Community discussions

MUM Europe 2020
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Help me stop MAC spoofing

Fri Oct 06, 2017 5:23 am

hello everyone
i have a real problem with my network which is MAC spoofing.
a lot of people are using MAC changers to access my network
so they are stealing other people's credit on my network.
is there anyway to stop the MAC spoofing and hide the MAC addresses from showing in any MAC scanner ?
i was able to hide them and also hide the nano station from showing in Ubnt discovery without any scripts or rules but i forgot how.
is there any way to solve this problem ?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Help me stop MAC spoofing

Fri Oct 06, 2017 9:34 am

You need invest in the Mikrotiks, configure them as bridges and give them to the clients to stabilize MAC address base.
Then you can account their traffic using Mikrotik's MACs not clients ones as client will be hidden behind bridges.
Real admins use real keyboards.
 
ebreyit
Member Candidate
Member Candidate
Posts: 120
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: Help me stop MAC spoofing

Fri Oct 06, 2017 2:01 pm

Disable client forwarding on WiFi networks and use bridge horizon
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Fri Oct 06, 2017 4:56 pm

I'm sorry but i didn't understand anything
can you give me steps please ? on what should i do or where to go ?
i'm using MikroTik Router RB1100AHx2 and NSM2 for the customers to connect
and i'm using username and password only once to get authorized after that they can login by MAC address.
 
ebreyit
Member Candidate
Member Candidate
Posts: 120
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: Help me stop MAC spoofing

Sat Oct 07, 2017 2:05 pm

I'm not sure a band aid based on a response from here is going to solve your problem.

If this is causing you real issues, you need to spend some time thinking about your current strategy and do some research on a number of possible solutions to the security and accountability issues you are facing.

MAC based login is a very insecure way to go. It's ease of use and subsequent ease of abuse is becoming apparent so I would rethink this aspect entirely.
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Sun Oct 08, 2017 5:15 pm

i know my response is not enough but its because i don't really know what to say about my network i began 1 month ago and i don't have that much of information to talk about my network .
i tried to stop the MAC based login but it seems that everyone is enjoying it and they just don't want to login every time they connect to the network
so i think you have to ask me about info and i will answer it because i really don't know where to start and if you can't help it's okay .
my firewall is kinda clean it has some filter's rule but i think they are for logging in and out and redirecting .
 
User avatar
manuzoli
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Mon Oct 03, 2016 6:47 pm

Re: Help me stop MAC spoofing

Sun Oct 08, 2017 11:00 pm

Is this a hotspot or what?
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Thu Oct 12, 2017 6:37 am

yes its a hotspot i think
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Help me stop MAC spoofing

Fri Oct 13, 2017 1:13 am

You are going to need to spend time implementing layer 2 isolation on your network. Basically this is not something that can be done or controlled at the core of your network, you need to do it at the edge of the network, the point that client devices connect. How you do that is up to you and depends on your network equipment that you have installed and what it is able to do. Your ultimate goal is to stop client to client communication over layer2, this is a network design problem.

If you need to maintain a layer2 network, here are some steps.

The first line of defense is going to be disabling forwarding on your wireless interfaces. Mikrotik calls this "default forwarding", other manufacturers call it something else. But the basic idea is the same, not allowing devices connected to the wireless network talk to each other over the wireless network.

The next step is deciding how you want to isolate hosts on your switches. This can typically be done through VLANs or port isolation on switches. Port isolation works by telling the switch what ports traffic is allowed to be forwarded to.

Both of these things need not change how your clients connect today and use the system today, but will greatly increase security, and will help with your problem. This doesn't prevent someone from grabbing the MAC address by using a wireless sniffer and grabbing it from the air, but does prevent someone from grabbing a MAC address from another part of the network.

If your current equipment doesn't support these kinds of things, then you will need to budget for network upgrades that will allow you to do so.
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Fri Oct 13, 2017 3:40 pm

i already read about all of that but no one is giving steps like open here, write this. add this to firewall, they are all talking about layer2 and to be honest i dont even know where is this layer2 or how to reach it.
by the way im using nano station M2 with XM.v6.0.7 version , and RB SXT 5nD r2 as a receiver,
does these equipment support the ip isolate ?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Fri Oct 13, 2017 5:20 pm

You should probably consider switching to PPPoE instead of hotspot if you have such rampant issues with end-user abuse.
Another option to experiment with would be cookie logins.

Unfortunately, there is nothing much you can do to stop devices from MAC spoofing. Client isolation won't completely fix this issue. The only thing this would do is give your network a small amount of defense against unskilled users easily monitoring network traffic for other MAC addresses on the network.

