Community discussions

 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

DHCP Flooding

Thu Oct 22, 2015 4:05 am

Good night,

I can predict the unauthorized distribution of dynamic IP address via DHCP?
Resumindo- If a malicious user put a virtual machine with a DHCP server, he can send addresses valid for the entire network, it is possible to guard against that?

Regards,
 
scampbell
Trainer
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ
Contact:

Re: DHCP Flooding

Thu Oct 22, 2015 5:15 am

Mikrotik support DHCP Server Alert function that can tell when a new DHCP server is found.

/ip dhcp-server alert
add disabled=no interface=bridge-lan on-alert="/log error \"server found\""

You can add your own script as required.

It is also possible to filter DHCP on a Bridge if required. http://wiki.mikrotik.com/wiki/Bridge_Fi ... CP_Traffic
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

DHCP Flooding

Fri Oct 23, 2015 12:47 am

What exactly does this bridge dhcp filter in wiki?
I also have this problem in buildings that users connect routers to their apartment without asking.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: DHCP Flooding

Fri Oct 23, 2015 4:28 am

manageable switches normally have this functionality because its a problem to be solved at access layer
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

DHCP Flooding

Fri Oct 23, 2015 10:18 am

So filtering dhcp in bridge as said above wont help right?
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 24, 2015 2:36 am

Mikrotik support DHCP Server Alert function that can tell when a new DHCP server is found.

/ip dhcp-server alert
add disabled=no interface=bridge-lan on-alert="/log error \"server found\""

You can add your own script as required.

Hello Friend,

I created this alert, thanks for the tip.
But as this alert work? Where will I be alerted?

What this video is doing the same thing this address above?
Sorry, I am a layman in this part :)
https://www.youtube.com/watch?v=oP1sIROxcwg
Last edited by marcelofares on Sat Oct 24, 2015 2:44 am, edited 2 times in total.
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 24, 2015 2:36 am

manageable switches normally have this functionality because its a problem to be solved at access layer
Unfortunately my Switch does not offer this feature.
Thanks!
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 24, 2015 2:39 am

What exactly does this bridge dhcp filter in wiki?
I also have this problem in buildings that users connect routers to their apartment without asking.

I also like to know what these rules will do?
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 24, 2015 3:35 am

I think this video shows a correct tip for warning procedure work correctly, see

https://www.youtube.com/watch?v=lgD6qqJAISk

OR...

I think this video would be valid, but do not understand anything in this language :)

https://www.youtube.com/watch?v=4cfQ4y079dM
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

DHCP Flooding

Sat Oct 24, 2015 10:44 am

Yes these rules works. You have to place a command also to sent u email that a rogue dhcp has appeared in the network
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

DHCP Flooding

Sat Oct 24, 2015 10:46 am

This is the script i am using in my routers. This is from another user posted in the past...

:local CurrentTime [/system clock get time]
:local hostname [/system identity get name]
:global date [/system clock get date]
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"
:local dh

/tool e-mail send to="mymail@gmail.com" subject="ROGUE DHCP Server have been detected on $hostname at $date - time $CurrentTime - Interface= $int - IP Address=$addr - MAC-Address= $mac"
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 24, 2015 5:07 pm

This is the script i am using in my routers. This is from another user posted in the past...

:local CurrentTime [/system clock get time]
:local hostname [/system identity get name]
:global date [/system clock get date]
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"
:local dh

/tool e-mail send to="mymail@gmail.com" subject="ROGUE DHCP Server have been detected on $hostname at $date - time $CurrentTime - Interface= $int - IP Address=$addr - MAC-Address= $mac"

I'm using the same commands this video below, I'm not sure this works see:
https://www.youtube.com/watch?v=lgD6qqJAISk

/ tool e-mail send to = "my-e-mail" subject = ("DHCP server on the network from unauthorized." [/ system identity get name]) $ $ address $ interface server "mac-address" "

If I want to use your tip, just copy this script and put the correct email, only this?
You do not have the required permissions to view the files attached to this post.
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

DHCP Flooding

Sat Oct 24, 2015 8:15 pm

Put your email address and also set correct parapeters in tools-email
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sun Oct 25, 2015 2:14 pm

Put your email address and also set correct parapeters in tools-email
Perfect my friend, I've done this procedure :)
Unfortunately there is no way the own mikrotik to prevent false DHCP servers (unauthorized). I think these functions are all layer two (switch). So far only found detective tips and not preventive (proactive)
Last edited by marcelofares on Sat Oct 31, 2015 1:27 am, edited 1 time in total.
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: DHCP Flooding

Sun Oct 25, 2015 3:44 pm

What exactly does this bridge dhcp filter in wiki?
I also have this problem in buildings that users connect routers to their apartment without asking.

