, select APs from the list and click Add to Capture APs.
4. Select Local Mode or Streaming Mode as the capture mode.
• To capture a limited snapshot on each AP, select Local Mode.
a. Click Start to begin capturing packets.
b. Click Stop to end the capture.
c. Click Save to save the packet capture to a local file.
• To stream the captured packets to Wireshark, select Streaming Mode.
a. Click Start to launch Wireshark.
b. Select Capture Options. Under Capture: Interface, select Remote. A Remote Interface dialog box is displayed.
c. Under Host, enter the IP address of the AP you want to view. Leave the Port field empty and click OK.
The remote host interface list on the right side is updated.
d. Select wifi0 or wifi1 from the list, depending on whether you are streaming on the 2.4-GHz or 5-GHz radio.
5. Click on Start.