Layer 2 refers to ethernet / wifi devices (as opposed to routers) - MAC addresses are part of this layer 2 and a router (which is layer 3) cannot really do much about spoofed MAC addresses. Layer 2 security requires devices that have such features - ethernet switches and WiFi access points are the devices which would have such features, and not a router such as your Mikrotik.

If your access is strictly wifi-based, then you should set up a lab and implement username/password for connecting to the WiFi itself. That would be the best solution IMO.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Sat Oct 14, 2017 3:36 am

yes i kinda understand now and yes its wifi-based .
there are a lot of routers that you can't connect to when your MAC is changed it will always say that the wifi password is wrong even if its right.
can we use that feature in Nano station ?
it will be like the best thing to stop spoofing
 
ebreyit
Member Candidate
Member Candidate
Posts: 120
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: Help me stop MAC spoofing

Wed Oct 18, 2017 3:19 pm

yes i kinda understand now and yes its wifi-based .
there are a lot of routers that you can't connect to when your MAC is changed it will always say that the wifi password is wrong even if its right.
can we use that feature in Nano station ?
it will be like the best thing to stop spoofing
I think your lack of knowledge in regards to the OSI Model https://en.wikipedia.org/wiki/OSI_model and how to use it to understand your issues and mitigate the problems they present is the first thing you need to address, until you do, even following steps here may not produce the results you are expecting and could even make things worse as you don't understand what going on.

You need to build yourself a lab (a small scale version of what your running in the field) and spend some time learning the basics, slowing increasing the complexity of the setup and configuration so that you can gain a clear understanding of whats happening, why and how to make the changes you need, but, also, how to debug a setup when it's not performing as expected.

Start by learning the various layers of the OSI model and what part they play within each piece of network equipment. (Difference between routing, switching, bridging etc. IP's, MAC's, MTU, TCP, UDP... The list goes on)

Then spend some time working through examples in the Mikrotik Wiki and from elsewhere on the Internet. YouTube also has many good videos to learn from.

Take a look at GNS3 https://www.gns3.com/

It's easy to say, give me the answer, but, there's no point if you don't understand the solutions that are given or how to apply them to your setup without breaking anything else.

If you have more knowledge, at least if you don't fully understand the solutions given to begin with, you'll be better equipped to analyse them and see what's going on, test it in a lab setup and learn what's going on and how it can be used.

There's no way to stop MAC Spoofing, but you can minimise chances of people scanning your network to collect MAC's which they can then use for spoofing. This doesn't stop people from sharing MAC's with each other in order to abuse your network though.

Ultimately that's not going to solve your problem.
Your problem stems from using MAC's as a means of authentication. It's flawed.
Various online articles have existed for over a decade warning against the pitfalls of using MAC address's for access control (example http://www.techrepublic.com/article/the ... filtering/).

There area limited number of instances where the use of MAC's can be useful, but never in a network facing a public domain.
 
darkoknght
just joined
Topic Author
Posts: 20
Joined: Fri Oct 06, 2017 5:09 am

Re: Help me stop MAC spoofing

Wed Oct 18, 2017 3:50 pm

everything you have said is true i do lack tons of knowledge and i don't know where to start
and i don't even know my own network that much so i have to learn as you said but can you give me more links about the basics please
 
troffasky
Member
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Help me stop MAC spoofing

Sat Oct 21, 2017 4:28 pm

The first thing you should do is re-read every reply you've had in this thread and make a list of all the terms you don't understand. Take each one you don't understand and Google it. Write down some notes about what you find to help cement your knowledge.
Nobody is paid to post on these forums and having to spoon-feed somebody who won't help themselves is tedious and unrewarding, and you will find that the number of replies to your requests for help dwindle.
Like ebreyit says you need to build a lab and test out some different scenarios.
 
jimmy1ghetto
just joined
Posts: 4
Joined: Mon Oct 30, 2017 8:08 pm

Re: Help me stop MAC spoofing

Mon Oct 30, 2017 8:39 pm

there is no way you can stop some one from spoofing mac address as long as he have some device is mac address thats active user on your hotspot and he have rooted phone, but what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32
from your winbox settings go to
IP
DHCP SERVER
choose NETWORKS
make the gateway 2.2.2.2
netmask 32
then apply

method two
when a client connect to your hotspot the system will show you the mac address of the device, ip and the host name so as we know if some one steal other client is mac you still can find out by the hostname of the device for example if he spoofed 3 different clients the dhcp server will list those three macs with the same host name unless he is very genius and found a way of spoofing hostnames too.
ok lets get to the point there is a script you put into the new terminal what this script do is scans all the hostnames every 20 seconds if one of them is duplicated it automaticly cicks that bad hostname so the hacker can have access for maximum 20sec before he gets cicked out, i hope it will solve your problems

