Is it possible to add a small IP scanner blocker tool to MikroTik?
For the case that you need to block someone who's trying to steal authenticated MAC addresses from the network, to disable his MAC address.
thanks
You can do something like this… Just modify it a little.
I'm not quite sure how to modify it to an IP scanner instead of a port scanner.
thanks
What's an IP scanner? I assume that it's something that makes one connection per IP to check if it's alive. How would you know on the router that this one connection is bad?
I think what he means is when someone is scanning, let's say, a /24. What you will want to do is limit the amount of TCP connections on a forward rule in the firewall. The problem is you would have to figure out the speed and amount of connections.
Someone inside your network that is scanning something on the outside? Only like this.
Not someone scanning your network from the inside; that's impossible.
For the first case, yes, limiting the number of connections would work. Set it to 20 and your users should not suffer (if they are not heavy torrenters).
I think you did not get what I meant.
An IP scanner basically tries to scan an IP range (let's say 10.1.1.0/24) for alive nodes.
If the hacker can scan the network and find alive nodes, then he can clone a MAC address and blend into the network as one.
But if we can detect who's scanning the network, we can prevent that.
thanks
And how can you detect what a person is doing on his PC? Imagine someone throwing tennis balls at random people. You will get hit once, and you will never know that he is doing the same to the others as well. The router can't do anything if this scan does not go THROUGH it. It is just pinging random machines.
Hellbound,
The only way it's possible to block this is to set up a firewall rule where it detects so many packets per second, just like the port scanning wiki shows, and have it add their IP address to a blocked firewall rule.
Normis is right, you can't distinguish between a real ping and an IP scan. The only way I see it possible is to detect the amount of pings from a src within so many seconds.
I believe it is possible to detect if any user sends any locally destined packet to more than three different addresses and block the user instantly, no matter what protocol is used, as long as it is destined to a local address.
thanks
How can a router know that the user has sent some packets to other computers previously? The connection doesn't go through the router, so it's not possible to track anything.
If you assign your IPs in blocks of two instead of a block of 255 IP addresses, all IP packets have to pass through the router.
On the other hand, we don't need to pass them through the router; we just isolate users either on wireless or managed switches. Then we make a transparent bridge with the MikroTik bridge option.
Everything will pass through that bridge; we enable connection tracking and packets will be analyzed before their delivery.
Is it difficult?
Thanks for the reply.
If you make them go through the router, then make the connection limit rule as suggested earlier. There is no other way to do this, only as already mentioned above in this thread.
And if I want to play an online game with 10 other users? Like CS:S or Hearts?
Well, IP scanners usually work on the ARP or ICMP protocol; you don't need to block users who are communicating with friends through other protocols.
On the other hand, most IP scanners work through a sequence. For instance, try AngryIPScanner, which is one of them that I tried. It simply tries to send packets from 10.1.1.1 to 10.1.1.255. You can block that user when it reaches 10.1.1.15 and report it to the network admin, so we can find the culprit.
Also, I have not seen any game that scans the network for alive IP addresses.
It may not be a 100% secure network, but we can block average hackers, who usually use public tools to clone a MAC address simply by adding a registry entry in Windows.
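The two heuristics proposed in this thread (a source that sends locally destined packets to more than three different addresses, and a scanner that walks 10.1.1.1, 10.1.1.2, ... in sequence) can be checked offline against firewall logs. The following is an added example written for this thread, not code from the forum or from MikroTik: it assumes the setup described above, where user traffic crosses a MikroTik transparent bridge and a firewall rule with `log=yes` and a `log-prefix` of `scan-detect` (an assumed name) records each packet. The log lines, timestamps and MAC address are constructed to imitate the RouterOS log format and are not captured data. Destinations are only counted when they are unicast addresses inside the local range, so the discovery broadcasts that LAN games send are not counted, and the slow sweep at the end shows the trade-off the window size forces.

```python
"""Sliding-window 'distinct local destinations per source' heuristic run over
constructed RouterOS-style firewall log lines (added example, not MikroTik code)."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# One RouterOS firewall log line looks roughly like:
#   jan/01 10:00:01 firewall,info <prefix> forward: in:bridge1 out:bridge1,
#   src-mac ..., proto ICMP (type 8, code 0), 10.1.1.50->10.1.1.1, len 60
# TCP/UDP lines carry ports as 10.1.1.20:40000->10.1.1.255:27015.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) firewall,info \S+ \w+: "
    r".*?proto (?P<proto>[A-Z]+).*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?->(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return (seconds_since_midnight, proto, src, dst) or None for non-matching lines.
    Assumes all lines come from the same day (the log carries no year)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["ts"].split(" ")[1].split(":"))
    return hh * 3600 + mm * 60 + ss, m["proto"], m["src"], m["dst"]


def detect_sweeps(lines, local_net="10.1.1.0/24", window_s=10, max_targets=3):
    """Flag any source that contacts more than max_targets distinct unicast hosts
    inside local_net within window_s seconds. Returns {src: {"at": ts, "targets": [...]}}."""
    net = ip_network(local_net)
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _proto, src, dst = parsed
        dst_ip = ip_address(dst)
        # Only locally destined unicast counts; broadcast is what LAN server
        # discovery uses, so it is deliberately left out of the tally.
        if dst_ip not in net or dst_ip == net.broadcast_address:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()  # drop entries that fell out of the window
        targets = {d for _, d in q}
        if len(targets) > max_targets and src not in flagged:
            flagged[src] = {"at": ts, "targets": sorted(targets, key=ip_address)}
    return flagged


def _line(ts, proto, src, dst):
    """Build one constructed log line in the RouterOS shape (sample data only)."""
    if proto == "ICMP":
        body = f"proto ICMP (type 8, code 0), {src}->{dst}"
    else:
        body = f"proto {proto}, {src}:40000->{dst}:27015"
    return (f"jan/01 {ts} firewall,info scan-detect forward: in:bridge1 out:bridge1, "
            f"src-mac 00:11:22:33:44:55, {body}, len 60")


# Constructed sample log: a sequential sweep, a LAN gamer, a normal user, a slow sweep.
SAMPLE_LOG = [
    "jan/01 10:00:00 system,info router rebooted",        # not a firewall line, skipped
    _line("10:00:01", "UDP", "10.1.1.20", "10.1.1.255"),  # game client broadcasting
    _line("10:00:01", "ICMP", "10.1.1.50", "10.1.1.1"),   # start of a host-by-host sweep
    _line("10:00:01", "ICMP", "10.1.1.50", "10.1.1.2"),
    _line("10:00:02", "ICMP", "10.1.1.50", "10.1.1.3"),
    _line("10:00:02", "ICMP", "10.1.1.50", "10.1.1.4"),   # fourth distinct host: over the limit
    _line("10:00:02", "UDP", "10.1.1.20", "10.1.1.255"),
    _line("10:00:03", "ICMP", "10.1.1.50", "10.1.1.5"),
    _line("10:00:03", "UDP", "10.1.1.20", "10.1.1.7"),    # gamer joins two hosts it found
    _line("10:00:04", "UDP", "10.1.1.20", "10.1.1.8"),
    _line("10:00:05", "TCP", "10.1.1.30", "10.1.1.1"),    # ordinary user talking to the gateway
    _line("10:00:05", "TCP", "10.1.1.30", "8.8.8.8"),     # outside the local range, not counted
    _line("10:01:00", "ICMP", "10.1.1.40", "10.1.1.11"),  # slow sweep: one host a minute
    _line("10:02:00", "ICMP", "10.1.1.40", "10.1.1.12"),
    _line("10:03:00", "ICMP", "10.1.1.40", "10.1.1.13"),
    _line("10:04:00", "ICMP", "10.1.1.40", "10.1.1.14"),
    _line("10:05:00", "ICMP", "10.1.1.40", "10.1.1.15"),
]


def fmt_time(ts):
    """Seconds since midnight back to HH:MM:SS for readable reports."""
    return f"{ts // 3600:02d}:{ts % 3600 // 60:02d}:{ts % 60:02d}"


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src} flagged at {fmt_time(info['at'])}: {', '.join(info['targets'])}")
    # With a 10-minute window the slow sweep from 10.1.1.40 is caught as well.
    print(sorted(detect_sweeps(SAMPLE_LOG, window_s=600)))
```

With the default 10-second window only 10.1.1.50 is reported, and the sorted target list makes the sequential pattern from the AngryIPScanner description visible. Widening the window to 600 seconds also catches 10.1.1.40, at the cost of a higher false-positive rate for users who legitimately touch several local hosts over a few minutes. As noted earlier in the thread, the detector sees only traffic that actually crosses the bridge or router; hosts on the same unmanaged segment never show up in these logs at all.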
All network games do that. They look for open servers nearby when you click the join button or something. The same goes for many other programs. Just try to monitor one of the scans and see what the person is using; then block only the type of traffic that is the scan. The best method of course is to go and beat up the offender.
Thanks for the prompt reply again.
Have you ever seen a thief show his ID to a CCTV camera before he steals something?
A person who is already authenticated and has his user record in the system won't attempt to hack the network.
A person who is not authenticated will attempt to hack the network. A hacker will always use an anonymous identity. This rule does not have to be applied to authenticated users who are logged in and have a true identity.
Once you're in, then you're clean, but if you're outside and you're trying to call names to create your fake ID to get into the house, then this tool comes in.
And what you mentioned is of course for LAN connections, where it sends a broadcast packet, and of course not in every single game. Every game has Internet and LAN options. You can simply force users to use their Internet options instead of LAN options to create a server (which is also up to the individual network admin to decide).
But this is just an IP scanner detector, so we know who's trying to play a game or who's trying to clone a MAC address by stealing MAC addresses on the network. At least we can log network activities, especially if it will also be added to the log option as well.
It is up to the admin to decide whether to block it or not… at least we will have a list of people who are playing games, so we can find out whether they really played their game or they went off the hook and cloned a MAC address.
But truly, if this is not the solution, what is the solution to find someone who is attempting to hack a cable or wireless network?
I say that again: it is up to the individuals to decide what policy to apply after that.
I’m not an expert on this topic but:
At home I have a Netgear ADSL router. On one config page it has a couple of check-boxes for "DOS prevention" and "port-scan-detect".
I.e. if nasty people out on the net are trying to break in or take down the network by DOS, it takes some action, presumably ignoring the requests.
I doubt the algorithm is terribly sophisticated, and there are no options to tweak it, but it exists.
I wonder if there should be some features like this on the “wish list” for MT?
… hope that was relevant …
Regards
Check out webbox; there are basic options for protection.
Stephen, you are again talking about port scans. That we have. Hellbound wants to detect when somebody scans a range of IPs by means of (most likely) a single ping to each address. What I'm saying is that it is not possible to tell whether somebody just pings, or actually does it for an evil purpose.