I also like to know what these rules will do?
They will stop DHCP traffic if it passes through the MikroTik router. However, DHCP packets are distributed in the whole LAN, independent from the router.

As already mentioned, a manageable/smart switch is really the only way to filter out such packets, by making all devices forward packets only in the direction of your router and back (which would also effectively forbid your clients from communicating with each other at all, without the router's permission).

The alternative is simply not using DHCP, but using either IPs or PPPoE. Leave DHCP to provide settings that only lead to a single web page, which explains how to setup the connection "manually".
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sat Oct 31, 2015 1:27 am

What exactly does this bridge dhcp filter in wiki?
I also have this problem in buildings that users connect routers to their apartment without asking.

I also like to know what these rules will do?
They will stop DHCP traffic if it passes through the MikroTik router. However, DHCP packets are distributed in the whole LAN, independent from the router.

As already mentioned, a manageable/smart switch is really the only way to filter out such packets, by making all devices forward packets only in the direction of your router and back (which would also effectively forbid your clients from communicating with each other at all, without the router's permission).

The alternative is simply not using DHCP, but using either IPs or PPPoE. Leave DHCP to provide settings that only lead to a single web page, which explains how to setup the connection "manually".

Well, taking advantage of the topic, you know a way (with script usage) to detect the same mac-address (clone) in HOTSPOT network? I've been looking for this for a long time!
 
troffasky
Member
Member
Posts: 395
Joined: Wed Mar 26, 2014 4:37 pm

Re: DHCP Flooding

Sat Oct 31, 2015 11:59 am

I think this:

https://github.com/davidnutter/mikrotik-arpwatch

will do what you want but a) documentation for it is thin on the ground and b) it requires an external server to run it on [although I guess you could run it on an OpenWRT metarouter]
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Sun Nov 01, 2015 2:02 pm

I think this:

https://github.com/davidnutter/mikrotik-arpwatch

will do what you want but a) documentation for it is thin on the ground and b) it requires an external server to run it on [although I guess you could run it on an OpenWRT metarouter]

Sorry friend, but I do not understand WHAT you wrote above. This is a complementary tool to prevent or detect ARP spoofing?
 
troffasky
Member
Member
Posts: 395
Joined: Wed Mar 26, 2014 4:37 pm

Re: DHCP Flooding

Sun Nov 01, 2015 3:18 pm

arpwatch alerts you when a MAC address changes IP address, or when an IP address changes MAC address. If a "bad guy" assumes somebody else's MAC and IP addresses, you aren't going to be able to know who the "real" one is. Perhaps you could set hotspot interface ARP mode to reply-only, populate ARP from DHCP and disable client-to-client forwarding. That will make it harder for a "bad guy" to get enough information about innocent users in order to spoof them.
 
InoX
Forum Guru
Forum Guru
Posts: 1962
Joined: Tue Jan 09, 2007 6:44 pm

Re: DHCP Flooding

Sun Nov 01, 2015 3:33 pm

This is how is done.
You do not have the required permissions to view the files attached to this post.
 
User avatar
marcelofares
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: DHCP Flooding

Mon Nov 02, 2015 6:03 pm

arpwatch alerts you when a MAC address changes IP address, or when an IP address changes MAC address. If a "bad guy" assumes somebody else's MAC and IP addresses, you aren't going to be able to know who the "real" one is. Perhaps you could set hotspot interface ARP mode to reply-only, populate ARP from DHCP and disable client-to-client forwarding. That will make it harder for a "bad guy" to get enough information about innocent users in order to spoof them.

Please, where can I find these options?
ARP mode to reply-only and disable client-to-client forwarding

Note - I'm not an external service provider, only I use internal HOTSPOT to authenticate the hotel guests

Thanks!

Who is online

Users browsing this forum: No registered users and 36 guests