the acript
# use global hacklist variable
#:log info ($hacklist)
:foreach host in $hacklist do={
:foreach i in= [/ip dhcp-server lease find host-name $host] do={
:local ipnum [/ip dhcp-server lease get $i address]
:local unum [/ip hotspot active find address $ipnum]
:if ([:len $unum] >0) do {
:local usr [/ip hotspot active get $unum user]
:log warning ($host . " " . $ipnum . " " . $usr)
#next line kick them out right now, could also check pppoe
/ip hotspot active remove $unum
#other stuff can do now with the identified IP and USER
}
 
troffasky
Member
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Help me stop MAC spoofing

Tue Oct 31, 2017 2:43 pm

what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32
MAC addresses are not encrypted on wifi. You can confirm this yourself with a tool like Kismet, eg:

https://lh6.googleusercontent.com/VjbpX ... m3dBEvwZ60
 
jimmy1ghetto
just joined
Posts: 4
Joined: Mon Oct 30, 2017 8:08 pm

Re: Help me stop MAC spoofing

Wed Nov 01, 2017 11:10 pm

what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32
MAC addresses are not encrypted on wifi. You can confirm this yourself with a tool like Kismet, eg:

https://lh6.googleusercontent.com/VjbpX ... m3dBEvwZ60
wifi scanners scans for the ip range therefore if you prevent it from showing ip addresses mac addresses wont be listed too
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Help me stop MAC spoofing

Thu Nov 02, 2017 9:08 pm

One can still do ARP requests as that is a layer2 function, and need not involve the IP addresses, also if someone just sniffs for wireless traffic they can still grab MAC addresses out of the air. So your solutions will only slow down someone that has a basic knowledge of what is going on, not really preventing anything.

Also by someone duplicating a MAC address, it still causes problems for the real host regardless if you block the offender from gaining access to the internet for a short time.
 
jimmy1ghetto
just joined
Posts: 4
Joined: Mon Oct 30, 2017 8:08 pm

Re: Help me stop MAC spoofing

Fri Nov 03, 2017 6:18 pm

ok why dont you provide us with a better solutions then?
 
Feklar
Forum Guru
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Help me stop MAC spoofing

Fri Nov 03, 2017 7:33 pm

ok why dont you provide us with a better solutions then?
Check earlier in the thread where layer2 isolation on the wireless access is talked about, along with VLANs and port isolation on switches. There is also enabling WPA2 encryption on wireless assuming that you are in a situation that you can get away with that.

A router is a router, a layer 3 device, it cannot control traffic that does not flow over it. When you are talking about computers talking to each other, i.e. spoofing MAC addresses of legitimate users, that is all happening on layer2, and it does not need to involve a router to happen. So you need to control it on the devices that handle that specific traffic the best you can.

It is not a router issue, it is a network design issue.
 
troffasky
Member
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Help me stop MAC spoofing

Sun Nov 05, 2017 12:26 am

wifi scanners scans for the ip range therefore if you prevent it from showing ip addresses mac addresses wont be listed too
I think you are confused. I linked to a screenshot of a wifi scanner by the name of "kismet", a tool I have used myself [you can also verify this easily enough, because it - amongst other, similar tools, no doubt - is free to download and use]. That screenshot shows the MAC addresses of devices connected to an encrypted wireless network.

You cannot hide MAC addresses of wireless clients, so any scheme that relies for it's integrity on MAC addresses being secret, is doomed to failure.
ok why dont you provide us with a better solutions then?
Scroll up.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1312
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Help me stop MAC spoofing

Sun Nov 05, 2017 2:20 pm

What about using PPPoE.
Then every user need to configure their client with a username/password.
Off course someone can give login information to other people.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
troffasky
Member
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Help me stop MAC spoofing

Sun Nov 05, 2017 11:16 pm

Off course someone can give login information to other people.
...which is an improvement on "other people" just taking your login without you knowing about it!
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Tue Nov 07, 2017 9:24 pm

Given the choice between PPPoE and WPA2-enterprise, I'd choose the latter because access to the WiFi network is controlled at the front door by AAA. It still cannot stop MAC spoofing but at least the spoofing client must possess active credentials to join the network before being naughty, and those can be disabled / changed centrally. PPPoE will end up being a protection for layer 3 but still uses MACs as well, ostensibly on an open WiFi network that goes nowhere w/o PPPoE, but bad actors can still cause issues in this scenario.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1312
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Help me stop MAC spoofing

