Hotspot DHCP offering leases by MAC Address Generator

An anonymous user has tried to connect to the hotspot system by using software which generates MAC addresses continuously. I don’t know how to block it.

 system resource print 
                   uptime: 3h27m52s
                  version: 6.36 (stable)
               build-time: Jul/20/2016 14:09:10
              free-memory: 63.4MiB
             total-memory: 128.0MiB
                      cpu: MIPS 74Kc V4.12
                cpu-count: 1
            cpu-frequency: 600MHz
                 cpu-load: 6%
           free-hdd-space: 78.1MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 13068
         write-sect-total: 15671688
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB951Ui-2HnD
                 platform: MikroTik

Enable WPA2 with a pre-shared key (password).

Hi,

Thanks for your advice. It could be a solution and the network becomes more secure. The problem is the user should input the password to connect to the AP and they must log in to the hotspot system too. This will give bad feedback for most users.

When you leave your front door unlocked all the time it will give a good experience for nice people who want to visit you.
Unfortunately it also gives an opportunity for bad guys who want to steal your belongings.
In a good neighborhood the open-door policy may work, but apparently in the network world you live in a bad neighborhood and you need to lock your door, or the bad people will sabotage your network.
The “bad feedback for most of the users” is the price you have to pay.

There might be a solution:

  1. Create an insanely big DHCP IP-Pool for your Hotspot Service, like: 10.0.0.2 - 10.255.255.254
  2. Reduce the lease-times to something like an hour or so.
  3. Run the DHCP-Service on a Router with powerful CPU.
  4. Apply Rate-Limiting to DHCP-Requests per AP or Client.

That may work against this particular attack, but the bad neighbor will find another way to sabotage the network.
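As an added example (not part of the thread and not RouterOS code), the sketch below shows how the per-AP view behind step 4 can be monitored: it counts never-before-seen client MACs per interface in a sliding window and reports the interface where the churn exceeds a threshold. The log format, interface names, MAC values and the threshold of 5 new MACs per 60 seconds are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed DHCP request log (hypothetical format, not RouterOS output):
    '<ISO time> <interface> <client MAC> discover'."""
    base = datetime(2016, 8, 1, 12, 0, 0)
    lines = []
    for i in range(3):            # wlan1: three guests, each asks twice
        for rep in range(2):
            t = base + timedelta(minutes=4 * i + rep)
            lines.append(f"{t.isoformat()} wlan1 aa:bb:cc:00:00:{i:02x} discover")
    for i in range(20):           # wlan2: a different MAC every second
        t = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{t.isoformat()} wlan2 02:00:00:00:01:{i:02x} discover")
    return sorted(lines)          # ISO timestamps sort chronologically

def detect_mac_churn(lines, window=timedelta(seconds=60), max_new_macs=5):
    """Return {interface: {"first_alert": time, "peak": count}} for every
    interface that showed more than max_new_macs new MACs inside window."""
    seen = defaultdict(set)       # interface -> every MAC seen so far
    recent = defaultdict(deque)   # interface -> times of recent first sightings
    findings = {}
    for line in lines:
        ts_text, iface, mac, _event = line.split()
        ts, mac = datetime.fromisoformat(ts_text), mac.lower()
        if mac in seen[iface]:
            continue              # repeat requests from a known client are normal
        seen[iface].add(mac)
        q = recent[iface]
        q.append(ts)
        while ts - q[0] > window: # drop first sightings older than the window
            q.popleft()
        if len(q) > max_new_macs:
            hit = findings.setdefault(iface, {"first_alert": ts, "peak": 0})
            hit["peak"] = max(hit["peak"], len(q))
    return findings

if __name__ == "__main__":
    for iface, hit in detect_mac_churn(build_sample()).items():
        print(iface, hit["first_alert"].isoformat(), "peak new MACs:", hit["peak"])
```

On a busy site the threshold has to sit above the normal arrival rate of guests, since phones that randomize their MAC per network also show up as new clients.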

Understood.
Sometimes we want to always keep the door open for anyone who wants to visit, without knowing whether he’s a good person or not. I am just looking for another way to keep the door open to anyone and minimize the disruption that will occur.

Is this a local (indoor or on-terrain) WiFi or is it a wide-range installation with clients kilometers away?

Hi,
It’s like inside the rooms, and there are also some public areas, such as a hotel, resort or villa has.

You can only hope that those attacks are only made infrequently by guests you happen to have at that time and who think it is fun to destroy the hotel WiFi.
When it does not occur too often, it could be acceptable. When it happens all the time, you have a big problem.
Using a WPA2 key and displaying it at the front desk is not going to cover that, as your guest still can do nasty things (although not as much as when the WiFi is fully open).

WiFi was really designed for cooperative use; there is almost no protection against this kind of DoS.