flipping between MAC hotspots

What does it usually mean if I connect to one MAC unsecured AP of unknown
origin and in the middle of browsing my connection flips to another
unsecured MAC with same SSID name? For example, surfing
associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
yy:yy:yy:yy HOTSPOT Is this a hacking attack?

On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
<(E-Mail Removed)> wrote:

>What does it usually mean if I connect to one MAC unsecured AP of unknown
>origin and in the middle of browsing my connection flips to another
>unsecured MAC with same SSID name? For example, surfing
>associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>yy:yy:yy:yy HOTSPOT Is this a hacking attack?

It means that you are hearing more than one access point with the same
SSID. For example, the local hospital has something like 20 access
points, all with SSID="CHS" (Catholic Healthcare West), but each with
a different MAC address. If your computah can do seamless roaming
(802.11r or WISPr 2.0), it will constantly switch between access
points, and therefore between MAC addresses, as you move around.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

Jeff Liebermann wrote:
> On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
> <(E-Mail Removed)> wrote:
>
>> What does it usually mean if I connect to one MAC unsecured AP of unknown
>> origin and in the middle of browsing my connection flips to another
>> unsecured MAC with same SSID name? For example, surfing
>> associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>> yy:yy:yy:yy HOTSPOT Is this a hacking attack?
>
> It means that you are hearing more than one access point with the same
> SSID. For example, the local hospital has something like 20 access
> points, all with SSID="CHS" (Catholic Healthcare West), but each with
> a different MAC address. If your computah can do seamless roaming
> (802.11r or WISPr 2.0), it will constantly switch between access
> points, and therefore between MAC addresses, as you move around.
>
>
Is that good? Does it mean the new spot has a better connection?

In article <(E-Mail Removed)>,
LouB <(E-Mail Removed)> wrote:

> Is that good? Does it mean the new spot has a better connection?

Not _better_ necessarily, but equal.
--
one more silver dollar
weed whites and wine
there's no smokin' anywhere
You made me this way asshole

On Thu, 31 Mar 2011 12:11:28 -0400, LouB <(E-Mail Removed)> wrote:

>Jeff Liebermann wrote:
>> On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
>> <(E-Mail Removed)> wrote:
>>
>>> What does it usually mean if I connect to one MAC unsecured AP of unknown
>>> origin and in the middle of browsing my connection flips to another
>>> unsecured MAC with same SSID name? For example, surfing
>>> associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>>> yy:yy:yy:yy HOTSPOT Is this a hacking attack?
>>
>> It means that you are hearing more than one access point with the same
>> SSID. For example, the local hospital has something like 20 access
>> points, all with SSID="CHS" (Catholic Healthcare West), but each with
>> a different MAC address. If your computah can do seamless roaming
>> (802.11r or WISPr 2.0), it will constantly switch between access
>> points, and therefore between MAC addresses, as you move around.

>Is that good?

Yes.

>Does it mean the new spot has a better connection?

Yes. There are various algorithms for selecting the "best" wireless
access point. Signal strength is unfortunately the most common, and
the least useful. The strongest signal may also have the worst SNR
(signal to noise ratio), and therefore the worst thruput. The one's
that work (per 802.11r) is the best SNR. Criteria for switching is
that that the current connection either disappears, the SNR is too
high, or the connection speed drops below a preset speed. Seamless
roaming does even better by switching access points up to several
times per second. It will also act opportunistic, and pre-connect to
several available access points just in case it has to switch rapidly.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

On Thu, 31 Mar 2011 13:58:34 -0700, Jeff Liebermann <(E-Mail Removed)>
wrote:

I forgot to mumble that you can see the currently connected MAC
address in Vista and Windoze 7 with:
wlan show networks mode=bssid
BSSID is the same thing as the MAC address.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Thu, 31 Mar 2011 12:11:28 -0400, LouB <(E-Mail Removed)> wrote:
>
>>Jeff Liebermann wrote:
>>> On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
>>> <(E-Mail Removed)> wrote:
>>>
>>>> What does it usually mean if I connect to one MAC unsecured AP of
>>>> unknown origin and in the middle of browsing my connection flips to
>>>> another unsecured MAC with same SSID name? For example, surfing
>>>> associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted
>>>> to yy:yy:yy:yy HOTSPOT Is this a hacking attack?
>>>
>>> It means that you are hearing more than one access point with the
>>> same SSID. For example, the local hospital has something like 20
>>> access points, all with SSID="CHS" (Catholic Healthcare West), but
>>> each with a different MAC address. If your computah can do seamless
>>> roaming (802.11r or WISPr 2.0), it will constantly switch between
>>> access points, and therefore between MAC addresses, as you move
>>> around.
>
>>Is that good?
>
> Yes.
>
>>Does it mean the new spot has a better connection?
>
> Yes. There are various algorithms for selecting the "best" wireless
> access point. Signal strength is unfortunately the most common, and
> the least useful. The strongest signal may also have the worst SNR
> (signal to noise ratio), and therefore the worst thruput. The one's
> that work (per 802.11r) is the best SNR. Criteria for switching is
> that that the current connection either disappears, the SNR is too
> high, or the connection speed drops below a preset speed. Seamless
> roaming does even better by switching access points up to several
> times per second. It will also act opportunistic, and pre-connect to
> several available access points just in case it has to switch rapidly.