Tue Nov 07, 2017 11:19 pm

Not sure if darkoknght only uses Wifi, but if so, I agree that WPA2 enterprise is a good solution.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 9:06 am

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 4:34 pm

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.
This will not stop MAC spoofing. This is a method to enforce the use of DHCP on the LAN, and disabling default forward blocks the clients from direct east-west communication at layer 2, but doesn't do anything to prevent MAC spoofing.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 6:14 pm

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.
This will not stop MAC spoofing. This is a method to enforce the use of DHCP on the LAN, and disabling default forward blocks the clients from direct east-west communication at layer 2, but doesn't do anything to prevent MAC spoofing.
You're right. What would you do?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 6:33 pm

scroll up..... and see that I would go with WPA2-Enterprise
i.e. AAA-backed per-user authentication
That STILL doesn't stop the endpoint's ability to spoof MAC addresses but at least you can disable the account of anyone caught doing it and that device won't be able to join the network.

At the end of the day, there's nothing you can do to prevent a device from spoofing its MAC. If it chooses to lie, then it's going to tell lies. The only thing you can do is limit the ability to attach to your network.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 7:06 pm

scroll up..... and see that I would go with WPA2-Enterprise
i.e. AAA-backed per-user authentication
That STILL doesn't stop the endpoint's ability to spoof MAC addresses but at least you can disable the account of anyone caught doing it and that device won't be able to join the network.

At the end of the day, there's nothing you can do to prevent a device from spoofing its MAC. If it chooses to lie, then it's going to tell lies. The only thing you can do is limit the ability to attach to your network.
How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 8:27 pm

How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?
Okay - so I'll take my laptop there, unplug the expected device, note its MAC address (which I can ultimately learn by plugging my laptop directly into the "mac-verified" device's ethernet card and using wireshark to sniff the packets it sends, noting the SRC MAC) and then set my laptop to spoof that MAC and plug into the network in the same spot.

What then?
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 8:51 pm

How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?
Okay - so I'll take my laptop there, unplug the expected device, note its MAC address (which I can ultimately learn by plugging my laptop directly into the "mac-verified" device's ethernet card and using wireshark to sniff the packets it sends, noting the SRC MAC) and then set my laptop to spoof that MAC and plug into the network in the same spot.

What then?
How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 10:25 pm

How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.
I go to the other device physically - pull its cable out and sniff it from a direct connection to the device. Then I connect into its port and go online with that MAC from its port.
The point is that even east/west isolation doesn't stop the ability to spoof MAC addresses, if that's your goal.
MAC-based security is broken, which was the original point of this thread.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Wed Nov 08, 2017 10:31 pm

How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.
I go to the other device physically - pull its cable out and sniff it from a direct connection to the device. Then I connect into its port and go online with that MAC from its port.
The point is that even east/west isolation doesn't stop the ability to spoof MAC addresses, if that's your goal.
MAC-based security is broken, which was the original point of this thread.
The point is isolate the clients from each other any way. Segmentation in subnets is solution.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help me stop MAC spoofing

Thu Nov 09, 2017 4:23 pm

The point is isolate the clients from each other any way. Segmentation in subnets is solution.
I'm not saying client isolation is bad. I'm just saying that doesn't help in the OP's problem.

OP's problem is that wireless clients are spoofing the MAC addresses of other customers to have their traffic billed to other customers.
In a wireless environment, be it open or shared key, it is trivial to sniff the air for other users' traffic to learn MAC addresses and spoof them.
wpa2-enterprise authentication solves the issue in two ways:
1) billing is done based on higher-layer authentication so MAC spoofing won't help leeches
2) if a client DOES spoof another's MAC, then the password of the spoofer can be disabled
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5985
Joined: Mon Jun 08, 2015 12:09 pm

Re: Help me stop MAC spoofing

Thu Nov 09, 2017 4:36 pm

Of course the approach depends a lot on the actual problem at hand. When you have a problem with unknown/anonymous attackers who sniff for a valid MAC address then change their own AP to that MAC, and the response is to disable usage of that MAC, an innocent (and paying) user of the network will be locked out and he did not do anything wrong.
When the actual problem is that users hand out their credentials to others, of course it is a valid approach to disable them.
(assuming the terms of service disallow that action)
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1057
Joined: Fri Jul 28, 2017 2:53 pm

Re: Help me stop MAC spoofing

Thu Nov 09, 2017 6:07 pm

Radius AAA then.

Who is online

Users browsing this forum: No registered users and 23 guests