spoofing Hot Spot Mac Address

Hello All,

I have a problem where my hot spot users scan the network and get the MAC address of my access points and put it on their own PCs, causing the whole network to go down. I have done some reading but there seems to be no explicit resolution of this problem. Any ideas?

Reply to
mustafa.badawi

There's no real way to prevent this. This, however, should be seen as a malicious attack. I'd take the following action:

1) Find out what MAC was online immediately prior to going offline. (If you're not doing RADIUS authentication, you should)

2) Block that MAC.

3) Someone will call if they are having a problem.

Chris

Reply to
NetSteady

"snipped-for-privacy@gmail.com" hath wroth:

Nope. Someone is probably trying to do a "man in the middle" attack and is doing it rather badly. They're trying to poison the ARP cache in the router, without affecting the router's normal operation. By also spoofing the MAC address of the router, they've goofed badly. It can also be a badly written ARP flood tool designed to crack WEP systems. Even if you're not running WEP, some clueless idiot might be running the tool.

If you sniff the traffic, you'll probably see a flood of ARP broadcasts and/or replies. Grab the source MAC address as that's your culprit. It might also be spoofed, but this attack sounds like the perpetrator is clueless. You might be able to identify the maker of the wireless device from the MAC address.

To do a successful "man in the middle" attack, the perpetrator would also need to be in range of both your access point and their intended victims, which means they're probably very close to the hot spot. If your unspecified model access points have any monitoring capabilities, you should check the signal strength of the source MAC address to get a rough idea of their location.

Meanwhile, you should set up "AP isolation" or "client isolation" (same thing) in your unspecified model hot spot access points. It will prevent clients from seeing each other via your access points. It will not prevent such attacks, but will ruin a large series of other possible attacks.

Reply to
Jeff Liebermann

The main issue is that someone is trying to stop my hot spot network by simply causing a MAC address conflict with the access point. From what I gather from the above replies, this is unavoidable but can be cured by blocking the MAC address of the attacker each time he tries to do that. I have a different plan in mind to avoid such attacks and I would like your opinions on it. I intend on reserving a /30 subnet for each client; that way the client cannot get to the access point's MAC or IP address. Would that work?

Reply to
mustafa.badawi

"snipped-for-privacy@gmail.com" hath wroth:

That's correct. With a duplicate MAC address, the client has no way to distinguish between the real access point and a fake access point.

I don't see how that would help. Having a mess of IP addresses all piled onto the one MAC address for the access point isn't going to do anything. This problem needs to be solved on the MAC level.

You have not described any of your existing hardware or topology, so I can't offer any specific advice. I'm very suspicious of your theory that someone is maliciously attacking your system. I've heard such DoS stories before and invariably find that there is some obscure misconfiguration or setup issue causing the problem. One of my hot spot customers had someone explain how they could "take over" a hot spot with various hacker tools. From that point on, every problem they had with the wireless was presumed to be a hacker attack. When someone accidentally unplugged an Ethernet cable, the failure was initially presumed to be a hacker attack.

I also have a guess as to what's happening. Do you have two wireless routers in series as in double NAT? If so, did you "clone" the MAC address of one router with the other?

If you want any further help, please disclose exactly how you determined that you're being attacked and some clues as to your hardware and setup.

Reply to
Jeff Liebermann

It is a DLINK access point with a Mikrotik hot spot server. The idea is very simple: just change your PC's MAC address to that of the access point's and the network is dead. I have tried it myself. It is not someone trying to hack into the network or do a MIM attack. It is just someone trying to stop the network. Is there any way around this?

Reply to
mustafa.badawi

"snipped-for-privacy@gmail.com" hath wroth:

No way to stop it that I know about. The MAC addresses are exposed to the world and are not encrypted. Therefore, encryption and IP layer tinkering will do nothing. You could possibly change your unspecified model DLink access point MAC address, or just try a different access point, but that's not a permanent fix.

Again, I suggest you verify that you are really being attacked and that you are not dealing with a configuration problem. Set up a wireless sniffer that will sniff clients (Kismet) as well as APs. Make sure you can see the attacker's packets. Then, just power off your access point. If the attacker's packets (SSID broadcasts, retransmissions, etc.) with your source MAC address are still there, you are being attacked. If not, your hot spot is broken or misconfigured.

There's also the option of finding the culprit. Reduce your access point signal strength (antenna attenuator) to force the attacker to raise theirs. Then, go transmitter hunting with a directional dish antenna.

Your unwillingness to provide system specifics and pursue configuration issues makes me very suspicious. Are you sure it is you that is being attacked, or are you planning to attack a hot spot?

Reply to
Jeff Liebermann
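
As an added illustration of the sniffing checks Jeff describes above and earlier in the thread (this is not code from the thread or from any poster; the AP MAC, the power-off time and the captured frames are all constructed), a small Python analysis of a capture: it flags a MAC that claims more than one IP, an ARP reply burst from one source, and frames that still carry the AP's MAC after the AP has been unplugged.

```python
from collections import defaultdict

# Constructed sample capture (not from the thread): (seconds, source MAC, frame kind, detail).
# For "arp" frames detail is the sender IP the reply claims; for "beacon" it is the SSID.
AP_MAC = "02:00:00:aa:bb:cc"        # placeholder for the real access point MAC
AP_POWERED_OFF_AT = 30.0            # when the operator pulled the AP's plug
FRAMES = [
    (1.0, AP_MAC, "beacon", "hotspot"),
    (2.0, AP_MAC, "arp", "10.0.0.1"),                 # genuine AP answering for its own IP
    (5.0, "02:00:00:dd:ee:ff", "arp", "10.0.0.23"),   # ordinary client
    (6.0, AP_MAC, "arp", "10.0.0.77"),                # AP's MAC now claiming a client address
    (6.1, AP_MAC, "arp", "10.0.0.77"),
    (6.2, AP_MAC, "arp", "10.0.0.77"),
    (6.3, AP_MAC, "arp", "10.0.0.77"),
    (31.0, AP_MAC, "beacon", "hotspot"),              # AP is off, yet its MAC keeps beaconing
    (32.0, AP_MAC, "arp", "10.0.0.77"),
]

def arp_conflicts(frames):
    """MACs that claim more than one IP, and IPs claimed by more than one MAC."""
    ips_by_mac, macs_by_ip = defaultdict(set), defaultdict(set)
    for _, mac, kind, ip in frames:
        if kind == "arp":
            ips_by_mac[mac].add(ip)
            macs_by_ip[ip].add(mac)
    return ({m: sorted(v) for m, v in ips_by_mac.items() if len(v) > 1},
            {i: sorted(v) for i, v in macs_by_ip.items() if len(v) > 1})

def arp_flooders(frames, window=1.0, threshold=3):
    """Sources sending more than `threshold` ARP replies inside any `window` seconds."""
    times = defaultdict(list)
    for t, mac, kind, _ in frames:
        if kind == "arp":
            times[mac].append(t)
    hits = set()
    for mac, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            if sum(1 for t in ts[i:] if t - start <= window) > threshold:
                hits.add(mac)
                break
    return sorted(hits)

def frames_after_power_off(frames, mac=AP_MAC, t_off=AP_POWERED_OFF_AT):
    """Jeff's test: anything from the AP's MAC after the AP is unplugged is not the AP."""
    return [f for f in frames if f[1] == mac and f[0] > t_off]

def oui(mac):
    """First three octets (the IEEE-assigned vendor prefix) for a registry lookup."""
    return mac.upper()[:8]

if __name__ == "__main__":
    print(arp_conflicts(FRAMES), arp_flooders(FRAMES), frames_after_power_off(FRAMES), oui(AP_MAC))
```

A real run would feed frames from a monitor-mode capture in place of the constructed list; the power-off check is the one that separates a duplicate-MAC attack from a misconfigured AP.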

that I know about. The MAC addresses are exposed to

Reply to
mustafa.badawi

"snipped-for-privacy@gmail.com" hath wroth:

Ok, I'll stop being suspicious. However, I do want to know the model number, hardware version, and possibly firmware version of the Dlink access point. Some of those are rather marginal. Also, some clue as to the symptoms of this alleged attack (without your intentional duplicate MAC testing).

It won't solve the problem. However, it might identify the problem. I'm still not convinced that he has a hacker problem. It could be a configuration issue. By changing the access point, he automatically gets a new MAC address. The alleged attacker is probably not monitoring his activities continuously. Therefore, when you change access points, there will be a period where everything is supposed to be working because your attacker is spoofing the wrong MAC address. That can't last forever as the attacker could easily change his MAC address to compensate, but in the meantime, you'll have some time to determine if it's an attack or a configuration problem. If changing the access point magically solves the problem for a while, you have an attacker (or a broken AP). If it's still acting funny after changing the access point, it's something wrong in the AP or router config. It's possible that the attacker has some kind of intelligent script that follows MAC address changes, but that's rather improbable. (Don't forget to power cycle the router so it learns the new LAN MAC address of the AP when juggling hardware.)

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.