When mine does that some of the access points are open and allow me to
surf, while others are blocked and do not allow any data to transfer.
In my case one is set for WEP and the others are NONE. There's about 3-4
of them I can surf through 2, but the others associate but won't allow
data transfer. Is this a firewall thing or what?

On Fri, 1 Apr 2011 00:51:55 +0000 (UTC), FredFlintstone
<(E-Mail Removed)> wrote:

>When mine does that some of the access points are open and allow me to
>surf, while others are blocked and do not allow any data to transfer.
>In my case one is set for WEP and the others are NONE. There's about 3-4
>of them I can surf through 2, but the others associate but won't allow
>data transfer. Is this a firewall thing or what?

Are all these assorted access points owned by one vendor or company?
In order for seamless roaming (802.11r) to work, the various access
points need to be connected on some kind of common backbone, in order
to pass the connection from one AP to another AP. It's generally
understood that they also must have the same SSID.

My guess(tm) is that your random assortment of AP's are not owned by
one vendor or company, and that what you're seeing is just the usual
assortment of AP's owned by different people. Seamless roaming won't
work for such systems. You have to manually switch connections.

However, I'll guess that your unspecified operating system is
automatically connecting to the first open access point it can find.
This is convenient for some users, but not always desireable. You can
disable this behavior somewhere in the wireless settings.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Fri, 1 Apr 2011 00:51:55 +0000 (UTC), FredFlintstone
> <(E-Mail Removed)> wrote:
>
>>When mine does that some of the access points are open and allow me to
>>surf, while others are blocked and do not allow any data to transfer.
>>In my case one is set for WEP and the others are NONE. There's about
3-4
>>of them I can surf through 2, but the others associate but won't allow
>>data transfer. Is this a firewall thing or what?
>
> Are all these assorted access points owned by one vendor or company?
> In order for seamless roaming (802.11r) to work, the various access
> points need to be connected on some kind of common backbone, in order
> to pass the connection from one AP to another AP. It's generally
> understood that they also must have the same SSID.

Thanks much for your good replies.
I have no idea who owns these. All I know is that they have the same
SSID/name of AP. The switching SEEMS to follow a pattern, i.e.- xx
switches to cc or dd, yy also switches to cc or dd.


>
> My guess(tm) is that your random assortment of AP's are not owned by
> one vendor or company, and that what you're seeing is just the usual
> assortment of AP's owned by different people. Seamless roaming won't
> work for such systems. You have to manually switch connections.

Nope it's happening on the fly without any input. I wonder if someone is
injecting packets to try to capture my data stream by changing the
associated MAC? I recently found a trojan on my machine and am pretty
sure this came from the wifi since I always check any software and am
careful not to open attachments and some email. Could possibly have come
from a web page maybe, but I don't use Internet Explorer and usually
have javascript off. Also I notice that frequently I can associate
with good signal strength (if you can believe those adapter card client
software readouts) but my data slows to a crawl. When I change my MAC
and other config settings, I am back up again with good data speeds.
I am thinking this could possibly be a honeypot, but I have all file
transfer protocols deleted and am running pretty restrictive software
firewall settings. I frequently get "destination unreachable" alerts on
chat connections, but the login goes through and I am able to chat.

>
> However, I'll guess that your unspecified operating system is
> automatically connecting to the first open access point it can find.
> This is convenient for some users, but not always desireable. You can
> disable this behavior somewhere in the wireless settings.


Using the manager that came with the adapter card REALTEK under XPsp2.
It's kind of annoying because the other MAC it keeps switching to often
break my data connections and I have to manually try to reestablish
connection with the MAC that works. Is there a third party program I can
use that will disallow association from certain MACs?

On Thu, 31 Mar 2011 14:01:51 -0700, Jeff Liebermann <(E-Mail Removed)>
wrote:

>On Thu, 31 Mar 2011 13:58:34 -0700, Jeff Liebermann <(E-Mail Removed)>
>wrote:
>
>I forgot to mumble that you can see the currently connected MAC
>address in Vista and Windoze 7 with:
> wlan show networks mode=bssid

Oops. It should be:
netsh wlan show networks mode=bssid
Sorry(tm).

>BSSID is the same thing as the MAC address.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS