Hallo,
we have this problem: we use 5GHz interface for 4 client and it working really good. But, some people from rivalry generating in 5GHz Mac address 1-4 times per second and he tried to connect to this interface, so it is impossible, (disabled def. auth.), but whet it takes about 10 minutes, the MT is going down or sometimes other interface doesn’t working (after disable and enable it is good). When I have enabled def.auth. the situation is the same. So, can you help me, how I can protect before this attack???
Perhaps a baseball bat and a couple of really big friends?
I don’t know the answer but that is a terrible thing to happen to you
Can you rate limit this somehow?
Have you tried an access list for the interface and set default-authentication=no? This might help some.
I have treid everything, this one too…
Now I have updated to MT 2.9.18 and it look’s better, maybe, I’m waiting to attack…
Hmmm. What about using 10MHz or 5MHz channels? NStreme? Short Preamble? Do you know what kind of gear these people are using?
How does the client send the MAC address? It must be possible to rate limit the connections that do this? I don’t know what protocol or port is responsable for this handshaking but you would think you could rate limit it to a certain ammount per second max?
actually a simple way would be to change and hide SSID and add or change WEP 128. This might stop the hacker being able to connect in the first place?
Our problem is not connecting, the connect is really imposible, but, if the pirat connect and disconnect 5times per second, the MT has big problem. We don§t really know why…
sadicek, client can’t connect to wireless access point, when you have ‘default-authentication=no’ for wireless interface.
Could you clarify your problem ? ‘the connect is really imposible, but, if the pirat connect and disconnect 5times per second’.
so: he try to connect---- it means he connect, and after, when mikrotik terminate the connectining, he change Mac, connect etc., etc. and MT is down…
Hi,
I have had a similar situation in a small town with 4 ISPs. Client radios from other ISPs were connecting/deauth/disconnecting from our AP not on purpose. Yet, that caused our Mikrotik to slow down and ping times to rise a lot. So, best thing to do, is to work it out through the access list, not by blocking the attacker, but by disabling default authenticate, and then in the access list allowing only your client Mac Addresses.
If your attacker is clever enough to clone your client Mac Addresses, then how many will he clone??? Remember there is Encryption Involved.
Don’t block his Macs. This will only add proccessor load, even if he changes his Mac to an unblocked one. Remember when you start allowing your clioents in the access list, you should also set the encryption individually for each client you allow.
By the way, if your attacker clones his Mac Addresses, try to get the proof or testimony of a few of your clients and nail your attacker’s A**.
Good Luck.
So it’s more like a brute force mac address buster!
There should be some way to rate limit this like with a DDOS attack and brute force password crackers! If not then really MT could see if it’s possible. there is no need for this fast auth attemps to be possible it seems to me and this is something we should all be worried about as in future more people will learn how to do this? genuine clients should authenticate no problem. Also what happens if 2 macs of the same try to connect at same time?
Please enable the wireless debug logging and make the support output file when the user is hacking your wireless AP. Then send that file to support@mikrotik.com