I have a router board rb100ah x2 as a server and using usermanager but i have a big problem that hackers are using some programs like netcut for windows and eznetsan for android to hack my network bypassing my hotspot to get free internet. the way they use that they connect to any of my access points and run theses programs which give them all the clients devices mac addresses then they change their mac to the client mac and by that they get free internet.
Can,t mikrotik find a way to protect the clients mac to be shown to anybody like that easily ???
Please help
detect netcut users
/ip firewall layer7-protocol
add name=detect regexp=“^.+(arcai.com|netCut)”
/ip firewall mangle
add action=add-src-to-address-list address-list=netcutuser address-list-timeout=3d chain=prerouting layer7-protocol=detect
and ban their macs on dhcp and bridge firewall with a script
review this analysis
http://forum.mikrotik.com/t/no-ip-scanners-nomore-updated/110846/5
It is not possible to avoid that. The router has no way to know if the paying user is connecting with their MAC, or someone who copied that MAC.
When you have a prevalence of foul people in your neighborhood, it really is not possible to run a paid WiFi system this way.
The crooks will always be able to either hijack your system to use it for free, or to deny access to the paying users forcing you to give up your business.
deal with the root reason which is network arp sweeps and icmp scans to reveal the connected macs
if you blocked the scan process then you solve the root of this problem,
Sorry libyatik you lack the basic understanding of the problem and your solution is not a solution.
Banning MAC addresses is going to lock out your paying users alongside with the attackers… NOT a solution.
the ban process is for scanners not network legit users (firewall filter) and its not a permanent ban rather than a traffic block
I don’t understand why mikrotik doesn’t have client isolation where every client cannot see other clients information
There is no way to tell the difference between legitimate users and users spoofing MAC addresses of legitimate users,
same for IP addresses. Scanning MAC addresses of legitimate users can be done passively, no way to tell that someone is doing that.
the question here is why should it must be that easy to discover the clients mac addresses by hackers so that they can copy them ???
there must be away that we could hide them from everybody
It is so because it is defined that way in the 802.11 WiFi standard which was not designed to handle foul users.
The MAC addresses are always sent in the clear even when the data itself is encrypted…
When you use encryption it is somewhat more difficult for foul users to take over the bandwidth bought by paying users,
but they can still disconnect the paying users and leave them without service.
When you want to use an open “hotspot” setup without WPA2 key and everybody log on to a portal page, the system
is essentially wide open to abusers and other foul play.
When you have a “closed” system with fixed users connecting to an access point, at least implement WPA2 encryption
so the sessions are not so easy to take over. But they still can be disconnected.
so do you advice me to stop searching for a solution ? and can firewall filters do something or not ? and the last question shouldn’t mikrotik update their system to make it more secure for hotspot ??
That’s how an open system is supposed to work: Open. And there is no way to hide them as long the system is open.
It is your choice to keep it open, and there is nothing you can do against it, unless you close it.
And you can wait for 1000 updates, open systems will remain open and anyone could sniff them.
so what is the purpose of hotspot if anyone can hack it man ??? hotspot should close what you call an open system.
the filter works before the spoof happens
a hacker must scan a network to collect macs here is where the prevention acts (!=packets sniffing)
Nope. All you have to do is receive. If you never transmit, there is no way to detect it.
Hotspot works fine in an environment where the users are honest.
Normally in a small room e.g. a restaurant you can use it to allow the visitors to use internet.
When you put the accesspoint on the roof and have the entire neighborhood use it via outdoor WiFi, hotspot is really not
the way to do it, because there is more chance that you have hackers. You can use 802.1x authentication with username/password
which will put encryption on the links (WPA2-EAP with MSCHAPv2) but it is not really secure either. The determined hackers
will be able to hack it anyway. at least to the point where they can disconnect your paying users. Taking over the connection
is more difficult but it is possible.
that statement holds true in traffic sniffing not network scans where its all request and response
You have to understand that radio waves are not selectively addressed and can be received by anyone in the range of that AP, and there is no way around this. Everyone can sniff an AP’s full traffic, no matter what (and some time the client’s traffic, too, but this is not relevant in this discussion).
As long as a data packet is transmitted, there is no way to shield it so that it is not to be received by an arbitrary in range receiver.
The purpose of a hotspot is to allow an open access with minimal management overhead. If you want privacy and security, use encryption.
BTW, no one stops you to run a hotspot over an encrypted access, and to hand out access keys to your legitimate users.
Or switch over to some other encrypted solution with an per user password management.
You do not need to connect anywhere find out the users MAC addresses. Sniffing the unencrypted WiFi traffic is sufficient. You can even find the user’s WEP key just by sniffing. WPA2 seems still secure towards this approach.