IDIOT's guide to how did they do this?

This has happened twice in the last week, so obviously we’re open to someone messing with our APs.

How did they do this (presume it wasn’t via WinBox or ssh, but rather from the wlan)?

How do we prevent it?

THANKS for your help - it is truly appreciated.

Happy New Year!

Kind regards/ldv

How did they do what?

My edit appears to have hit /dev/null :frowning:

The original post should have mentioned that the following references to 192.168 appeared unexpectedly in a MikroTik AP (2.9.46) mid afternoon:

[operator@dd-ap4] > /ip route print
 1  AD  0.0.0.0/0                          r 192.168.1.1     0        bridge1  

[operator@dd-ap4] /ip address print
 2 D 192.168.1.102/24   192.168.1.0     192.168.1.255   wlan1

Since then, I’ve found the following in the logs:

Jan  3 15:40:52 ap4 dhcp,critical,error,warning,info,debug dhcp alert on wlan1: discovered unknown dhcp server, mac 00:05:9E:82:86:17, ip 192.168.1.1
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:bridge1, src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:(none), src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:bridge1, src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:(none), src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 dhcp,info,debug dhcp-client on wlan1 got IP address 192.168.1.102
Jan  3 15:40:52 ap4 system,info dns changed

So, it appears it was an innocent subscriber who turned his Linksys bassackwards or an actor (I dunno).

Thanks for the help.

rgds/ldv

Please critique this code, invoked from the input and forward chains in an AP:

add chain=log-and-drop-rogue-dhcp action=log in-interface=wlan1 protocol=udp \
    src-port=67 dst-port=68 log-prefix="DROP_ROGUE_DHCP" \
    comment="Log and drop rogue DHCPOFFERS" disabled=no
add chain=log-and-drop-rogue-dhcp action=drop in-interface=wlan1 protocol=udp \
    src-port=67 dst-port=68 comment="Log and drop rogue DHCPOFFERS" disabled=no

THANKS/regards/ldv

As closure of this thread, whether it was an inside or an outside job, the problem turned out to be that this particular AP had a dhcp-client listening on wlan1 :frowning:

rgds/ldv
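As an added example (not code from this thread or from MikroTik), here is a small Python script that parses RouterOS log lines like those quoted above. It pulls out the "discovered unknown dhcp server" alert and the firewall's dropped server-to-client UDP packets, then checks whether a dhcp-client on the same interface took a lease after the alert, which is exactly the condition behind the closure post (an AP running dhcp-client on wlan1). The sample lines are constructed from the entries quoted in the thread with one benign ether1 lease added for contrast; the regexes and function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the RouterOS log entries quoted in the thread
# (the last ether1 lease is added as a benign control); not a real log export.
SAMPLE_LOG = """\
Jan  3 15:40:52 ap4 dhcp,critical,error,warning,info,debug dhcp alert on wlan1: discovered unknown dhcp server, mac 00:05:9E:82:86:17, ip 192.168.1.1
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:bridge1, src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 firewall,info BOGON_DROPPED log-and-drop-bogo: in:bridge1 out:(none), src-mac 00:05:9e:82:86:17, proto UDP, 192.168.1.1:67->255.255.255.255:68, len 576
Jan  3 15:40:52 ap4 dhcp,info,debug dhcp-client on wlan1 got IP address 192.168.1.102
Jan  3 15:40:52 ap4 system,info dns changed
Jan  3 16:02:10 ap4 dhcp,info,debug dhcp-client on ether1 got IP address 10.0.0.5
"""

ALERT_RE = re.compile(
    r"dhcp alert on (?P<iface>\S+): discovered unknown dhcp server, "
    r"mac (?P<mac>[0-9A-Fa-f:]{17}), ip (?P<ip>[\d.]+)")
LEASE_RE = re.compile(r"dhcp-client on (?P<iface>\S+) got IP address (?P<ip>[\d.]+)")
# Server->client DHCP traffic is UDP source port 67 to destination port 68.
DROP_RE = re.compile(
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto UDP, (?P<ip>[\d.]+):67->[\d.]+:68")


def parse_log(text):
    """Classify each log line; returns rogue-server alerts, dropped offers and client leases."""
    rogues = {}          # mac -> {"ip", "iface", "line"} from the dhcp alert
    dropped = Counter()  # mac -> number of server->client UDP packets the firewall dropped
    leases = []          # (line number, iface, ip) in log order
    for n, line in enumerate(text.splitlines(), start=1):
        if m := ALERT_RE.search(line):
            rogues[m["mac"].lower()] = {"ip": m["ip"], "iface": m["iface"], "line": n}
        elif "BOGON_DROPPED" in line and (m := DROP_RE.search(line)):
            dropped[m["mac"].lower()] += 1
        elif m := LEASE_RE.search(line):
            leases.append((n, m["iface"], m["ip"]))
    return {"rogues": rogues, "dropped": dropped, "leases": leases}


def assess(report):
    """Return findings: each rogue server, plus any lease a dhcp-client took on the same
    interface after the alert (i.e. the AP itself trusting the rogue server)."""
    findings = []
    for mac, info in report["rogues"].items():
        findings.append(
            f"rogue DHCP server {mac} ({info['ip']}) seen on {info['iface']}; "
            f"firewall dropped {report['dropped'][mac]} server->client packet(s)")
        for n, iface, ip in report["leases"]:
            if iface == info["iface"] and n > info["line"]:
                findings.append(
                    f"dhcp-client on {iface} accepted {ip} after the alert: "
                    f"remove the dhcp-client from {iface}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run it as-is and it reports the rogue server with two dropped packets and flags the wlan1 lease; the ether1 lease produces no finding because no alert was raised on that interface. Feeding it a real export (for example the output of a remote syslog collector) only requires replacing SAMPLE_LOG with the file contents.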