arp & mitm Problem

Hello all
I use a MikroTik Hotspot and an open wireless AP (NanoStation M2) to deliver the Internet to customers.
There are people who penetrate the network using programs like netcut, Fing and other spoofing programs.
The penetrator changes his MAC address to a customer's MAC address.
Is there a solution to prevent spoofing programs from showing the customers' MAC addresses?

Hi
For anti-ARP-spoofing you can change your IP prefix to /32.
Example: 192.168.1.1/32, and on your M2 try client isolation.

No, there is really nothing you can do about this.
When running open wireless with portal authentication you are invariably running this risk.

Another way: disable the address pool on the hotspot servers.

ErfanDL: your replies are irrelevant. You probably refer to using the network from unregistered
clients but these replies are not relevant to MAC spoofing.

When you want to take some countermeasures against users using an IP not obtained via DHCP or
sending unsolicited ARP replies to confuse the router, there are possibilities in RouterOS
(enable “add arp entry for leases” in DHCP and set arp mode to “reply-only” for interfaces) but this
has zero effect when MAC is spoofed.

Some mobile phones do not get Internet in a /32 subnet.

OK.
Let's start with the cause of the problem:
spoofing programs like Fing and netcut.
What protocol is used by these programs?
I mean, should I prevent the program itself or the protocol it uses?
The other thing:
Can I prevent a client from changing his MAC?
Or can it be discovered that he has changed his MAC, and then block him from entering the network?
For example, by binding a MAC to a host name for all client mobiles?

These programs set the address of the malicious user to the same as the legitimate client.
It is not as much a protocol as it is just sabotage of the system.
The address (and especially the MAC address) is the unique identifier of the device in the 802.11
protocol, and when two users have the same address it will break down.
There is nothing you can do about that other than finding those people and knocking them off
your territory.
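The two RouterOS settings mentioned earlier in the thread ("add ARP entry for leases" and arp mode "reply-only") amount to two checks: does an ARP reply's IP/MAC pair match the DHCP lease table, and was the reply solicited at all? The script below is an added example, not code from the thread or from MikroTik, that runs those two checks in software over a constructed lease table and a constructed trace of ARP packets, so you can see exactly what netcut-style poisoning looks like and, just as importantly, what it does not catch.

```python
"""Flag netcut-style ARP poisoning against a DHCP lease table.

Added example (not from the forum thread). The lease table, the packet
trace format and the sample trace are all constructed for illustration.
"""
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "ts op sender_mac sender_ip target_mac target_ip")

# Constructed DHCP lease table (IP -> MAC), as the hotspot router would hold it.
LEASES = {
    "10.5.50.1": "aa:bb:cc:00:00:01",   # the gateway itself
    "10.5.50.10": "aa:bb:cc:00:00:10",  # customer 1
    "10.5.50.11": "aa:bb:cc:00:00:11",  # customer 2
}

# Constructed ARP trace, one packet per line:
#   <seconds> <request|reply> <sender_mac> <sender_ip> <target_mac> <target_ip>
SAMPLE_TRACE = """\
1.0 request aa:bb:cc:00:00:10 10.5.50.10 ff:ff:ff:ff:ff:ff 10.5.50.1
1.1 reply aa:bb:cc:00:00:01 10.5.50.1 aa:bb:cc:00:00:10 10.5.50.10
5.0 reply de:ad:be:ef:00:99 10.5.50.1 aa:bb:cc:00:00:10 10.5.50.10
5.1 reply de:ad:be:ef:00:99 10.5.50.11 aa:bb:cc:00:00:10 10.5.50.10
9.0 reply aa:bb:cc:00:00:11 10.5.50.11 aa:bb:cc:00:00:01 10.5.50.1
"""


def parse_trace(text):
    """Turn the constructed trace format into ArpPacket records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, smac, sip, tmac, tip = line.split()
        packets.append(ArpPacket(float(ts), op, smac.lower(), sip, tmac.lower(), tip))
    return packets


def check_arp(packets, leases, request_window=2.0):
    """Return a list of (ts, reason, packet) findings.

    Two checks, mirroring the two RouterOS settings from the thread:
    * binding: a reply whose sender IP/MAC pair does not match the lease
      table (someone claiming a customer's or the gateway's IP);
    * unsolicited: a reply not preceded by a request for that IP within
      `request_window` seconds (what arp=reply-only refuses to learn from).

    Limitation, as the thread says: if the attacker clones the victim's
    MAC *and* IP exactly, both checks pass; nothing at this layer can
    tell the two radios apart.
    """
    findings = []
    pending = {}  # target_ip -> ts of the most recent request for it
    for p in packets:
        if p.op == "request":
            pending[p.target_ip] = p.ts
            continue
        if p.op != "reply":
            continue
        expected = leases.get(p.sender_ip)
        if expected is None:
            findings.append((p.ts, "reply for IP with no lease", p))
        elif expected.lower() != p.sender_mac:
            findings.append((p.ts, "IP/MAC binding mismatch (poisoning?)", p))
        asked = pending.get(p.sender_ip)
        if asked is None or p.ts - asked > request_window:
            findings.append((p.ts, "unsolicited reply", p))
    return findings


if __name__ == "__main__":
    for ts, reason, pkt in check_arp(parse_trace(SAMPLE_TRACE), LEASES):
        print(f"t={ts:5.1f}  {reason:38s} {pkt.sender_mac} claims {pkt.sender_ip}")
```

In the sample trace the first request/reply pair is a normal gateway lookup and produces no finding; the two replies at t=5.0 and t=5.1 from `de:ad:be:ef:00:99` claiming the gateway's and customer 2's IPs are flagged on both checks, and the legitimate but unrequested reply at t=9.0 is flagged only as unsolicited. A reply from a device that has copied customer 1's MAC and IP outright would produce no finding at all, which is the point the thread makes about MAC spoofing on an open network.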

The only way to prevent this is to use encrypted wireless.

Think about it for a moment - devices don’t have “voices” that can be recognized, right? It’s just a pulse of RF energy… and if that pulse contains a MAC address, then there is no way in the world you can determine which physical radio sent the pulse other than doing things like triangulating the signal and noticing where it actually came from… and WiFi isn’t generally set up to be that sophisticated…

So - the point is, since the wireless is open, there is nothing to stop anyone from setting any MAC address they want onto any device they want and sending any traffic they want.
The only way to stop this is to authenticate the clients at the WiFi layer using either preshared key or EAP… As Scotty said: “I canna change the laws of physics.”

One idea would be to have an open network that only works for signup purposes, after which, users authenticate to an encrypted SSID using the credentials they created on the open network.

I think even encrypted wireless will not fix this… the MAC addresses are not encrypted and people
can just send disconnect commands and effectively deny all service.

This problem is not impossible, as you say.
There is a solution to it: give each customer a different address.
Example: customer no. 1's address is 12.134.65.3,
customer no. 2's is 171.152.33.4.
This method works by adding different addresses for each customer in the address pool.

This method has been tried and has worked successfully,
but it suffers from slow communication between the client and the access point.
I had thought that you would advise me by virtue of your experience, but I discovered that you do not have enough experience.
On the whole, thank you very much.

One thing you can do to limit the ability of one malicious user to ARP poison other users (netcut, rogue DHCP, etc.) is to enable client isolation in your AP.
At least this way, the AP will not forward the poisoned ARP reply from the bad user towards the victim user.

As for specifying client IP addresses, I don’t see how that can possibly help. What is to stop a bad actor from simply sniffing the wireless traffic and spoofing any client they choose?
Since the traffic is un-encrypted, it would be trivial to do so.

I’m not saying that you must come up with an encrypted hotspot solution. We all know that the goal of a hotspot is to make it easy for any novice user to simply connect to the SSID and go online. However, the trade-off is that security is much worse on open wireless networks because everything is being broadcast in the clear. Anyone with an antenna can easily view this traffic and do something bad.

Basically, your question relates to access-layer security, and by its very nature, open wireless is NOT secure at the access layer.

thank you bro