03-07-2023 02:15 PM - edited 03-07-2023 03:22 PM
Hello. I have two Ruckus R320 APs running 200.12.10.105.129. My router (a Firewalla Gold) notified me last night that the master AP started making requests every few minutes to umm1.exands.com:443, supposedly originating from the AP, and the endpoint being in China.
I did a bit of Googling about the endpoint and couldn't determine anything other than Exands seems to be a "network infrastructure operator". Once I blocked the endpoint, I started seeing umm1.exands.com:53 (DNS) requests instead (also being blocked by my router), similarly originating from the WAP.
This has concerned me, as if it could be malware, but I don't know how to investigate. If it were a plain Linux box, maybe I could use something like tcpdump to determine the process making the requests; I can SSH into it, but the Ruckus CLI is limited. Any advice before I wipe and reinstall the APs?
Aside: I notice the master AP is also making constant (seemingly every 2-3min) attempts to captive.apple.com for a long time. I believe that's a tactic used to determine if a device is on a captive network, but is that a feature of Unleashed?
03-07-2023 08:16 PM
@defect
"exands" is a specific customer. Probably the AP was holding the configuration. Probably you need to do a factory default and then load the firmware if you are using second-hand APs.
03-07-2023 10:05 PM - edited 03-07-2023 10:10 PM
I appreciate the detail, but I'm still confused; I do understand that captive.apple.com is how a device can check to see if it's behind a captive portal. I'm not running a captive portal, and more importantly: my router doesn't report _all_ traffic that happens to be traversing the access point (like web requests from my devices on wifi). It's reporting that connections to "captive.apple.com" are _originating_ from the AP. In other words, it's not that some Android or iOS device is checking that URL, at least if I'm interpreting this correctly.
What am I looking for in the dump in Wireshark to discern the source? I've looked at TCP and HTTP traffic before, but I haven't been able to find anything that would help me identify this CNA traffic.
03-07-2023 10:10 PM
Hi @defect
Even if the AP is not broadcasting a captive-portal-enabled SSID, the Apple client by default will send a query to the preconfigured URL captive.apple.com whenever it connects to the SSID.
Since the firewall is indicating that the source is the AP, we can take the capture on the AP to see the real source.
You can follow the steps mentioned to take the capture, or you can open a support case so that the TAC team can help you on this.
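One way to read such an AP-side capture for the question raised above (is the AP itself, or a bridged client, talking to these names?), as an added example that is not part of this thread or of Ruckus's tooling: it consumes the tab-separated export of real tshark fields and attributes each DNS query or TLS SNI by Ethernet source and IP source. The AP MAC and IP are placeholders to replace with the master AP's own values; the sample lines are constructed, not from a real capture.

```python
"""Attribute DNS queries and TLS ClientHello SNIs in an AP-side capture to the AP itself
or to clients bridged through it. Input is the tab-separated export produced by tshark:

  tshark -r ap.pcap -Y "dns.flags.response == 0 || tls.handshake.type == 1" \
      -T fields -e eth.src -e ip.src -e dns.qry.name -e tls.handshake.extensions_server_name
"""
from collections import defaultdict

# Placeholders (assumptions): the master AP's own MAC and management IP as shown on its CLI.
AP_MAC = "00:11:22:33:44:55"
AP_IP = "192.168.1.10"
# Names the router flagged in the thread; any query or SNI under these is counted.
WATCH = ("exands.com", "captive.apple.com")

def parse_line(line):
    """Split one tshark field line into (src_mac, src_ip, name); name is the DNS qname or SNI."""
    fields = line.rstrip("\n").split("\t")
    fields += [""] * (4 - len(fields))          # tolerate lines with fewer than four fields
    src_mac, src_ip, qname, sni = fields[:4]
    return src_mac.lower(), src_ip, (qname or sni).lower()

def attribute(lines):
    """Return {'ap': {name: count}, 'client': {(mac, ip): {name: count}}} for watched names."""
    report = {"ap": defaultdict(int), "client": defaultdict(lambda: defaultdict(int))}
    for line in lines:
        if not line.strip():
            continue
        src_mac, src_ip, name = parse_line(line)
        if not name or not name.endswith(WATCH):
            continue
        # A bridging AP forwards client frames with the client's own MAC as eth.src, so only
        # frames whose Ethernet source AND IP source are both the AP's were generated by the AP.
        if src_mac == AP_MAC and src_ip == AP_IP:
            report["ap"][name] += 1
        else:
            report["client"][(src_mac, src_ip)][name] += 1
    return report

# Constructed sample export (not a real capture): three AP-originated lookups, two from a phone.
SAMPLE = """\
00:11:22:33:44:55\t192.168.1.10\tumm1.exands.com\t
aa:bb:cc:dd:ee:01\t192.168.1.57\tcaptive.apple.com\t
00:11:22:33:44:55\t192.168.1.10\t\tumm1.exands.com
00:11:22:33:44:55\t192.168.1.10\tcaptive.apple.com\t
aa:bb:cc:dd:ee:01\t192.168.1.57\tupdates.example.net\t
"""

if __name__ == "__main__":
    result = attribute(SAMPLE.splitlines())
    print("AP itself:", dict(result["ap"]), "| clients:", {k: dict(v) for k, v in result["client"].items()})
```

Entries under "AP itself" are the ones to treat as the AP's own behaviour; everything else is client traffic the AP merely bridged, which is what a router reporting by the AP's MAC cannot tell apart.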
03-07-2023 10:14 PM
I understand that the CNA URL will be accessed. And it would make sense if my router was reporting that my mobile devices were accessing it, but the source of the connections is the master AP's MAC address. That's what is confusing me.
I did perform a capture per your instructions but I'm having trouble interpreting. I'll see if I can get help via support ticket, thanks for your time.
03-07-2023 10:16 PM
Hi @defect
Sure, let me know the case number once you create it.
03-07-2023 10:26 PM
Case number is 01444881